{ "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-3cx_supply_chain_attack_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587885Z", "creation_date": "2026-03-23T11:46:25.587887Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587893Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\nhttps://www.elastic.co/fr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack" ], "name": "3cx_supply_chain_attack_loader.yar", "content": "rule supply_chain_attack_3cx_loader {\n meta:\n title = \"3CX Desktop App Supply Chain Attack Loader\"\n id = \"d5066a5c-be2a-445b-b4fe-9fecfcf99e5f\"\n description = \"Detects the loader embedded in the 3CX Desktop App infected by a supply chain attack.\\nThe 3CX Desktop App was compromised in March 2023, delivering a malware capable of stealing browser credentials and exfiltrating them to a remote, attacker-controlled server. 
This rule identifies the specific signature of the malicious loader within the legitimate 3CX application.\"\n references = \"https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\\nhttps://www.elastic.co/fr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack\"\n date = \"2023-03-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1102;attack.exfiltration;attack.t1567;attack.credential_access;attack.t1539\"\n classification = \"Windows.Loader.3CXSupplyChainAttack\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02\n // 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\n\n $s1 = \"d3dcompiler_47.dll\" fullword wide\n\n $magic_marker = {\n 41 80 7C 00 FD FE // cmp byte ptr [r8+rax-3], 0FEh\n 75 ?? // jnz short loc_18004E04A\n 41 80 7C 00 FE ED // cmp byte ptr [r8+rax-2], 0EDh\n 75 ?? // jnz short loc_18004E04A\n 41 80 7C 00 FF FA // cmp byte ptr [r8+rax-1], 0FAh\n 75 ?? // jnz short loc_18004E04A\n 41 80 3C 00 CE // cmp byte ptr [r8+rax], 0CEh\n 74 ?? // jz short loc_18004E057\n }\n\n $pe_parsing = {\n 3D 4D 5A 00 00 // cmp eax, 5A4Dh\n 0F 85 ?? ?? ?? ?? // jnz loc_18004E1F7\n 48 63 43 3C // movsxd rax, dword ptr [rbx+3Ch]\n 48 8D 14 03 // lea rdx, [rbx+rax]\n 48 83 C2 18 // add rdx, 18h ; Src\n 4C 8D ?? 
24 50 // lea r14, [rsp+598h+var_548]\n 41 B8 F0 00 00 00 // mov r8d, 0F0h ; Size\n 4C 89 F1 // mov rcx, r14 ; void *\n }\n\n $payload_decryption = {\n 48 63 D0 // movsxd rdx, eax\n 4C 69 C2 AB AA AA 2A // imul r8, rdx, 2AAAAAABh\n 4D 89 C1 // mov r9, r8\n 49 C1 E9 3F // shr r9, 3Fh\n 49 C1 E8 21 // shr r8, 21h\n 45 01 C8 // add r8d, r9d\n 41 C1 E0 02 // shl r8d, 2\n 47 8D 04 40 // lea r8d, [r8+r8*2]\n 44 29 C2 // sub edx, r8d\n 8A 14 0A // mov dl, [rdx+rcx]\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "supply_chain_attack_3cx_loader" ], "rule_creation_date": "2023-03-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.3CXSupplyChainAttack" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567", "attack.t1539", "attack.t1102" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-3cx_supply_chain_attack_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576482Z", "creation_date": "2026-03-23T11:46:25.576485Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576490Z", "rule_level": 
"critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html" ], "name": "3cx_supply_chain_attack.yar", "content": "rule supply_chain_attack_3cx {\n meta:\n title = \"3CX Desktop App Supply Chain Attack\"\n id = \"bf1cfc8c-2838-4a72-8814-d664a83ccac1\"\n description = \"Detects the supply chain attack infected versions of the 3CX Desktop App.\\nThe 3CX Desktop App, a popular VoIP solution, was targeted in a supply chain attack. The malicious software embedded within the legitimate application is designed to harvest browser credentials and exfiltrate them to a remote, attacker-controlled server.\"\n references = \"https://www.trendmicro.com/de_de/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\"\n date = \"2023-03-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1102;attack.exfiltration;attack.t1567;attack.credential_access;attack.t1539\"\n classification = \"Windows.Malware.3CXSupplyChainAttack\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 4e8cbfd24b11b36a89138736401da17db984c59096098e3cacd95c29b40f4942\n\n $inmem_str_1 = \"ChainingModeGCM\" fullword wide\n $inmem_str_2 = \"ChainingMode\" fullword wide\n\n $inmem_str_3 = \"https://raw.githubusercontent.com/IconStorages/images/main/icon%d.ico\" fullword wide\n $inmem_str_4 = \"https://github.com/IconStorages/images\" wide\n\n condition:\n 3 of ($inmem_str_*)\n}\n", "rule_count": 1, "rule_names": [ "supply_chain_attack_3cx" ], "rule_creation_date": "2023-03-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.3CXSupplyChainAttack" ], "rule_tactic_tags": [ "attack.command_and_control", 
"attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567", "attack.t1539", "attack.t1102" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-acidbox_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578036Z", "creation_date": "2026-03-23T11:46:25.578038Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578044Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" ], "name": "acidbox_driver.yar", "content": "rule acidbox_driver {\n meta:\n title = \"AcidBox Windows Driver\"\n id = \"5a3aafcf-0eb8-42f4-bdf0-93d09d45fa7f\"\n description = \"Detects the AcidBox malware's kernel driver.\\nAcidBox is a malware developed by the Turla APT.\\nIt features an unsigned kernel mode driver loaded using CVE-2008-3431 and acts as a rootkit.\"\n references = \"https://unit42.paloaltonetworks.com/acidbox-rare-malware/\"\n date = \"2022-11-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.persistence;attack.t1547;attack.privilege_escalation;attack.t1543;attack.t1055.001;attack.t1068;attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Malware.AcidBox\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 3ef071e0327e7014dd374d96bed023e6c434df6f98cce88a1e7335a667f6749d\n\n $critical_1 = \"\\\\DosDevices\\\\PCIXA_CFGDEV\" fullword wide\n $critical_2 = \"\\\\Device\\\\PCIXA_CFG\" fullword wide\n $critical_3 = \"PCIXA_Cfg.sys\" fullword wide\n\n // Shellcode decryption\n $op1 = {\n 41 8B CB // mov ecx, r11d\n 48 C1 E1 02 // shl rcx, 2\n 41 8B C0 // mov eax, r8d\n 48 2B C8 // sub rcx, rax\n 8B 04 19 // mov eax, [rcx+rbx]\n 43 8B 0C DF // mov ecx, [r15+r11*8]\n 33 C8 // xor ecx, eax\n 43 23 4C DF 04 // and ecx, [r15+r11*8+4]\n 89 ?? 24 04 // mov [rsp+28h+var_24], ecx\n 75 0A // jnz short loc_1159B\n FF C7 // inc edi\n 89 ?? 24 // mov [rsp+28h+var_28], edi\n 41 FF C3 // inc r11d\n }\n\n $op2 = {\n 8B C2 // mov eax, edx\n D1 E8 // shr eax, 1\n 44 3B C8 // cmp r9d, eax\n 0F 82 ?? ?? ?? ?? // jb loc_115CE\n 44 8B CA // mov r9d, edx\n 41 C1 E9 03 // shr r9d, 3\n 45 85 C9 // test r9d, r9d\n 0F 84 ?? ?? ?? ?? // jz loc_115CE\n F6 C2 07 // test dl, 7\n 0F 85 ?? ?? ?? ?? 
// jnz loc_115CE\n }\n\n $byte_marker_1 = { DE AD BA FA }\n $byte_marker_2 = { DE AD BE EF }\n $byte_marker_3 = { DE AD FE ED }\n condition:\n 1 of ($critical_*) or (1 of ($op*) and all of ($byte_marker_*))\n}\n", "rule_count": 1, "rule_names": [ "acidbox_driver" ], "rule_creation_date": "2022-11-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.AcidBox" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1055.001", "attack.t1547", "attack.t1068", "attack.t1543" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-acr_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572500Z", "creation_date": "2026-03-23T11:46:25.572502Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572507Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer\nhttps://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/" ], "name": "acr_stealer.yar", "content": "rule acr_stealer {\n meta:\n title = \"ACR Stealer\"\n id = \"1da93d4d-1d95-4d1b-a913-052fe830d1ea\"\n description = \"Detects the ACR Stealer, a Windows-based information stealer known for exfiltrating browser credentials, cryptocurrency wallets, and other sensitive user data.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer\\nhttps://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/\"\n date = \"2025-06-17\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1074.001;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Stealer.ACRStealer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 35eb93548a0c037d392f870c05e0e9fb1aeff3a5a505e1d4a087f7465ed1f6af\n // 632f198d9c0795f326f090d7db23b8ad540f0ad5f86d40a1a3e9ea36a38ad1fa\n // 875b30f812f6bd3e039698bfeb9e9e0363ebd970b8bd6377892e32df9dde3f70\n // a3a82185ebbd3e415f562501a094b45f4823bdbcec659d9efcaf5f031fa6c0e3\n // eabaa53d09f1114bde48800235cc78a69f210eeb4ce9d4e8a302df0499fd0db0\n\n $s1 = \"/ujs/\" ascii fullword\n $s2 = \"/Up/f\" ascii fullword\n $s3 = \"\\\\Err.txt\" ascii fullword\n $s4 = \"app_bound_encrypted_key\" ascii fullword\n $s5 = \"g/screen/screen.bmp\" ascii fullword\n $s6 = \"SOFTWARE\\\\WOW6432Node\\\\Valve\\\\Steam\" ascii fullword\n $s7 = \"o/41/tokens.txt\" ascii fullword\n\n $error1 = \"Error: no user32.dll\" ascii fullword\n 
$error2 = \"Error: no GetSystemMetrics\" ascii fullword\n\n $x1 = {\n 55 // push ebp\n 8B EC // mov ebp, esp\n 83 EC 0C // sub esp, 0Ch\n C7 45 FC 34 77 34 77 // mov [ebp+var_4], 77347734h\n\n // loc_40636D:\n 8B 45 08 // mov eax, [ebp+arg_0]\n 0F B6 08 // movzx ecx, byte ptr [eax]\n 89 4D F8 // mov [ebp+var_8], ecx\n 8B 55 F8 // mov edx, [ebp+var_8]\n 89 55 F4 // mov [ebp+var_C], edx\n 8B 45 08 // mov eax, [ebp+arg_0]\n 83 C0 01 // add eax, 1\n }\n\n $x2 = {\n 55 // push ebp\n 8B EC // mov ebp, esp\n 51 // push ecx\n 0F B6 45 08 // movzx eax, [ebp+arg_0]\n 83 F8 30 // cmp eax, 30h\n 7C 09 // jl short loc_40FF36\n 0F B6 4D 08 // movzx ecx, [ebp+arg_0]\n 83 F9 39 // cmp ecx, 39h\n 7E 3F // jle short loc_40FF75\n }\n\n condition:\n all of ($s*) or\n (all of ($error*) and 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "acr_stealer" ], "rule_creation_date": "2025-06-17", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.ACRStealer" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1074.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-adaptixc2_75d63c302afd_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567003Z", "creation_date": "2026-03-23T11:46:25.567005Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567011Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Adaptix-Framework/AdaptixC2" ], "name": "adaptixc2_75d63c302afd.yar", "content": "rule adaptix_c2_75d63c302afd {\n meta:\n title = \"AdaptixC2 Agent (75d63c302afd)\"\n id = \"d643e044-2a53-47bb-a34b-75d63c302afd\"\n description = \"Detects AdaptixC2 agent. AdaptixC2 is an open source post-exploitation and command and control (C2) framework used for adversary simulation.\\nThis rule identifies malicious components by detecting API hashing resolution, the BOF (Beacon Object File) loading mechanism, and the communication encryption key generation.\\nIt applies to all payload formats generated by the framework, including executables, DLLs, services, and shellcode.\"\n references = \"https://github.com/Adaptix-Framework/AdaptixC2\"\n date = \"2025-08-12\"\n modified = \"2025-08-28\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012;attack.t1027.007\"\n classification = \"Windows.Framework.AdaptixC2\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 236be6f28943aaecd77f74e7fa186b3d64e8d805bc580f689fc3b8443c217f21\n // ad96a3dab7f201dd7c9938dcf70d6921849f92c1a20a84a28b28d11f40f0fb06\n // 74b02d558a1118843d5d9cad67a90d68244096c6eef64329e57572e027aaf5b7\n $api_resolution = {\n e8 ?? ?? ?? ?? 
// call GetModuleAddress\n 48 89 45 f8 // mov [rbp-0x8], rax\n 48 8b 45 f8 // mov rax, [rbp-0x8]\n ba 7a 14 ff ae // mov edx, 0xaeff147a\n 48 89 c1 // mov rcx, rax\n e8 ?? ?? ?? ?? // call GetSymbolAddress\n 48 89 45 f0 // mov [rbp-0x10], rax\n 48 8b 45 f0 // mov rax, [rbp-0x10]\n ba 30 00 00 00 // mov edx, 0x30\n b9 40 00 00 00 // mov ecx, 0x40\n ff d0 // call rax\n }\n\n $alloc_pattern = {\n b9 18 00 00 00 // mov ecx, 0x18 (allocation size)\n e8 ?? ?? ?? ?? // call MemAllocLocal\n 48 8b 15 ?? ?? ?? ?? // mov rdx, qword [rel data]\n 48 89 02 // mov qword [rdx], rax\n }\n\n $packer_init = {\n 48 89 01 // mov qword [rcx], rax (size)\n 48 89 51 08 // mov qword [rcx+0x8], rdx (buffer)\n 8b 44 24 30 // mov eax, dword [rsp+0x30]\n 89 41 10 // mov dword [rcx+0x10], eax (index)\n }\n\n condition:\n 2 of them\n}\n", "rule_count": 1, "rule_names": [ "adaptix_c2_75d63c302afd" ], "rule_creation_date": "2025-08-12", "rule_modified_date": "2025-08-28", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.AdaptixC2" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1027.007", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-agent_tesla_stealer_v3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.582495Z", "creation_date": "2026-03-23T11:46:25.582497Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582507Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\nhttps://attack.mitre.org/software/S0331/" ], "name": "agent_tesla_stealer_v3.yar", "content": "rule agent_tesla_v3 {\n meta:\n title = \"Agent Tesla Stealer v3\"\n id = \"d9ce35d1-7e53-4d5f-b144-fbb75417cfba\"\n description = \"Detects AgentTesla, a Malware-as-a-Service RAT available for purchase in hacker forums.\\nAgent Tesla is a sophisticated credential stealer commonly used in cyberattacks.\\nIt is primarily distributed through phishing emails and exhibits capabilities such as keylogging, screen capturing, form-grabbing, and credential theft. 
The malware can inject itself into legitimate processes and create services or scheduled tasks to maintain persistence on the infected system.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\\nhttps://attack.mitre.org/software/S0331/\"\n date = \"2024-03-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0331;attack.credential_access;attack.t1555;attack.exfiltration;attack.t1048.003;attack.defense_evasion;attack.t1564.001\"\n classification = \"Windows.Stealer.AgentTesla\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e5eea4a3f574b6850589bd1ed44ecb124d7333cb6c3f877ad868389acec05887\n // b86a5b34eba05b9bfd389c6d82dbd58e31a45cfcd8bd13884ed98e1b1a7d8ba8\n\n $s1 = \"{CAPSLOCK}\" wide fullword\n $s2 = \"

Copied Text:
\" wide fullword\n $s3 = \"wow_logins\" wide fullword\n $s4 = \" -convert xml1 -s -o \\\"\" wide fullword\n $s5 = \"startProfile=([A-z0-9\\\\/\\\\.\\\\\\\"]+)\" wide fullword\n $s6 = \"master_passphrase_salt=(.+)\" wide fullword\n $s7 = \"\\\\passwordstorerc\" wide fullword\n $s8 = \"{(.*),(.*)}(.*)\" wide fullword\n $s9 = \".*\\\"username\\\":\\\"(.*?)\\\"\" wide fullword\n $s10 = \"
Computer Name:\" wide fullword\n\n condition:\n 5 of them\n}\n", "rule_count": 1, "rule_names": [ "agent_tesla_v3" ], "rule_creation_date": "2024-03-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.AgentTesla" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1555", "attack.t1048.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-agent_tesla_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572720Z", "creation_date": "2026-03-23T11:46:25.572722Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572727Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\nhttps://attack.mitre.org/software/S0331/" ], "name": "agent_tesla_stealer.yar", "content": "import \"pe\"\nimport \"math\"\nimport \"dotnet\"\n\nrule agent_tesla {\n meta:\n title = \"Agent Tesla Stealer\"\n id = \"464b1797-1ea4-48cc-89c7-6ad4b79fd826\"\n 
description = \"Detects the Agent Tesla Stealer, a Malware-as-a-Service RAT available for purchase in hacker forums.\\nAgent Tesla is primarily delivered through phishing emails and has capabilities such as keylogging, screen capture, form-grabbing, credential stealing, and more.\\nIt can inject itself into other processes and establish persistence through services or scheduled tasks.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\\nhttps://attack.mitre.org/software/S0331/\"\n date = \"2023-11-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0331;attack.credential_access;attack.t1555;attack.exfiltration;attack.t1048.003;attack.defense_evasion;attack.t1564.001\"\n classification = \"Windows.Stealer.AgentTesla\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ee226ec9420fd022ce8bf7752432ab32cdfbb6ce7c03d2d96618c67bf4bace08\n // 91499b570a98b7fd30a72d921d5bba82bd96918f8ce06532de3ca2362e1d5c35\n // 16a5368c8befb46e2e872d1fb695f1a9372b8e2db4c8549f14603745a61e034f\n // 5e01a8249a8b5d677764e8390abb59bc59656149668951dcee38442d03b61935\n // ff8a874ebfa745cd5b0103f9ad7be9dcb49760c5820d542f8fe53a92ca7db411\n // 51b487c92f5e52dc485cb8971b4725ed6a475e2ace51946e3cc113863067ef13\n // 10f79a0bcff0aa1bd3c2ee942bb6894627ad897317413a354df70b50f4e0f56e\n // af6fe603f93c415dd49f79d49bebb51dbece4997941f97455f025d4b43bf95de\n // 6d1850fe5869d9797504f883e887dc5ad0652251d9b3038e8461187cf8e58f0c\n // d6e5f1e82e5820ce9515c472dc1b475389d729071c69b076331c5e9f0f8520d4\n\n $bmp1 = \"System.Drawing.Bitmap\" ascii\n $png1 = \"PNG\" ascii\n $png2 = \"IHDR\" ascii\n\n $assembly_ref1 = \"System.Drawing\" ascii fullword\n $assembly_ref2 = \"System.Core\" ascii fullword\n $assembly_ref3 = \"System.Windows.Forms\" ascii 
fullword\n\n condition:\n dotnet.is_dotnet and\n for any resource in dotnet.resources: (\n resource.length > 520000 and resource.length < 590000\n and $bmp1 in (resource.offset..(resource.offset + resource.length))\n and $png1 in (resource.offset..(resource.offset + resource.length))\n and $png2 in (resource.offset..(resource.offset + resource.length))\n and math.entropy(resource.offset, resource.length) > 7.99\n )\n and math.entropy(pe.sections[pe.section_index(\".text\")].raw_data_offset, pe.sections[pe.section_index(\".text\")].raw_data_size) > 6.8\n and all of ($assembly_ref*)\n}\n", "rule_count": 1, "rule_names": [ "agent_tesla" ], "rule_creation_date": "2023-11-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.AgentTesla" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1555", "attack.t1048.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amadey_6bded4fda014_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574523Z", "creation_date": "2026-03-23T11:46:25.574525Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.574530Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey\nhttps://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/" ], "name": "amadey_6bded4fda014.yar", "content": "rule amadey_bot_6bded4fda014 {\n meta:\n title = \"AmadeyBot (6bded4fda014)\"\n id = \"3a1dfe23-9bf2-4579-9bcf-6bded4fda014\"\n description = \"Detects AmadeyBot agents by detecting their string substitution cipher used in 2024 campaigns.\\nAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \\\"tasks\\\") for all or specifically targeted computers compromised by the malware.\\nThis agent is usually the one that is regularly executed for persistence via a Scheduled Task.\\nIt is recommended to identify the source of the process' execution to eliminate persistence and to terminate any suspicious processes.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey\\nhttps://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/\"\n date = \"2025-03-24\"\n modified = \"2025-03-31\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Malware.Amadey\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // 
Detection for these samples:\n // 18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6\n // f4b82a4025f3b706df554e85b50a6e6be1175fb224e11475c9e7c5c0522031ce\n // 7e88a7c92acd7c028befff6e42c7a631fa369f2f436322241e682771cbc26f5d\n // 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d\n\n $string_buf_prep = {\n 57 // push edi {var_20_1}\n 0F BE C8 // movsx ecx, al\n 51 // push ecx {var_24_1}\n 53 // push ebx {var_28_1}\n 89 7E 10 // mov dword [esi+0x10], edi\n E8 [4] // call _memset\n 83 C4 ?? // add esp, 0xc\n C6 04 1F 00 // mov byte [edi+ebx], 0x0\n 8B C6 // mov eax, esi\n 5F // pop edi {__saved_edi}\n 5E // pop esi {__saved_esi}\n 5B // pop ebx {__saved_ebx}\n 8B E5 // mov esp, ebp\n 5D // pop ebp {__saved_ebp}\n C2 // retn 0x8 {__return_addr}\n }\n\n $subst_cipher = {\n 0F 43 [5] // cmovae eax, dword [char_mapping]\n 83 [3] // cmp dword [esi+0x14], 0x10\n 7? ?? // jb 0x405a34\n 8B 3E // mov edi, dword [esi]\n 8A 04 02 // mov al, byte [edx+eax]\n 88 04 0F // mov byte [edi+ecx], al\n 41 // inc ecx\n 8B [2] // mov edi, dword [ebp-0x4 {var_8}]\n 8D 42 01 // lea eax, [edx+0x1]\n 3B CB // cmp ecx, ebx\n 7? ?? 
// jl 0x405a10\n }\n\n condition:\n $string_buf_prep and $subst_cipher\n}\n", "rule_count": 1, "rule_names": [ "amadey_bot_6bded4fda014" ], "rule_creation_date": "2025-03-24", "rule_modified_date": "2025-03-31", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Amadey" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amadey_ae516d1279bf_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574555Z", "creation_date": "2026-03-23T11:46:25.574557Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574562Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey\nhttps://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/" ], "name": "amadey_ae516d1279bf.yar", "content": "rule 
amadey_bot_ae516d1279bf {\n meta:\n title = \"AmadeyBot (ae516d1279bf)\"\n id = \"2809805c-f9b3-482c-a295-ae516d1279bf\"\n description = \"Detects AmadeyBot agents by detecting the general pattern in the malware's initial setup; creating a mutex and decrypting strings, followed by \\\"CreateThread\\\" calls for polling, then a continuous 30 second \\\"Sleep\\\" call on the main thread.\\nAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called \\\"tasks\\\") for all or specifically targeted computers compromised by the malware.\\nThis agent is usually the one that is regularly executed for persistence via a Scheduled Task.\\nIt is recommended to identify the source of the process' execution to eliminate persistence and to terminate any suspicious processes.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey\\nhttps://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/\"\n date = \"2025-03-24\"\n modified = \"2025-03-31\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Malware.Amadey\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6\n // 517422af0bb3ad483144aaf489017311678f4af7cec58f5dafe68a0db9bd5952\n\n $start_function = {\n (56 | FF D6) // push esi {var_c} | call esi\n 6A 00 // push 0x0 {var_10}\n 6A 00 // push 0x0 
{var_14}\n 6A 00 // push 0x0 {var_18}\n 68 [4] // push third_thread {var_1c}\n 6A 00 // push 0x0 {var_20}\n 6A 00 // push 0x0 {var_24}\n FF [1-5] // call esi | call dword [CreateThread]\n 8B 35 [4] // mov esi, dword [Sleep]\n\n [0-4] // nop dword [eax]\n\n 68 30 75 00 00 // push 0x7530 {var_10} ; Sleep for 30s\n FF D6 // call esi\n EB ?? // jmp 0x41a520 ; while true\n\n CC CC CC CC CC CC CC // MSVS Compiler function padding\n\n // 0041a530 void start_threads() __noreturn\n 55 // push ebp {var_4}\n 8B EC // mov ebp, esp {var_4}\n 83 E4 F8 // and esp, 0xfffffff8\n E8 [4] // call create_mutex\n B9 01 00 00 00 // mov ecx, 0x1\n E8 [4] // call sub_40e410\n E8 [4] // call sub_40eca0\n E8 [4] // call sub_416f40\n E8 [4] // call sub_4060b0\n E9 // jmp 0x41a4e0\n }\n\n condition:\n $start_function\n}\n", "rule_count": 1, "rule_names": [ "amadey_bot_ae516d1279bf" ], "rule_creation_date": "2025-03-24", "rule_modified_date": "2025-03-31", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Amadey" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amatera_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "weak", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583602Z", "creation_date": "2026-03-23T11:46:25.583604Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583610Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "weak", "rule_confidence_override": null, "references": [ "https://x.com/solostalking/status/1907320756595220710" ], "name": "amatera_stealer.yar", "content": "rule amatera_stealer {\n meta:\n title = \"Amatera Stealer\"\n id = \"b898dab1-afcf-4536-acca-0ba6bd5d24cc\"\n description = \"Detects Amatera, a Malware-as-a-Service stealer available for purchase in hacker forums.\\nAmatera stealer is a new credential stealer used in cyberattacks.\\nIt exhibits anti-analysis behavior such as virtualization environment detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://x.com/solostalking/status/1907320756595220710\"\n date = \"2025-06-02\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555;attack.exfiltration;attack.defense_evasion\"\n classification = \"Windows.Stealer.Amatera\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"weak\"\n strings:\n // Detection for this sample:\n // fa3c4166e792a74c179c401745390f79ebfa203be63c8d107abaa1b2585b67d9\n\n $str00 = \"CheckRemoteDebuggerPresent\"\n $str01 = \"VirtualBox\"\n $str02 = \"VMware\"\n $str03 = \"QEMU\"\n $str04 = \"Hyper-V\"\n $str05 = \"BIOSVendor\"\n $str06 = \"HARDWARE\\\\DESCRIPTION\\\\System\\\\BIOS\"\n $str07 = \"/core/createSession\"\n $str08 = \"/core/sendPart\"\n $str09 = \"%appdata%\\\\Telegram Desktop\\\\tdata\" wide\n condition:\n 9 of ($str*)\n}", "rule_count": 1, "rule_names": [ "amatera_stealer" ], "rule_creation_date": 
"2025-06-02", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Amatera" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1555" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amos_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575352Z", "creation_date": "2026-03-23T11:46:25.575354Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575360Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates\nhttps://blog.kandji.io/amos-macos-stealer-analysis" ], "name": "amos_stealer.yar", "content": "rule amos_stealer {\n meta:\n title = \"AMOS Stealer\"\n id = \"9a0c7421-0691-4e17-8dfc-dd143cbf2835\"\n description = \"Detects AMOS Stealer, also known as Atomic Stealer, first seen in early 2023.\\nThis stealer targets Apple users by distributing fake 
browser update pop-ups, tricking them into installing the infostealer on their Macs.\\nAMOS can exfiltrate a wide range of sensitive data, including keychain passwords, user documents, system information, cookies, browser data, credit card details, cryptocurrency wallets, and more.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos\\nhttps://www.malwarebytes.com/blog/threat-intelligence/2023/11/atomic-stealer-distributed-to-mac-users-via-fake-browser-updates\\nhttps://blog.kandji.io/amos-macos-stealer-analysis\"\n date = \"2024-03-05\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.t1217;attack.execution;attack.t1059.002;attack.collection;attack.t1056.002;attack.credential_access;attack.t1555.003\"\n classification = \"MacOS.Stealer.Amos\"\n context = \"process,memory,file.macho\"\n os = \"MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c579574973b9d47adc6be38027972ca585bbf08d1f27cdafc3d3df22a944eedd\n // 6379fc90b0fafcd003db83735181905ad71e7cea3d9e1808ac6183fbb46e5f0b\n // 9eab45c146b233c46ffd1f3541b4bb89352b1769dc444dcc320f1f69afc0cd6e\n // c27f5d8ab85120fd63b9bc3817f855b3fd47f05b115da829cb700b4da6c49eff\n\n $s1 = \"ditto -c -k --sequesterRsrc --keepParent\" ascii fullword\n $s2 = \"/Sysinfo.txt\" ascii fullword\n $s3 = \"=== Graphics Info ===\" ascii fullword\n $s4 = \"dscl /Local/Default -authonly \" ascii fullword\n $s5 = \"security 2>&1 > /dev/null find-generic-password -ga 'Chrome' | awk '{print $2}'\" ascii fullword\n $s6 = \"set srcFiles to every file of desktopFolder whose name extension is in {\\\"txt\\\", \\\"rtf\\\", \\\"doc\\\", \\\"docx\\\", \\\"xls\\\", \\\"key\\\", \\\"wallet\\\", \\\"jpg\\\", \\\"png\\\", \\\"web3\\\", \\\"dat\\\"}\" ascii fullword\n $s7 = \"Binance Chain Wallet\" ascii fullword\n\n $t1 = \"osascript -e '\" ascii fullword\n $t2 = 
\"6f7361736372697074202d65202774656c6c206170706c69636174696f6e20225465726d696e616c2220746f20636c6f73652066697273742077696e646f772720262065786974\" ascii fullword\n\n $xor = {\n 48 83 F8 ?? // cmp rax, 3\n 74 12 // jz short loc_100005672\n 8A 8D ?? ?? FF FF // mov cl, [rbp+var_120]\n 30 8C 05 ?? ?? FF FF // xor [rbp+rax+var_120], cl\n 48 FF C0 // inc rax\n EB E8 // jmp short loc_10000565A\n }\n\n $strtol_x64 = {\n 4C 89 FF // mov rdi, r15 ; __str\n 31 F6 // xor esi, esi ; __endptr\n BA 10 00 00 00 // mov edx, 10h ; __base\n E8 ?? ?? ?? 00 // call _strtol\n 41 88 45 00 // mov [r13+0], al\n 48 83 C3 02 // add rbx, 2\n 49 83 C5 01 // add r13, 1\n 48 81 FB 8C 00 00 00 // cmp rbx, 8Ch\n }\n\n $strtol_arm = {\n 01 00 80 D2 // MOV X1, #0 ; __endptr\n 02 02 80 52 // MOV W2, #0x10 ; __base\n ?? ?? 00 94 // BL _strtol\n C0 16 00 38 // STRB W0, [X22],#1\n 88 0A 00 91 // ADD X8, X20, #2\n 9F 32 02 F1 // CMP X20, #0x8C\n F4 03 08 AA // MOV X20, X8\n }\n\n condition:\n 5 of ($s*) or\n all of ($t*) or\n #xor > 80 or\n 1 of ($strtol_*)\n}\n", "rule_count": 1, "rule_names": [ "amos_stealer" ], "rule_creation_date": "2024-03-05", "rule_modified_date": "2025-03-12", "rule_os": [ "macos" ], "rule_classifications": [ "MacOS.Stealer.Amos" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.discovery", "attack.execution" ], "rule_technique_tags": [ "attack.t1056.002", "attack.t1555.003", "attack.t1059.002", "attack.t1082", "attack.t1217" ], "rule_score": 100, "rule_context": [ "memory", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amsi_bypass_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571623Z", "creation_date": "2026-03-23T11:46:25.571625Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571631Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "amsi_bypass.yar", "content": "rule amsi_bypass_x64 {\n meta:\n title = \"AMSI Bypass Generic Tool\"\n id = \"36d180f2-8dc2-45a7-b1b0-07208afbcfc8\"\n description = \"Detects a generic method used to bypass the Windows Anti Malware Scanning Interface (AMSI).\\nThis rule identifies a common technique used to evade AMSI detection by searching for specific signatures in memory. 
The bypass method involves a search loop that looks for AMSI-related identifiers and attempts to avoid detection by modifying or obfuscating its presence.\\nThis technique can be part of various malicious activities aimed at subverting antivirus and endpoint protection mechanisms.\\nIt is recommended to investigate for additional signs of malicious behavior on the host.\"\n references = \"Internal Research\"\n author = \"HarfangLab\"\n date = \"2021-03-29\"\n modified = \"2025-03-06\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1562.006\"\n classification = \"Windows.Generic.AMSIBypass\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $amsi_bypass_search_loop = {\n // amsi_bypass_search_signature:\n 81 39 41 4D 53 49 // cmp dword ptr [rcx], 0x49534d41\n 74 11 // je found_amsi_signature\n 48 FF C1 // inc rcx\n 48 8D 04 0A // lea rax, [rdx + rcx]\n 48 3D 00 01 00 00 // cmp rax, 0x100\n 7C E9 // jl amsi_bypass_search_signature\n EB 0? 
// jmp 0x0X\n // found_amsi_signature:\n // ...\n }\n\n $s1 = \"AmsiBypass.pdb\" ascii\n $s2 = \"AmsiBypass\" ascii wide\n $s3 = \"AmsiScanBuffer\" ascii wide\n\n condition:\n $amsi_bypass_search_loop or (all of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "amsi_bypass_x64" ], "rule_creation_date": "2021-03-29", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.AMSIBypass" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1562.006" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-amsi_reaper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588347Z", "creation_date": "2026-03-23T11:46:25.588349Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588355Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/h0ru/AMSI-Reaper/\nhttps://attack.mitre.org/techniques/T1562/004/" ], "name": "amsi_reaper.yar", "content": "rule amsi_reaper {\n meta:\n title = \"AMSI Reaper HackTool\"\n id = \"522f24a4-61f9-4674-985d-057910ebf35c\"\n description = \"Detects 
the AMSI Reaper tool.\\nAMSI Reaper prevents Windows AMSI from scanning specified processes by patching the address of the AmsiOpenSession function in amsi.dll.\\nIt is recommended to investigate for suspicious activities around this alert.\"\n references = \"https://github.com/h0ru/AMSI-Reaper/\\nhttps://attack.mitre.org/techniques/T1562/004/\"\n date = \"2024-02-06\"\n modified = \"2025-11-24\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1562.006\"\n classification = \"Windows.HackTool.AMSIReaper\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9dc0204abf0679322e9aca39dcb3d5ea6f216c293b964aaa09b8d3206b8cd312\n\n $s_gen_1 = \"amsi.dll\" wide fullword\n $s_gen_2 = \"AmsiOpenSession\" wide fullword\n $s_gen_3 = \"powershell\" wide fullword\n\n $s_fatal_1 = \"AMSI-Reaper\" wide\n $s_fatal_2 = \"AMSI-Reaper\" ascii\n $s_fatal_3 = \"[!] Injection process PowerShell with PID:\" wide\n $s_fatal_4 = \"ModAMSI\" ascii fullword\n $s_fatal_5 = \"PatchAllPowershells\" ascii fullword\n\n // AMSIReaper.OpenProcess(56, false, (int)processId);\n $open_process = {\n 1F38 // ldc.i4.s 56\n 16 // ldc.i4.0\n 02 // ldarg.0\n 28 // call native int AMSIReaper::OpenProcess(int32, bool, int32)\n }\n\n condition:\n all of ($s_gen_*) and $open_process and 1 of ($s_fatal_*)\n}\n", "rule_count": 1, "rule_names": [ "amsi_reaper" ], "rule_creation_date": "2024-02-06", "rule_modified_date": "2025-11-24", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.AMSIReaper" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1562.006" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-apt29_string_decryption_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569585Z", "creation_date": "2026-03-23T11:46:25.569587Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569592Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://live.paloaltonetworks.com/t5/blogs/diplomats-beware-cloaked-ursa-phishing-with-a-twist/ba-p/549960\nhttps://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing" ], "name": "apt29_string_decryption.yar", "content": "rule apt29_string_decryption {\n meta:\n title = \"APT29 String Decryption\"\n id = \"1a004524-5257-45de-aff4-f6681cd6321c\"\n description = \"Detects the string encryption algorithms used by APT29 in its final payload.\\nThe final payload is injected inside a remote process like sihost.exe.\\nThis pattern was observed in 2023 during a campaign targeting diplomatic missions globally as part of the Turkey Campaign.\\nThe initial access vector for this activity is typically a phishing lure.\"\n references = \"https://live.paloaltonetworks.com/t5/blogs/diplomats-beware-cloaked-ursa-phishing-with-a-twist/ba-p/549960\\nhttps://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing\"\n date = \"2023-10-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.execution;attack.t1204.002;attack.defense_evasion;attack.t1140;attack.t1055;attack.command_and_control;attack.t1102\"\n classification = \"Windows.Backdoor.APT29\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // bbf9f384a56a1108eaf820ef5bfed7cfbabc102e493f5b022b4931b57c72351a\n\n $decrypt_string = {\n 41 8A (C8|C9) // mov cl, r9b\n (80 E1 07|4? 22 C?) // and cl, 7\n // and cl, sil\n C0 E1 03 // shl cl, 3\n 4? 8B C? // mov r8, rbx\n (48|49) D3 E8 // shr r8, cl\n 4? 30 04 (01|08) // xor [r9+rax], r8b\n 4D 03 C? // add r9, r12\n 49 83 (F8|F9) ?? // cmp r9, 9\n 72 E4 // jb short loc_41F79\n }\n\n condition:\n #decrypt_string > 50\n}\n", "rule_count": 1, "rule_names": [ "apt29_string_decryption" ], "rule_creation_date": "2023-10-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.APT29" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1140", "attack.t1204.002", "attack.t1102", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-arkanix_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.589188Z", "creation_date": "2026-03-23T11:46:25.589190Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589196Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer\nhttps://www.esecurityplanet.com/threats/rapidly-evolving-arkanix-stealer-hits-credentials-and-wallets/" ], "name": "arkanix.yar", "content": "rule arkanix {\n meta:\n title = \"Arkanix Stealer\"\n id = \"839c6151-dac0-47e7-a7c1-97286a758b3d\"\n description = \"Detects Arkanix Stealer, an evolving C++ information-stealing malware used to collect sensitive data and credentials from infected hosts.\\nIt is recommended to investigate the context around this alert for signs of credential theft and data exfiltration.\"\n references = \"https://www.gdatasoftware.com/blog/2025/12/38306-arkanix-stealer\\nhttps://www.esecurityplanet.com/threats/rapidly-evolving-arkanix-stealer-hits-credentials-and-wallets/\"\n date = \"2025-12-18\"\n modified = \"2026-02-03\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1204.002;attack.execution;attack.t1059.006;attack.credential_access;attack.t1555;attack.t1555.003;attack.collection;attack.exfiltration\"\n classification = \"Windows.Stealer.Arkanix\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1a0844e0227dda3691d13bbf9233a64ac67d5ba828563725d857259686b219d4\n // 414d7ec11ad5ad3735640aa48c44fe4a55dc2c2d553a9d9b1a84f79eb1f0b54d\n // c76968927c96de27766d5f91520d41c1640f475fc4ee57539d39786b15105eb9\n\n $stub_extract_wifi_info = {\n 0F 57 C0 // xorps xmm0, xmm0\n 0F 11 01 // movups xmmword ptr [rcx], xmm0\n 45 33 ED // xor r13d, r13d\n 4C 89 29 // mov [rcx], 
r13\n 4C 89 69 08 // mov [rcx+8], r13\n 4C 89 69 10 // mov [rcx+10h], r13\n 45 8D 65 01 // lea r12d, [r13+1]\n 44 89 64 24 40 // mov [rsp+340h+var_300], r12d\n 4C 89 AD [4] // mov [rbp+240h+phClientHandle], r13\n 44 89 AD [4] // mov [rbp+240h+pdwNegotiatedVersion], r13d\n 4C 8D 8D [4] // lea r9, [rbp+240h+phClientHandle] ; phClientHandle\n 4C 8D 85 [4] // lea r8, [rbp+240h+pdwNegotiatedVersion] ; pdwNegotiatedVersion\n 33 D2 // xor edx, edx ; pReserved\n 8D 4A 02 // lea ecx, [rdx+2] ; dwClientVersion\n }\n\n $stub_wifi_get_profile = {\n 48 69 C8 04 02 00 00 // imul rcx, rax, 204h\n 4C 8D 42 08 // lea r8, [rdx+8]\n 4C 03 C1 // add r8, rcx ; strProfileName\n 48 8D 85 [4] // lea rax, [rbp+240h+var_DC]\n 48 89 44 [2] // mov [rsp+340h+pdwGrantedAccess], rax ; pdwGrantedAccess\n 48 8D 85 [4] // lea rax, [rbp+240h+var_D8]\n 48 89 44 [2] // mov [rsp+340h+pdwFlags], rax ; pdwFlags\n 48 8D 85 [4] // lea rax, [rbp+240h+var_158]\n 48 89 44 [2] // mov [rsp+340h+pstrProfileXml], rax ; pstrProfileXml\n 45 33 C9 // xor r9d, r9d ; pReserved\n 48 8B D7 // mov rdx, rdi ; pInterfaceGuid\n 48 8B 8D // mov rcx, [rbp+240h+phClientHandle] ; hClientHandle\n }\n\n $stub_extract_password_wifi = {\n 48 83 C2 20 // add rdx, 20h ; ' '\n 48 03 D7 // add rdx, rdi\n 4C 8B 42 10 // mov r8, [rdx+10h]\n 4C 39 7A 18 // cmp [rdx+18h], r15\n 76 03 // jbe short loc_14009C4BA\n 48 8B 12 // mov rdx, [rdx]\n 48 8B C8 // mov rcx, rax\n }\n\n $stub_extract_ssid_wifi = {\n 48 8B FB // mov rdi, rbx\n 48 C1 E7 07 // shl rdi, 7\n 48 8B [4-6] // mov rdx, qword ptr [rsp+0C58h+wifi_info_extracted]\n 48 03 D7 // add rdx, rdi\n 4C 8B 42 10 // mov r8, [rdx+10h]\n 4C 39 7A 18 // cmp [rdx+18h], r15\n 76 03 // jbe short loc_14009C487\n 48 8B 12 // mov rdx, [rdx]\n 48 8B C8 // mov rcx, rax\n }\n\n\n $stub_encrypt_string = {\n 8A C1 // mov al, cl\n 42 32 84 21 [4] // xor al, [rcx+r12+127178h]\n 32 C2 // xor al, dl\n 88 44 0C 68 // mov byte ptr [rsp+rcx+578h+var_510], al\n 48 FF C1 // inc rcx\n 48 83 F9 09 // cmp rcx, 9\n 73 
06 // jnb short loc_1400B567F\n }\n\n $str_00 = \"C:\\\\ArkanixData\" ascii fullword\n $str_01 = \"ARKANIX STEALER - BROWSER PASSWORDS\" ascii fullword\n $str_02 = \"ARKANIX STEALER - BROWSER COOKIES\" ascii fullword\n $str_03 = \"ARKANIX STEALER - BROWSER AUTOFILL DATA\" ascii fullword\n $str_04 = \"ARKANIX STEALER - CREDIT CARDS\" ascii fullword\n $str_05 = \"arkanix_secret_key_\" ascii fullword\n $str_06 = \"ArkanixStealer/1.0\" ascii fullword\n $str_07 = \"ARKANIX STEALER - SYSTEM INFORMATION\" ascii fullword\n $str_08 = \"ArkanixStealer/2.0\" ascii fullword\n $str_09 = \"arkanix_data.zip\" ascii fullword\n $str_10 = \"Arkanix C++ Stealer initialized\" ascii fullword\n $str_11 = \"Arkanix Screenshot\" ascii fullword\n $str_12 = \"ArkanixDebug/1.0\" ascii fullword\n $str_13 = \"----ArkanixBoundary\" ascii fullword\n $str_14 = \"Arkanix/1.0\" ascii fullword\n $str_15 = \"Arkanix Stealer Debug\" ascii fullword\n $str_16 = \"Arkanix Screenshot\" ascii fullword\n $str_17 = \"Failed to extract chromelevator from resources!\" ascii fullword\n $str_18 = \"Data extracted via chromelevator.exe\" ascii fullword\n $str_19 = \"Executing chromelevator.exe for\" ascii fullword\n $str_20 = \"CHROMELEVATOR START\" ascii fullword\n $str_21 = \"chromelevator.exe execution failed for\" ascii fullword\n $str_22 = \"Extracted chromelevator from resources\\n\" ascii fullword\n\n condition:\n 1 of ($stub*) or 4 of ($str_*)\n}", "rule_count": 1, "rule_names": [ "arkanix" ], "rule_creation_date": "2025-12-18", "rule_modified_date": "2026-02-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Arkanix" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.execution", "attack.exfiltration", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1059.006", "attack.t1555", "attack.t1555.003", "attack.t1204.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-asyncrat_client_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574614Z", "creation_date": "2026-03-23T11:46:25.574616Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574621Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp" ], "name": "asyncrat_client.yar", "content": "rule asyncrat_client {\n meta:\n title = \"AsyncRAT Client\"\n id = \"bbee809d-fbdd-4111-98a8-e6e82c9b9568\"\n description = \"Detects AsyncRAT, a C2 server used in the later stages of an infection chain.\\nAsyncRAT is an open-source C#-based Command and Control (C2) server designed for remote control and persistence. It operates as the final component in an attack chain, enabling the C2 server to inject and execute DLLs on infected hosts. 
The tool is highly modular, allowing for various functionality extensions and making it a versatile tool for attackers to maintain persistence and control over targeted systems.\"\n references = \"https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp\"\n date = \"2022-08-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.AsyncRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3923d390ce9e9f25b701c36cd2ad09d1a6fd9aac839ef39864bc6bc2189bf72a\n // 1a183559d511fb7383bb0f6c6bb81908fe8ee7c85691c453b912330decf9a173\n // a7a86f886a367edb3bb30013d45582babf374a941ef6483f0da25521ecef42d1\n // 2c06631f853bf622282e91a3d6d956acd80927ab852ebbf2d184d57bd5ad8fac\n // decb60e843db591af3533ce9e0da58b1da2684812a8de39fc41b2f5b9558e01c\n // 2d1eb4ad0856042a8d93b994b2e7ef1768f1a18543ab97fa0b5b827d10f3d6f6\n // 874f3f1d0b2d9a3fdfc9ad54c0921804b7a87923b873a16f61866218317260f2\n // 6ee6f6ca6935e41ea481c761c4b298c24fdd2ef0d6244f1950dc32b3a7242fa1\n // 22d72a90b85041dca93d9dfb29f0bc1b81199db878b34769045d2e20b37cb767\n // e962f84f34cb3a20687104d64a16a021978b2e6868095e51173d237dd2cebb20\n // f540cfbd7cba449ab8514a3f808a8e03c1f35516fe95ee4e6f32ff5064622e87\n // 185083f395279abd7ed57512954fc99641a3e0275b71b7c74c0810b2eea5f7e8\n // 87dcd1b85431613cb0c6a8937a79a043ae5c46e08022f9d3f59a105855adc1b6\n // 691277c90510db997e479b3e56360c0c36e891ade4004df4fa1b85d1dd5a9122\n // 5cdc6ad4ef4e82c8926e74345d5feb5e6bc509917531c8f1a4e9846742d429bf\n // 6a4de29a2b535265b7fe6321aa095f5a45c0f8de6312c451dfb5734c122f78bd\n // b00124c98b204084146ded1f54f3389037da12ea5f7b1c0ba88146b40d4d3f29\n // acf1cf1bced5d3d9bf5f08e9a64a79a6430920b60d10a9596c7649cbe9d24d77\n // 9e97eebefc36370e23615267e6a33cdb9edb241be4914e24ad4791bda6f1e595\n // 
6f105d359fe32edd24c3e5a441f3f8d3f4be7fad856ce7b0e606e9e18b742024\n // a449420bc7abe1d650d2b39bf49da6de900ef4d7d014e72223f8585a31accb0e\n // a875d01bc2a764c2f7d850ef0a0b25a3586f9b7cda2968d2c2d9eb7c0eab0763\n\n $str1 = \"\\\"' & exit\" fullword wide\n $str2 = \"timeout 3 > NUL\" fullword wide\n $str3 = \"\\\\root\\\\SecurityCenter2\" fullword wide\n $str4 = \"masterKey can not be null or empty.\" fullword wide\n $str5 = \"{0:X2}\" fullword wide\n $str6 = \"(ext8,ext16,ex32) type $c7,$c8,$c9\" fullword wide\n\n $s1 = \"\\\\nuR\\\\noisreVtnerruC\\\\swodniW\\\\tfosorciM\\\\erawtfoS\" fullword wide\n $s2 = \"U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==\" fullword wide\n $s3 = \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" fullword wide\n $s4 = \"L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g\" fullword wide\n $s5 = \"Select * from Win32_ComputerSystem\" fullword wide\n $s6 = \"Select * from Win32_CacheMemory\" fullword wide\n $s7 = \"Select * from AntivirusProduct\" fullword wide\n $s8 = \"Pastebin\" fullword wide\n $s9 = \"Paste_bin\" fullword wide\n $s10 = \"\\\\root\\\\SecurityCenter2\" fullword wide\n\n $anti_analysis_str_1 = \"VirtualBox\" fullword wide\n $anti_analysis_str_2 = \"SbieDll.dll\" fullword wide\n $anti_analysis_str_3 = \"vmware\" fullword wide\n $anti_analysis_str_4 = \"ProcessHacker.exe\" fullword wide\n $anti_analysis_str_5 = \"NisSrv.exe\" fullword wide\n\n condition:\n all of ($str*) or\n (5 of ($s*) and 1 of ($anti_analysis_str_*))\n}\n", "rule_count": 1, "rule_names": [ "asyncrat_client" ], "rule_creation_date": "2022-08-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.AsyncRAT" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-aukill_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567759Z", "creation_date": "2026-03-23T11:46:25.567761Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567766Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/" ], "name": "aukill.yar", "content": "rule aukill {\n meta:\n title = \"AuKill HackTool\"\n id = \"3ed03295-dec5-4c12-9836-3369f33a6c70\"\n description = \"Detects AuKill, a defense solution killer that terminates security solutions' processes and services.\\nAuKill exploits a vulnerable driver from Process Explorer to neutralize EDR products and other security tools by terminating their processes and services, and unloading their drivers.\\nThis allows the malware to maintain persistence and evade detection.\"\n references = \"https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/\"\n date = \"2023-04-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1134.001;attack.t1068;attack.defense_evasion;attack.t1014\"\n classification = 
\"Windows.HackTool.AuKill\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8\n // 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540\n\n $s1 = \"\\\\x64\\\\Release\\\\ProcExpDriver.pdb\" ascii\n $s2 = \"[-] NtLoadDriver: 0x%X\" ascii\n $s3 = \"[*] Found PID: 0x%X\" ascii\n $s4 = \"[!] OpenProcess failed (winlogon.exe): %d\" ascii\n $s5 = \"[!] OpenProcessToken failed (winlogon.exe): %d\" ascii\n $s6 = \"[!] DuplicateTokenEx failed (winlogon.exe): %d\" ascii\n $s7 = \"[!] ImpersonateLoggedOnUser failed: %d\" ascii\n $s8 = \"OpenSCManager failed: %d\" ascii\n $s9 = \"OpenService failed: %d\" ascii\n $s10 = \"StartService failed: %d\" ascii\n $s11 = \"QueryServiceStatusEx failed: %d\" ascii\n $s12 = \"[+] Killing process <%s>...\" ascii wide\n $s13 = \"[i] Extracting the driver to %ws\" ascii wide\n $s14 = \"[-] Could not load driver %s may be loaded\" ascii wide\n $s15 = \"[+] Driver %s loaded successfully\" ascii wide\n $s16 = \"[-] NoConnectTo %s Device\" ascii wide\n $s17 = \"\\\\DosDevices\\\\PROCEXP152\" ascii wide\n $s18 = \"\\\\Device\\\\PROCEXP152\" ascii wide\n $s19 = \"\\\\\\\\.\\\\PROCEXP152\" ascii\n $s20 = \"[!] OpenProcess failed (TrustedInstaller.exe): %d\" ascii\n $s21 = \"[!] OpenProcessToken failed (TrustedInstaller.exe): %d\" ascii\n $s22 = \"[!] 
DuplicateTokenEx failed (TrustedInstaller.exe): %d\" ascii\n\n condition:\n 8 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "aukill" ], "rule_creation_date": "2023-04-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.AuKill" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1134.001", "attack.t1014", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-auto-color_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564480Z", "creation_date": "2026-03-23T11:46:25.564482Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564487Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/" ], "name": "auto-color.yar", "content": "rule autocolor_backdoor {\n meta:\n title = \"Auto-Color Backdoor\"\n id = \"82f7f169-692a-462d-bb77-1fec77f152ab\"\n description = \"Detects the Auto-Color Linux backdoor, which uses sophisticated evasion techniques, including renaming itself with benign 
file names and deploying a malicious library to hide network activity and prevent uninstallation.\\nThis backdoor allows remote access to infected systems while making detection and removal difficult.\\nIt is recommended to investigate actions that were performed by the related process.\"\n references = \"https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/\"\n date = \"2025-03-11\"\n modified = \"2025-03-14\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1574;attack.defense_evasion;attack.t1140;attack.command_and_control;attack.t1071.001\"\n classification = \"Linux.Backdoor.AutoColor\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 65c3946a4831df02b69e7c3528f33030b4503049786a0af3f30783bb0de60cce\n // 815b74947d3a78a1b7d2aece43596ddc0ffc264e26092f1f9b6409c62e1437d6\n // a492f6d4183a8809c69e415be5d241f227f6b6a56e0ab43738fd36e435116aa0\n // a57b1039aedbcdd7883f575ce02317949bc4c1aeabba17cbc7e8ba419ded0f13\n // 2c79f0ad407a5adf490e510b75ca197daa1f61031457929c41317154dc599705\n // d4a1186387072207607684a016af05804a9f1ce90c987c80827b2d5223bddc9e\n\n // generic strings\n $s1 = \"dladdr\" fullword ascii\n $s2 = \"/etc/ld.so.preload.xxx\" fullword ascii\n\n // specific strings for initial payload\n $s5 = \"/proc/%d\" fullword ascii\n $s6 = \"/door-%d.log\" fullword ascii\n $s7 = \"%s memory dump %d bytes...\" fullword ascii\n\n // specific strings for evasive library\n $s8 = \"/var/log/cross\" fullword ascii\n $s9 = \"-flush\" fullword ascii\n $s10 = \"/proc/self/fd/%d\" fullword ascii\n\n // initial payload\n // decrypt_string()\n $x1 = {\n 48 01 D0 // add rax, rdx\n 0F B6 00 // movzx eax, byte ptr [rax]\n 83 C0 7B // add eax, 7Bh\n 83 F0 1F // xor eax, 1Fh\n 83 E8 7B // sub eax, 7Bh\n 89 C2 // mov edx, eax\n }\n\n $x2 = {\n C1 EA 13 // shr edx, 13h\n 29 D0 // sub eax, edx\n 89 C2 // mov edx, eax\n 8B 45 EC // mov eax, [rbp+var_14]\n C1 E8 0B // 
shr eax, 0Bh\n 31 D0 // xor eax, edx\n 89 C6 // mov esi, eax\n 8B 45 EC // mov eax, [rbp+var_14]\n C1 E8 03 // shr eax, 3\n 89 C1 // mov ecx, eax\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 63 D0 // movsxd rdx, eax\n 48 8B 45 D8 // mov rax, [rbp+var_28]\n 48 01 D0 // add rax, rdx\n 29 CE // sub esi, ecx\n 89 F2 // mov edx, esi\n 88 10 // mov [rax], dl\n }\n\n // evasive library\n $x3 = {\n 48 BA 73 6F 2E 70 72 65 6C 6F // mov rdx, 6F6C6572702E6F73h\n 48 33 54 24 08 // xor rdx, [rsp+1028h+var_1020]\n 48 B8 2F 65 74 63 2F 6C 64 2E // mov rax, 2E646C2F6374652Fh\n 48 33 04 24 // xor rax, [rsp+1028h+var_1028]\n 48 09 C2 // or rdx, rax\n 74 ?? // jz short loc_5B60\n }\n\n $x4 = {\n 89 C1 // mov ecx, eax\n 48 8D 35 ?? ?? ?? ?? // lea rsi, byte_B260\n C1 E9 10 // shr ecx, 10h\n A9 80 80 00 00 // test eax, 8080h\n 0F 44 C1 // cmovz eax, ecx\n 48 8D 4A 02 // lea rcx, [rdx+2]\n 48 0F 44 D1 // cmovz rdx, rcx\n 89 C1 // mov ecx, eax\n 00 C1 // add cl, al\n 48 83 DA 03 // sbb rdx, 3\n 48 29 FA // sub rdx, rdi\n 0F 84 5A FF FF FF // jz loc_4299\n }\n\n condition:\n uint16(0) == 0x457f and (5 of ($s*) or 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "autocolor_backdoor" ], "rule_creation_date": "2025-03-11", "rule_modified_date": "2025-03-14", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.AutoColor" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1574" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-avneutralizer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571439Z", "creation_date": "2026-03-23T11:46:25.571442Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571447Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/" ], "name": "avneutralizer.yar", "content": "rule avneutralizer {\n meta:\n title = \"AvNeutralizer HackTool\"\n id = \"3572939c-4613-4486-a64d-7c15f66f8b3a\"\n description = \"Detects AvNeutralizer (aka AuKill), an EDR killer tool developed by FIN7.\\nIt uses vulnerable Process Explorer and TTD drivers to terminate security products from Kernel-mode.\"\n references = \"https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\"\n date = \"2024-07-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1134.001;attack.t1068;attack.defense_evasion;attack.t1014\"\n classification = \"Windows.HackTool.AvNeutralizer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 64b6f85b70d888a1f451ca2486fa09f51e8b7299ea56fd26e5a64fef93604b7f\n // 79ae0f11b8c158a19a7e7f7d8ed8791e5f314b74ce5d1e3e10c382ff350d3a62\n // c20faaf0713f35d7d707e4ce72142eef11bfa53ad33e61f1ab072e6a7ca9b81e\n // 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540\n // 
1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8\n // 5846f4648919bad0da9c0a63ec1086d3c2362f50a533de61f323f8d0198ee9ed\n\n $s_common_stub_01 = {\n // Init buffer DeviceIoControl function\n 0f b7 [1-6] // movzx ebx, dx\n 8b [1-6] // mov edi, ecx\n e8 [1-6] // call sub_140002d80\n 4? 8b [1-6] // mov r9, rax\n 4? 33 [1-6] // xor r8d, r8d {0x0}\n 4? 89 [1-6] // mov dword [rsp+0x20 {var_28_1}], r8d\n 4? 3b [1-6] // cmp r8d, dword [r9]\n 73 [1-6] // jae 0x140002eaa\n 4? 8d [1-6] // lea rdx, [r8+r8*2]\n 4? 0f 10 [1-6] // movups xmm1, xmmword [r9+rdx*8+0x8]\n 0f 11 [1-6] // movups xmmword [rsp+0x28 {var_20_1}], xmm1\n f2 4? 0f 10 [1-6] // movsd xmm0, qword [r9+rdx*8+0x18]\n f2 0f 11 [1-6] // movsd qword [rsp+0x38 {var_10_1}], xmm0\n 66 0f 7e [1-6] // movd eax, xmm1\n 3b ?? // cmp eax, edi\n 75 ?? // jne 0x140002ea5\n 4? 8b [1-6] // mov rax, qword [rsp+0x28 {var_20_1}]\n 4? c1 ?? 30 // shr rax, 0x30\n [0-1] 3b [1-6] // cmp ax, bx\n 75 ?? // jne 0x140002ea5\n 4? 8b c9 // mov rcx, r9\n e8 [1-6] // call sub_140002e20\n 4? 8b [1-6] // mov rax, qword [rsp+0x30 {var_20_1+0x8}]\n eb ?? // jmp 0x140002ec3\n 4? ff [1-6] // inc r8d\n eb ?? // jmp 0x140002e5a\n 4? 8b [1-6] // mov rcx, r9\n e8 [1-6] // call sub_140002e20\n eb // jmp 0x140002ec1\n }\n $s_common_stub_02 = {\n // Call functions to get SeLoadDriverPrivilege and create service\n 4? 8d [3-6] // lea rax, [rsp+0x28 {s}]\n 4? 8b [1-4] // mov rdi, rax {s}\n 33 ?? // xor eax, eax {0x0}\n b9 10 00 00 00 // mov ecx, 0x10\n f3 aa // rep stosb byte [rdi] {var_450} {s} {0x0}\n 4? 8d [3-6] // lea rax, [rsp+0x40 {var_428}]\n 4? 8b [1-4] // mov rdi, rax {var_428}\n 33 ?? // xor eax, eax {0x0}\n b9 08 02 00 00 // mov ecx, 0x208\n f3 aa // rep stosb byte [rdi] {var_630} {var_428} {0x0}\n 4? 8d [6-10] // lea rax, [rsp+0x250 {s_1}]\n 4? 8b [1-4] // mov rdi, rax {s_1}\n 33 ?? // xor eax, eax {0x0}\n b9 08 02 00 00 // mov ecx, 0x208\n f3 aa // rep stosb byte [rdi] {var_420} {s_1} {0x0}\n 4? 
8d [4-6] // lea rcx, [rel data_140005600] {u\"SeLoadDriverPrivilege\"}\n e8 [2-6] // call sub_140004be0\n 85 ?? // test eax, eax\n 75 // jne 0x140001d4f\n }\n $s_common_stub_03 = {\n // Create service function\n 4? c7 [3] 00 00 00 00 // mov qword [rsp+0x58 {var_450}], 0x0\n 4? 8d [4-6] // lea rax, [rsp+0x290 {var_218}]\n 4? 8b [1-4] // mov rdi, rax {var_218}\n 33 ?? // xor eax, eax {0x0}\n b9 08 02 00 00 // mov ecx, 0x208\n f3 aa // rep stosb byte [rdi] {var_420} {var_218} {0x0}\n 4? 8d [4-6] // lea rax, [rsp+0x80 {var_428}]\n 4? 8b [1-4] // mov rdi, rax {var_428}\n 33 ?? // xor eax, eax {0x0}\n b9 08 02 00 00 // mov ecx, 0x208\n f3 aa // rep stosb byte [rdi] {var_630} {var_428} {0x0}\n c7 [3] ff ff ff ff // mov dword [rsp+0x50 {var_458}], 0xffffffff {0xffffffff}\n c7 [3] 00 00 00 00 // mov dword [rsp+0x54 {var_454}], 0x0\n c7 [3] 00 00 00 00 // mov dword [rsp+0x68 {lpdwDisposition}], 0x0\n 4? 8b [4-6] // mov r8, qword [rsp+0x4b8 {arg_10}]\n 4? 8d [4-6] // lea rdx, [rel data_1400054c0] {u\"System\\CurrentControlSet\\Service…\"}\n 4? 8d [4-6] // lea rcx, [rsp+0x290 {var_218}]\n ff [4-6] // call qword [rel wsprintfW]\n 4? 8b [4-6] // mov r9, qword [rsp+0x4b0 {arg_8}]\n 4? 8d [4-6] // lea r8, [rel data_140005510] {u\"\\??\\\"}\n 4? 8d [4-6] // lea rdx, [rel data_140005520] {u\"%ws%ws\"}\n 4? 8d [4-6] // lea rcx, [rsp+0x80 {var_428}]\n ff [4-6] // call qword [rel wsprintfW]\n 4? 8d [3-6] // lea rax, [rsp+0x68 {lpdwDisposition}]\n 4? 89 [3-6] // mov qword [rsp+0x40 {var_468}], rax {lpdwDisposition}\n 4? 8d [3-6] // lea rax, [rsp+0x58 {var_450}]\n 4? 89 [3-6] // mov qword [rsp+0x38 {var_470}], rax {var_450}\n 4? c7 [3] 00 00 00 00 // mov qword [rsp+0x30 {var_478}], 0x0\n c7 44 [2] 3f 00 0f 00 // mov dword [rsp+0x28 {var_480}], 0xf003f\n c7 44 [2] 00 00 00 00 // mov dword [rsp+0x20 {lpData}], 0x0\n 4? 33 ?? // xor r9d, r9d {0x0}\n 4? 33 ?? // xor r8d, r8d {0x0}\n 4? 8d [4-6] // lea rdx, [rsp+0x290 {var_218}]\n 4? c7 ?? 
02 00 00 80 // mov rcx, 0xffffffff80000002\n ff [4-6] // call qword [rel RegCreateKeyExW]\n 89 [3-6] // mov dword [rsp+0x50 {var_458_1}], eax\n 83 [1-3] 00 // cmp dword [rsp+0x50 {var_458_1}], 0x0\n 74 // je 0x140003536\n }\n condition:\n 1 of ($s_common_stub*)\n}\n", "rule_count": 1, "rule_names": [ "avneutralizer" ], "rule_creation_date": "2024-07-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.AvNeutralizer" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1134.001", "attack.t1014", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-axiom_hacktool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571781Z", "creation_date": "2026-03-23T11:46:25.571784Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571789Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mallo-m" ], "name": "axiom_hacktool.yar", "content": "rule axiom_hacktool {\n meta:\n title = \"Axiom HackTool\"\n id = 
\"567c4075-0b0f-4d95-b5e1-aac09137f7ba\"\n description = \"Detects the Axiom tools.\\nThese tools are used for malicious activities like dumping LSASS memory or loading shellcode using different techniques to avoid being detected by security tools such as EDRs.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/mallo-m\"\n date = \"2025-03-26\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.privilege_escalation;attack.t1134;attack.t1055\"\n classification = \"Windows.HackTool.Axiom\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6c6a813ab77b186386b2e17c50a95fa971aa3baa3fd0cb4ea83bcf27b3a04d2c\n // 7d2337dff8f058cf2ef1f17d96050ebc69185a6f9f322da021bb6e44b965afbd\n\n $string1 = \"[FAILURE] Bruh\" ascii fullword\n $string2 = \"[FAILURE] Trying a new duplication\" ascii fullword\n $string3 = \"[FAILURE] No more duplication to try, exploit failed :(\" ascii fullword\n $string4 = \"HellsTable init failure\" ascii fullword\n $string5 = \"Malloc failure on new table entry\" ascii fullword\n $string6 = \"AddsToTable malloc failure\" ascii fullword\n $string7 = \"GetImageExportDirectory init failure\" ascii fullword\n $string8 = \"[FAILURE] Too many memory ranges\" ascii fullword\n $string9 = \"[FAILURE] Reading LDR addrss failed\" ascii fullword\n $string10 = \"[FAILURE] Reading LDR base name\" ascii fullword\n $string11 = \"[FAILURE] Reading LDR pointer failed\" ascii fullword\n $string12 = \"[FAILURE] Failed to write the ModuleListStream\" ascii fullword\n $string13 = \"[SYSTEM] Retrieving shellcode...\" ascii fullword\n $string14 = \"[SHENANIGANS] Copying bytes to memory region\" ascii fullword\n $string15 = \"[DUPLICATOR] Looping through all 
system handles\" ascii fullword\n $string16 = \"[DUPLICATOR] QuerySysInfo success\" ascii fullword\n $string17 = \"[DUPLICATOR] Handle opened towards a Process object: \" ascii fullword\n $string18 = \"[DUPLICATOR] Duplicated HANDLE pointer: 0x%p\" ascii fullword\n $string19 = \"[EXTRACTOR] All snapshots prerequisites ok, extracting memory...\" ascii fullword\n $string20 = \"[EXTRACTOR] Getting memory ranges to dump\" ascii fullword\n $string21 = \"[EXTRACTOR] Enumearted %ld ranges of memory\" ascii fullword\n $string22 = \"[EXTRACTOR] Reading LDR address from memory success\" ascii fullword\n $string23 = \"[EXTRACTOR] Module list address parsed: 0x%p\" ascii fullword\n $string24 = \"[EXTRACTOR] Reading modules head pointer failed\" ascii fullword\n $string25 = \"[EXTRACTOR] Looping over modules\" ascii fullword\n $string26 = \"[EXTRACTOR] New module: %S successfully parsed and integrated into dump\" ascii fullword\n $string27 = \"[EXTRACTOR] Module %ls (hash: %s) discovered at 0x%p\" ascii fullword\n $string28 = \"[EXTRACTOR] Dumping modules success !\" ascii fullword\n\n // AXIOM_DuplicatePrivilegedToken()\n $blacklist_hash1 = {39 65 36 33 32 37 63 36 38 36 31 62 63 32 66 32 61 38 31 61 64 32 36 35 39 38 35 63 36 32 65 61} // winlogon.exe\n $blacklist_hash2 = {31 63 33 37 36 63 30 63 35 34 61 34 63 34 39 66 34 37 63 64 38 31 32 34 37 64 38 61 37 66 32 35} // csrss.exe\n $blacklist_hash3 = {34 32 35 36 63 36 31 38 65 34 36 31 37 63 62 34 31 61 30 64 35 65 66 39 64 32 38 34 63 63 30 63} // svchost.exe\n $blacklist_hash4 = {35 32 33 64 64 32 32 66 30 64 31 34 65 39 31 62 63 31 35 32 62 37 62 36 65 63 34 61 66 64 37 66} // lsass.exe\n $blacklist_hash5 = {35 38 31 35 36 31 37 37 34 34 34 63 66 63 34 65 65 34 65 33 35 38 31 33 34 32 30 33 62 33 38 35} // spoolsv.exe\n $blacklist_hash6 = {62 62 38 31 38 63 36 32 38 39 39 65 61 34 31 34 62 66 33 63 39 35 33 38 31 38 62 62 30 33 30 37} // LsaIso.exe\n\n // ELSASS_ExtractModulesList()\n $important_hash1 = {64 35 33 33 66 
33 32 31 31 33 38 31 34 32 64 65 31 31 34 30 39 37 37 62 31 63 33 31 30 62 32 65} // lsasrv.dll\n $important_hash2 = {33 31 32 30 30 30 65 66 34 62 33 38 34 61 39 33 34 36 34 33 64 39 38 35 65 64 34 64 32 63 34 61} // samsrv.dll\n $important_hash3 = {33 61 36 63 37 39 64 35 36 63 33 39 34 36 38 38 64 39 65 35 35 38 33 33 32 31 35 30 62 39 39 30} // ncrypt.dll\n $important_hash4 = {36 65 31 64 31 36 32 62 33 34 65 35 62 64 34 64 64 61 37 65 35 37 39 39 37 32 38 35 66 36 33 36} // kerberos.DLL\n $important_hash5 = {35 65 63 63 34 61 62 35 37 33 33 35 30 61 36 32 36 30 63 36 35 32 33 66 33 34 35 39 35 38 39 66} // cryptdll.dll\n $important_hash6 = {32 36 32 30 34 30 38 63 63 36 33 65 37 34 32 63 61 34 38 31 62 39 61 64 62 64 61 31 31 38 62 30} // msv1_0.dll\n\n $axiom_ssn1 = {65 38 32 30 34 37 34 32 63 36 39 35 64 36 33 37 61 62 61 37 32 32 33 31 37 30 62 32 34 34 39 37} // AXIOM_SSN_NtOpenProcess\n $axiom_ssn2 = {31 65 62 33 31 38 64 64 36 63 62 31 34 64 38 62 32 31 30 62 30 34 65 31 36 35 63 39 35 31 34 30} // AXIOM_SSN_NtQueryInformationProcess\n $axiom_ssn3 = {32 36 35 31 32 33 64 66 39 30 63 39 65 32 35 33 38 39 65 38 34 35 31 35 35 66 38 39 63 37 33 65} // AXIOM_SSN_NtCreateFile\n $axiom_ssn4 = {30 39 31 38 62 62 61 33 64 30 39 39 39 37 32 36 37 39 62 39 62 33 30 61 31 61 61 66 37 63 64 66} // AXIOM_SSN_NtReadFile\n $axiom_ssn5 = {32 31 37 64 34 33 66 30 66 35 64 33 61 30 37 61 37 37 31 36 37 35 31 36 33 65 36 33 31 32 34 31} // AXIOM_SSN_NtLoadDriver\n $axiom_ssn6 = {61 65 64 65 66 65 64 36 33 31 36 61 63 64 30 34 30 36 65 66 64 33 34 65 38 63 38 64 30 66 61 66} // AXIOM_SSN_NtQuerySystemInformation\n $axiom_ssn7 = {31 30 63 32 33 30 32 31 37 30 66 64 61 35 36 62 61 31 62 30 65 39 64 38 30 65 65 66 35 63 33 64} // AXIOM_SSN_NtQueryInformationToken\n $axiom_ssn8 = {31 37 35 35 64 36 62 62 33 65 63 64 39 34 33 61 37 64 61 62 36 66 38 35 66 30 39 35 37 63 31 66} // AXIOM_SSN_NtOpenProcessToken\n $axiom_ssn9 = {38 31 35 36 38 61 36 32 30 37 62 31 30 31 37 64 38 61 
34 64 63 38 36 38 31 30 65 38 34 36 30 63} // AXIOM_SSN_NtDuplicateToken\n $axiom_ssn10 = {36 66 32 37 61 66 66 38 37 64 31 63 35 38 62 34 63 33 31 34 66 62 64 36 65 30 37 34 32 65 36 64} // AXIOM_SSN_NtProtectVirtualMemory\n $axiom_ssn11 = {36 31 36 66 30 35 36 38 62 34 33 38 31 36 34 31 65 30 33 61 62 30 33 66 63 31 30 32 30 39 33 38} // AXIOM_SSN_NtWriteVirtualMemory\n $axiom_ssn12 = {61 32 31 61 35 39 30 62 66 33 63 33 61 31 61 66 65 34 33 32 62 39 64 66 36 38 33 33 35 36 61 63} // AXIOM_SSN_NtSetInformationThread\n $axiom_ssn13 = {34 30 62 33 37 62 39 65 66 62 66 32 33 32 62 32 37 31 38 37 37 34 31 65 62 30 61 32 36 31 31 30} // AXIOM_SSN_NtQueryObject\n $axiom_ssn14 = {62 34 34 61 31 38 63 65 33 62 62 34 35 39 33 66 33 62 34 35 32 62 63 34 66 37 33 61 35 38 64 62} // AXIOM_SSN_NtDuplicateObject\n $axiom_ssn15 = {66 64 65 66 62 34 65 65 32 37 61 63 36 31 62 32 33 36 38 32 30 62 66 32 33 39 66 35 65 31 61 39} // AXIOM_SSN_NtQueryVirtualMemory\n $axiom_ssn16 = {64 62 34 37 65 65 62 65 63 64 39 36 31 62 61 64 30 65 61 64 61 63 35 35 65 64 38 33 36 33 30 62} // AXIOM_SSN_NtReadVirtualMemory\n $axiom_ssn17 = {37 63 35 36 33 35 32 65 38 35 30 65 37 37 36 63 38 34 34 62 30 66 33 64 36 37 38 63 38 39 34 37} // AXIOM_SSN_ZwReadVirtualMemory\n $axiom_ssn18 = {38 62 39 36 30 34 33 66 34 62 64 35 66 33 62 32 63 65 39 36 37 61 31 31 34 37 32 64 32 63 62 65} // AXIOM_SSN_NtAdjustPrivilegesToken\n $axiom_ssn19 = {30 39 62 64 31 66 37 37 63 38 65 33 39 30 61 34 37 65 62 35 37 36 39 39 35 38 39 66 66 66 31 66} // AXIOM_SSN_NtClose\n $axiom_ssn20 = {32 33 36 38 65 61 65 61 35 65 35 62 32 39 35 62 65 30 35 38 66 62 34 33 36 64 34 30 37 38 35 30} // AXIOM_SSN_NtCreateUserProcess\n\n $drunk_string = \"%02x\" ascii fullword\n $drunk_md5 = {\n C7 44 ?? ?? 42 42 42 42 // mov [rsp+0A8h+var_80], 42424242h\n [0 - 16]\n C7 44 ?? ?? EF BE AD DE // mov [rsp+0A8h+var_7C], 0DEADBEEFh\n [0 - 16]\n C7 44 ?? ?? 01 20 94 06 // mov [rsp+0A8h+var_78], 6942001h\n [0 - 16]\n C7 44 ?? ?? 
37 13 37 13 // mov [rsp+0A8h+var_74], 13371337h\n }\n\n condition:\n (\n uint16(0) == 0x5a4d and\n 5 of ($string*)\n )\n or\n (\n 2 of ($blacklist_hash*) or\n 2 of ($important_hash*) or\n 2 of ($axiom_ssn*) or\n all of ($drunk_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "axiom_hacktool" ], "rule_creation_date": "2025-03-26", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Axiom" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1134", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-axiomorphanchild_hacktool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566341Z", "creation_date": "2026-03-23T11:46:25.566343Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566349Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mallo-m" ], "name": "axiomorphanchild_hacktool.yar", "content": "rule axiomorphanchild_hacktool {\n meta:\n title = \"AxiomOrphanChild HackTool\"\n id = 
\"97602233-ac95-4829-b034-648752a7fc2e\"\n description = \"Detects the AxiomOrphanChild hacktool used to create a child process via a scheduled task and communicate via named pipe.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/mallo-m\"\n date = \"2025-11-19\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1559;attack.persistence;attack.privilege_escalation;attack.t1053.005\"\n classification = \"Windows.HackTool.AxiomOrphanChild\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b2e255a8592fafb0c13da884937cc065a2712eca19964f66d9b427b928139983\n\n $s1 = \"[+] SetRegistrationInfo() success\" ascii fullword\n $s2 = \"[+] put_StartWhenAvailable() success\" ascii fullword\n $s3 = \"[+] TriggerCollection->Create() success\" ascii fullword\n $s4 = \"\\\\\\\\.\\\\pipe\\\\axiomsch\" ascii fullword\n $s5 = \"/c %s %s > \\\\\\\\.\\\\pipe\\\\axiomsch\" ascii fullword\n $s6 = \"[!] User and Password are required when using non-interactive mode, use /user: and /password: options\" ascii fullword\n $s7 = \"[+] Found binary at: %s\" ascii fullword\n $s8 = \"[!] 
ConvertStringSecurityDescriptorToSecurityDescriptor(): %d\" ascii fullword\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "axiomorphanchild_hacktool" ], "rule_creation_date": "2025-11-19", "rule_modified_date": "2025-11-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.AxiomOrphanChild" ], "rule_tactic_tags": [ "attack.execution", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1053.005", "attack.t1559" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-axiomsecrets_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590176Z", "creation_date": "2026-03-23T11:46:25.590178Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590183Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mallo-m/AxiomSecrets" ], "name": "axiomsecrets.yar", "content": "rule axiomsecrets_hacktool {\n meta:\n title = \"AxiomSecrets HackTool\"\n id = \"ee18a3aa-3c41-4062-a1fa-4c34bdbd6804\"\n description = \"Detects the AxiomSecrets hacktool, used to extract protected files by directly parsing the raw NTFS drive.\\nIt is 
recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/mallo-m/AxiomSecrets\"\n date = \"2025-11-21\"\n modified = \"2025-12-29\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1006\"\n classification = \"Windows.HackTool.AxiomSecrets\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fc8c3078c79cd5f8708ba30fac967006721e56ca581fe121e936998b107c9017\n\n $s1 = \"Volume name error, should be like 'C', 'D'\" ascii fullword\n $s2 = \"Cannot read root directory of volume\" ascii fullword\n $s3 = \"[+] All subdirectories have been traversed\" ascii fullword\n $s4 = \"[!] Can not create backup of file %s: source is a directory\" ascii fullword\n $s5 = \"%s\\\\%s.bak\" ascii fullword\n $s6 = \"[!] Usage: %s FILEPATH_1 [{FILEPATH_2}, {FILEPATH_3}, ...] 
SAVEDIR_PATH\" ascii fullword\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "axiomsecrets_hacktool" ], "rule_creation_date": "2025-11-21", "rule_modified_date": "2025-12-29", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.AxiomSecrets" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1006" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-axiom_trojan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574065Z", "creation_date": "2026-03-23T11:46:25.574068Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574077Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mallo-m" ], "name": "axiom_trojan.yar", "content": "rule axiom_trojan {\n meta:\n title = \"Axiom Trojan\"\n id = \"79667c8f-92e3-43c4-9aac-df5408c8c8c1\"\n description = \"Detects the Axiom Trojan.\\nThis tool is used to remotely control computers and uses different techniques to avoid being detected by security tools such as EDRs.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the 
detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/mallo-m\"\n date = \"2025-03-26\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.privilege_escalation;attack.t1134;attack.t1055;attack.t1068;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Trojan.Axiom\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0b3a218ac5f6c7667b7fb93ada43df2e326e616fde7c86e1103fe605cd4f5385\n\n $string1 = \"credz.raw\" ascii fullword\n $string2 = \":ASSET:Tools/ExecAssembly.exe\" ascii fullword\n $string3 = \"C:\\\\Users\\\\Public\\\\Downloads\\\\assembly.xor\" ascii fullword\n $string4 = \"EtwEventRegister\" ascii fullword\n $string5 = \"C:\\\\Windows\\\\Tasks\\\\out.txt\" ascii fullword\n $string6 = \"C:\\\\ProgramData\\\\Logs.txt\" ascii fullword\n\n $cmd1 = \"READY_FOR_INPUT\" ascii fullword\n $cmd2 = \"PPEnum\" ascii fullword\n $cmd3 = \"CanIHasCredz\" ascii fullword\n $cmd4 = \"Legacy-ExecAssembly\" ascii fullword\n $cmd5 = \"portfwd\" ascii fullword\n\n $action1 = \"disable_dse\" ascii fullword\n $action2 = \"list_kernel_callbacks\" ascii fullword\n $action3 = \"start_evil_driver\" ascii fullword\n $action4 = \"get_system\" ascii fullword\n\n $debug1 = \"[!] 
Unknown AXIOM procedure\" ascii fullword\n $debug2 = \"[+] Service GigaPwn does not exist, requesting file gdrv.sys\" ascii fullword\n $debug3 = \"[*] AxiomDriver.sys driver is not installed and started\" ascii fullword\n $debug4 = \"[+] Service AxiomDriver is already started\" ascii fullword\n $debug5 = \"[EXTRACTOR] All snapshots prerequisites ok, extracting memory...\" ascii fullword\n $debug6 = \"[+] Requesting sacrificial process' file ExecAssembly.exe\" ascii fullword\n $debug7 = \"[%s] Process %S is on blacklist, skipping...\" ascii fullword\n $debug8 = \"[FAILURE] No more duplication to try, exploit failed :(\" ascii fullword\n $debug9 = \"[DUPLICATOR] Looping through all system handles\" ascii fullword\n $debug10 = \"[!!!!] NONUNICODEPATH: %s\" ascii fullword\n\n // EventRegister\n $provider_guid = {\n C7 [1-4] E1 3C 0D 23 // mov [rbp+1250h+ProviderId.Data1], 230D3CE1h\n C7 [1-4] CC BC 4E 12 // mov dword ptr [rbp+1250h+ProviderId.Data2], 124EBCCCh\n C7 [1-4] 93 1B D9 CC // mov dword ptr [rbp+1250h+ProviderId.Data4], 0CCD91B93h\n C7 [1-4] 2E EE 27 E4 // mov dword ptr [rbp+1250h+ProviderId.Data4+4], 0E427EE2Eh\n }\n\n $amsi1 = \"AmsiScanBuffer\" ascii fullword\n $amsi2 = {\n 48 8B D8 // mov rbx, rax\n C7 45 20 B8 57 00 07 // mov dword ptr [rbp+480h+Buffer], 70057B8h\n 66 C7 45 24 80 C3 // mov word ptr [rbp+480h+Buffer+4], 0C380h\n }\n\n $indirect_syscall = {\n (44 8B | 45 8B | 48 8B | 1A 45) ?? // mov r9d, r13d\n (49 8B | 48 8B | C0 33 | C9 33) ?? // mov rdx, r13\n 49 8B 4B 10 // mov rcx, [r11+10h]\n 80 39 ?? // cmp byte ptr [rcx], 65h\n 75 ?? 
// jnz short loc_14001E408\n }\n\n condition:\n (\n uint16(0) == 0x5a4d and\n (\n 5 of ($string*) or\n all of ($cmd*) or\n all of ($action*) or\n 2 of ($debug*)\n )\n )\n or\n (\n $provider_guid or\n all of ($amsi*) or\n #indirect_syscall > 10\n )\n}\n", "rule_count": 1, "rule_names": [ "axiom_trojan" ], "rule_creation_date": "2025-03-26", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Axiom" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1134", "attack.t1055", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-azazel_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576782Z", "creation_date": "2026-03-23T11:46:25.576784Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576790Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/chokepoint/azazel/" ], "name": "azazel.yar", "content": "rule linux_library_rootkit_azazel {\n meta:\n title = \"Azazel Rootkit\"\n id = 
\"b5b4a41f-8d99-4b80-b674-ef78e97db48e\"\n description = \"Detects the publicly available Azazel LD_PRELOAD userland rootkit.\\nThis rootkit enables adversaries to execute malicious payloads by hijacking environment variables used by the dynamic linker to load shared libraries. This can allow attackers to intercept most function calls, establishing persistence on the system.\"\n references = \"https://github.com/chokepoint/azazel/\"\n date = \"2023-12-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.004;attack.persistence;attack.t1574.006;attack.defense_evasion;attack.t1014;attack.t1070;attack.t1564;attack.credential_access;attack.t1556;attack.command_and_control;attack.t1095\"\n classification = \"Linux.Rootkit.Azazel\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a\n // 6af8b3d31101f48911b13e49c660c10ed1d26b60267e8037d2ac174fc0d2f36c\n // 171de88c1b576162fc5384dcfb94b78a8a82ffd536d438ebf4c4c21e2e8acdae\n\n $s0 = \"The whole earth has been corrupted through the works that were taught by Azazel: to him ascribe all sin.\" ascii\n $s1 = \"azazel_init\" ascii fullword\n $s2 = \"drop_shell\" ascii fullword\n $s3 = \"\\x00is_invisible\" ascii\n $s4 = \"is_procnet\" ascii fullword\n $s5 = \"clean_wtmp\" ascii fullword\n $s6 = \"hide_ports\" ascii fullword\n $s7 = \"\\x00read_next_line\\x00\" ascii\n $s8 = \"azazel.so loaded\" ascii\n $s9 = \"Don't scratch the walls\" ascii\n // Encoded constants, as defined in https://github.com/chokepoint/azazel/blob/master/const.h.\n $s10 = { db 9a c4 de db c8 ca a5 ce d3 c7 bf d3 b8 9f d3 98 a3 c4 db a6 de db c8 ca a5 ce d3 c7 bf d3 b8 9f d3 98 a3 c4 db a6 de db a6 de db 92 a6 c4 db 92 a6 de db a6 c4 db 92 a6 de db 92 a6 de db 9a de db 9a de db 92 8b de db cb cf cc 8d f4 }\n $s11 = { d1 9b 8a 9d d1 92 9a d0 8d 91 d0 8e 8c 9b 92 
91 9f 9a}\n $s12 = { d1 88 9f 8c d1 92 91 99 d1 8b 8a 93 8e }\n $s13 = { b6 b7 ad aa b8 b7 b2 bb }\n $s14 = { d1 8e 8c 91 9d d1 90 9b 8a d1 8a 9d 8e c8 }\n\n condition:\n (uint32be(0) == 0x7F454c46) // ELF\n and ((uint16be(0x10) == 0x03) or (uint16(0x10) == 0x03)) // ET_DYN\n and (2 of them)\n}\n", "rule_count": 1, "rule_names": [ "linux_library_rootkit_azazel" ], "rule_creation_date": "2023-12-12", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Azazel" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1095", "attack.t1070", "attack.t1564", "attack.t1014", "attack.t1556", "attack.t1574.006", "attack.t1059.004" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-azzy_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572973Z", "creation_date": "2026-03-23T11:46:25.572977Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572986Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "name": "azzy.yar", "content": "rule azzy {\n meta:\n title = \"APT28 AZZY Implant\"\n id = \"e65fb49a-d86b-4cc5-a23b-82751e869177\"\n description = \"Detects the APT28 AZZY implant.\\nAPT28, also known as Sofacy, is a notorious cyber threat group known for sophisticated attacks. The AZZY implant is a part of their toolkit, often used for persistence and data exfiltration. This rule detects the presence of AZZY by identifying custom encryption/decryption functions specific to the implant, which are commonly used to avoid detection and maintain persistence.\"\n references = \"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\"\n tags = \"attack.defense_evasion;attack.t1027.013;attack.t1036;attack.execution;attack.t1129;attack.privilege_escalation;attack.t1055;attack.t1574;attack.t1574.002;attack.discovery;attack.t1018;attack.t1057;attack.t1083;attack.t1518\"\n date = \"2024-07-08\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n classification = \"Windows.Loader.Azzy\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings :\n // Detection for these samples:\n // e917166adf6e1135444f327d8fff6ec6c6a8606d65dda4e24c2f416d23b69d45\n // 1bab1a3e0e501d3c14652ecf60870e483ed4e90e500987c35489f17a44fef26c\n\n $s_key00_00 = { F5 C? 45 ?? 71 C? 45 ?? 65 C? 45 ?? 42 C? 45 ?? E2 C? 45 ?? D1 C? 45 ?? ED C? 45 ?? 10 }\n $s_key00_01 = { de C? 45 ?? 48 C? 45 ?? 9f C? 45 ?? 35 C? 45 ?? 33 C? 45 ?? f5 C? 45 ?? 76 C? 45 ?? 4c }\n $s_key00_02 = { ef C? 45 ?? 12 C? 45 ?? c2 C? 45 ?? d8 C? 45 ?? 93 C? 45 ?? cf C? 45 ?? 55 C? 45 ?? 3f }\n\n $s_custom_decryption_function00 = {\n (c0|c1) ?? 04 // shl ecx, 0x4\n [3] // mov eax, dword [ebp-0x8 {j}]\n 8? ?? 01 // add eax, 0x1\n 33?? // xor edx, edx {0x0}\n b? 08 00 00 00 // mov esi, 0x8\n (f7|f6) ?? 
// div esi\n [3] // mov eax, dword [ebp+0x14 {key}]\n 0f (b6|b7) ?? ?? // movzx edx, byte [eax+edx]\n 33 ca // xor ecx, edx\n [3] // mov eax, dword [ebp-0x8 {j}]\n 8? ?? 02 // add eax, 0x2\n 33 ?? // xor edx, edx {0x0}\n b? 08 00 00 00 // mov esi, 0x8\n (f7|f6) ?? // div esi\n [3] // mov eax, dword [ebp+0x14 {key}]\n 0f (b6|b7) ?? ?? // movzx esi, byte [eax+edx]\n [12] // mov edx, dword [ebp-0xc {i}]\n // mov eax, dword [ebp-0x8 {j}]\n // lea edi, [eax+edx*8]\n // mov eax, dword [ebp-0x8 {j}]\n 8? ?? 03 // add eax, 0x3\n 33 ?? // xor edx, edx {0x0}\n b? 08 00 00 00 // mov ebx, 0x8\n (f7|f6) ?? // div ebx\n [3] // mov eax, dword [ebp+0x14 {key}]\n 0f (b6|b7) ?? ?? // movzx edx, byte [eax+edx]\n 33 ?? // xor edi, edx\n 23 ?? // and esi, edi\n 0f af ?? // imul ecx, esi\n [12] // mov byte [ebp-0x1 {var_5_1}], cl\n // mov eax, dword [ebp-0xc {i}]\n // mov ecx, dword [ebp-0x8 {j}]\n // lea edx, [ecx+eax*8]\n 0f (b6|b7) ?? ?? // movzx eax, byte [ebp-0x1 {var_5_1}]\n [3] // mov ecx, dword [ebp+0x8 {data}]\n 0f (b6|b7) ?? ?? // movzx edx, byte [ecx+edx]\n 33 ?? // xor edx, eax\n }\n\n $s_key01_00 = { C? 45 ?? 46 9E 7F 55 C? 45 ?? D8 A4 76 04 }\n $s_key01_01 = { C? 45 ?? DE 48 9F 35 C? 45 ?? 33 F5 76 4C }\n\n $s_custom_decryption_function01 = {\n 8? ?? 02 // sub bl, 2\n [2] // mov eax, edi\n 8? ?? 07 // and eax, 7\n [2] // mov dh, bl\n 02 ?? // add dh, bh\n 32 ?? ?? // xor dh, [eax+ecx]\n 8? 4? ?? // mov eax, [ebp+arg_4]\n 8? 4? ?? // mov ecx, [ebp+var_8]\n 83 ?? 07 // and ecx, 7\n 22 ?? ?? // and dh, [ecx+eax]\n 8? 4? ?? // mov ecx, [ebp+var_8]\n 8A [3] // mov dl, [ecx+eax-2]\n 02 ?? // add dl, bl\n 02 ?? // add dl, bh\n (C0|C1) ?? 04 // shl dl, 4\n 49 // dec ecx\n 83 ?? 07 // and ecx, 7\n 32 ?? ?? // xor dl, [ecx+eax]\n [2] // mov al, dh\n (F6|F7) ?? // imul dl\n 30 ?? // xor [esi], al\n }\n\n $s_key03_00 = { 23 a7 b8 d9 f5 83 24 be }\n\n $s_custom_decryption_function02 = {\n 8? ?? 07 // and edx, 0x7\n 8d ?? ?? ?? // lea ecx, [edi+eax+0x1]\n 8? ?? 07 // and ecx, 0x7\n 8? 
?? ?? // mov dl, byte [edx+esi]\n (30|31|32|33|34|35) ?? // xor dl, bl\n 8d ?? ?? // lea ebx, [edi+eax]\n 2? ?? ?? // and dl, byte [ecx+esi]\n 8d ?? ?? ?? // lea ecx, [esi+edi-0x1]\n 8? ?? 07 // and ebx, 0x7\n 0f (b6|b7) ?? ?? // movzx ecx, byte [ecx+eax]\n 0f af ?? // imul ecx, eax\n (c0|c1) ?? 07 // shr ecx, 0x7\n (30|31|32|33|34|35) ?? ?? // xor cl, byte [ebx+esi]\n 02 ?? // add dl, cl\n 8? ?? ?? // mov ecx, dword [ebp-0x14 {var_18_1}]\n 30 ?? // xor byte [ecx], dl\n 8? ?? ?? // mov ecx, dword [ebp-0x8 {i_1}]\n 4? // inc ecx\n 4? // inc eax\n 8? ?? 08 // cmp ecx, 0x8\n }\n\n $s_custom_decryption_function03 = {\n 8? ?? 07 // and edx, 0x7\n 03 ?? // add edi, eax\n 02 ?? // add bl, cl\n 8? ?? 07 // and edi, 0x7\n 8? ?? ?? // mov dl, byte [edx+esi]\n (30|31|32|33|34|35) ?? // xor dl, bl\n 2? ?? ?? // and dl, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp-0x4 {var_8_3}]\n 0f (b6|b7) ?? ?? // movzx ebx, byte [eax+edi]\n 8? ?? ?? // mov edi, dword [ebp-0x8 {var_c_1}]\n 0f af ?? // imul ebx, eax\n 03 ?? // add edi, eax\n 8? ?? 07 // and edi, 0x7\n (c0|c1) ?? 07 // shr ebx, 0x7\n (30|31|32|33|34|35) ?? ?? // xor bl, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp+0x8 {arg1}]\n 02 ?? // add dl, bl\n (30|31|32|33|34|35) ?? ?? // xor byte [eax+edi], dl\n 4? // inc ecx\n 4? // inc eax\n }\n\n $s_custom_decryption_function04 = {\n 8? ?? 07 // and ebx, 0x7\n (30|31|32|33|34|35) ?? ?? // xor dl, byte [ebx+esi]\n 8d ?? ?? ?? // lea ebx, [edi+eax+0x1]\n 8? ?? 07 // and ebx, 0x7\n 2? ?? ?? // and dl, byte [ebx+esi]\n 4? // inc ecx\n 8? ?? // mov bl, dl\n 8d ?? ?? ?? // lea edx, [esi+edi-0x1]\n 0f (b6|b7) ?? ?? // movzx edx, byte [edx+eax]\n 0f af ?? // imul edx, eax\n 03 ?? // add edi, eax\n (c0|c1) ?? 07 // shr edx, 0x7\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor dl, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp-0x8 {var_c_1}]\n 02 da // add bl, dl\n 8? ?? ?? // mov edx, dword [ebp+0x8 {arg1}]\n (30|31|32|33|34|35) ?? ?? // xor byte [edx+eax], bl\n 4? 
// inc eax\n 8? ?? 08 // cmp ecx, 0x8\n }\n\n $s_custom_decryption_function05 = {\n 8? ?? 07 // and ecx, 0x7\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor bl, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp-0x14 {var_18_1}]\n 2? ?? ?? // and bl, byte [ecx+esi]\n 8? ?? ?? // mov ecx, dword [ebp-0x18 {var_1c_1}]\n 0f (b6|b7) ?? ?? // movzx ecx, byte [eax+ecx]\n 0f af ?? // imul ecx, eax\n 03 ?? // add edi, eax\n (c0|c1) ?? 07 // shr ecx, 0x7\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor cl, byte [edi+esi]\n 4? // inc eax\n 02 ?? // add bl, cl\n 8? ?? ?? // mov ecx, dword [ebp+0x8 {arg1}]\n (30|31|32|33|34|35) ?? ?? ?? // xor byte [eax+edx-0x1], bl\n 4? // inc ecx\n }\n\n $s_custom_decryption_function_may2024_06 = {\n (80|81|82|83) ?? 02 // sub bl, 0x2\n 8? ?? // mov bh, bl\n (00|01|02|03|04|05) ?? // add bh, dl\n 8? ?? ?? // mov edx, dword [ebp+0xc {arg3}]\n 8? ?? // mov eax, edi\n 83 ?? 07 // and eax, 0x7\n (30|31|32|33|34|35) ?? ?? // xor bh, byte [eax+edx]\n 8? ?? ?? // mov eax, dword [ebp+0xc {arg3}]\n 8? ?? // mov edx, ecx\n 83 ?? 07 // and edx, 0x7\n 4? // dec ecx\n 2? ?? ?? // and bh, byte [edx+eax]\n 8? ?? ?? ?? // mov dl, byte [eax+ecx-0x1]\n (00|01|02|03|04|05) ?? // add dl, bl\n (00|01|02|03|04|05) ?? ?? // add dl, byte [ebp-0x1 {var_5_1}]\n 83 ?? 07 // and ecx, 0x7\n (c0|c1) ?? 04 // shl dl, 0x4\n (30|31|32|33|34|35) ?? ?? // xor dl, byte [ecx+eax]\n 8? ?? // mov al, bh\n (f6|f7) ?? // imul dl\n (30|31|32|33|34|35) ?? // xor byte [esi], al\n 8? ?? ?? // mov dl, byte [ebp-0x1 {var_5_1}]\n 8? cf // mov ecx, edi\n 8d ?? ?? // lea eax, [ecx-0x2]\n 8? ?? 08 // cmp eax, 0x8\n }\n\n $s_custom_decryption_function_may2024_07 = {\n (80|81|82|83) ?? 02 // sub bl, 0x2\n 8? c7 // mov eax, edi\n 83 ?? 07 // and eax, 0x7\n 8? ?? // mov dh, bl\n 0? ?? // add dh, bh\n (30|31|32|33|34|35) ?? ?? // xor dh, byte [eax+ecx]\n 8? ?? ?? // mov eax, dword [ebp+0xc {arg3}]\n 8? ?? ?? // mov ecx, dword [ebp-0x8 {var_c_1}]\n 83 ?? 
07 // and ecx, 0x7\n 2? ?? ?? // and dh, byte [ecx+eax]\n 8? ?? ?? // mov ecx, dword [ebp-0x8 {var_c_1}]\n 4? // dec ecx\n 8? ?? ?? ?? // mov dl, byte [ecx+eax-0x1]\n (00|01|02|03|04|05) ?? // add dl, bl\n (00|01|02|03|04|05) ?? // add dl, bh\n 83 ?? 07 // and ecx, 0x7\n (c0|c1) ?? 04 // shl dl, 0x4\n (30|31|32|33|34|35) ?? ?? // xor dl, byte [ecx+eax]\n 8? ?? ?? // mov ecx, dword [ebp+0xc {arg3}]\n 8? ?? // mov al, dh\n (f6|f7) ?? // imul dl\n (30|31|32|33|34|35) ?? // xor byte [esi], al\n }\n\n $s_custom_decryption_function_08 = {\n 8d ?? ?? // lea eax, [ecx+0x1]\n 8? ?? ?? // mov dword [ebp+0x14 {arg4}], eax\n 8? ?? ?? ?? // mov al, byte [esi+ecx-0x2]\n (00|01|02|03|04|05) ?? // add al, bl\n 8d ?? ?? // lea edx, [ecx-0x2]\n (00|01|02|03|04|05) ?? // add al, dl\n (c0|c1) ?? 04 // shl al, 0x4\n 8d ?? ?? // lea edi, [ecx-0x1]\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor al, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp+0x14 {arg4}]\n (00|01|02|03|04|05) ?? // add bl, dl\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor bl, byte [edi+esi]\n 8? ?? // mov edx, ecx\n 8? ?? 07 // and edx, 0x7\n 2? ?? ?? // and bl, byte [edx+esi]\n 8? ?? ?? // mov edx, dword [ebp-0x8 {var_c_1}]\n (f6|f7) ?? // imul bl\n (30|31|32|33|34|35) ?? ?? // xor byte [edx+ecx], al\n 8? ?? ?? // mov ecx, dword [ebp+0x14 {arg4}]\n 8d ?? ?? // lea eax, [ecx-0x2]\n 8? ?? 08 // cmp eax, 0x8\n }\n\n $s_custom_decryption_function_09 = {\n 8d ?? ?? // lea ecx, [edx+0x1]\n 8? ?? ?? // mov dword [ebp+0x10 {arg3}], ecx\n 8d ?? ?? // lea ecx, [edx-0x2]\n (00|01|02|03|04|05) ?? // add al, cl\n (00|01|02|03|04|05) ?? // add al, bl\n (c0|c1) ?? 04 // shl al, 0x4\n 8d ?? ?? // lea edi, [edx-0x1]\n 8? ?? 07 // and edi, 0x7\n (30|31|32|33|34|35) ?? ?? // xor al, byte [edi+esi]\n 8? ?? ?? // mov edi, dword [ebp+0x10 {arg3}]\n 8? ?? 07 // and edi, 0x7\n (00|01|02|03|04|05) ?? // add cl, bl\n (30|31|32|33|34|35) ?? ?? // xor cl, byte [edi+esi]\n 8? ?? // mov edi, edx\n 8? ?? 
07 // and edi, 0x7\n 2? ?? ?? // and cl, byte [edi+esi]\n (f6|f7) ?? // imul cl\n 8? ?? ?? // mov ecx, dword [ebp+0x8 {arg1}]\n (30|31|32|33|34|35) ?? ?? // xor byte [edx+ecx], al\n 8? ?? ?? // mov edx, dword [ebp+0x10 {arg3}]\n 8d ?? ?? // lea eax, [edx-0x2]\n }\n\n $s_dll_name01 = \"tf394kv.dll\" ascii wide fullword\n $s_dll_name02 = \"msdetltemp.dll\" ascii wide fullword\n\n condition:\n 1 of ($s_*)\n}\n", "rule_count": 1, "rule_names": [ "azzy" ], "rule_creation_date": "2024-07-08", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Azzy" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1518", "attack.t1036", "attack.t1083", "attack.t1018", "attack.t1055", "attack.t1057", "attack.t1574", "attack.t1027.013", "attack.t1129", "attack.t1574.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-backstab_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585387Z", "creation_date": "2026-03-23T11:46:25.585389Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585394Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Yaxser/Backstab/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "backstab.yar", "content": "rule backstab {\n meta:\n title = \"Backstab HackTool\"\n id = \"44d66868-af5c-443d-9eaf-c912ea34384f\"\n description = \"Detects the Backstab hacktool.\\nBackstab is a tool that leverages the Microsoft ProcExp driver to kill protected processes. It loads the Microsoft driver using NtLoadDriver to avoid creating a service, then enumerates process handles and kills the one specified.\\nIt is recommended to investigate for any unusual process termination activities.\"\n references = \"https://github.com/Yaxser/Backstab/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-05-26\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n os = \"Windows\"\n classification = \"Windows.HackTool.Backstab\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 307eb30c7d3640ca11f564b1dbbb7a133236c3c9b45192ddcb317477a9f54b59\n\n $s1 = \"procexp.sys\" wide\n $s2 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\%w\" wide\n $s3 = \"Backstab.pdb\" ascii\n $s4 = \"Handle Type Device\" fullword ascii\n $s5 = \"=======================\" fullword ascii\n $s6 = \"[%#5llx] [%ws] %ws\" fullword ascii\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "backstab" ], "rule_creation_date": "2023-05-26", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Backstab" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-bananaphone_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588434Z", "creation_date": "2026-03-23T11:46:25.588436Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588441Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf\nhttps://github.com/C-Sto/BananaPhone" ], "name": "bananaphone.yar", "content": "rule bananaphone {\n meta:\n title = \"BananaPhone Hell's Gate Technique\"\n id = \"67a10c5e-aa66-4bcd-bc7e-d40729e7a45c\"\n description = \"Detects BananaPhone, a Hell's Gate technique implementation in GoLang.\\nBananaPhone is designed to bypass usermode hooking mechanisms used by EDRs (Endpoint Detection and Response) through direct syscalls. 
This technique allows it to evade detection by avoiding usermode hooks commonly employed by security tools.\\nIt is recommended to investigate the process that matches this rule for potential malicious content, either within the binary itself or in its memory.\"\n references = \"https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf\\nhttps://github.com/C-Sto/BananaPhone\"\n date = \"2023-07-10\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.HellsGate\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // c5af2d7f1813d5388226f88b3791ac6f2d5592c39e3e3e6c6db97dd108518159\n\n // https://github.com/C-Sto/BananaPhone/blob/master/pkg/BananaPhone/asm_x64.s\n $syscall = {\n 48 31 C0 // xor rax, rax\n 66 8B 44 24 08 // mov ax, [rsp+arg_0]\n 51 // push rcx\n 48 8B 4C 24 20 // mov rcx, [rsp+8+arg_10]\n 48 8B 74 24 18 // mov rsi, [rsp+8+arg_8]\n 65 48 8B 3C 25 30 00 00 00 // mov rdi, gs:30h\n C7 47 68 00 00 00 00 // mov dword ptr [rdi+68h], 0\n 48 81 EC 80 00 00 00 // sub rsp, 80h\n 83 F9 04 // cmp ecx, 4\n 7E 11 // jle short loc_4BB560\n 83 F9 10 // cmp ecx, 10h\n 7E 02 // jle short loc_4BB556\n CD 03 // int 3\n\n // loc_4BB556:\n 48 89 E7 // mov rdi, rsp\n FC // cld\n F3 48 A5 // rep movsq\n 48 89 E6 // mov rsi, rsp\n\n // loc_4BB560:\n 48 83 EC 08 // sub rsp, 8\n 48 8B 0E // mov rcx, [rsi]\n 48 8B 56 08 // mov rdx, [rsi+8]\n 4C 8B 46 10 // mov r8, [rsi+10h]\n 4C 8B 4E 18 // mov r9, [rsi+18h]\n 66 48 0F 6E C1 // movq xmm0, rcx\n 66 48 0F 6E CA // movq xmm1, rdx\n 66 49 0F 6E D0 // movq xmm2, r8\n 66 49 0F 6E D9 // movq xmm3, r9\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n 48 81 C4 88 00 00 00 // add rsp, 88h\n 59 // pop rcx\n 89 44 24 28 // mov [rsp+arg_20], eax\n C3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ 
"bananaphone" ], "rule_creation_date": "2023-07-10", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.HellsGate" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-beavertail_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576543Z", "creation_date": "2026-03-23T11:46:25.576545Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576551Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\nhttps://objective-see.org/blog/blog_0x7A.html\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\nhttps://attack.mitre.org/groups/G0032/" ], "name": "beavertail.yar", "content": "rule beavertail {\n meta:\n title = \"BeaverTail Trojan\"\n id = \"e3693118-2972-411c-9ac6-5fc784ecf40c\"\n description = \"Detects BeaverTail, a Trojan that can be distributed through NPM packages or a fake installer that impersonates a legitimate application.\\nBeaverTail is linked to the Lazarus 
Group (also known as APT38 or DPRK), a North Korean state-sponsored cyber threat group.\\nThis malware is designed for information theft, including stealing cryptocurrency wallets and credit card information stored in the victim's web browsers.\\nIt is recommended to check for any suspicious activity in the user's web browsers.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\\nhttps://objective-see.org/blog/blog_0x7A.html\\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\\nhttps://attack.mitre.org/groups/G0032/\"\n date = \"2024-10-23\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1539;attack.t1555.003;attack.command_and_control;attack.t1571;attack.exfiltration;attack.t1041\"\n classification = \"Trojan.BeaverTail\"\n context = \"process,memory,thread\"\n os = \"Windows,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 91f96f2ddfa293806ec3effb8e05bc6941660237de90215b23281d706a2bc706\n // 0d8119f01d727beacbe6fe877541b3c11b084ffdc53c8bae436aca3dbc197076\n // 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd\n // 24b89c77eaeebd4b02c8e8ab6ad3bd7abaa18893ecd469a6a04eda5e374dd305\n\n $s1 = \"form-data; name=\\\"multi_file\\\"; filename=\\\"%1\\\"\" ascii fullword\n $s2 = \"/pdown\" ascii fullword\n $s3 = \"/client/99\" ascii fullword\n $s4 = \"/.pyp/python.exe\" ascii fullword\n $s5 = \"Download Python Success!\" ascii fullword\n\n $data1 = \"/AppData/Local/Google/Chrome/User Data\" ascii fullword\n $data2 = \"/.config/google-chrome\" ascii fullword\n $data3 = \"/Library/Application Support/Google/Chrome\" ascii fullword\n $data4 = \"/AppData/Local/BraveSoftware/Brave-Browser/User Data\" ascii fullword\n $data5 = \"/.config/BraveSoftware/Brave-Browser\" ascii fullword\n $data6 = \"/Library/Application Support/BraveSoftware/Brave-Browser\" ascii fullword\n $data7 = \"/AppData/Roaming/Opera Software/Opera Stable\" 
ascii fullword\n $data8 = \"/.config/opera\" ascii fullword\n $data9 = \"/Library/Application Support/com.operasoftware.opera\" ascii fullword\n $data10 = \"/Library/Keychains/login.keychain-db\" ascii fullword\n\n $wallet1 = \"nkbihfbeogaeaoehlefnkodbefgpgknn\" ascii fullword\n $wallet2 = \"ejbalbakoplchlghecdalmeeeajnimhm\" ascii fullword\n $wallet3 = \"fhbohimaelbohpjbbldcngcnapndodjp\" ascii fullword\n $wallet4 = \"hnfanknocfeofbddgcijnmhnfnkdnaad\" ascii fullword\n $wallet5 = \"ibnejdfjmmkpcnlpebklmnkoeoihofec\" ascii fullword\n $wallet6 = \"bfnaelmomeimhlpmgjnjophhpkkoljpa\" ascii fullword\n $wallet7 = \"aeachknmefphepccionboohckonoeemg\" ascii fullword\n $wallet8 = \"hifafgmccdpekplomjjkcfgodnhcellj\" ascii fullword\n $wallet9 = \"jblndlipeogpafnldhgmapagcccfchpi\" ascii fullword\n $wallet10 = \"acmacodkjbdgmoleebolmdjonilkdbch\" ascii fullword\n $wallet11 = \"dlcobpjiigpikoobohmabehhmhfoodbb\" ascii fullword\n $wallet12 = \"mcohilncbfahbmgdjkbpemcciiolgcge\" ascii fullword\n $wallet13 = \"agoakfejjabomempkjlepdflaleeobhb\" ascii fullword\n $wallet14 = \"omaabbefbmiijedngplfjmnooppbclkk\" ascii fullword\n $wallet15 = \"aholpfdialjgjfhomihkjbmgjidlcdno\" ascii fullword\n $wallet16 = \"nphplpgoakhhjchkkhmiggakijnkhfnd\" ascii fullword\n $wallet17 = \"penjlddjkjgpnkllboccdgccekpkcbin\" ascii fullword\n $wallet18 = \"lgmpcpglpngdoalbgeoldeajfclnhafa\" ascii fullword\n $wallet19 = \"fldfpgipfncgndfolcbkdeeknbbbnhcc\" ascii fullword\n $wallet20 = \"bhhhlbepdkbapadjdnnojkbgioiodbic\" ascii fullword\n $wallet21 = \"gjnckgkfmgmibbkoficdidcljeaaaheg\" ascii fullword\n $wallet22 = \"afbcbjpbpfadlkmhmclhkeeodmamcflc\" ascii fullword\n\n condition:\n 2 of ($s*) and\n 2 of ($data*) and\n 2 of ($wallet*)\n}\n", "rule_count": 1, "rule_names": [ "beavertail" ], "rule_creation_date": "2024-10-23", "rule_modified_date": "2025-07-07", "rule_os": [ "macos", "windows" ], "rule_classifications": [ "Trojan.BeaverTail" ], "rule_tactic_tags": [ "attack.command_and_control", 
"attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1555.003", "attack.t1539", "attack.t1571", "attack.t1041" ], "rule_score": 100, "rule_context": [ "thread", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bedevil_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564092Z", "creation_date": "2026-03-23T11:46:25.564094Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564100Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Error996/bdvl\nhttps://dfir.ch/posts/bedevil_dynamic_linker_patching/\nhttps://unit42.paloaltonetworks.com/muddled-libra/" ], "name": "bedevil.yar", "content": "rule bedevil_rootkit {\n meta:\n title = \"Bedevil Rootkit\"\n id = \"2dca504a-0e34-4552-9823-720848c06cc6\"\n description = \"Detects the Bedevil (bdvl) Rootkit.\\nBedevil is a userland rootkit that leverages LD_PRELOAD to patch the dynamic linker.\\nThis allows it to intercept and control most function calls, establishing persistence.\"\n references = \"https://github.com/Error996/bdvl\\nhttps://dfir.ch/posts/bedevil_dynamic_linker_patching/\\nhttps://unit42.paloaltonetworks.com/muddled-libra/\"\n 
date = \"2024-11-14\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.persistence;attack.t1574;attack.defense_evasion;attack.t1014;attack.t1070.004;attack.t1564;attack.command_and_control;attack.t1095;attack.t1071\"\n classification = \"Linux.Rootkit.Bedevil\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c8a684ff72072f62743b768b41cf648f0845acd688043173157e1b8c31e50540\n // 1cb267482c67365727cc448457757bdb0a0b2cd7fe71d5a8a8a8a88ee634d281\n\n $generic_s1 = \"Removing other bdvl paths\" ascii fullword\n $generic_s2 = \"SELinux is disabled. Good.\" ascii fullword\n $generic_s3 = \"Accept backdoor port:\" ascii\n $generic_s4 = \"Killing ICMP backdoor\" ascii fullword\n $generic_s5 = \"LD_PRELOAD\" ascii fullword\n $generic_s6 = \"/lib/libresid-bui/\" ascii\n $generic_s7 = \"Hidden port(s):\" ascii\n $generic_s8 = \"*/bdvprep\" ascii fullword\n $generic_s9 = \"*ld-*.so\" ascii\n\n // https://github.com/Error996/bdvl/blob/a3c982f8e3ae8fe70227f1956f03c71a893507ef/inc/hooks/libdl/gsym.c#L21\n $stub_hook = {\n C7 85 ?? ?? ?? ?? ?? 00 00 00 // mov dword ptr [rbp-0xD0], 0x08\n C7 85 ?? ?? ?? ?? ?? 00 00 00 // mov dword ptr [rbp-0xCC], 0x30\n 48 8D 45 ?? // lea rax, [rbp+0x10]\n 48 89 85 ?? FF FF FF // mov [rbp-0xC8], rax\n 48 8D 85 ?? FF FF FF // lea rax, [rbp-0xB0]\n 48 89 85 ?? FF FF FF // mov [rbp-0xC0], rax\n EB ?? // jmp .3\n 83 BD ?? FF FF FF 59 // cmp dword ptr [rbp-0xB4], 0x59\n [2-4]\n 48 8B 95 ?? FF FF FF // mov rdx, [rbp-0xD8]\n 8B 85 ?? FF FF FF // mov eax, [rbp-0xB4]\n 48 89 D6 // mov rsi, rdx\n 89 C7 // mov edi, eax\n E8 ?? ?? FF FF // call jmp_get_symbol_pointer()\n }\n\n // https://github.com/Error996/bdvl/blob/a3c982f8e3ae8fe70227f1956f03c71a893507ef/inc/util/install/ldpatch/patch.c#L42\n $stub_ldpatch_memcpy = {\n 8B 45 ?? // mov eax, [rbp-0x??]\n 8D 50 ?? // lea edx, [rax+0x01]\n 89 55 ?? 
// mov [rbp-0x??], edx\n 48 63 D0 // movsxd rdx, eax\n 48 8B 85 ?? FF FF FF // mov rax, [rbp-0x??]\n [3-4]\n 8B ?5 ?? // mov e?x, [rbp-0x?8]\n 48 63 ?? // movsxd r?x, e?x\n 48 8B ?5 ?? // mov r?x, [rbp-0x?8]\n 48 01 ?? // add rdx, rcx\n [5-16]\n 83 45 ?? 01 // add dword ptr [rbp-0x?8], 0x01\n }\n\n // https://github.com/Error996/bdvl/blob/a3c982f8e3ae8fe70227f1956f03c71a893507ef/inc/util/install/install.c#L13\n $stub_anselinux = {\n E8 ?? ?? FF FF // call _hook\n 48 8B 05 ?? ?? 00 00 // mov rax, qword [rel symbols]\n 48 8B 90 98 01 00 00 // mov rdx, qword [rax+0x198]\n BE 00 00 00 00 // mov esi, 0x0\n 48 8D ?? ?? ?? 00 00 // lea rax, [rel data_18d5c]\n [0-3]\n B8 00 00 00 00 // mov eax, 0x0\n FF D2 // call rdx\n 89 45 FC // mov dword [rbp-0x4], eax\n 83 7D FC 00 // cmp dword [rbp-0x4], 0x0\n 74 13 // je 0xe2ac\n }\n\n condition:\n uint16(0) == 0x457f and (all of ($stub_*) or 6 of ($generic_s*))\n}\n", "rule_count": 1, "rule_names": [ "bedevil_rootkit" ], "rule_creation_date": "2024-11-14", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Bedevil" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071", "attack.t1070.004", "attack.t1095", "attack.t1564", "attack.t1574", "attack.t1014" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bitter_apt_reverse_shell_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, 
"is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576307Z", "creation_date": "2026-03-23T11:46:25.576310Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576315Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/groups/G1002/" ], "name": "bitter_apt_reverse_shell.yar", "content": "rule bitter_apt_reverse_shell {\n meta:\n title = \"Bitter APT Reverse Shell\"\n id = \"8f996d75-0ec5-4e9a-b6e3-933cd4dd6ae6\"\n description = \"Detects the Bitter APT reverse shell.\\nBitter APT (aka APT17) is a suspected South Asian cyber espionage group active since at least 2013. They employ reverse shells for command and control, and this rule detects a custom built reverse shell attributed to this APT.\\nIt is recommended to investigate related network communication, quarantine detected files and to look for further malicious actions on the host.\"\n references = \"https://attack.mitre.org/groups/G1002/\"\n date = \"2024-10-11\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1566.001;attack.execution;attack.t1204.002;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Trojan.ReverseShell\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // bc721a6e24dd92f5f74799e44d6dab58cb69a87e2dd8b48136b31cd19af2bed7\n // 5eb7a6322b37de5b30a8f256f10a4008b600b1345a8ef6f18da6e99f2f19b4f5\n // 5de9131252e6bc5a336516b9de4d7e0e0e2e3cde38ace85dbda39a3a166eb1a5\n\n $f1 = \"\" ascii\n $f2 = \"\" ascii\n $f3 = \"\" ascii\n\n $s1 = \"(?<=^| 
)(\\\"[^\\\"]*\\\"|\\\\S+)(?=$| )\" wide fullword\n $s2 = \"Attempting to reconnect in 5 seconds...\" wide fullword\n $s3 = \"Failed to upload {0} to {1}: {2}\" wide fullword\n\n condition:\n 2 of ($f*) and 2 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "bitter_apt_reverse_shell" ], "rule_creation_date": "2024-10-11", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.ReverseShell" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1566.001", "attack.t1204.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-blackout_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576021Z", "creation_date": "2026-03-23T11:46:25.576023Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576029Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ZeroMemoryEx/Blackout/\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": 
"blackout.yar", "content": "rule blackout {\n meta:\n title = \"Blackout HackTool\"\n id = \"22ff49d7-43a4-4641-82c3-012936d91882\"\n description = \"Detects the Blackout HackTool.\\nBlackout is a tool that leverages the gmer64.sys vulnerable driver to terminate protected processes.\"\n references = \"https://github.com/ZeroMemoryEx/Blackout/\\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-05-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.privilege_escalation;attack.t1068\"\n os = \"Windows\"\n classification = \"Windows.HackTool.Blackout\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f6831e2507070ad6788784d9295f50e070d1849e219f9fc60ab9a1ccdc181609\n\n $s1 = \"DeviceIoControl failed. Error: %X\" ascii\n $s2 = \"Blackout.pdb\" ascii\n $s3 = \"Terminating Windows Defender ..\" ascii\n $s4 = \"Usage: Blackout.exe -p \" ascii\n $s5 = \"faild to load driver ,try to run the program as administrator!!\" ascii\n $s6 = \"Blackout.sys\" ascii\n\n $killer_device = \"\\\\\\\\.\\\\blackout\" wide ascii\n $killer_winapi_01 = \"CreateFile\" wide ascii\n $killer_winapi_02 = \"DeviceIoControl\" wide ascii\n $killer_winapi_03 = \"CreateToolhelp32Snapshot\" wide ascii\n $killer_winapi_04 = \"Process32First\" wide ascii\n $killer_winapi_05 = \"Process32Next\" wide ascii\n $killer_winapi_06 = \"OpenSCManager\" wide ascii\n $killer_winapi_07 = \"OpenService\" wide ascii\n $killer_winapi_08 = \"StartService\" wide ascii\n $killer_winapi_09 = \"CreateService\" wide ascii\n $killer_ioctl_kill = { (98 76 C0 94|94 c0 76 98) }\n $killer_ioctl_init = { (98 76 C0 04|04 c0 76 98) }\n\n condition:\n 2 of ($s*)\n or all of ($killer_*)\n}\n", "rule_count": 1, "rule_names": [ "blackout" ], "rule_creation_date": "2023-05-26", "rule_modified_date": 
"2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Blackout" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bokuloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581085Z", "creation_date": "2026-03-23T11:46:25.581088Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581093Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/boku7/BokuLoader\nhttps://www.cobaltstrike.com/product/features/user-defined-reflective-loader\nhttps://attack.mitre.org/software/S0154/" ], "name": "bokuloader.yar", "content": "rule bokuloader {\n meta:\n title = \"BokuLoader Cobalt Strike Reflective Loader\"\n id = \"67807402-9574-4cd6-b850-f4f185486a58\"\n description = \"Detects BokuLoader, a Cobalt Strike User-Defined Reflective Loader (UDRL) written in Assembly & C that employs features like sleepmask, cleanup, and obfuscation for advanced evasion.\"\n references = 
\"https://github.com/boku7/BokuLoader\\nhttps://www.cobaltstrike.com/product/features/user-defined-reflective-loader\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-03-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 204c249efc7333d3f1ec9203bb25f70ac64f75f5521ef7289e7674e6be8ba86f\n // 375406fb18237f91d73de296937960f83ce468c417e02b15ea3ebcae4ef1ae8e\n // 7573b38ed00c92326ec123acca758f5a5e27c8ef8f80bcb02fe171dfd191066b\n\n $asm = {\n // spoof_synthetic_callstack:\n 4C 89 E0 // mov rax, r12\n 49 89 FA // mov r10, rdi\n 49 89 F3 // mov r11, rsi\n 41 5C // pop r12\n 48 8B 7C 24 20 // mov rdi, [rsp-8+arg_20]\n 48 8B 74 24 28 // mov rsi, [rsp-8+arg_28]\n 4C 89 57 18 // mov [rdi+18h], r10\n 4C 89 5F 58 // mov [rdi+58h], r11\n 48 89 47 60 // mov [rdi+60h], rax\n 4C 89 6F 68 // mov [rdi+68h], r13\n 4C 89 77 70 // mov [rdi+70h], r14\n 4C 89 7F 78 // mov [rdi+78h], r15\n\n // prepare_synthetic_stack_frames:\n 4D 31 DB // xor r11, r11\n 4C 8B 6C 24 30 // mov r13, [rsp-8+arg_30]\n 4D 31 F6 // xor r14, r14\n 49 83 C6 08 // add r14, 8\n 4C 03 77 38 // add r14, [rdi+38h]\n 4C 03 77 30 // add r14, [rdi+30h]\n 4C 03 77 20 // add r14, [rdi+20h]\n 49 83 EE 20 // sub r14, 20h\n 49 89 E2 // mov r10, rsp\n 49 83 C2 30 // add r10, 30h\n\n // loop_move_api_call_stack_args:\n 4D 31 FF // xor r15, r15\n 4D 39 EB // cmp r11, r13\n 74 1A // jz short create_synthetic_stack_frames\n 49 83 EE 08 // sub r14, 8\n 49 89 E7 // mov r15, rsp\n 4D 29 F7 // sub r15, r14\n 49 83 C2 08 // add r10, 8\n 41 FF 32 // push qword ptr [r10]\n 41 8F 07 // pop qword ptr [r15]\n 49 83 C3 01 // add r11, 1\n EB DE // jmp short loop_move_api_call_stack_args\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ 
"bokuloader" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bruteratel_badger_32d0c9b21294_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569676Z", "creation_date": "2026-03-23T11:46:25.569678Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569684Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" ], "name": "bruteratel_badger_32d0c9b21294.yar", "content": "rule bruteratel_badger_32d0c9b21294 {\n meta:\n title = \"Bruteratel Badger (32d0c9b21294)\"\n id = \"a81481e9-8707-4988-9126-32d0c9b21294\"\n description = \"Detects the Bruteratel framework's badger.\\nThe badger is the beacon allowing command and control operations in the Bruteratel framework.\\nThe badger has extensive abilities to spy and control the host computer, as well as defense evasion 
techniques.\"\n references = \"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\"\n date = \"2022-10-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1055.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Framework.BruteRatel\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ca703f2e65e858b4cb16285c5f9d6934f01f0947218e7f68f19d7874c21f018e\n // 3a7230ce8b7a79036e540c5cc6017c544e3a95f49733514fc223d3aff4e9dc02\n // dbb0435fc3a6b899b005ad8cda2bf242ac3f85ddf1db7752633d6d1a2c21cc66\n // 14665efaff0218648bd8d69cbeb22b1d10754a5c55725eb9e8bbe6d704c455a2\n // 46477979e3f3fab2b15490eac18cf486d6fdd5870faa5afa5654f1a0deb28c81\n\n\n $syscall_hash_01 = { BD CA 3B D3 } // NtAllocateVirtualMemory\n $syscall_hash_02 = { B2 C1 06 AE } // NtWaitForSingleObject\n $syscall_hash_03 = { 89 4D 39 8C } // NtProtectVirtualMemory\n $syscall_hash_04 = { 74 EB 1D 4D } // NtCreateThreadEx\n $syscall_hash_05 = { 26 25 19 3E } // RtlAllocateHeap\n $syscall_hash_06 = { B8 12 DA 00 } // RtlFreeHeap\n $syscall_hash_07 = { 89 4D 39 8C } // NtProtectVirtualMemory\n $syscall_hash_08 = { 5D 91 6B EC } // LdrGetDllHandleEx\n $syscall_hash_09 = { 07 C4 4C E5 } // LdrGetProcedureAddress\n $syscall_hash_10 = { 5B BC 4A 6A } // kernel32.dll\n $syscall_hash_11 = { B8 0A 4C 53 } // NtFlushInstructionCache\n $syscall_hash_12 = { 8E 4E 0E EC } // LoadLibraryA\n $syscall_hash_13 = { AA FC 0D 7C } // GetProcAddress\n\n // Manual stack reconstruction\n $stack_recons = {\n ( BE | BF | B9 | BA ) [4] // mov rax, 67685635h\n ( 56 | 57 | 50 | 52 ) // push rax\n }\n\n // Syscall hash calculation\n $fct_1 = {\n 0F BE 13 // movsx edx, byte ptr [ebx]\n 84 D2 // test dl, dl\n 74 ?? // jz short loc_402E92\n D3 C8 // ror eax, cl\n 43 // inc ebx\n 01 D0 // add eax, edx\n EB ?? 
// jmp short loc_402E84\n }\n\n // Userland hooking search\n $fct_2 = {\n 89 C2 // mov edx, eax\n 83 E8 20 // sub eax, 20h ; ' '\n 0F B6 4A E0 // movzx ecx, byte ptr [edx-20h]\n 80 F9 E9 // cmp cl, 0E9h ; 'é'\n 74 ?? // jz short loc_457761\n 80 78 03 E9 // cmp byte ptr [eax+3], 0E9h ; 'é'\n 75 ?? // jnz short loc_457775\n }\n\n condition:\n #stack_recons > 100\n and 5 of ($syscall_hash_*)\n and 1 of ($fct_*)\n}\n", "rule_count": 1, "rule_names": [ "bruteratel_badger_32d0c9b21294" ], "rule_creation_date": "2022-10-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.BruteRatel" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bruteratel_badger_9cf7af8b46ae_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569736Z", "creation_date": "2026-03-23T11:46:25.569738Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569744Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" ], "name": "bruteratel_badger_9cf7af8b46ae.yar", "content": "rule bruteratel_badger_9cf7af8b46ae {\n meta:\n title = \"Bruteratel Badger (9cf7af8b46ae)\"\n id = \"bd6b8fc4-2dd6-431c-88d9-9cf7af8b46ae\"\n description = \"Detects the Bruteratel framework's badger.\\nThe badger is the beacon allowing command and control operations in the Bruteratel framework.\\nThe badger has extensive abilities to spy and control the host computer, as well as defense evasion techniques.\"\n references = \"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\"\n date = \"2022-07-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1055.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Framework.BruteRatel\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069\n // 3ed21a4bfcf9838e06ad3058d13d5c28026c17dc996953a22a00f0609b0df3b9\n // 38df138344f537f004f1d553bf29c896a9f4107a3677b99b3087f918e7aad386\n // 384ea66eb3f27c9adc9d0f23a975d94c226d59fcaf828c64ae259fa303a0115c\n // 2d6db36009e135439a1e43d936a721f53b678073998d2d51239f0c9c36fea372\n // 6ce6d68784199f2bb6890edc6e5304b859810fcee5e78ed7ab56fc30069e4323\n // 25fc7b50fdeee75ec577f456b961b0e4ad1fce9e728c06f95f41e08d60d49320\n // 63fa9da092e2f054035e4d3d8adc2158ac415f15ea582206624d0fb748734d9a\n // 5856c8c6fb4387e174a2b7f072a9bb321aa1378e6aaac64eafb63a944d64e7e4\n // 0527c6a1d42aef486937efa3a3415b668b2247ca87e6c53218abc532f3bf3ec6\n // 48204c5d86ffc68a3abc44423a78240c41fedb8179bea3432e43fe917b0c9a9f\n\n $syscall_hash_01 = { BD CA 3B D3 } // NtAllocateVirtualMemory\n $syscall_hash_02 = { B2 C1 06 AE } // NtWaitForSingleObject\n $syscall_hash_03 = { 89 4D 39 8C } // NtProtectVirtualMemory\n $syscall_hash_04 = { 74 
EB 1D 4D } // NtCreateThreadEx\n $syscall_hash_05 = { 26 25 19 3E } // RtlAllocateHeap\n $syscall_hash_06 = { B8 12 DA 00 } // RtlFreeHeap\n $syscall_hash_07 = { 89 4D 39 8C } // NtProtectVirtualMemory\n $syscall_hash_08 = { 5D 91 6B EC } // LdrGetDllHandleEx\n $syscall_hash_09 = { 07 C4 4C E5 } // LdrGetProcedureAddress\n $syscall_hash_10 = { 5B BC 4A 6A } // kernel32.dll\n $syscall_hash_11 = { B8 0A 4C 53 } // NtFlushInstructionCache\n $syscall_hash_12 = { 8E 4E 0E EC } // LoadLibraryA\n $syscall_hash_13 = { AA FC 0D 7C } // GetProcAddress\n\n // Manual stack reconstruction\n $stack_recons_1 = {\n 48 B8 [8] // mov rax, 6768563361647245h\n 50 // push rax\n }\n\n //\n // Version specific indicators\n //\n\n // --- Pre-leak ---\n\n // Syscall number from hash\n $brute_v1_1 = {\n AC // lodsb\n 84 C0 // test al, al\n 74 ?? // jz short loc_43C90\n C1 CF 0D // ror edi, 0Dh\n 01 C7 // add edi, eax\n EB ?? // jmp short loc_43C84\n 4C 39 C7 // cmp rdi, r8\n 75 ?? // jnz short loc_43C6F\n 8B 42 ?? // mov eax, [rdx+24h]\n 48 01 E8 // add rax, rbp\n }\n\n // Userland hooking bypass\n $brute_v1_2 = {\n 80 7F F? CC // cmp byte ptr [rdi-1], 0CCh\n 74 ?? // jz short loc_43C36\n 0F B6 07 // movzx eax, byte ptr [rdi]\n 3D E9 00 00 00 // cmp eax, 0E9h\n 74 ?? // jz short loc_43C04\n 0F B6 47 ?? // movzx eax, byte ptr [rdi+3]\n 3D E9 00 00 00 // cmp eax, 0E9h\n 8B 07 // mov eax, [rdi]\n 3D 4C 8B D1 B8 // cmp eax, 0B8D18B4Ch\n }\n\n // --- Leaked version ---\n\n // Manual stack reconstruction\n // New version uses more registers\n $stack_recons_2 = {\n 49 BC [8] // mov r12, 6C56366479583951h\n 41 54 // push r12\n }\n\n // Syscall hash calculation\n $brute_v2_1 = {\n 49 83 C1 01 // add r9, 1\n D3 C8 // ror eax, cl\n 44 01 C0 // add eax, r8d\n 45 0F BE 01 // movsx r8d, byte ptr [r9]\n 45 84 C0 // test r8b, r8b\n 75 ?? 
// jnz short loc_544B6\n }\n\n // Userland hooking search\n $brute_v2_2 = {\n 48 89 C8 // mov rax, rcx\n 48 83 E9 20 // sub rcx, 20h ; ' '\n 44 0F B6 40 E0 // movzx r8d, byte ptr [rax-20h]\n 41 80 F8 E9 // cmp r8b, 0E9h\n 74 ?? // jz short loc_543CB\n 44 0F B6 49 03 // movzx r9d, byte ptr [rcx+3]\n 41 80 F9 E9 // cmp r9b, 0E9h\n 75 ?? // jnz short loc_543DE\n }\n\n condition:\n #stack_recons_1 > 100\n and 5 of ($syscall_hash_*)\n and (\n (1 of ($brute_v1_*))\n or (1 of ($brute_v2_*) and #stack_recons_2 > 100)\n )\n}\n", "rule_count": 1, "rule_names": [ "bruteratel_badger_9cf7af8b46ae" ], "rule_creation_date": "2022-07-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.BruteRatel" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bruteratel_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578133Z", "creation_date": "2026-03-23T11:46:25.578135Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578141Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" ], "name": "bruteratel_driver.yar", "content": "rule bruteratel_driver {\n meta:\n title = \"Bruteratel Windows Driver\"\n id = \"c04ef65f-4ac7-47c7-b613-b314511ed780\"\n description = \"Detects the Brute Ratel C4 (BRC4) framework's kernel driver. This driver is used by the badger malware to maintain persistence by injecting shellcode into winlogon.exe.\\nThe injected shellcode is executed through a ThreadWorkerFactory, which allows the malware to establish persistence and maintain communication with its command and control infrastructure.\"\n references = \"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\"\n date = \"2022-07-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1543.003;attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Malware.BruteRatel\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069\n\n $s1 = \"winlogon.exe\" fullword ascii\n $s2 = \"D:\\\\Source_Code\\\\rookit\\\\heresy\\\\heresy\\\\x64\\\\Release\\\\heresy.pdb\" fullword ascii\n $s3 = \"\\\\KnownDlls\\\\ntdll.dll\" fullword wide\n\n // WorkerFactory creation\n $op1 = {\n BA 03 00 1F 00 // mov edx, 1F0003h\n 41 FF ?? ?? // call qword ptr [r14+18h]\n 8B D8 // mov ebx, eax\n 85 C0 // test eax, eax\n 78 ?? // js short loc_140048173\n 4C 8B 4D ?? // mov r9, [rbp+CompletionPortHandle]\n 48 8D 4D ?? // lea rcx, [rbp+WorkerFactoryHandleReturn]\n B8 00 80 00 00 // mov eax, 8000h\n 48 89 7D ?? // mov [rbp+WorkerFactoryHandleReturn], rdi\n 48 89 44 24 ?? // mov [rsp+80h+var_38], rax\n 45 33 C0 // xor r8d, r8d\n 48 89 44 24 ?? // mov [rsp+80h+var_40], rax\n BA FF 00 0F 00 // mov edx, 0F00FFh\n 48 8B 45 ?? 
// mov rax, [rbp+BaseAddress]\n 44 89 64 24 ?? // mov [rsp+80h+var_48], r12d\n 48 89 7C 24 ?? // mov [rsp+80h+var_50], rdi\n 48 89 44 24 ?? // mov qword ptr [rsp+80h+Protect], rax\n 48 83 4C 24 ?? FF // or qword ptr [rsp+80h+AllocationType], 0FFFFFFFFFFFFFFFFh\n 41 FF 16 // call qword ptr [r14]\n }\n\n $op2 = {\n 48 83 65 ?? 00 // and [rbp+var_18], 0\n 48 8D 05 ?? ?? ?? ?? // lea rax, aZwcreateiocomp ; \"ZwCreateIoCompletion\"\n 48 89 45 ?? // mov [rbp+ZwCreateIoCompletionStr.Buffer], rax\n 48 8B F9 // mov rdi, rcx\n 48 8D 05 ?? ?? ?? ?? // lea rax, aPsgetprocessim ; \"PsGetProcessImageFileName\"\n C7 45 ?? 28 00 2A 00 // mov dword ptr [rbp+ZwCreateIoCompletionStr.Length], 2A0028h\n 48 8D 4D ?? // lea rcx, [rbp+ZwCreateIoCompletionStr] ; SystemRoutineName\n 48 89 45 ?? // mov [rbp+PsGetProcessImageFileNameStr.Buffer], rax\n BB 83 01 00 C0 // mov ebx, 0C0000183h\n C7 45 ?? 32 00 34 00 // mov dword ptr [rbp+PsGetProcessImageFileNameStr.Length], 340032h\n FF 15 ?? ?? ?? ?? // call cs:MmGetSystemRoutineAddress\n 48 8D 4D ?? // lea rcx, [rbp+PsGetProcessImageFileNameStr] ; SystemRoutineName\n 48 89 45 ?? // mov [rbp+ZwCreateIoCompletionAddr], rax\n FF 15 ?? ?? ?? ?? // call cs:MmGetSystemRoutineAddress\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:ZwReadFile\n 48 8D 15 ?? ?? ?? ?? 
// lea rdx, aNtcreateworker ; \"NtCreateWorkerFactory\"\n 41 BE 59 53 52 48 // mov r14d, 'HRSY'\n }\n\n\n condition:\n uint16(0) == 0x5a4d and filesize < 1MB and 3 of ($s*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "bruteratel_driver" ], "rule_creation_date": "2022-07-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.BruteRatel" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1543.003", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bruteratel_injected_badger_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567067Z", "creation_date": "2026-03-23T11:46:25.567069Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567075Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/" ], "name": "bruteratel_injected_badger.yar", "content": "rule bruteratel_injected_badger {\n meta:\n title = \"Bruteratel Memory Injected Badger\"\n id = \"50598b83-c220-4fe6-9ffb-0827860aa613\"\n 
description = \"Detects the Bruteratel framework's injected badger.\\nThe badger is the beacon allowing command and control operations in the Bruteratel framework.\\nThe badger has extensive abilities to spy and control the host computer, as well as defense evasion techniques.\"\n references = \"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/\"\n date = \"2022-08-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1055.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Framework.BruteRatel\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s01 = \"NTPASSWORD\" fullword ascii\n $s02 = \"LMPASSWORD\" fullword ascii\n $s03 = \"mem.dmp\" fullword ascii\n $s04 = \"k[+] Impersonated: '%S\\\\%S'\" fullword wide\n $s05 = \"[+] DLLs loaded in %ls\" fullword wide\n $s06 = \"[+] Hooked: 0x%p\" fullword wide\n $s07 = \"Kerberos\" fullword wide\n $s08 = \"[+] SeDebug enabled\" fullword wide\n $s09 = \"[+] DLL block enabled\" fullword wide\n $s10 = \"ROOT\\\\CIMV2\" fullword wide\n $s11 = \"[+] Token Vault\" fullword wide\n $s12 = \"[+] Domain Password Policy:\" fullword wide\n\n condition:\n 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "bruteratel_injected_badger" ], "rule_creation_date": "2022-08-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.BruteRatel" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bruteratel_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", 
"effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580659Z", "creation_date": "2026-03-23T11:46:25.580670Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580681Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" ], "name": "bruteratel_loader.yar", "content": "rule bruteratel_loader {\n meta:\n title = \"Bruteratel Loader\"\n id = \"9c390750-6412-4e07-b0b1-8151d3eceefd\"\n description = \"Detects the Bruteratel Loader.\\nThis loader injects the Bruteratel badger payload into process memory. 
The Bruteratel loader decrypts the payload and uses API calls to inject it into legitimate processes, facilitating the execution of malicious code.\"\n references = \"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/\"\n date = \"2022-07-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1055.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.BruteRatel\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c85b92d32dd1d294fadd48befbcb7efefef289de568757bc8542cc4ed149789d\n // ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669\n // 1fc7b0e1054d54ce8f1de0cc95976081c7a85c7926c03172a3ddaa672690042c\n // 06476a4e84460ff18b9260071e4c1fdf1aab0a8a7f08ac5489af3bf01d4e7139\n\n // badger payload decryption\n $op1 = {\n 4C 8D 0D ?? ?? ?? ?? // lea r9, xorkey ; \"jikoewarfkmzsdlhfnuiwaejrpaw\"\n 66 0F 1F 84 00 00 00 00 00 // nop word ptr [rax+rax+00000000h]\n 48 8B CB // mov rcx, rbx\n 48 83 F8 1C // cmp rax, 1Ch\n 48 0F 45 C8 // cmovnz rcx, rax\n 42 0F B6 04 ?? // movzx eax, byte ptr [rcx+r9]\n 30 02 // xor [rdx], al <- decryption\n 48 8D 41 01 // lea rax, [rcx+1]\n 41 FF C0 // inc r8d\n 48 8D 52 01 // lea rdx, [rdx+1]\n 41 81 F8 ?? ?? ?? ?? // cmp r8d, 493E0h <- badger's shellcode size\n 72 ?? // jb short loc_180002300\n 48 8D 95 ?? ?? ?? ?? // lea rdx, [rbp+49560h+var_49428]\n B1 01 // mov cl, 1\n E8 ?? ?? ?? ?? 
// call int_NtDelayExecution\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 1MB and $op1\n}\n", "rule_count": 1, "rule_names": [ "bruteratel_loader" ], "rule_creation_date": "2022-07-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.BruteRatel" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-bumblebee_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565412Z", "creation_date": "2026-03-23T11:46:25.565414Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565419Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\nhttps://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/" ], "name": "bumblebee_loader.yar", "content": "rule bumblebee_loader {\n meta:\n title = \"BumbleBee Loader\"\n id = \"3fa72fe6-7fc0-4df7-b58d-069e28841dab\"\n description = \"Detects 
BumbleBee, a modular Windows-based malware loader used by multiple threat groups for initial access and payload delivery.\\nThe malware is typically distributed through ISO images, malicious MSI installers, and phishing lures. Once executed, BumbleBee establishes command-and-control (C2) communication and is often used to deploy post-exploitation frameworks such as Cobalt Strike, Sliver, or Meterpreter.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee\\nhttps://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/\"\n date = \"2025-12-02\"\n modified = \"2025-12-09\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218;attack.t1140;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Loader.BumbleBee\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 164c28b8c91faaa76c4cd58bae5f32f278fb118f92667ba072b5ba38af316824\n // 2e18c78ebcf6ba81c65804973b406b7d4c3507722cb7cbbcf9b873dff122430a\n // 9ba6652231b4169411cc3d735a89e396b0b86e79cbde0f11d58af4b87b5f0deb\n // c48fafd962c6d0489a78365f9246aa060babe49cbce394326017940c873fb664\n\n $strings1 = \"http://myexternalip.com/raw\" ascii fullword\n $strings2 = \"Set objShell = CreateObject(\\\"Wscript.Shell\\\")\" ascii fullword\n $strings3 = \"$y4 = [System.Text.Encoding]::ASCII.GetString([Byte[]]$y3); $y4 | iex; }\" ascii\n $strings4 = \"schtasks.exe /F /create /sc minute /mo 4 /TN \\\"\" ascii fullword\n $strings5 = \"CREATE TABLE serverinfo (key TEXT PRIMARY KEY, value TEXT)\" ascii fullword\n\n $decrypt_config1 = {\n 4C 8B C1 // mov r8, rcx\n BA 4F 00 00 00 // mov edx, 4Fh\n 48 8D 0D ?? ?? ?? 00 // lea rcx, byte_1801F8630\n E8 ?? ?? 
00 00 // call sub_18000EE1C\n 4C 8B C3 // mov r8, rbx\n 48 8D 0D ?? ?? ?? 00 // lea rcx, byte_1801F8B70\n BA 4F 00 00 00 // mov edx, 4Fh\n E8 ?? ?? 00 00 // call sub_18000EE1C\n 4C 8B C3 // mov r8, rbx\n 48 8D 0D ?? ?? ?? 00 // lea rcx, byte_1801F7540\n BA FF 0F 00 00 // mov edx, 0FFFh\n E8 ?? ?? 00 00 // call sub_18000EE1C\n }\n\n $decrypt_config2 = {\n 44 8B C1 // mov r8d, ecx\n 48 8B D0 // mov rdx, rax\n 48 8D 4C 24 30 // lea rcx, [rsp+148h+var_118]\n E8 ?? ?? FF FF // call sub_180001E90\n 90 // nop\n 44 8B C3 // mov r8d, ebx\n 48 8B D7 // mov rdx, rdi\n 48 8D 4C 24 30 // lea rcx, [rsp+148h+var_118]\n E8 ?? ?? FF FF // call sub_180002210\n 90 // nop\n 48 8D 4C 24 30 // lea rcx, [rsp+148h+var_118]\n E8 ?? ?? FF FF // call sub_1800020A0\n 48 8B 9C 24 50 01 00 00 // mov rbx, [rsp+148h+arg_0]\n 48 81 C4 40 01 00 00 // add rsp, 140h\n 5F // pop rdi\n C3 // retn\n }\n\n $decrypt_config3 = {\n 31 C0 // xor eax, eax\n 0F B6 4C 24 0F // movzx ecx, [rsp+30h+var_21]\n 81 C1 02 8E EE 32 // add ecx, 32EE8E02h\n 83 C1 01 // add ecx, 1\n 81 E9 02 8E EE 32 // sub ecx, 32EE8E02h\n 88 CA // mov dl, cl\n }\n\n $decrypt_config4 = {\n 41 89 CA // mov r10d, ecx\n 41 83 F2 FF // xor r10d, 0FFFFFFFFh\n 89 C6 // mov esi, eax\n 44 21 D6 // and esi, r10d\n 83 F0 FF // xor eax, 0FFFFFFFFh\n 21 C1 // and ecx, eax\n 09 CE // or esi, ecx\n 40 88 F2 // mov dl, sil\n 43 88 14 18 // mov [r8+r11], dl\n 31 C0 // xor eax, eax\n 8B 4C 24 08 // mov ecx, [rsp+30h+var_28]\n 83 E8 01 // sub eax, 1\n 29 C1 // sub ecx, eax\n 89 4C 24 08 // mov [rsp+30h+var_28], ecx\n E9 17 FF FF FF // jmp loc_1800020F3\n }\n\n condition:\n all of ($strings*) or 1 of ($decrypt_config*)\n}\n", "rule_count": 1, "rule_names": [ "bumblebee_loader" ], "rule_creation_date": "2025-12-02", "rule_modified_date": "2025-12-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.BumbleBee" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", 
"attack.t1071", "attack.t1140" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-carbon_dropper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573584Z", "creation_date": "2026-03-23T11:46:25.573586Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573592Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0335/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "name": "carbon_dropper.yar", "content": "rule carbon_dropper {\n meta:\n title = \"Carbon Dropper\"\n id = \"9937da83-ea7f-4291-9891-f7b3f3304178\"\n description = \"Detects the Carbon Dropper, a sophisticated Turla malware used to spy and exfiltrate data from sensitive organizations.\\nThe Carbon framework consists of four main components: a dropper, a loader, an orchestrator, and an injected library. This dropper specifically uses the CAST-128 algorithm for encrypting configuration files and tasks. 
The malware exhibits advanced peer-to-peer capabilities, allowing it to dispatch tasks to other computers on the same network via named pipes or TCP communication.\\nIt is recommended to conduct a thorough investigation of network traffic to identify potential lateral movement or data exfiltration activities.\"\n references = \"https://attack.mitre.org/software/S0335/\\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0335;attack.defense_evasion;attack.t1027;attack.persistence;attack.t1543.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.Carbon\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0b5e82d4a737238aa057aef3f5b1170ce5e9980bc9b1ecf5712e73ffee175b78\n // fff5ddb473c6fa667e569b43e952d0ca8d1e28313bd422c33ee99bb86ea673c1\n // d0234f6abd58566ecdcb88b3ecf552da39838257abaa54dfc6fbe09b3c8a7203\n // 493e5fae191950b901764868b065ddddffa4f4c9b497022ee2f998b4a94f0fc2\n // aaa2afe68852cb76bccf7dbb0b541a5d62b7f0b15e47f0a24e63f68f50af167c\n\n $s1 = \"LUCKY STRIKE!!!\" fullword wide\n $s2 = \"TOTAL DOMINATION!!!\" fullword wide\n $s3 = \"Drop res...\" fullword wide\n $s4 = \"SVCHOST group OK\" fullword wide\n $s5 = \"[+] Service group has been fixed\" fullword wide\n $s6 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\%s\\\\Parameters\" fullword wide\n $s7 = \"SERV DLL: %d\" fullword wide\n $s8 = \" ex_file(): SFileSec failed - %d \" fullword wide\n $s9 = \"extract_file(): OK\" fullword wide\n\n condition:\n 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "carbon_dropper" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Carbon" ], "rule_tactic_tags": [ "attack.command_and_control", 
"attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1543.003", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-carbon_encryption_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573623Z", "creation_date": "2026-03-23T11:46:25.573625Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573630Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0335/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "name": "carbon_encryption.yar", "content": "rule carbon_encryption {\n meta:\n title = \"Carbon Encryption\"\n id = \"7076f57f-26de-4638-98d7-69d1dba7f599\"\n description = \"Detects samples of Carbon, a sophisticated Turla malware used to spy and exfiltrate data from sensitive organizations, through the hard-coded 16-byte key loaded by its CAST-128 encryption routine (matched in both the x86 and x64 code).\\nCarbon is a multi-component framework consisting of a dropper, loader, orchestrator, and an injected library. This malware uses CAST-128 encryption for securing configuration files and tasks. 
It features advanced peer-to-peer capabilities to distribute tasks across networked devices using named pipes or TCP communication.\\nIt is recommended to isolate the affected system and analyze network traffic for signs of P2P communication to identify potential command and control activity.\"\n references = \"https://attack.mitre.org/software/S0335/\\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0335;attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Malware.Carbon\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1e340370f2f26aadf82bf26e3a0016df2ae4bae6fbe6b59e95309bdddcd47248\n // 34761da1ca9de0c562203c57f8907fdb6208bbe91ead6542853e8e36d27377bb\n // 51bd477c7c20d457b5427da33b726be2f1086cf2322e1473263b3404ceb95d9f\n // 6e72f55a0e7a1961d10db371f82b7be0b184546c6262767862a5d50eb2fcfc0d\n // 2b969111dd1968d47b02d6390c92fb622cd03570b02ecf9215031ff03611a2b7\n\n $x32_key = {\n C7 45 ?? 12 34 56 78 // mov [ebp+var_20], 78563412h\n C7 45 ?? 9A BC DE F0 // mov [ebp+var_1C], 0F0DEBC9Ah\n C7 45 ?? FE FC BA 98 // mov [ebp+var_18], 98BAFCFEh\n C7 45 ?? 
76 54 32 10 // mov [ebp+var_14], 10325476h\n }\n\n $x64_key = {\n C6 [2] 12 // mov byte ptr [rax-18h], 12h\n C6 [2] 34 // mov byte ptr [rax-17h], 34h\n C6 [2] 56 // mov byte ptr [rax-16h], 56h\n C6 [2] 78 // mov byte ptr [rax-15h], 78h\n C6 [2] 9A // mov byte ptr [rax-14h], 9Ah\n C6 [2] BC // mov byte ptr [rax-13h], 0BCh\n C6 [2] DE // mov byte ptr [rax-12h], 0DEh\n C6 [2] F0 // mov byte ptr [rax-11h], 0F0h\n C6 [2] FE // mov byte ptr [rax-10h], 0FEh\n C6 [2] FC // mov byte ptr [rax-0Fh], 0FCh\n C6 [2] BA // mov byte ptr [rax-0Eh], 0BAh\n C6 [2] 98 // mov byte ptr [rax-0Dh], 98h\n C6 [2] 76 // mov byte ptr [rax-0Ch], 76h\n C6 [2] 54 // mov byte ptr [rax-0Bh], 54h\n C6 [2] 32 // mov byte ptr [rax-0Ah], 32h\n C6 [2] 10 // mov byte ptr [rax-9], 10h\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "carbon_encryption" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Carbon" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-carbon_injected_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584246Z", "creation_date": "2026-03-23T11:46:25.584248Z", "enabled": true, 
"block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584253Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0335/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "name": "carbon_injected.yar", "content": "rule carbon_injected {\n meta:\n title = \"Carbon Injected Library\"\n id = \"8c4e6c12-590e-4949-b52c-68424fb04414\"\n description = \"Detects the Carbon injected library, a component of Carbon, a sophisticated Turla malware used to spy and exfiltrate data from sensitive organizations.\\nThe Carbon framework consists of four components: a dropper, a loader, an orchestrator, and an injected library. It employs the CAST-128 algorithm for encrypting configuration files and tasks. The malware features advanced peer-to-peer capabilities, enabling communication within a network via named pipes or TCP.\\nA dropper-specific string is excluded from this rule so that the Carbon dropper is reported by the carbon_dropper rule instead.\\nIt is recommended to investigate network traffic for potential peer-to-peer communication.\"\n references = \"https://attack.mitre.org/software/S0335/\\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0335;attack.command_and_control;attack.t1071.001;attack.t1095;attack.collection;attack.t1074.001;attack.exfiltration;attack.t1048.003\"\n classification = \"Windows.Malware.Carbon\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 50efba9e715fcb835f5b11bb0fe98ad29346117eb42e280494226a51deb6f76b\n // 22463d04bc6e967ecd00674599be39d2d8be29acd6d5a805387fb633e452c6ea\n // 915ad2650186cabd48befae7e195783e5b3bbdf38f0b4af9e0a9e73726779fa3\n // 
51bd477c7c20d457b5427da33b726be2f1086cf2322e1473263b3404ceb95d9f\n // 313af523a1f8cb27520810ebdd08723b962c2b07849c815cff155ac345dc303e\n\n $s1 = \"ST|NOID|\" fullword ascii\n $s2 = \"STOP|FATAL|\" fullword ascii\n $s3 = \"STOP|ZWKER|\" fullword ascii\n $s4 = \"STOP|KILL|\" fullword ascii\n $s5 = \"OPER|Setup last connect|\" fullword ascii\n $s6 = \"user_winmax\" fullword ascii\n $s7 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\5.0\\\\User Agent\\\\Pre Platform\" fullword ascii\n $s8 = \"/javascript/view.php\" fullword ascii\n\n // exclusion for the dropper\n $exclusion = \"Storage Found: %s\" fullword wide\n\n $canary = \"fdcb7995895786b2979a20843c481613b13a9c3f5d2b48cb5b91b3e245c0fdc6\"\n\n condition:\n 5 of ($s*) and not $exclusion and not $canary\n}\n", "rule_count": 1, "rule_names": [ "carbon_injected" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Carbon" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1048.003", "attack.t1095", "attack.t1071.001", "attack.t1074.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-carbon_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.569829Z", "creation_date": "2026-03-23T11:46:25.569831Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569836Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0335/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "name": "carbon_loader.yar", "content": "rule carbon_loader {\n meta:\n title = \"Carbon Loader\"\n id = \"20d53d1a-5b98-484e-acd0-2dd29c9ff03d\"\n description = \"Detects the Carbon Loader, a sophisticated Turla malware used to spy and exfiltrate data from sensitive organizations.\\nThe Carbon framework consists of four main components: a dropper, a loader, an orchestrator, and an injected library. This malware employs the CAST-128 algorithm for encrypting configuration files and tasks, and features advanced peer-to-peer capabilities to dispatch tasks across a network using named pipes or TCP.\\nIt is recommended to investigate for any suspicious network activity indicative of command-and-control communication.\"\n references = \"https://attack.mitre.org/software/S0335/\\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0335;attack.defense_evasion;attack.t1140;attack.t1027;attack.persistence;attack.t1543.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.Carbon\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ba9a87ba0ad1a4f4e81583a1449b20bf703cdbee6b1a639c13f4cbcd1b9eb57f\n // 0b90db3a69aa8cfab36a66cd5390f46c32e3d88d8fcaefce8cd9e00700e10b65\n // 
492d7c13c771bb8a9f53e78b238c91613a8559f8a739e06281e3937cccc0508b\n // 899b51b12b9bb9062c23da96f305338ad6a35c0377439ab556e5c45a6b80ced2\n // 050685f211158109fb1b17096b3739750e74049fe9057ad3503d96174b42891a\n\n $s1 = \"ModuleStart\" fullword ascii\n $s2 = \"ModuleStop\" fullword ascii\n $s3 = \"ModStart\" fullword ascii\n $s4 = \"ModStop\" fullword ascii\n $s5 = \"srservice\" fullword wide\n $s6 = \"ipvpn\" fullword wide\n $s7 = \"\\\\inf\\\\\" fullword wide\n $s8 = \"msimghlp.dll\" fullword wide\n $s9 = \"hpexdrvcons.dll\" fullword wide\n\n // exclusion for the dropper\n $exclusion = \"Storage Found: %s\" fullword wide\n\n condition:\n 6 of ($s*) and not $exclusion\n}\n", "rule_count": 1, "rule_names": [ "carbon_loader" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Carbon" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1027", "attack.t1543.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-carbon_orchestrator_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573551Z", "creation_date": "2026-03-23T11:46:25.573553Z", "enabled": true, "block_on_agent": 
false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573559Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0335/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "name": "carbon_orchestrator.yar", "content": "rule carbon_orchestrator {\n meta:\n title = \"Carbon Orchestrator\"\n id = \"9bb7fd2c-5475-4731-acd7-4ad4ec90a94e\"\n description = \"Detects Carbon Orchestrator, a sophisticated Turla malware used for spying and data exfiltration in sensitive organizations.\\nThe Carbon framework consists of four main components: a dropper, a loader, an orchestrator, and an injected library.\\nThis malware employs the CAST-128 algorithm for encrypting configuration files and tasks.\\nIt features advanced peer-to-peer capabilities, enabling task distribution across networked devices via named pipes or TCP communication.\\nIt is recommended to analyze network connections for potential lateral movement or data exfiltration.\"\n references = \"https://attack.mitre.org/software/S0335/\\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0335;attack.defense_evasion;attack.t1055.001;attack.command_and_control;attack.t1071.001;attack.t1095;attack.collection;attack.t1074.001;attack.exfiltration;attack.t1048.003\"\n classification = \"Windows.Malware.Carbon\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e73c6b188d730d171e0596c219602f00ce32ff3d99ba0cc4ffb461caff007edb\n // 34761da1ca9de0c562203c57f8907fdb6208bbe91ead6542853e8e36d27377bb\n // 
76e08b003cd2e9c7d1d733d18f993f94af157653b74a7bf1ec4a92eaad448500\n // 26c5b878e5afab6edd6f02034c8ba7ee4deae161d4ec247b11915b9f3fb7cb1b\n // f3aaa091fdbc8772fb7bd3a81665f4d33c3b62bf98caad6fee4424654ba26429\n\n $s1 = \"run_task_system\" fullword ascii\n $s2 = \"Plugin already loaded.\" fullword ascii\n $s3 = \"INJ|-1|MF|\" fullword ascii\n $s4 = \"dsniff.exe\" fullword ascii\n $s5 = \"time2task\" fullword ascii\n $s6 = \"frag_size=32768\" fullword ascii\n\n // exclusion for the dropper\n $exclusion = \"Storage Found: %s\" fullword wide\n\n condition:\n 5 of ($s*) and not $exclusion\n}\n", "rule_count": 1, "rule_names": [ "carbon_orchestrator" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Carbon" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1048.003", "attack.t1071.001", "attack.t1095", "attack.t1055.001", "attack.t1074.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-certclone_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577477Z", "creation_date": "2026-03-23T11:46:25.577479Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577485Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/TwoSevenOneT/CertClone" ], "name": "certclone.yar", "content": "rule certclone {\n meta:\n title = \"CertClone HackTool\"\n id = \"b3eb7b51-d18a-4d52-9a5c-fe215b42643b\"\n description = \"Detects CertClone, a tool designed to clone the digital signature of any given program to sign another one and export the cloned certificate.\\nIt is recommended to examine the context in which this tool is executed to determine whether its use is legitimate.\"\n references = \"https://github.com/TwoSevenOneT/CertClone\"\n date = \"2025-10-16\"\n modified = \"2025-10-21\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1036.001\"\n classification = \"Windows.HackTool.CertClone\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 48dc9e4e675ddec0584880a565db35a53a0980b4747f6b9ee7e3c14b5c8fc11e\n\n $s1 = \"CertClone.exe\" wide fullword\n $s2 = \"Two Seven One Three: https://x.com/TwoSevenOneT\" wide fullword\n $s3 = \"=== Digital Signature Clone Tool ===\" wide fullword\n $s4 = \"Usage: CertClone \" wide fullword\n\n $f1 = \"Cert:\\\\CurrentUser\\\\My\" wide fullword\n $f2 = \"$rootCert = Get-PfxCertificate -FilePath '\" wide fullword\n $f3 = \"$clonedRoot = New-SelfSignedCertificate -CloneCert $rootCert -CertStoreLocation '\" wide fullword\n $f4 = \"$pcaCert = Get-PfxCertificate -FilePath '\" wide fullword\n $f5 = \"$clonedPCA = New-SelfSignedCertificate -CloneCert $pcaCert -Signer $clonedRoot -CertStoreLocation '\" wide fullword\n $f6 = \"$leafCert = Get-PfxCertificate -FilePath '\" wide fullword\n $f7 = \"$clonedLeaf = New-SelfSignedCertificate -CloneCert $leafCert -Signer $clonedPCA -CertStoreLocation '\" 
wide fullword\n $f8 = \"Set-AuthenticodeSignature -Certificate $clonedLeaf -FilePath '\" wide fullword\n $f9 = \"Export-Certificate -Type CERT -FilePath '\" wide fullword\n $f10 = \"' -Cert $clonedRoot\" wide fullword\n $f11 = \"==================================================\" wide fullword\n $f12 = \"PowerShell script execution failed.\" wide fullword\n $f13 = \"PowerShell script executed successfully.\"\n\n condition:\n 2 of ($s*) or (all of ($f*))\n}\n", "rule_count": 1, "rule_names": [ "certclone" ], "rule_creation_date": "2025-10-16", "rule_modified_date": "2025-10-21", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.CertClone" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1036.001" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-chaosrat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577105Z", "creation_date": "2026-03-23T11:46:25.577107Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577112Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/tiagorlampert/CHAOS/\nhttps://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html" ], "name": "chaosrat.yar", "content": "rule chaos_rat {\n meta:\n title = \"Chaos RAT\"\n id = \"853a9767-e979-4598-bf9f-94ff833a4468\"\n description = \"Detects the Chaos RAT Client.\\nChaos RAT is an open-source Remote Access Tool (RAT) written in Go, designed to provide remote control over infected computers.\\nThis tool has been used by multiple threat actors and is continuously updated, posing a persistent threat.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/tiagorlampert/CHAOS/\\nhttps://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html\"\n date = \"2024-11-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1219;attack.execution;attack.t1059.003;attack.t1059.004\"\n classification = \"Trojan.ChaosRAT\"\n context = \"process,memory,file.pe,file.elf\"\n os = \"Windows,Linux\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 48360f6641b76b7d59e5045ec1f5700d85719658ee3634536318d1c8d977e56e\n // 08365200a6b2e2d97a13273515e0a6f75cedc063676f27c3f9737d1a86fd0523\n // 2a44b03a580075f0f9c8ac6d785851a9bcb994beb010abf68dbc342a4ff3c7f6\n // 773c935a13ab49cc4613b30e8d2a75f1bde3b85b0bba6303eab756d70f459693\n\n // https://github.com/tiagorlampert/CHAOS/blob/55d14b203bc1444498ee0c2b96a1ab3304d99d77/client/app/entities/device.go#L3\n $str_conf_1 = \"json:\\\"hostname\\\"\" ascii fullword\n $str_conf_2 = \"json:\\\"username\\\"\" ascii fullword\n $str_conf_3 = \"json:\\\"user_id\\\"\" ascii fullword\n $str_conf_4 = \"json:\\\"os_name\\\"\" ascii fullword\n $str_conf_5 = \"json:\\\"os_arch\\\"\" ascii fullword\n $str_conf_6 = \"json:\\\"mac_address\\\"\" ascii fullword\n $str_conf_7 = \"json:\\\"local_ip_address\\\"\" 
ascii fullword\n $str_conf_8 = \"json:\\\"port\\\"\" ascii fullword\n $str_conf_9 = \"json:\\\"fetched_unix\\\"\" ascii fullword\n\n // https://github.com/tiagorlampert/CHAOS/tree/55d14b203bc1444498ee0c2b96a1ab3304d99d77/client/app\n $str_path_1 = \"/app/services/\" ascii\n $str_path_2 = \"/app/gateways/\" ascii\n $str_path_3 = \"/app/utils\" ascii\n $str_path_4 = \"/app/infrastructure\" ascii\n $str_path_5 = \"/app/environment\" ascii\n $str_path_6 = \"/app/handler\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "chaos_rat" ], "rule_creation_date": "2024-11-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Trojan.ChaosRAT" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution" ], "rule_technique_tags": [ "attack.t1059.003", "attack.t1219", "attack.t1059.004" ], "rule_score": 70, "rule_context": [ "file.elf", "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-chisel_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576634Z", "creation_date": "2026-03-23T11:46:25.576636Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576641Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://github.com/jpillora/chisel/\nhttps://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/" ], "name": "chisel.yar", "content": "rule chisel {\n meta:\n title = \"Chisel Tunneling Tool\"\n id = \"8e8f1b7f-b3ea-4b0d-8746-22f4062056e9\"\n description = \"Detects Chisel, a fast TCP/UDP tunnel transported over HTTP and secured via SSH, written in Go.\\nChisel is a reverse proxy tool commonly used by attackers to establish tunnels into a victim's environment.\\nIt is recommended to monitor network traffic for potential malicious communication and to investigate the process responsible for the execution of Chisel.\"\n references = \"https://github.com/jpillora/chisel/\\nhttps://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\"\n date = \"2022-10-27\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Windows.Tool.Chisel\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451\n\n $s1 = \"chisel\" ascii\n $s2 = \"jpillora\" ascii\n $s3 = \"reverseproxy.go\" ascii\n $s4 = \"The chisel process is listening for:\" ascii\n $s5 = \" \\\"\\\": [\\\"\\\",\\\"\\\"]\" fullword ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 20MB and 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "chisel" ], "rule_creation_date": "2022-10-27", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Chisel" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-chromepass_yar", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565472Z", "creation_date": "2026-03-23T11:46:25.565475Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565480Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/darkarp/chromepass" ], "name": "chromepass.yar", "content": "rule chromepass {\n meta:\n title = \"Chromepass HackTool\"\n id = \"819b61bf-d442-4bdf-b1ad-5d269e921981\"\n description = \"Detects a Chromepass generated binary.\\nChromepass is a python-based framework that generates Rust binaries that extract and exfiltrate information from Chrome-based browsers.\\nIt is recommended to investigate this file to determine its legitimacy.\"\n references = \"https://github.com/darkarp/chromepass\"\n date = \"2026-01-28\"\n modified = \"2026-02-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1005;attack.credential_access;attack.t1555.003\"\n classification = \"Windows.HackTool.Chromepass\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 71d5600e2e9dbdc446aeca554d1f033a69d6f5cf5a7565d317cc22329c084f51\n // d71a48fb7dc02a14823ceeedd5808e13b6734873f7b1b5c09db433b59eab256e\n // 
462de7fc96d2db7af3400b23d32a75d28909c19e756678f0d2f261efde705165\n // f674032061e3d5639d168d68d60a8ff0a53bc249705ec9eb032a385015c20a42\n // b8651be68b419350264c8fe2d2127f0ea0c32851d9ca8462506527162cc6154e\n\n $s1 = \"release\\\\deps\\\\chromepass.pdb\"\n $s2 = \"LOCALAPPDATAGoogleChromeUser DataMicrosoftEdgeChromiumBraveSoftwareBrave-BrowserVivaldiOpera SoftwareOpera Stable\"\n\n // browser::run_robber()\n // if ((NtQueryInformationProcess(ProcessHandle: GetCurrentProcess(),\n // ProcessInformationClass: ProcessDebugPort, &ProcessInformation,\n // ProcessInformationLength: 8, ReturnLength: nullptr) | ProcessInformation) == 0)\n $nt_query_info_process = {\n 48 89 C1 // mov rcx, rax\n BA 07 00 00 00 // mov edx, 0x7\n [0-3] // mov r8, rsi {cbData}\n 41 B9 08 00 00 00 // mov r9d, 0x8\n FF [5] // call qword [rel NtQueryInformationProcess]\n 0B // or eax, dword [rsp+0x80 {ProcessInformation}]\n }\n\n // Latest Chromepass uses the litcrypt crate to XOR strings\n // zmm0 = _mm_shuffle_epi32(\n // _mm_shufflelo_epi16(_mm_unpacklo_epi8(zmm0, zmm0.q), 0), 0x44)\n // int64_t r9 = 0\n //\n // do\n // int128_t zmm2 = *(encrypted_str_2 + r9 + 0x10) ^ zmm0\n // *(rdx + r9) = *(encrypted_str_2 + r9) ^ zmm0\n // *(rdx + r9 + 0x10) = zmm2\n // r9 += 0x20\n // while (rcx_1 != r9)\n $litcrypt_stub = {\n F3 [4-5] // movdqu xmm1, xmmword [rax+r9]\n F3 [4-5] 10 // movdqu xmm2, xmmword [rax+r9+0x10]\n 66 0F EF C8 // pxor xmm1, xmm0\n 66 0F EF D0 // pxor xmm2, xmm0\n F3 [4-5] // movdqu xmmword [rdx+r9], xmm1\n F3 [4-5] 10 // movdqu xmmword [rdx+r9+0x10], xmm2\n }\n\n condition:\n 1 of ($s*) or ($nt_query_info_process and $litcrypt_stub)\n}\n", "rule_count": 1, "rule_names": [ "chromepass" ], "rule_creation_date": "2026-01-28", "rule_modified_date": "2026-02-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Chromepass" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003", "attack.t1005" ], 
"rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cimplant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572187Z", "creation_date": "2026-03-23T11:46:25.572189Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572195Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/RedSiege/CIMplant\nhttps://unit42.paloaltonetworks.com/muddled-libra/\nhttps://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "name": "cimplant.yar", "content": "rule cimplant {\n meta:\n title = \"CIMplant HackTool\"\n id = \"79063e2d-3b36-4a29-8e78-9a0849bfed39\"\n description = \"Detects CIMplant, a C# port of WMImplant, which uses either CIM or WMI to query remote systems.\\nIt allows for information gathering about a remote system, command execution, data exfiltration, and more.\\nIt is known to be used by different threat actors such as Scattered Spider, or its related actor, Muddled Libra.\\nIt is recommended to verify if the usage of this tool is legitimate.\"\n references = 
\"https://github.com/RedSiege/CIMplant\\nhttps://unit42.paloaltonetworks.com/muddled-libra/\\nhttps://blog.sekoia.io/scattered-spider-laying-new-eggs/\"\n date = \"2024-11-12\"\n modified = \"2025-03-31\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1652;attack.t1518.001;attack.t1057;attack.t1654;attack.t1012;attack.reconnaissance;attack.t1590.005;attack.execution;attack.t1047;attack.lateral_movement;attack.defense_evasion;attack.t1112;attack.t1562.001\"\n classification = \"Windows.HackTool.CIMplant\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a9c2b1d860dbf2e522d51e0f67f6403810a08d58d03ccabcd0d7f4b5216489bd\n // 6fd2a9c4ff340d1a9f6ed90a135fc2a7c1e5b0f7dea886b441b2c7e65b44ee15\n // 4648f114bf15078e98b21d3beb0bbf76014f96c97adcafdd5adb2d2bf37a6e39\n // 4013646a92e1988103839af430daa2a8f0d739feca86754771873693f6ed25f1\n // 169d05e1ce39022948e8c4fe4e100820abe8765304d3785800acbe04465d1279\n // a899f49c52ac1aa93e1f46a998b8314e3a773ad0475ba16dca5cc90abc737ac6\n // dc013e00357fdf5a7823431050acbfefc0e61038374a93c863a194fcc03566d8\n\n $str_generic_1 = \"Malwarebytes Found!\" wide fullword\n $str_generic_2 = \"SELECT * FROM Win32_Process WHERE Name like '\" wide fullword\n $str_generic_3 = \"[-] Registry key does not exist or another issue occurred\" wide fullword\n $str_generic_4 = \"CIMplant\" ascii fullword\n $str_generic_5 = \"[-] ERROR: Unable to connect using either CIM or WMI.\" wide fullword\n\n $str_pop_1 = \"Tanium.exe\" wide fullword\n $str_pop_2 = \"csagent.sys\" wide fullword\n $str_pop_3 = \"carbonblackk.sys\" wide fullword\n $str_pop_4 = \"regmon.exe\" wide fullword\n\n // CIMplant.ExecuteCim.basic_info()\n $stub_cim_basic_info = {\n 7B ?? 00 00 04 // ldfld\n 7B ?? 00 00 04 // ldfld\n [0-2]\n 7E ?? 00 00 04 // ldsfld\n 72 ?? ?? 00 70 // ldstr \"WQL\"\n 72 ?? ?? 00 70 // ldstr \"SELECT * FROM Win32_OperatingSystem\"\n 6F ?? 
00 00 0A // callvirt\n [0-3]\n 6F ?? 00 00 0A // callvirt\n [0-2]\n 38 ?? 01 00 00 // br\n [0-2]\n 6F ?? 00 00 0A // callvirt\n [0-2]\n 72 ?? ?? 00 70 // ldstr \"{0, -20}: {1, -10}\"\n 72 ?? ?? 00 70 // ldstr \"Computer Name\"\n }\n\n // CIMplant.ExecuteWmi.basic_info()\n $stub_wmi_basic_info = {\n 7B ?? 00 00 04 // ldfld\n 7B ?? 00 00 04 // ldfld\n [0-2]\n 72 ?? ?? 00 70 // ldstr \"SELECT * FROM Win32_OperatingSystem\"\n 73 ?? ?? 00 0A // newobj\n [0-3]\n 73 ?? ?? 00 0A // newobj\n [0-2]\n 6F ?? ?? 00 0A // callvirt\n [0-3]\n 6F ?? ?? 00 0A // callvirt\n [0-2]\n 38 ?? 00 00 00 // br\n [0-2] 6F ?? ?? 00 0A // callvirt\n [0-5]\n 74 ?? 00 00 01 // castclass\n [0-2]\n 72 ?? ?? 00 70 // ldstr \"{0, -20}: {1, -10}\"\n 72 ?? ?? 00 70 // ldstr \"Computer Name\"\n }\n\n condition:\n all of ($stub_*) or\n (\n uint16(0) == 0x5a4d and\n (\n 3 of ($str_generic_*) and\n 2 of ($str_pop_*)\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "cimplant" ], "rule_creation_date": "2024-11-12", "rule_modified_date": "2025-03-31", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.CIMplant" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1047", "attack.t1654", "attack.t1562.001", "attack.t1518.001", "attack.t1012", "attack.t1652", "attack.t1057", "attack.t1590.005", "attack.t1112" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_sleepmask_d5d229ede052_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571096Z", "creation_date": "2026-03-23T11:46:25.571099Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571104Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_sleepmask_d5d229ede052.yar", "content": "rule cobalt_sleepmask_d5d229ede052 {\n meta:\n title = \"Cobalt Strike Sleep Mask (d5d229ede052)\"\n id = \"644354d2-2c89-41e1-bd3f-d5d229ede052\"\n description = \"Detects Cobalt Strike's Sleep Mask Kit for x86.\\nCobalt Strike's Sleep Mask Kit modifies how the sleep mask function looks in memory to evade static signatures identifying beacons.\\nIt uses an XOR key to obfuscate the sleep mask function, which can be changed by modifying a single variable.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-01-02\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b24989e509360a84a9ea48a8e92498008bb4493c70e8f9b66c4155fbdf9fe8a5\n // 9a96f9deb2355b4a28b5dfc4553c019a3b6cc2dc073325d5bc54da2643d1fa99\n // 39682977ed7a3f5f53968995969ef4ee3602d9366e297b5d7a38e56b79bd3e8e\n\n $sleep_mask = {\n 41 55 // push r13\n 41 54 // push r12\n 48 83 EC 28 // sub rsp, 28h\n 45 89 C5 // mov r13d, r8d\n 49 89 CC // mov r12, rcx\n E8 ?? ?? ?? ?? // call mask_sections\n E8 ?? ?? ?? ?? // call mask_heap\n FF 15 ?? ?? ?? ?? // call cs:__imp_KERNEL32$GetCurrentProcess\n 44 89 EA // mov edx, r13d\n 48 89 C1 // mov rcx, rax\n FF 15 ?? ?? ?? ?? // call cs:__imp_KERNEL32$WaitForSingleObject\n 4C 89 E1 // mov rcx, r12\n E8 ?? ?? ?? ?? // call mask_heap\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n 41 5C // pop r12\n 41 5D // pop r13\n\n // loc_DB:\n E9 ?? ?? FF FF // jmp mask_sections\n }\n\n $setup_text_section = {\n 83 3D ?? ?? 00 00 00 // cmp cs:initialized, 0\n 75 3B // jnz short locret_E3\n C7 05 ?? ?? 
00 00 01 00 00 00 // mov cs:initialized, 1\n 48 8B 51 08 // mov rdx, [rcx+8]\n\n // loc_B6:\n 8B 02 // mov eax, [rdx]\n 8B 4A 04 // mov ecx, [rdx+4]\n 48 83 C2 08 // add rdx, 8\n 09 C1 // or ecx, eax\n 74 20 // jz short locret_E3\n 3D 00 10 00 00 // cmp eax, 1000h\n 74 19 // jz short locret_E3\n 76 EA // jbe short loc_B6\n 48 BA 01 00 00 00 00 10 00 00 // mov rdx, 100000000001h\n 89 05 ?? ?? ?? 00 // mov cs:dword_210, eax\n 48 89 15 ?? ?? ?? 00 // mov cs:text_section, rdx\n\n // locret_E3:\n C3 // retn\n }\n\n $mask_heap = {\n 53 // push rbx\n 45 31 DB // xor r11d, r11d\n BB 0D 00 00 00 // mov ebx, 0Dh\n\n // loc_5B:\n 48 8B 41 10 // mov rax, [rcx+10h]\n 45 89 DA // mov r10d, r11d\n 49 C1 E2 04 // shl r10, 4\n 4A 83 3C 10 00 // cmp qword ptr [rax+r10], 0\n 74 30 // jz short loc_9D\n 45 31 C9 // xor r9d, r9d\n\n // loc_70:\n 48 8B 41 10 // mov rax, [rcx+10h]\n 45 89 C8 // mov r8d, r9d\n 4C 01 D0 // add rax, r10\n 4C 3B 40 08 // cmp r8, [rax+8]\n 73 18 // jnb short loc_98\n 4C 03 00 // add r8, [rax]\n 31 D2 // xor edx, edx\n 44 89 C8 // mov eax, r9d\n 41 FF C1 // inc r9d\n F7 F3 // div ebx\n 89 D2 // mov edx, edx\n 8A 44 11 18 // mov al, [rcx+rdx+18h]\n 41 30 00 // xor [r8], al\n EB D8 // jmp short loc_70\n\n // loc_98:\n 41 FF C3 // inc r11d\n EB BE // jmp short loc_5B\n\n // loc_9D:\n 5B // pop rbx\n C3 // retn\n }\n\n $NtProtectVirtualMemory_embedded = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 1F 1D 9E 05 // mov ecx, 59E1D1Fh\n E8 ?? ?? ?? ?? 
// call SW3_GetSyscallNumber\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n $NtProtectVirtualMemory_indirect = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n B9 1F 1D 9E 05 // mov ecx, 59E1D1Fh\n 51 // push rcx\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? ?? ?? // call SW3_GetRandomSyscallAddress\n 48 83 C4 28 // add rsp, 28h\n 59 // pop rcx\n 50 // push rax\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? ?? ?? // call SW3_GetSyscallNumber\n 48 83 C4 28 // add rsp, 28h\n 41 5B // pop r11\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 49 89 CA // mov r10, rcx\n 41 FF E3 // jmp r11\n }\n\n $SW3_HashSyscall = {\n B8 1B 58 7C ED // mov eax, 0ED7C581Bh\n 31 D2 // xor edx, edx\n\n // loc_14CEB5:\n 41 89 D0 // mov r8d, edx\n 42 80 3C 01 00 // cmp byte ptr [rcx+r8], 0\n 74 16 // jz short locret_14CED5\n 41 89 C1 // mov r9d, eax\n 46 0F B7 04 01 // movzx r8d, word ptr [rcx+r8]\n FF C2 // inc edx\n 41 C1 C9 08 // ror r9d, 8\n 45 01 C8 // add r8d, r9d\n 44 31 C0 // xor eax, r8d\n EB E0 // jmp short loc_14CEB5\n\n // locret_14CED5:\n C3 // retn\n }\n\n condition:\n (($sleep_mask or $setup_text_section) and $mask_heap) or\n (\n ($sleep_mask or $setup_text_section or $mask_heap) and\n (1 of ($NtProtectVirtualMemory_*) or $SW3_HashSyscall)\n )\n}\n", "rule_count": 1, "rule_names": [ "cobalt_sleepmask_d5d229ede052" ], "rule_creation_date": "2024-01-02", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", 
"attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_sleepmask_e3274b1c436e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567196Z", "creation_date": "2026-03-23T11:46:25.567198Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567204Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_sleepmask_e3274b1c436e.yar", "content": "rule cobalt_sleepmask_e3274b1c436e {\n meta:\n title = \"Cobalt Strike Sleep Mask (e3274b1c436e)\"\n id = \"5b2f8caa-73ca-4e2d-9997-e3274b1c436e\"\n description = \"Detects Cobalt Strike's Sleep Mask Kit for x86.\\nCobalt Strike's Sleep Mask Kit modifies how the sleep mask function looks in memory to evade static signatures identifying beacons.\\nIt uses an XOR key to obfuscate the sleep mask function, which can be changed by modifying a single 
variable.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-01-02\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c2f21faeab2084349b7fcafeb9f826bbd5444308f41bbaf49cca2bce5e459457\n // 919feed3654955df33bf65cae52df7cf07ebe94c57f314a127feab15437cf526\n // f42ae5af29d3a433f33464287cbfba6718db3977e73cadee4be2dbf9f16b5fbf\n\n $sleep_mask = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 56 // push esi\n 53 // push ebx\n 83 EC 10 // sub esp, 10h\n 8B 5D 08 // mov ebx, [ebp+arg_0]\n 8B 75 10 // mov esi, [ebp+arg_8]\n 89 1C 24 // mov [esp], ebx\n E8 ?? ?? ?? ?? // call _mask_sections\n 89 1C 24 // mov [esp], ebx\n E8 ?? ?? ?? ?? // call _mask_heap\n FF 15 ?? ?? ?? ?? // call ds:__imp__KERNEL32$GetCurrentProcess@0\n 89 74 24 04 // mov [esp+4], esi\n 89 04 24 // mov [esp], eax\n FF 15 ?? ?? ?? ?? // call ds:__imp__KERNEL32$WaitForSingleObject@8\n 50 // push eax\n 50 // push eax\n 89 1C 24 // mov [esp], ebx\n E8 ?? ?? ?? ?? // call _mask_heap\n 89 5D 08 // mov [ebp+arg_0], ebx\n 8D 65 F8 // lea esp, [ebp-8]\n 5B // pop ebx\n 5E // pop esi\n 5D // pop ebp\n E9 ?? ?? FF FF // jmp _mask_sections\n }\n\n $setup_text_section = {\n 83 3D ?? ?? ?? 
00 00 // cmp ds:_initialized, 0\n 75 43 // jnz short locret_F9\n 55 // push ebp\n C7 05 ?? ?? ?? 00 01 00 00 00 // mov ds:_initialized, 1\n 89 E5 // mov ebp, esp\n 8B 45 08 // mov eax, [ebp+8]\n 8B 50 04 // mov edx, [eax+4]\n\n // loc_C9:\n 8B 02 // mov eax, [edx]\n 8B 4A 04 // mov ecx, [edx+4]\n 83 C2 08 // add edx, 8\n 09 C1 // or ecx, eax\n 74 22 // jz short loc_F7\n 3D 00 10 00 00 // cmp eax, 1000h\n 74 1B // jz short loc_F7\n 76 EB // jbe short loc_C9\n C7 05 ?? ?? ?? 00 01 00 00 00 // mov ds:_text_section, 1\n C7 05 ?? ?? ?? 00 00 10 00 00 // mov ds:dword_238, 1000h\n A3 ?? ?? ?? 00 // mov ds:dword_23C, eax\n\n // loc_F7:\n 5D // pop ebp\n C3 // retn\n\n // locret_F9:\n C3 // retn\n }\n\n $mask_heap = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 57 // push edi\n 56 // push esi\n 53 // push ebx\n 31 DB // xor ebx, ebx\n 52 // push edx\n 8B 75 08 // mov esi, [ebp+arg_0]\n\n // loc_6F:\n 8B 46 08 // mov eax, [esi+8]\n 83 3C 18 00 // cmp dword ptr [eax+ebx], 0\n 74 2F // jz short loc_A7\n 31 C9 // xor ecx, ecx\n\n // loc_7A:\n 8B 46 08 // mov eax, [esi+8]\n 01 D8 // add eax, ebx\n 39 48 04 // cmp [eax+4], ecx\n 76 1E // jbe short loc_A2\n 8B 38 // mov edi, [eax]\n 31 D2 // xor edx, edx\n 89 C8 // mov eax, ecx\n 01 CF // add edi, ecx\n 41 // inc ecx\n 89 7D F0 // mov [ebp+var_10], edi\n BF 0D 00 00 00 // mov edi, 0Dh\n F7 F7 // div edi\n 8A 44 16 0C // mov al, [esi+edx+0Ch]\n 8B 55 F0 // mov edx, [ebp+var_10]\n 30 02 // xor [edx], al\n EB D8 // jmp short loc_7A\n\n // loc_A2:\n 83 C3 08 // add ebx, 8\n EB C8 // jmp short loc_6F\n\n // loc_A7:\n 58 // pop eax\n 5B // pop ebx\n 5E // pop esi\n 5F // pop edi\n 5D // pop ebp\n C3 // retn\n }\n\n $NtProtectVirtualMemory_embedded = {\n 53 // push ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 68 1F 1D 9E 05 // push 59E1D1Fh\n E8 ?? ?? ?? ?? 
// call _SW3_GetSyscallNumber\n 8D 64 24 04 // lea esp, [esp+4]\n B9 05 00 00 00 // mov ecx, 5\n\n // push_argument:\n 49 // dec ecx\n FF 74 8D 0C // push [ebp+ecx*4+arg_0]\n 75 F9 // jnz short push_argument\n 89 C1 // mov ecx, eax\n E8 ?? ?? ?? ?? // call _local_is_wow64\n 85 C0 // test eax, eax\n 74 1A // jz short is_native\n E8 ?? ?? ?? ?? // call _internal_cleancall_wow64_gate\n 8D 1D ?? ?? ?? 00 // lea ebx, ret_address_epilog\n 53 // push ebx\n 53 // push ebx\n 91 // xchg eax, ecx\n 8D 54 24 08 // lea edx, [esp+8]\n 89 CB // mov ebx, ecx\n 31 C9 // xor ecx, ecx\n FF E3 // jmp ebx\n }\n\n $NtProtectVirtualMemory_indirect = {\n 57 // push edi\n 53 // push ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 68 1F 1D 9E 05 // push 59E1D1Fh\n E8 ?? ?? ?? ?? // call _SW3_GetSyscallAddress\n 89 C7 // mov edi, eax\n 68 1F 1D 9E 05 // push 59E1D1Fh\n E8 ?? ?? ?? ?? // call _SW3_GetSyscallNumber\n 8D 64 24 04 // lea esp, [esp+4]\n B9 05 00 00 00 // mov ecx, 5\n\n // push_argument:\n 49 // dec ecx\n FF 74 8D 10 // push [ebp+ecx*4+arg_0]\n 75 F9 // jnz short push_argument\n 89 C1 // mov ecx, eax\n 89 C8 // mov eax, ecx\n 8D 1D ?? ?? ?? 00 // lea ebx, ret_address_epilog\n 53 // push ebx\n E8 ?? ?? ?? ?? 
// call do_sysenter_interrupt\n 8D 64 24 04 // lea esp, [esp+4]\n\n // ret_address_epilog:\n 89 EC // mov esp, ebp\n 5D // pop ebp\n 5B // pop ebx\n 5F // pop edi\n C3 // retn\n }\n\n $SW3_HashSyscall = {\n 55 // push ebp\n B8 1B 58 7C ED // mov eax, 0ED7C581Bh\n 89 E5 // mov ebp, esp\n 53 // push ebx\n 8B 55 08 // mov edx, [ebp+arg_0]\n\n // loc_D8:\n 80 3A 00 // cmp byte ptr [edx], 0\n 74 0F // jz short loc_EC\n 0F B7 0A // movzx ecx, word ptr [edx]\n 89 C3 // mov ebx, eax\n 42 // inc edx\n C1 CB 08 // ror ebx, 8\n 01 D9 // add ecx, ebx\n 31 C8 // xor eax, ecx\n EB EC // jmp short loc_D8\n\n // loc_EC:\n 5B // pop ebx\n 5D // pop ebp\n C3 // retn\n }\n\n condition:\n (($sleep_mask or $setup_text_section) and $mask_heap) or\n (\n ($sleep_mask or $setup_text_section or $mask_heap) and\n (1 of ($NtProtectVirtualMemory_*) or $SW3_HashSyscall)\n )\n}\n", "rule_count": 1, "rule_names": [ "cobalt_sleepmask_e3274b1c436e" ], "rule_creation_date": "2024-01-02", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_sleepmask_pivot_6188c6432063_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": 
"b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570760Z", "creation_date": "2026-03-23T11:46:25.570762Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570768Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_sleepmask_pivot_6188c6432063.yar", "content": "rule cobalt_sleepmask_pivot_6188c6432063 {\n meta:\n title = \"Cobalt Strike Sleep Mask via Pivot Listener (6188c6432063)\"\n id = \"7beca404-08bf-47b5-8a24-6188c6432063\"\n description = \"Detects Cobalt Strike's Sleep Mask Kit for x86.\\nCobalt Strike's Sleep Mask Kit modifies how the sleep mask function looks in memory to evade static signatures identifying beacons.\\nIt uses an XOR key to obfuscate the sleep mask function, which can be changed by modifying a single variable.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-01-02\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 608ffc7b5c067a61cde43d0e5317257da653baf02a66b554520749e44eb8b705\n\n $sleep_mask = {\n // loc_118:\n 45 31 C9 // xor r9d, r9d\n 45 31 C0 // xor r8d, r8d\n 31 D2 // xor edx, edx\n 48 89 74 24 20 // mov [rsp+58h+var_38], rsi\n 48 C7 44 24 28 00 00 00 00 // mov [rsp+58h+var_30], 0\n 48 8B 4B 18 // mov rcx, [rbx+18h]\n FF 53 40 // call qword ptr [rbx+40h]\n 85 C0 // test eax, eax\n 74 1D // jz short loc_156\n 83 7C 24 3C 00 // cmp [rsp+58h+var_1C], 0\n 75 16 // jnz short loc_156\n FF 15 ?? ?? ?? ?? // call cs:__imp_KERNEL32$GetCurrentProcess\n BA 0A 00 00 00 // mov edx, 0Ah\n 48 89 C1 // mov rcx, rax\n FF 15 ?? ?? ?? ?? // call cs:__imp_KERNEL32$WaitForSingleObject\n EB C2 // jmp short loc_118\n\n // loc_156:\n 4C 89 E1 // mov rcx, r12\n E8 ?? ?? ?? ?? // call mask_heap\n E8 ?? ?? ?? ?? 
// call mask_sections\n 90 // nop\n 48 83 C4 40 // add rsp, 40h\n 5B // pop rbx\n 5E // pop rsi\n 41 5C // pop r12\n C3 // retn\n }\n\n $mask_heap = {\n 53 // push rbx\n 45 31 DB // xor r11d, r11d\n BB 0D 00 00 00 // mov ebx, 0Dh\n\n // loc_5B:\n 48 8B 41 10 // mov rax, [rcx+10h]\n 45 89 DA // mov r10d, r11d\n 49 C1 E2 04 // shl r10, 4\n 4A 83 3C 10 00 // cmp qword ptr [rax+r10], 0\n 74 30 // jz short loc_9D\n 45 31 C9 // xor r9d, r9d\n\n // loc_70:\n 48 8B 41 10 // mov rax, [rcx+10h]\n 45 89 C8 // mov r8d, r9d\n 4C 01 D0 // add rax, r10\n 4C 3B 40 08 // cmp r8, [rax+8]\n 73 18 // jnb short loc_98\n 4C 03 00 // add r8, [rax]\n 31 D2 // xor edx, edx\n 44 89 C8 // mov eax, r9d\n 41 FF C1 // inc r9d\n F7 F3 // div ebx\n 89 D2 // mov edx, edx\n 8A 44 11 18 // mov al, [rcx+rdx+18h]\n 41 30 00 // xor [r8], al\n EB D8 // jmp short loc_70\n\n // loc_98:\n 41 FF C3 // inc r11d\n EB BE // jmp short loc_5B\n\n // loc_9D:\n 5B // pop rbx\n C3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_sleepmask_pivot_6188c6432063" ], "rule_creation_date": "2024-01-02", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_sleepmask_pivot_6d30b1acedef_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570907Z", "creation_date": "2026-03-23T11:46:25.570909Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570915Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_sleepmask_pivot_6d30b1acedef.yar", "content": "rule cobalt_sleepmask_pivot_6d30b1acedef {\n meta:\n title = \"Cobalt Strike Sleep Mask via Pivot Listener (6d30b1acedef)\"\n id = \"e0e5a386-491e-45ce-a2f1-6d30b1acedef\"\n description = \"Detects Cobalt Strike's Sleep Mask Kit for x86.\\nCobalt Strike's Sleep Mask Kit modifies how the sleep mask function looks in memory to evade static signatures identifying beacons.\\nIt uses an XOR key to obfuscate the sleep mask function, which can be changed by modifying a single variable.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5\\nhttps://adamsvoboda.net/sleeping-with-a-mask-on-cobaltstrike/\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-01-02\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 4e9ce7e0287ca340f1d47ad1fbdbb1b89ec9f0d6262a1c228c118cb4060213c9\n\n $sleep_mask = {\n // loc_14F:\n 8D 45 F4 // lea eax, [ebp+var_C]\n C7 44 24 14 00 00 00 00 // mov dword ptr [esp+14h], 0\n 89 44 24 10 // mov [esp+10h], eax\n C7 44 24 0C 00 00 00 00 // mov dword ptr [esp+0Ch], 0\n C7 44 24 08 00 00 00 00 // mov dword ptr [esp+8], 0\n C7 44 24 04 00 00 00 00 // mov dword ptr [esp+4], 0\n 8B 43 0C // mov eax, [ebx+0Ch]\n 89 04 24 // mov [esp], eax\n FF 53 20 // call dword ptr [ebx+20h]\n 83 EC 18 // sub esp, 18h\n 85 C0 // test eax, eax\n 74 21 // jz short loc_1A7\n 83 7D F4 00 // cmp [ebp+var_C], 0\n 75 1B // jnz short loc_1A7\n FF 15 ?? ?? ?? ?? // call ds:__imp__KERNEL32$GetCurrentProcess@0\n C7 44 24 04 0A 00 00 00 // mov dword ptr [esp+4], 0Ah\n 89 04 24 // mov [esp], eax\n FF 15 ?? ?? ?? ?? // call ds:__imp__KERNEL32$WaitForSingleObject@8\n 50 // push eax\n 50 // push eax\n EB A8 // jmp short loc_14F\n\n // loc_1A7:\n 89 34 24 // mov [esp], esi\n E8 ?? ?? ?? ?? // call _mask_heap\n 89 34 24 // mov [esp], esi\n E8 ?? ?? ?? ?? 
// call _mask_sections\n 8D 65 F8 // lea esp, [ebp-8]\n 5B // pop ebx\n 5E // pop esi\n 5D // pop ebp\n C3 // retn\n }\n\n $mask_heap = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 57 // push edi\n 56 // push esi\n 53 // push ebx\n 31 DB // xor ebx, ebx\n 52 // push edx\n 8B 75 08 // mov esi, [ebp+arg_0]\n\n // loc_6F:\n 8B 46 08 // mov eax, [esi+8]\n 83 3C 18 00 // cmp dword ptr [eax+ebx], 0\n 74 2F // jz short loc_A7\n 31 C9 // xor ecx, ecx\n\n // loc_7A:\n 8B 46 08 // mov eax, [esi+8]\n 01 D8 // add eax, ebx\n 39 48 04 // cmp [eax+4], ecx\n 76 1E // jbe short loc_A2\n 8B 38 // mov edi, [eax]\n 31 D2 // xor edx, edx\n 89 C8 // mov eax, ecx\n 01 CF // add edi, ecx\n 41 // inc ecx\n 89 7D F0 // mov [ebp+var_10], edi\n BF 0D 00 00 00 // mov edi, 0Dh\n F7 F7 // div edi\n 8A 44 16 0C // mov al, [esi+edx+0Ch]\n 8B 55 F0 // mov edx, [ebp+var_10]\n 30 02 // xor [edx], al\n EB D8 // jmp short loc_7A\n\n // loc_A2:\n 83 C3 08 // add ebx, 8\n EB C8 // jmp short loc_6F\n\n // loc_A7:\n 58 // pop eax\n 5B // pop ebx\n 5E // pop esi\n 5F // pop edi\n 5D // pop ebp\n C3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_sleepmask_pivot_6d30b1acedef" ], "rule_creation_date": "2024-01-02", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_api_hashing_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567166Z", "creation_date": "2026-03-23T11:46:25.567168Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567174Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_api_hashing.yar", "content": "rule cobalt_strike_api_hashing {\n meta:\n title = \"Cobalt Strike API Hashing\"\n id = \"fa52a1f8-d1b8-4fbf-a086-7a8cf1e15220\"\n description = \"Detects API hashing functions in Cobalt Strike Artifact Kit.\\nCobalt Strike is a commercial remote access tool used for adversary simulation, enabling targeted attacks and emulation of advanced threat actors' post-exploitation activities.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2024-06-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012;attack.t1027.007\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e3bc6a18efd0e1c7fdf93050ce0d40c7d824ca3eefea087f862688494e5ea612\n // c46e5704d69c41d14e8d90567302a1b34d1006a7c3082699dded12bb8b694023\n // 
3dfc768a4670a52f6dfc3ec80859129f9955fc80341f31ea09eb45c35a30f3b6\n // 089bf4899c09179ac73c40ec314e298b298a0895ce28ca4d9da8353e9fe7afef\n\n $x_hash = {\n 45 0F B7 01 // movzx r8d, word ptr [r9]\n C1 C8 ?? // ror eax, 0Dh\n 41 83 F8 61 // cmp r8d, 61h ; 'a'\n 72 03 // jb short loc_356CC1BFA\n 83 C0 E0 // add eax, 0FFFFFFE0h\n }\n\n $x_virtualfree = {\n BA 17 CA 2B 6E // mov edx, 6E2BCA17h // kernel32.dll\n 41 B8 7B 27 83 E1 // mov r8d, 0E183277Bh // VirtualFree\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n\n $x_rtldecompressbuffer = {\n BA F2 DB 74 AD // mov edx, 0AD74DBF2h // ntdll.dll\n 41 B8 00 18 63 8B // mov r8d, 8B631800h // RtlDecompressBuffer\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n\n $x_loadlibrarya = {\n 41 B8 76 46 8B 8A // mov r8d, 8A8B4676h // LoadLibraryA\n BA 17 CA 2B 6E // mov edx, 6E2BCA17h // kernel32.dll\n 48 8B F1 // mov rsi, rcx\n E8 // call GetProcAddressByHash\n }\n\n $x_getprocaddress1 = {\n BA 17 CA 2B 6E // mov edx, 6E2BCA17h // kernel32.dll\n 41 B8 7A EE CA 1A // mov r8d, 1ACAEE7Ah // GetProcAddress\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n $x_getprocaddress2 = {\n 41 B8 7A EE CA 1A // mov r8d, 1ACAEE7Ah // GetProcAddress\n 41 8B D6 // mov edx, r14d\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n\n $x_virtualalloc1 = {\n BA 17 CA 2B 6E // mov edx, 6E2BCA17h // kernel32.dll\n 41 B8 1C BE 2E 30 // mov r8d, 302EBE1Ch // VirtualAlloc\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n $x_virtualalloc2 = {\n 41 B8 1C BE 2E 30 // mov r8d, 302EBE1Ch // VirtualAlloc\n 41 8B D6 // mov edx, r14d\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n\n $x_ntflushinstructioncache = {\n BA F2 DB 74 AD // mov edx, 0AD74DBF2h // ntdll.dll\n 41 B8 7F 3B 5A D9 // mov r8d, 0D95A3B7Fh // NtFlushInstructionCache\n 48 8B CE // mov rcx, rsi\n E8 // call GetProcAddressByHash\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ 
"cobalt_strike_api_hashing" ], "rule_creation_date": "2024-06-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1027.007", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_artifact_svc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575774Z", "creation_date": "2026-03-23T11:46:25.575777Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575782Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_artifact_svc.yar", "content": "rule cobalt_strike_artifact_svc {\n meta:\n title = \"Cobalt Strike Artifact Service DLL\"\n id = \"2aa825db-bd08-4010-b19f-25a126ca1771\"\n description = \"Detects the Cobalt Strike Artifact Service DLL.\\nCobalt Strike is a commercial, full-featured, remote access tool that bills itself as adversary simulation software designed to execute targeted attacks 
and emulate the post-exploitation actions of advanced threat actors.\\nCobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload use those APIs to inject payload into a new suspended process.\n $s1 = \"WriteProcessMemory\" ascii\n $s2 = \"VirtualAllocEx\" ascii\n $s3 = \"VirtualProtect\" ascii\n $s4 = \"VirtualProtectEx\" ascii\n $s5 = \"VirtualQuery\" ascii\n\n // This payload use those APIs to start an injected thread on the target sacrificial process (by altering thread context).\n $s6 = \"GetThreadContext\"\n $s7 = \"SetThreadContext\"\n $s8 = \"ResumeThread\"\n\n // The hardcoded sacrifical process is rundll32.exe (\"windir\\System32\\rundll32.dll\" path is constructed)\n // GetEnvironmentVariableA(\"windir\", windir_expanded_path, 0x400u);\n $s9 = \"windir\" ascii\n // snprintf(CommandLine, 0x400ui64, \"%s\\\\System32\\\\%s\", windir_expanded_path, executable_path);\n $s10 = \"%s\\\\System32\\\\%s\" ascii\n $s11 = \"rundll32.exe\" ascii\n\n // Detect standard services import used by this payload.\n $s12 = \"RegisterServiceCtrlHandlerA\" ascii\n $s13 = \"StartServiceCtrlDispatcherA\" ascii\n\n // The hardcoded service control name is \"DceRpcSs\"\n $s14 = \"DceRpcSs\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_artifact_svc" ], "rule_creation_date": "2020-12-10", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ 
"attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_beacon_7f9c58fac468_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570967Z", "creation_date": "2026-03-23T11:46:25.570970Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570975Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_beacon_7f9c58fac468.yar", "content": "rule cobalt_strike_beacon_7f9c58fac468 {\n meta:\n title = \"Cobalt Strike Beacon (7f9c58fac468)\"\n id = \"1b6182c5-0ef5-4c7e-a9cf-7f9c58fac468\"\n description = \"Detects an x86 Cobalt Strike Beacon in memory. Cobalt Strike is a commercial remote access tool used for adversary simulation. This rule detects the beacon by identifying specific patterns such as command handlers, configuration decryption, and C2 communication attempts. 
It is recommended to isolate the system and analyze the process for any signs of unauthorized activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n // \"HTTP/1.1 200 OK\\r\\nContent-Type: application/octet-stream\\r\\nContent-Length: %d\\r\\n\\r\\n\"\n $clear_string_http_header = {\n 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D\n 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61\n 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74\n 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74\n 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00\n }\n\n $clear_string_uid_fmt = \"%s (admin)\" ascii\n $clear_string_uid_admin_fmt = \"%s (admin)\" ascii\n $clear_string_psexec_service_start_fmt = \"Started service %s on %s\" ascii\n $clear_string_psexec_service_error_fmt = \"%s on %s: %d\" ascii\n $clear_string_start_as_user_error_fmt = \"%s as %s\\\\%s: %d\" ascii\n\n // NOTE: inline_execute is not present on Cobalt Strike 3\n $inline_execute_function_40 = {\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 89 45 D4 // mov dword ptr [ebp - 0x2c], eax\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 56 // push esi\n 89 45 DC // mov dword ptr [ebp - 0x24], eax\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 6A 40 // push 0x40 // PAGE_EXECUTE_READWRITE\n 89 45 D8 // mov dword ptr [ebp - 0x28], eax\n 8B 45 10 // mov eax, dword ptr [ebp + 0x10]\n 68 00 30 00 00 // push 0x3000 // MEM_COMMIT | MEM_RESERVE\n FF 75 0C // push dword ptr [ebp + 0xc]\n 89 45 F0 // mov dword ptr [ebp - 0x10], eax\n 8B 45 14 // mov eax, dword ptr [ebp + 0x14]\n 6A 00 // push 0\n C7 45 E0 ?? ?? ?? ?? // mov dword ptr [ebp - 0x20], 0xXX\n C7 45 E4 ?? ?? ?? ?? 
// mov dword ptr [ebp - 0x1c], 0xXX\n C7 45 E8 ?? ?? ?? ?? // mov dword ptr [ebp - 0x18], 0xXX\n C7 45 EC ?? ?? ?? ?? // mov dword ptr [ebp - 0x14], 0xXX\n 89 45 F4 // mov dword ptr [ebp - 0xc], eax\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX]\n 8B F0 // mov esi, eax\n 85 F6 // test esi, esi\n 74 ?? // je 0xXX\n FF 75 0C // push dword ptr [ebp + 0xc]\n FF 75 08 // push dword ptr [ebp + 8]\n 56 // push esi\n E8 ?? ?? ?? ?? // call 0xXX\n 83 C4 0C // add esp, 0xc\n 8D 45 D4 // lea eax, [ebp - 0x2c]\n 50 // push eax\n FF D6 // call esi\n 68 00 80 00 00 // push 0x8000 // MEM_RELEASE\n FF 75 0C // push dword ptr [ebp + 0xc]\n 56 // push esi\n FF 15 ?? ?? ?? ?? // call 0xXX\n }\n\n // NOTE: Cobalt Strike 4.2 extended the inline_execute method effectively uninlining it. We match on the context creation function.\n $inline_execute_function_42 = {\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 89 06 // mov dword ptr [esi], eax\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 89 46 ?? // mov dword ptr [esi + 0xXX], eax\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 89 46 ?? // mov dword ptr [esi + 0xXX], eax\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX]\n 83 C4 0C // add esp, 0xc\n 89 46 ?? // mov dword ptr [esi + 0xXX], eax\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? 
// mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n C7 46 ?? ?? ?? ?? ?? // mov dword ptr [esi + 0xXX], 0xXX\n }\n\n $beacon_config_decrypt = {\n (31|33|29) C0 // xor eax, eax or sub eax, eax\n // loop_label:\n 80 b0 ?? ?? ?? ?? (2e|69) // xor byte ptr [eax+0xXX], (0x2e | 0x69)\n 40 // inc eax\n 3D 00 10 00 00 // cmp eax, 0x1000\n 7C F1 // jl short loop_label\n }\n\n // Cobalt Strike always format C2 configuration the same way but use different xored keys depending of the version.\n //\n // C2 configuration xored keys:\n // - 3.x: 0x69\n // - 4.x: 0x2E\n //\n // C2 configuration format is the following:\n // - config_setting_type (u16): the setting type of this entry.\n // - data_type (u16): the type of the data in this entry\n // - data_size (u16): the size of the data in this entry.\n // - data (variable): the data of this entry.\n //\n // config_setting_type is defined as the following:\n // - BEACON_CONFIG_SETTING_PROTOCOL = 0x1\n // - BEACON_CONFIG_SETTING_PORT = 0x2\n // - BEACON_CONFIG_SETTING_SLEEPTIME = 0x3\n // - BEACON_CONFIG_SETTING_MAXGET = 0x4\n // - BEACON_CONFIG_SETTING_JITTER = 0x5\n // - BEACON_CONFIG_SETTING_MAXDNS = 0x6\n // - BEACON_CONFIG_SETTING_PUBKEY = 0x7\n\n $beacon_c2_xored_3xx = {\n 69 68 69 68 69 
6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PROTOCOL, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6B 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PORT, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6A 69 6B 69 6D ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_SLEEPTIME, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 69 6D 69 6B 69 6D ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXGET, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 69 6C 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_JITTER, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6F 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXDNS, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6E 69 6A 68 69 // config_setting_type: BEACON_CONFIG_SETTING_PUBKEY, data_type: BEACON_CONFIG_TYPE_PTR, data_size: 0x100\n }\n\n $beacon_c2_xored_4xx = {\n 2E 2F 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PROTOCOL, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 2C 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PORT, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 2D 2E 2C 2E 2A ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_SLEEPTIME, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 2E 2A 2E 2C 2E 2A ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXGET, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 2E 2B 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_JITTER, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 28 2E 2F 2E 2C ?? ?? 
// config_setting_type: BEACON_CONFIG_SETTING_MAXDNS, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 29 2E 2D 2F 2E // config_setting_type: BEACON_CONFIG_SETTING_PUBKEY, data_type: BEACON_CONFIG_TYPE_PTR, data_size: 0x100\n }\n\n condition:\n 1 of ($inline_execute_function_*) or ((4 of ($clear_string_*) or 1 of ($beacon_c2_xored_*)) and $beacon_config_decrypt)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_beacon_7f9c58fac468" ], "rule_creation_date": "2020-12-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_beacon_add34c51721d_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581155Z", "creation_date": "2026-03-23T11:46:25.581158Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581163Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": 
"cobalt_strike_beacon_add34c51721d.yar", "content": "rule cobalt_strike_beacon_add34c51721d {\n meta:\n title = \"Cobalt Strike Beacon (add34c51721d)\"\n id = \"f3f51583-389c-41ff-9788-add34c51721d\"\n description = \"Detects an x64 Cobalt Strike Beacon in memory. Cobalt Strike is a commercial remote access tool used for adversary simulation. This rule detects the beacon by identifying specific patterns such as command handlers, configuration decryption, and C2 communication attempts. It is recommended to isolate the system and analyze the process for any signs of unauthorized activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n $command_handler_pattern = {\n 4C 8D 05 ?? ?? FF FF // lea r8, [rip - X] // load send_data_callback\n 8B D0 // mov edx, eax // payload_length\n 49 8B CA // mov rcx, r10 // payload\n 48 83 C4 28 // add rsp, 0x28\n E9 ?? ?? ?? ?? 
// jmp X // jump to command handler\n }\n\n // \"HTTP/1.1 200 OK\\r\\nContent-Type: application/octet-stream\\r\\nContent-Length: %d\\r\\n\\r\\n\"\n $clear_string_http_header = {\n 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D\n 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61\n 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74\n 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74\n 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00\n }\n\n $clear_string_uid_fmt = \"%s (admin)\" ascii\n $clear_string_uid_admin_fmt = \"%s (admin)\" ascii\n $clear_string_psexec_service_start_fmt = \"Started service %s on %s\" ascii\n $clear_string_psexec_service_error_fmt = \"%s on %s: %d\" ascii\n $clear_string_start_as_user_error_fmt = \"%s as %s\\\\%s: %d\" ascii\n\n // NOTE: inline_execute is not present on Cobalt Strike 3\n $inline_execute_function_40 = {\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + X]\n 48 8B F1 // mov rsi, rcx\n 4D 89 43 E0 // mov [r11 - 0x20], r8\n 49 89 43 A8 // mov [r11 - 0x58], rax\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + X]\n 45 89 4B E8 // mov [r11 - 0x18], r9d\n 49 89 43 B8 // mov [r11 - 0x48], rax\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + X]\n 8B FA // mov edi, edx\n 49 89 43 B0 // mov [r11 - 0x50], rax\n 48 8d 05 ?? ?? ?? ?? // lea rax, [rip + X]\n 41 B9 40 00 00 00 // mov r9d, 0x40 // PAGE_EXECUTE_READWRITE\n 49 89 43 C0 // mov [r11 - 0x40], rax\n 48 8d 05 ?? ?? ?? ?? // lea rax, [rip + X]\n 41 B8 00 30 00 00 // mov r8d, 3000 // MEM_COMMIT | MEM_RESERVE\n 49 89 43 C8 // mov [r11 - 0x38], rax\n 48 8d 05 ?? ?? ?? ?? // lea rax, [rip + X]\n 8B D2 // mov edx, edx // size arg\n 49 89 43 D0 // mov [r11 - 0x30], rax\n 48 8d 05 ?? ?? ?? ?? // lea rax, [rip + X]\n 33 C9 // xor ecx, ecx\n 49 89 43 D8 // mov [r11 - 0x28], rax\n FF 15 ?? ?? ?? ?? // call [rip + X]\n 48 8B D8 // mov rbx, rax\n 48 85 C0 // test rax, rax\n 74 ?? // jz X\n 4C 8B C7 // mov r8, rdi\n 48 8B D6 // mov rdx, rsi\n 48 8B C8 // mov rcx, rax\n E8 ?? ?? ?? ?? 
// call X\n 48 8D 4C 24 20 // lea rcx, [rsp + 0x20]\n FF D3 // call rbx\n 41 B8 00 80 00 00 // mov r8d, 0x8000 // MEM_RELEASE\n 48 8B D7 // mov rdx, rdi\n 48 8B CB // mov rcx, rbx\n FF 15 ?? ?? ?? ?? // call [rip + X]\n }\n\n // NOTE: Cobalt Strike 4.2 extended the inline_execute method effectively uninlining it. We match on the context creation function.\n $inline_execute_function_42 = {\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + 0xXX]\n 48 89 03 // mov qword ptr [rbx], rax\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8B 05 ?? ?? ?? ?? // mov rax, qword ptr [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 43 ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? 
// lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, [rip + 0xXX]\n 48 89 83 ?? ?? ?? ?? // mov qword ptr [rbx + 0xXX], rax\n }\n\n $beacon_config_decrypt = {\n (48 8D 2D ?? ?? ?? 00| // lea rbp, qword_3B8D0+0B69h\n 41 8B ??) // mov eax, r15d\n // loop_label:\n 80 34 28 ?? 
// xor byte ptr [rax+rbp], 0xXX\n 48 FF C0 // inc rax\n 48 3D 00 10 00 00 // cmp rax, 0x1000\n 7C F1 // jl short loop_label\n }\n\n // Cobalt Strike always format C2 configuration the same way but use different xored keys depending of the version.\n //\n // C2 configuration xored keys:\n // - 3.x: 0x69\n // - 4.x: 0x2E\n //\n // C2 configuration format is the following:\n // - config_setting_type (u16): the setting type of this entry.\n // - data_type (u16): the type of the data in this entry\n // - data_size (u16): the size of the data in this entry.\n // - data (variable): the data of this entry.\n //\n // config_setting_type is defined as the following:\n // - BEACON_CONFIG_SETTING_PROTOCOL = 0x1\n // - BEACON_CONFIG_SETTING_PORT = 0x2\n // - BEACON_CONFIG_SETTING_SLEEPTIME = 0x3\n // - BEACON_CONFIG_SETTING_MAXGET = 0x4\n // - BEACON_CONFIG_SETTING_JITTER = 0x5\n // - BEACON_CONFIG_SETTING_MAXDNS = 0x6\n // - BEACON_CONFIG_SETTING_PUBKEY = 0x7\n\n $beacon_c2_xored_3xx = {\n 69 68 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PROTOCOL, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6B 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PORT, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6A 69 6B 69 6D ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_SLEEPTIME, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 69 6D 69 6B 69 6D ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXGET, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 69 6C 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_JITTER, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6F 69 68 69 6B ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXDNS, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 69 6E 69 6A 68 69 // config_setting_type: BEACON_CONFIG_SETTING_PUBKEY, data_type: BEACON_CONFIG_TYPE_PTR, data_size: 0x100\n }\n\n $beacon_c2_xored_4xx = {\n 2E 2F 2E 2F 2E 2C ?? ?? 
// config_setting_type: BEACON_CONFIG_SETTING_PROTOCOL, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 2C 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_PORT, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 2D 2E 2C 2E 2A ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_SLEEPTIME, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 2E 2A 2E 2C 2E 2A ?? ?? ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXGET, data_type: BEACON_CONFIG_TYPE_INT, data_size: 4\n 2E 2B 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_JITTER, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 28 2E 2F 2E 2C ?? ?? // config_setting_type: BEACON_CONFIG_SETTING_MAXDNS, data_type: BEACON_CONFIG_TYPE_SHORT, data_size: 2\n 2E 29 2E 2D 2F 2E // config_setting_type: BEACON_CONFIG_SETTING_PUBKEY, data_type: BEACON_CONFIG_TYPE_PTR, data_size: 0x100\n }\n\n // Detection for these samples:\n // 0c6f81baf945c70cbae9b012e2ffa60e2a178643ae47fbba1a7e0fb2d58f9a7a\n // a31dd4dbed030fa616e591a7f181916b2aa4505ccc7681441de6a7ed8679d932\n // d47a55e6d3f1c6fde03f1aec27d434b67c1b0c35f1999597006d640bf73ddede\n $after_beacon_config_decrypt = {\n B8 56 55 55 55 // mov eax, 55555556h\n 41 // inc ecx\n F7 E8 // imul eax\n 8B CA // mov ecx, edx\n C1 E9 1F // shr ecx, 1Fh\n 03 D1 // add edx, ecx\n 8D 04 52 // lea eax, [edx+edx*2]\n 41 // inc ecx\n 8B D0 // mov edx, eax\n 45 // inc ebp\n 03 C6 // add eax, esi\n 2B D0 // sub edx, eax\n 41 // inc ecx\n 0F BE 01 // movsx eax, byte ptr [ecx]\n 4D // dec ebp\n 03 CE // add ecx, esi\n 41 // inc ecx\n 03 D6 // add edx, esi\n 0F B6 C8 // movzx ecx, al\n B8 2F 77 CC AB // mov eax, 0ABCC772Fh\n 0F AF D1 // imul edx, ecx\n 03 D7 // add edx, edi\n 8B FA // mov edi, edx\n F7 E2 // mul edx\n C1 EA 1A // shr edx, 1Ah\n 69 D2 FF E0 F5 05 // imul edx, 5F5E0FFh\n 2B FA // sub edi, edx\n 44 // inc esp\n 3B C6 // cmp eax, esi\n 7C BB // jl short loc_18C78\n }\n\n condition:\n (\n (\n #command_handler_pattern >= 16 or\n 1 of 
($inline_execute_function_*) or\n 4 of ($clear_string_*) or\n 1 of ($beacon_c2_xored_*)\n ) and $beacon_config_decrypt\n ) or\n $after_beacon_config_decrypt\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_beacon_add34c51721d" ], "rule_creation_date": "2020-12-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_beacon_f1403adf86ad_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581056Z", "creation_date": "2026-03-23T11:46:25.581058Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581064Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_beacon_f1403adf86ad.yar", "content": "rule cobalt_strike_beacon_f1403adf86ad {\n meta:\n title = \"Cobalt Strike Beacon (f1403adf86ad)\"\n id = \"f00b345a-92d4-456a-b8b7-f1403adf86ad\"\n description = \"Detects Cobalt 
Strike Beacons.\\nCobalt Strike is a commercial Command & Control (C2) framework. While designed as a legitimate red team tool for security professionals, it has become one of the most widely abused frameworks in cybercrime and state-sponsored operations.\\nIt is recommended to analyze HTTP/HTTPS and DNS requests for unusual patterns, as well as to identify any SMB named pipe communications and any unusual process activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2025-11-06\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f2bb8708af4cf0750daa836dd57a0519af51afb0692223d1cd1a5ca26fa2cb26\n // b6583ec570937b0f5a1dcb38dd3a513373e4ba1c208974b0aebf4f7a750b9fc5\n // 5622932faa8a67661713095a0203255c148c7de677bc3ce0bb692971f5705f95\n\n $breakpoint_guard = {\n 48 89 4C 24 08 // mov qword [rsp+0x8 {arg_8}], rcx\n CC // int3\n 90 90 90 90 90 90 // nop\n }\n\n $config_decryption_single_xor = {\n 81 7C [4-6] // cmp dword [rsp+0x3c {i}], 0x1000\n 7D ?? // jge 0x1800350ee\n\n 48 63 44 24 ?? // movsxd rax, dword [rsp+0x3c {i}]\n 48 8D 0D [4] // lea rcx, [rel encrypted_config]\n 0F BE 04 01 // movsx eax, byte [rcx+rax]\n 83 F0 ?? // xor eax, 0x2f\n 48 63 4C 24 ?? // movsxd rcx, dword [rsp+0x3c {i}]\n 48 8D 15 [4] // lea rdx, [rel data_75040]\n 88 04 0A // mov byte [rdx+rcx], al\n EB // jmp 0x1800350b6\n }\n\n $config_decryption_double_xor = {\n 81 7C [4-6] // cmp dword [rsp+0x38 {i}], 0x1000\n 7D ?? // jge 0x1800350ee\n\n 48 63 44 24 ?? // movsxd rax, dword [rsp+0x3c {i}]\n 48 8D 0D [4] // lea rcx, [rel encrypted_config]\n 0F BE 04 01 // movsx eax, byte [rcx+rax]\n 83 F0 ?? // xor eax, 0x2f\n 48 63 4C 24 ?? 
// movsxd rcx, dword [rsp+0x3c {i}]\n 48 8D 15 [4] // lea rdx, [rel data_75040]\n 88 04 0A // mov byte [rdx+rcx], al\n 48 63 44 24 ?? // movsxd rax, dword [rsp+0x38 {i}]\n 48 8D 0D [4] // lea rcx, [rel data_75040]\n 0F BE 04 01 // movsx eax, byte [rcx+rax]\n 35 [4] // xor eax, 0xec\n 48 63 4C 24 ?? // movsxd rcx, dword [rsp+0x38 {i}]\n 48 8D 15 [4] // lea rdx, [rel data_75040]\n 88 04 0A // mov byte [rdx+rcx], al\n EB // jmp 0x2d686\n }\n\n condition:\n 1 of ($config_decryption_*) and $breakpoint_guard\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_beacon_f1403adf86ad" ], "rule_creation_date": "2025-11-06", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_beacon_magic_mz_3c65ae1c6a7f_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570938Z", "creation_date": "2026-03-23T11:46:25.570941Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570946Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/\nhttps://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64" ], "name": "cobalt_strike_beacon_magic_mz_3c65ae1c6a7f.yar", "content": "rule cobalt_strike_beacon_magic_mz_3c65ae1c6a7f {\n meta:\n title = \"Cobalt Strike Beacon magic_mz (3c65ae1c6a7f)\"\n id = \"28049624-5723-4667-9976-3c65ae1c6a7f\"\n description = \"Detects Cobalt Strike Beacon instances using the magic_mz_x64 malleable profile in memory.\\nCobalt Strike Beacon is a popular post-exploitation tool that uses malleable profiles to alter its behavior. The magic_mz_x64 profile is used to inject shellcode into processes, creating a persistence mechanism. This rule detects the specific patterns associated with this profile's execution in memory.\\nIt is recommended to monitor process creation and network communication for signs of Cobalt Strike activity.\"\n references = \"https://attack.mitre.org/software/S0154/\\nhttps://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64\"\n date = \"2022-03-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.execution\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // set magic_mz_x64 \"MZAR\";\n $region0 = {\n 4D 5A // pop r10 ; PE magic number\n 41 52 // push r10 ; Bytes on last page of file\n //(55|52 55|45 52 55|54 45 52 55) // push rbp ; Pages in file\n [1-4]\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; Size of header in paragraphs\n 48 8D 1D EA FF FF FF // lea rbx, __ImageBase\n 48 89 DF // mov rdi, rbx ; Initial (relative) CS value\n 48 81 C3 ?? ?? ?? 
00 // add rbx, 15F88h\n FF D3 // call rbx ; loc_180015F88\n }\n\n // set magic_mz_x64 \"AXAP\";\n $region1 = {\n 41 58 // pop r8\n 41 50 // push r8\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; CODE XREF: sub_E730+99↓p\n 48 8D 1D EA FF FF FF // lea rbx, loc_0 ; DATA XREF: __alloca_probe+1C↓r\n 48 89 DF // mov rdi, rbx\n 48 81 C3 ?? ?? ?? 00 // add rbx, 15F88h\n FF D3 // call rbx ; sub_15F88\n }\n\n // set magic_mz_x64 \"AYAQ\";\n $region2 = {\n 41 59 // pop r9\n 41 51 // push r9\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; CODE XREF: sub_E730+99↓p\n 48 8D 1D EA FF FF FF // lea rbx, loc_0\n 48 89 DF // mov rdi, rbx\n 48 81 C3 ?? ?? ?? 00 // add rbx, 15F88h\n FF D3 // call rbx ; sub_15F88\n }\n\n // set magic_mz_x64 \"AZAR\";\n $region3 = {\n 41 5A // pop r10\n 41 52 // push r10\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; CODE XREF: sub_E730+99↓p\n 48 8D 1D EA FF FF FF // lea rbx, loc_0 ; DATA XREF: __alloca_probe+1C↓r\n 48 89 DF // mov rdi, rbx\n 48 81 C3 ?? ?? ?? 00 // add rbx, 15F88h\n FF D3 // call rbx ; sub_15F88\n }\n\n // set magic_mz_x64 \"^V\";\n $region4 = {\n 5E // pop rsi\n 56 // push rsi\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; CODE XREF: sub_E730+99↓p\n 48 8D 1D EC FF FF FF // lea rbx, loc_0 ; DATA XREF: __alloca_probe+1C↓r\n 48 89 DF // mov rdi, rbx\n 48 81 C3 ?? ?? ?? 00 // add rbx, 15F88h\n FF D3 // call rbx ; sub_15F88\n }\n\n // set magic_mz_x64 \"A[AS\";\n $region5 = {\n 41 5B // pop r11\n 41 53 // push r11\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC 20 00 00 00 // sub rsp, 20h ; CODE XREF: sub_E730+99↓p\n 48 8D 1D EA FF FF FF // lea rbx, loc_0 ; DATA XREF: __alloca_probe+1C↓r\n 48 89 DF // mov rdi, rbx\n 48 81 C3 ?? ?? ?? 00 // add rbx, 15F88h\n FF D3 // call rbx ; sub_15F88\n }\n\n $reflectiveloader1 = {\n 81 [1-3] 8E 4E 0E EC // cmp [rsp+68h+var_64], 0EC0E4E8Eh\n 74 ?? 
// jz short loc_16A0D\n 81 [1-3] AA FC 0D 7C // cmp [rsp+68h+var_64], 7C0DFCAAh\n 74 ?? // jz short loc_16A0D\n 81 [1-3] 54 CA AF 91 // cmp [rsp+68h+var_64], 91AFCA54h\n 74 ?? // jz short loc_16A0D\n 81 [1-3] 1B C6 46 79 // cmp [rsp+68h+var_64], 7946C61Bh\n 74 ?? // jz short loc_16A0D\n 81 [1-3] FC A4 53 07 // cmp [rsp+68h+var_64], 753A4FCh\n 74 ?? // jz short loc_16A0D\n 81 [1-3] 04 49 32 D3 // cmp [rsp+68h+var_64], 0D3324904h\n 0F ?? ?? ?? 00 00 // jnz loc_16B33\n }\n\n condition:\n 1 of ($region*) and 1 of ($reflectiveloader*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_beacon_magic_mz_3c65ae1c6a7f" ], "rule_creation_date": "2022-03-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_beacon_magic_mz_c375c8b538df_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580914Z", "creation_date": "2026-03-23T11:46:25.580916Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580921Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/\nhttps://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64" ], "name": "cobalt_strike_beacon_magic_mz_c375c8b538df.yar", "content": "rule cobalt_strike_beacon_magic_mz_c375c8b538df {\n meta:\n title = \"Cobalt Strike Beacon magic_mz (c375c8b538df)\"\n id = \"6cbb0ed2-a041-44b2-92a0-c375c8b538df\"\n description = \"Detects Cobalt Strike Beacon instances using the magic_mz_x86 malleable profile in memory.\\nCobalt Strike Beacon is a popular post-exploitation tool that uses malleable profiles to alter its behavior. The magic_mz_x86 profile is used to inject shellcode into processes, creating a persistence mechanism. This rule detects the specific patterns associated with this profile's execution in memory.\\nIt is recommended to monitor process creation and network communication for signs of Cobalt Strike activity.\"\n references = \"https://attack.mitre.org/software/S0154/\\nhttps://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64\"\n date = \"2022-03-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.execution\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // set magic_mz_x86 \"MZRE\";\n $region0 = {\n 4D // dec ebp\n 5A // pop edx\n 52 // push edx\n 45 // inc ebp\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n // set magic_mz_x86 \"H@KC\";\n $region1 = {\n 48 // dec eax\n 40 // inc eax\n 4B // dec ebx\n 43 // inc ebx\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 
00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n // set magic_mz_x86 \"KCKC\";\n $region2 = {\n 4B // dec ebx\n 43 // inc ebx\n 4B // dec ebx\n 43 // inc ebx\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n // set magic_mz_x86 \"@H@H\";\n $region3 = {\n 40 // inc eax\n 48 // dec eax\n 40 // inc eax\n 48 // dec eax\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n // set magic_mz_x86 \"]U]U\";\n $region4 = {\n 5D // pop ebp\n 55 // push ebp\n 5D // pop ebp\n 55 // push ebp\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n // set magic_mz_x86 \"MEME\";\n $region5 = {\n 4D // dec ebp\n 45 // inc ebp\n 4D // dec ebp\n 45 // inc ebp\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 89 DF // mov edi, ebx\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? 00 // add ebx, 7C14h\n FF D3 // call ebx\n }\n\n $reflectiveloader1 = {\n 81 [1-2] 8E 4E 0E EC // cmp [ebp+var_10], 0EC0E4E8Eh\n 74 ?? // jz short loc_10008D7B\n 81 [1-2] AA FC 0D 7C // cmp [ebp+var_10], 7C0DFCAAh\n 74 ?? // jz short loc_10008D7B\n 81 [1-2] 54 CA AF 91 // cmp [ebp+var_10], 91AFCA54h\n 74 ?? // jz short loc_10008D7B\n 81 [1-2] 1B C6 46 79 // cmp [ebp+var_10], 7946C61Bh\n 74 ?? // jz short loc_10008D7B\n 81 [1-2] FC A4 53 07 // cmp [ebp+var_10], 753A4FCh\n 74 ?? // jz short loc_10008D7B\n 81 [1-2] 04 49 32 D3 // cmp [ebp+var_10], 0D3324904h\n 0F ?? ?? ?? 00 00 // jnz loc_10008E35\n }\n\n $reflectiveloader2 = {\n 75 ?? // jnz short loc_10001110\n 81 ?? 8E 4E 0E EC // cmp edx, 0EC0E4E8Eh\n 74 ?? // jz short loc_10001137\n 81 ?? AA FC 0D 7C // cmp edx, 7C0DFCAAh\n 74 ?? // jz short loc_10001137\n 81 ?? 
54 CA AF 91 // cmp edx, 91AFCA54h\n 75 ?? // jnz short loc_10001184\n }\n\n condition:\n 1 of ($region*) and 1 of ($reflectiveloader*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_beacon_magic_mz_c375c8b538df" ], "rule_creation_date": "2022-03-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_crossc2_beacon_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565114Z", "creation_date": "2026-03-23T11:46:25.565117Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565132Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/gloxec/CrossC2\nhttps://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html\nhttps://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf\nhttps://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/" ], "name": "cobalt_strike_crossc2_beacon.yar", "content": "rule 
cobalt_strike_crossc2_beacon {\n meta:\n title = \"Cobalt Strike CrossC2 Beacon\"\n id = \"5de0eac9-a4f9-4a18-bc8f-9a765ca7ed80\"\n description = \"Detects a CrossC2 Cobalt Strike Beacon.\\nCrossC2 is a publicly available tool used to generate Unix Cobalt Strike payloads for cross-platform distributions.\\nIt enables adversaries to deploy and communicate with beaconing malwares across different operating systems.\\nIt is recommended to investigate the execution context and surrounding detection to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/gloxec/CrossC2\\nhttps://www.trendmicro.com/en_us/research/21/j/actors-target-huawei-cloud-using-upgraded-linux-malware-.html\\nhttps://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf\\nhttps://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/\"\n date = \"2024-11-26\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Linux.Framework.CobaltStrike\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e46606c9a2559c2a19edc67a69be7bf6869c0a2716ed1e8764bb492d12019baa\n // 99cf3c473afafe8fbcacd93db9d21dbbb441ba65143a59829569700b54abb1be\n // 013659b18ce1945d4702270bbe23d3f6e0d9114c49228369fac739c96a6fb315\n // e6dd401cf11481690791c6cb174d3af21604f4a2c90e21b4087dbd47e69afee4\n\n // \"%s %s HTTP/1.0\\r\\n\"\n $str_http_header_1 = {\n 25 73 20 25 73 20\n 48 54 54 50 2f 31\n 2e 30 0D 0A\n }\n // \"Content-Type: application/ocsp-request\\r\\nContent-Length: %d\\r\\n\\r\\n\"\n $str_http_header_2 = {\n 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61\n 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 73 70\n 2d 72 65 71 75 65 73 74 0D 0A 43 6f 6e 74 65\n 6e 74 2d 4c 65 6e 67 74 68 3a 20 25 64 0D 0A\n 0D 0A\n }\n 
$str_openssl_config = \"openssl.cnf\" ascii fullword\n\n $stub_cff_x64 = {\n 85 C0 // test eax, eax\n 0F 84 [4] // jz .1\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 10 // sub rsp, 0x10\n E8 [4] // call sub_4125b0()\n C3 // ret\n 58 // pop rax\n 85 C0 // test eax, eax\n 0F 84 [4] // jz sub_4125b0()\n 58 // pop rax\n 48 83 C4 0A // add rsp, 0x0A\n E9 // jmp loc_40bf91\n }\n\n $stub_cff_x32 = {\n 85 C0 // test eax, eax\n 0F 84 [4] // jz .326\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 83 EC 10 // sub esp, 0x10\n 0F 84 [4] // jz .325\n C3 // ret\n 58 // pop eax\n 83 C4 0A // add esp, 0x0A\n E9 // jmp .489\n }\n\n $stub_cff_dispatch = {\n 8B 85 ?? FF FF FF // mov eax, [ebp-0xC8]\n 2D [4] // sub eax, 0x85E72643\n 89 85 ?? FF FF FF // mov [ebp-0xDC], eax\n 0F 84 [2] 00 00 // jz .231\n E9 00 00 00 00 // jmp .15\n }\n\n $stub_http_x64 = {\n 48 8B 7F 20 // mov rdi, [rdi+0x20]\n 48 85 D2 // test rdx, rdx\n 48 89 D1 // mov rcx, rdx\n B8 94 D7 74 00 // mov eax, 0x74D794\n 48 0F 44 C8 // cmovz rcx, rax\n 48 89 F2 // mov rdx, rsi\n 31 C0 // xor eax, eax\n BE 20 09 75 00 // mov esi, \"%s %s HTTP/1.0\\r\\n\"\n E8 [4] // call sub_631690()\n 31 D2 // xor edx, edx\n 85 C0 // test eax, eax\n 7E 08 // jle loc_670ad4\n C7 03 09 10 00 00 // mov dword ptr [rbx], 0x1009\n B2 01 // mov dl, 0x01\n 5B // pop rbx\n 89 D0 // mov eax, edx\n C3 // ret\n }\n\n $stub_http_x32 = {\n 85 C0 // test eax, eax\n 74 34 // jz loc_17ac64\n 89 44 24 0C // mov [esp+0x0C], eax\n 8B 44 24 24 // mov eax, [esp+0x24]\n C7 44 24 04 [4] // mov dword ptr [esp+0x04], \"%s %s HTTP/1.0\\r\\n\"\n 89 44 24 08 // mov [esp+0x08], eax\n 8B 43 10 // mov eax, [ebx+0x10]\n 89 04 24 // mov [esp], eax\n E8 [4] // call sub_139710()\n 31 D2 // xor edx, edx\n 85 C0 // test eax, eax\n 7E 08 // jle loc_17ac5d\n C7 03 [4] // mov dword ptr [ebx], 0x1009\n B2 01 // mov dl, 0x01\n 83 C4 18 // add esp, 0x18\n 89 D0 // mov eax, edx\n 5B // pop ebx\n C3 // ret\n }\n\n $stub_http_rebind_x64 = {\n 48 85 D2 // test rdx, rdx\n 48 89 D1 
// mov rcx, rdx\n 48 89 F2 // mov rdx, rsi\n 48 8D 35 [4] // lea rsi, [\"%s %s HTTP/1.0\\r\\n\"]\n 48 0F 44 C8 // cmovz rcx, rax\n 31 C0 // xor eax, eax\n E8 [4] // call sub_149560()\n 31 D2 // xor edx, edx\n 85 C0 // test eax, eax\n 7E ?? // jle .1\n C7 03 [4] // mov dword ptr [rbx], 0x1009\n B2 01 // mov dl, 0x01\n 5B // pop rbx\n 89 D0 // mov eax, edx\n C3 // ret\n }\n\n condition:\n uint16(0) == 0x457f and\n (\n (#stub_cff_x64 >= 2900 or #stub_cff_x32 >= 3000) and\n #stub_cff_dispatch >= 200 and\n 1 of ($stub_http_*) and\n all of ($str_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_crossc2_beacon" ], "rule_creation_date": "2024-11-26", "rule_modified_date": "2025-11-04", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_default_stager_2a8077ab7fa5_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581115Z", "creation_date": "2026-03-23T11:46:25.581117Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581132Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_default_stager_2a8077ab7fa5.yar", "content": "rule cobalt_strike_default_stager_2a8077ab7fa5 {\n meta:\n title = \"Cobalt Strike Default Stager (2a8077ab7fa5)\"\n id = \"c854f1fd-64e1-4dca-8fff-2a8077ab7fa5\"\n description = \"Detects Cobalt Strike's default stager in memory.\\nCobalt Strike's stager is responsible for unpacking and executing the payload within the infected system.\\nThis stager allocates memory and decrypts the payload using a custom routine.\\nThe detection is based on the memory patterns of the stager's unpacking process and encryption techniques.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-01-15\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1572;attack.t1071;attack.t1027.005;attack.t1106;attack.t1140\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $unpacker_stage_optimized = {\n 41 B9 04 00 00 00 // mov r9d, 4 // PAGE_READWRITE\n 48 63 F2 // movsxd rsi, edx\n 49 89 CC // mov r12, rcx\n 89 D7 // mov edi, edx\n 4C 89 C5 // mov rbp, r8\n 48 89 F2 // mov rdx, rsi // dwSize\n 41 B8 00 (10|30) 00 00 // mov r8d, 0x3000|0x1000 // MEM_COMMIT | MEM_RESERVE or only MEM_COMMIT\n 31 C9 // xor ecx, ecx // lpStartAddress\n FF 15 ?? ?? ?? ?? 
// call qword ptr [rip + 0xXX] // VirtualAlloc\n 48 89 C3 // mov rbx, rax\n 31 C0 // xor eax, eax\n EB 11 // jmp decrypt_payload\n\n // loop_decrypt_payload:\n 83 E2 03 // and edx, 3\n 8A 54 15 00 // mov dl, [rbp+rdx+0]\n 41 32 14 04 // xor dl, [r12+rax]\n 88 14 03 // mov [rbx+rax], dl\n 48 FF C0 // inc rax\n\n // decrypt_payload:\n 39 F8 // cmp eax, edi\n 89 C2 // mov edx, eax\n 7C E9 // jl loop_decrypt_payload\n 48 89 D9 // mov rcx, rbx\n E8 ?? ?? ?? ?? // call 0xXX\n 4C 8D 4C 24 3C // lea r9, [rsp + 0x3c]\n 48 89 F2 // mov rdx, rsi\n 48 89 D9 // mov rcx, rbx\n 41 B8 20 00 00 00 // mov r8d, 0x20 // PAGE_READEXECUTE\n FF 15 ?? ?? ?? ?? // call qword ptr [rip + 0xXX] // VirtualProtect\n 4C 8D 05 ?? ?? ?? ?? // lea r8, [rip + 0xXX] // lpStartAddress\n 49 89 D9 // mov r9, rbx // lpParameter\n 31 D2 // xor edx, edx // dwStackSize\n 31 C9 // xor ecx, ecx // lpThreadAttributes\n 48 C7 44 24 28 00 00 00 00 // mov qword ptr [rsp + 0x28], 0 // lpThreadId\n C7 44 24 20 00 00 00 00 // mov qword ptr [rsp + 0x20], 0 // dwCreationFlags\n FF 15 ?? ?? ?? ?? 
// call qword ptr [rip + 0xXX] // CreateThread\n }\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_default_stager_2a8077ab7fa5" ], "rule_creation_date": "2021-01-15", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071", "attack.t1140", "attack.t1106", "attack.t1572", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_default_stager_4ff51084ff7e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577687Z", "creation_date": "2026-03-23T11:46:25.577689Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577695Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_default_stager_4ff51084ff7e.yar", "content": "rule cobalt_strike_default_stager_4ff51084ff7e {\n meta:\n title = \"Cobalt Strike Default Stager (4ff51084ff7e)\"\n id = \"aa0868a7-c22d-48db-acb9-4ff51084ff7e\"\n description = \"Detects Cobalt Strike's default stager in 
memory.\\nCobalt Strike's stager is responsible for unpacking and executing the payload within the infected system.\\nThis stager allocates memory and decrypts the payload using a custom routine.\\nThe detection is based on the memory patterns of the stager's unpacking process and encryption techniques.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-01-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1572;attack.t1071;attack.t1027.005;attack.t1106;attack.t1140\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $unpacker_stage_3x_4x_optimized2 = {\n 8B 75 0C // mov esi, dword ptr [ebp + 0xc]\n C7 44 24 0C 04 00 00 00 // mov dword ptr [esp + 0xc], 4 // PAGE_READWRITE\n C7 44 24 08 00 (10|30) 00 00 // mov dword ptr [esp + 8], 0x1000 | 0x3000 // MEM_COMMIT | MEM_RESERVE or only MEM_COMMIT\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpStartAddress\n 89 74 24 04 // mov dword ptr [esp + 4], esi // dwSize\n FF 15 ?? ?? ?? ?? 
// call dword ptr [0xXX] // VirtualAlloc\n 31 C9 // xor ecx, ecx\n 83 EC 10 // sub esp, 0x10\n 89 C3 // mov ebx, eax\n EB 1A // jmp decrypt_payload\n\n // loop_decrypt_payload:\n 89 C8 // mov eax, ecx\n BF 04 00 00 00 // mov edi, 4\n 99 // cdq\n F7 FF // idiv edi\n 8B 7D 10 // mov edi, dword ptr [ebp + 0x10]\n 8A 04 17 // mov al, byte ptr [edi + edx]\n 8B 7D 08 // mov edi, dword ptr [ebp + 8]\n 32 04 0F // xor al, byte ptr [edi + ecx]\n 88 04 0B // mov byte ptr [ebx + ecx], al\n 41 // inc ecx\n\n // decrypt_payload:\n 39 F1 // cmp ecx, esi\n 7C E2 // jl loop_decrypt_payload\n\n // Cobalt Strike context patching (since 4.0)\n [0-8] // 89 1C 24 // mov dword ptr [esp], ebx\n // E8 ?? ?? ?? ?? // call 0xXXXXX // Modify the context passed to the thread\n\n\n 8D 45 E4 // lea eax, [ebp - 0x1c]\n 89 74 24 04 // mov dword ptr [esp + 4], esi\n 89 1C 24 // mov dword ptr [esp], ebx\n 89 44 24 0C // mov dword ptr [esp + 0xc], eax\n C7 44 24 08 20 00 00 00 // mov dword ptr [esp + 8], 0x20 // PAGE_READEXECUTE\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualProtect\n 83 EC 10 // sub esp, 0x10\n 89 5C 24 0C // mov dword ptr [esp + 0xc], ebx // lpParameter\n C7 44 24 14 00 00 00 00 // mov dword ptr [esp + 0x14], 0 // lpThreadId\n C7 44 24 10 00 00 00 00 // mov dword ptr [esp + 0x10], 0 // dwCreationFlags\n C7 44 24 08 ?? ?? ?? 00 // mov dword ptr [esp + 8], 0xXX // lpStartAddress\n C7 44 24 04 00 00 00 00 // mov dword ptr [esp + 4], 0 // dwStackSize\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpThreadAttributes\n FF 15 ?? ?? ?? ?? 
// call dword ptr [0xXX] // CreateThread\n }\n\n $unpacker_stage_3x_optimized1 = {\n 8B 45 0C // mov eax, dword ptr [ebp + 0xc]\n C7 44 24 0C 40 00 00 00 // mov dword ptr [esp + 0xc], 0x40 // PAGE_READWRITE\n C7 44 24 08 00 (10|30) 00 00 // mov dword ptr [esp+8], 1000h // MEM_COMMIT | MEM_RESERVE or only MEM_COMMIT\n 89 44 24 04 // mov dword ptr [esp + 4], eax // dwSize\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpStartAddress\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX] // VirtualAlloc\n FF D0 // call eax\n 83 EC 10 // sub esp, 0x10\n 89 45 F0 // mov dword ptr [ebp - 0x10], eax\n C7 45 F4 00 00 00 00 // mov dword ptr [ebp - 0xc], 0\n EB 44 // jmp decrypt_payload\n\n // loop_decrypt_payload:\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n (\n 89 C1 | // mov ecx, eax or\n 50 // push eax\n 59 // pop ecx\n )\n 03 4D 08 // add ecx, dword ptr [ebp + 8]\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n 03 45 08 // add eax, dword ptr [ebp + 8]\n 0F B6 18 // movzx ebx, byte ptr [eax]\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n 89 C2 // mov edx, eax\n C1 FA 1F // sar edx, 0x1F\n C1 EA 1E // shr edx, 0x1E\n 01 D0 // add eax, edx\n 83 E0 03 // and eax, 3\n 29 D0 // sub eax, edx\n 03 45 10 // add eax, [ebp+arg_8]\n 0F B6 00 // movzx eax, byte ptr [eax]\n 31 D8 // xor eax, ebx\n 88 01 // mov [ecx], al\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n (\n 89 C2 | // mov edx, eax or\n 50 // push eax\n 5A // pop edx\n )\n 03 55 08 // add edx, dword ptr [ebp + 8]\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n 03 45 F0 // add eax, dword ptr [ebp - 0x10]\n 0F B6 12 // movzx edx, byte ptr [edx]\n 88 10 // mov [eax], dl\n 83 45 F4 01 // add dword ptr [ebp - 0xc], 1\n\n // decrypt_payload:\n 8B 45 F4 // mov eax, dword ptr [ebp - 0xc]\n 3B 45 0C // cmp eax, dword ptr [ebp + 0xc]\n 7C B4 // jl loop_decrypt_payload\n\n 8B 45 F0 // mov eax, dword ptr [ebp - 0x10]\n C7 44 24 14 00 00 00 00 // mov dword ptr [esp + 0x14], 0 // lpThreadId\n C7 44 24 10 00 00 00 00 // mov dword ptr [esp + 
0x10], 0 // dwCreationFlags\n C7 44 24 0C 00 00 00 00 // mov dword ptr [esp + 0xC], 0 // lpParameter\n 89 44 24 08 // mov dword ptr [esp + 8], eax // lpStartAddress\n C7 44 24 04 00 00 00 00 // mov dword ptr [esp + 4], 0 // dwStackSize\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpThreadAttributes\n A1 ?? ?? ?? ?? // mov eax, dword ptr [0xXX] // CreateThread\n FF D0 // call eax\n\n }\n\n $unpacker_stage_3x_unoptimized = {\n 8B 75 0C // mov esi, dword ptr [ebp + 0xc]\n C7 44 24 0C 04 00 00 00 // mov dword ptr [esp + 0xc], 4 // PAGE_READWRITE\n C7 44 24 08 00 (10|30) 00 00 // mov dword ptr [esp + 8], 0x3000 // MEM_COMMIT | MEM_RESERVE\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpStartAddress\n 89 74 24 04 // mov dword ptr [esp + 4], esi // dwSize\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualAlloc\n 29 C9 // sub ecx, ecx\n 83 EC 10 // sub esp, 0x10\n 50 // push eax\n 5B // pop ebx\n EB 1A // jmp decrypt_payload\n\n // loop_decrypt_payload:\n 51 // push ecx\n 58 // pop eax\n BF 04 00 00 00 // mov edi, 4\n 99 // cdq\n F7 FF // idiv edi\n 8B 7D 10 // mov edi, dword ptr [ebp + 0x10]\n 8A 04 17 // mov al, byte ptr [edi + edx]\n 8B 7D 08 // mov edi, dword ptr [ebp + 8]\n 32 04 0F // xor al, byte ptr [edi + ecx]\n 88 04 0B // mov byte ptr [ebx + ecx], al\n 41 // inc ecx\n\n // decrypt_payload:\n 39 F1 // cmp ecx, esi\n 7C E2 // jl loop_decrypt_payload\n\n 8D 45 E4 // lea eax, [ebp - 0x1c]\n 89 74 24 04 // mov dword ptr [esp + 4], esi\n 89 1C 24 // mov dword ptr [esp], ebx\n 89 44 24 0C // mov dword ptr [esp + 0xc], eax\n C7 44 24 08 20 00 00 00 // mov dword ptr [esp + 8], 0x20 // PAGE_READEXECUTE\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualProtect\n 83 EC 10 // sub esp, 0x10\n 89 5C 24 0C // mov dword ptr [esp + 0xc], ebx // lpParameter\n C7 44 24 14 00 00 00 00 // mov dword ptr [esp + 0x14], 0 // lpThreadId\n C7 44 24 10 00 00 00 00 // mov dword ptr [esp + 0x10], 0 // dwCreationFlags\n C7 44 24 08 ?? ?? ?? 
00 // mov dword ptr [esp + 8], 0xXX // lpStartAddress\n C7 44 24 04 00 00 00 00 // mov dword ptr [esp + 4], 0 // dwStackSize\n C7 04 24 00 00 00 00 // mov dword ptr [esp], 0 // lpThreadAttributes\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // CreateThread\n }\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_default_stager_4ff51084ff7e" ], "rule_creation_date": "2021-01-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071", "attack.t1140", "attack.t1106", "attack.t1572", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_hashdump_injected_efc1f710d60b_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567285Z", "creation_date": "2026-03-23T11:46:25.567287Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567293Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_hashdump_injected_efc1f710d60b.yar", "content": "rule 
cobalt_strike_hashdump_injected_efc1f710d60b {\n meta:\n title = \"Cobalt Strike Hashdump Injected Thread (efc1f710d60b)\"\n id = \"260533ad-6729-40d7-9506-efc1f710d60b\"\n description = \"Detects the Cobalt Strike Hashdump Injected Thread for x64.\\nCobalt Strike is a remote access tool used for adversary simulation. This specific rule identifies the hashdump functionality, which extracts credentials from the system.\\nIt is recommended to isolate the endpoint and monitor for additional suspicious activities.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = {\n 48 8D 93 FE 00 00 00 // lea rdx, [rbx + 0xfe]\n 48 8B C8 // mov rcx, rax\n FF 53 08 // call qword ptr [rbx + 8]\n 48 8D 93 0C 01 00 00 // lea rdx, [rbx + 0x10c]\n 49 8B CF // mov rcx, r15\n 48 8B F0 // mov rsi, rax\n 48 89 85 80 00 00 00 // mov qword ptr [rbp + 0x80], rax\n FF 53 08 // call qword ptr [rbx + 8]\n 48 8D 93 26 01 00 00 // lea rdx, [rbx + 0x126]\n 49 8B CF // mov rcx, r15\n 4C 8B F0 // mov r14, rax\n FF 53 08 // call qword ptr [rbx + 8]\n }\n\n $s2 = {\n FF 53 10 // call qword ptr [rbx + 0x10]\n 48 8B 4D A0 // mov rcx, qword ptr [rbp - 0x60]\n FF 53 20 // call qword ptr [rbx + 0x20]\n 48 8B 4D A0 // mov rcx, qword ptr [rbp - 0x60]\n FF 53 28 // call qword ptr [rbx + 0x28]\n 48 8B 4D B0 // mov rcx, qword ptr [rbp - 0x50]\n FF 53 28 // call qword ptr [rbx + 0x28]\n }\n\n $s3 = {\n C7 44 24 44 02 00 00 00 // mov dword ptr [rsp + 0x44], 2\n C7 44 24 38 01 00 00 00 // mov dword ptr [rsp + 0x38], 1\n FF 15 09 A2 00 00 // call qword ptr [rip + 0xa209]\n }\n\n $s4 = {\n FF 15 33 A3 00 00 // call qword ptr [rip + 0xa333]\n 44 8B C3 // mov 
r8d, ebx\n 33 D2 // xor edx, edx\n B9 FF FF 1F 00 // mov ecx, 0x1fffff\n FF 15 E3 A2 00 00 // call qword ptr [rip + 0xa2e3]\n 48 83 C9 FF // or rcx, 0xffffffffffffffff\n }\n\n $s5 = {\n 48 8B 44 24 30 // mov rax, qword ptr [rsp + 0x30]\n 4C 8B 45 E8 // mov r8, qword ptr [rbp - 0x18]\n 48 8B 50 08 // mov rdx, qword ptr [rax + 8]\n 4A 8B 54 F2 10 // mov rdx, qword ptr [rdx + r14*8 + 0x10]\n FF 55 C8 // call qword ptr [rbp - 0x38]\n }\n\n $s6 = {\n 48 8B 83 88 01 00 00 // mov rax, qword ptr [rbx + 0x188]\n 8B 8D 88 00 00 00 // mov ecx, dword ptr [rbp + 0x88]\n 89 4C 06 08 // mov dword ptr [rsi + rax + 8], ecx\n 48 8B 44 24 30 // mov rax, qword ptr [rsp + 0x30]\n 48 8B 93 88 01 00 00 // mov rdx, qword ptr [rbx + 0x188]\n 48 8B 48 08 // mov rcx, qword ptr [rax + 8]\n 41 B8 20 00 00 00 // mov r8d, 0x20\n 42 8B 04 F1 // mov eax, dword ptr [rcx + r14*8]\n 89 44 16 0C // mov dword ptr [rsi + rdx + 0xc], eax\n 48 8B 8B 88 01 00 00 // mov rcx, qword ptr [rbx + 0x188]\n 48 8B 54 24 48 // mov rdx, qword ptr [rsp + 0x48]\n 48 83 C1 10 // add rcx, 0x10\n 48 03 CE // add rcx, rsi\n FF 55 C8 // call qword ptr [rbp - 0x38]\n }\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_hashdump_injected_efc1f710d60b" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_hashdump_injected_fcc1efd6e62d_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580940Z", "creation_date": "2026-03-23T11:46:25.580942Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580948Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_hashdump_injected_fcc1efd6e62d.yar", "content": "rule cobalt_strike_hashdump_injected_fcc1efd6e62d {\n meta:\n title = \"Cobalt Strike Hashdump Injected Thread (fcc1efd6e62d)\"\n id = \"c2d23280-53ab-42c8-b4ce-fcc1efd6e62d\"\n description = \"Detects the Cobalt Strike Hashdump Injected Thread for x64.\\nCobalt Strike is a remote access tool used for adversary simulation. 
This specific rule identifies the hashdump functionality, which extracts credentials from the system.\\nIt is recommended to isolate the endpoint and monitor for additional suspicious activities.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = {\n 89 BD 6C FF FF FF // mov dword ptr [ebp - 0x94], edi\n 89 BD 70 FF FF FF // mov dword ptr [ebp - 0x90], edi\n 89 BD 74 FF FF FF // mov dword ptr [ebp - 0x8c], edi\n 89 BD 78 FF FF FF // mov dword ptr [ebp - 0x88], edi\n 89 BD 7C FF FF FF // mov dword ptr [ebp - 0x84], edi\n C7 85 68 FF FF FF 18 00 00 00 // mov dword ptr [ebp - 0x98], 0x18\n FF 55 94 // call dword ptr [ebp - 0x6c]\n }\n\n $s2 = {\n 8B 4E 0C // mov ecx, dword ptr [esi + 0xc]\n 8D 86 4C 01 00 00 // lea eax, [esi + 0x14c]\n 50 // push eax\n 6A 00 // push 0\n 6A 02 // push 2\n FF D1 // call ecx\n }\n\n $s3 = {\n 8B 46 04 // mov eax, dword ptr [esi + 4]\n 8D 56 27 // lea edx, [esi + 0x27]\n 52 // push edx\n 53 // push ebx\n FF D0 // call eax\n 8B 56 04 // mov edx, dword ptr [esi + 4]\n 8D 4E 33 // lea ecx, [esi + 0x33]\n 51 // push ecx\n 8B F8 // mov edi, eax\n 53 // push ebx\n 89 7D C4 // mov dword ptr [ebp - 0x3c], edi\n FF D2 // call edx\n 8B 4E 04 // mov ecx, dword ptr [esi + 4]\n 89 45 E8 // mov dword ptr [ebp - 0x18], eax\n 8D 46 68 // lea eax, [esi + 0x68]\n 50 // push eax\n 53 // push ebx\n FF D1 // call ecx\n 8D 56 42 // lea edx, [esi + 0x42]\n 52 // push edx\n 89 45 C0 // mov dword ptr [ebp - 0x40], eax\n 8B 46 04 // mov eax, dword ptr [esi + 4]\n 53 // push ebx\n FF D0 // call eax\n 8B 56 04 // mov edx, dword ptr [esi + 4]\n 8D 4E 4F // lea ecx, [esi + 0x4f]\n 51 // push ecx\n 53 // push 
ebx\n 89 45 B0 // mov dword ptr [ebp - 0x50], eax\n FF D2 // call edx\n 8B 4E 04 // mov ecx, dword ptr [esi + 4]\n 89 45 8C // mov dword ptr [ebp - 0x74], eax\n 8D 86 83 00 00 00 // lea eax, [esi + 0x83]\n 50 // push eax\n 53 // push ebx\n FF D1 // call ecx\n 8D 96 A3 00 00 00 // lea edx, [esi + 0xa3]\n 52 // push edx\n 89 45 90 // mov dword ptr [ebp - 0x70], eax\n 8B 46 04 // mov eax, dword ptr [esi + 4]\n 53 // push ebx\n FF D0 // call eax\n 8B 56 04 // mov edx, dword ptr [esi + 4]\n 8D 8E C5 00 00 00 // lea ecx, [esi + 0xc5]\n 51 // push ecx\n 53 // push ebx\n 89 45 A0 // mov dword ptr [ebp - 0x60], eax\n ff d2 // call edx\n }\n\n $s4 = {\n 8D 49 00 // lea ecx, [ecx]\n 8B 4D F4 // mov ecx, dword ptr [ebp - 0xc]\n 8B 51 04 // mov edx, dword ptr [ecx + 4]\n 8B 4D E4 // mov ecx, dword ptr [ebp - 0x1c]\n 8D 45 D8 // lea eax, [ebp - 0x28]\n 50 // push eax\n 8B 04 1A // mov eax, dword ptr [edx + ebx]\n 50 // push eax\n 68 00 00 00 02 // push 0x2000000\n 51 // push ecx\n FF 55 B0 // call dword ptr [ebp - 0x50]\n }\n\n $s5 = {\n 8B 45 D8 // mov eax, dword ptr [ebp - 0x28]\n 8D 55 E0 // lea edx, [ebp - 0x20]\n 52 // push edx\n 6A 12 // push 0x12\n 50 // push eax\n FF 55 8C // call dword ptr [ebp - 0x74]\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_hashdump_injected_fcc1efd6e62d" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_invoke_assembly_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": 
"critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567360Z", "creation_date": "2026-03-23T11:46:25.567362Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567368Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cobaltstrike.com/blog/cobalt-strike-3-11-the-snake-that-eats-its-tail\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_invoke_assembly.yar", "content": "rule cobalt_strike_invoke_assembly {\n meta:\n title = \"Cobalt Strike Invoke Assembly DLL\"\n id = \"1bf15ffa-4d4a-4543-9308-4ed3d6269433\"\n description = \"Detects Cobalt Strike's in-memory .NET Assembly payload.\\nCobalt Strike is a commercial remote access tool used for adversary simulation. 
This rule detects the in-memory CLR hosting loader behind its execute-assembly command, through the error strings the loader emits when the runtime host, default AppDomain, entry point or target assembly cannot be obtained.
"test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581184Z", "creation_date": "2026-03-23T11:46:25.581186Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581191Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_keylogger.yar", "content": "rule cobalt_strike_keylogger {\n meta:\n title = \"Cobalt Strike Keylogger\"\n id = \"fe2aac65-07e6-4002-ab65-d9b0850c160b\"\n description = \"Detects the Cobalt Strike keylogger component.\\nCobalt Strike's keylogger is designed to capture keystrokes and log user activity during attacks. 
It uses specific named pipes and API calls to establish communication and track input.\\nThis rule identifies keylogger-related patterns, such as the use of named pipes like \\\"\\\\\\\\.\\\\pipe\\\\keylogger\\\" and associated API calls like CreateNamedPipeA and ConnectNamedPipe.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012;attack.t1027.005;attack.t1106\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Clear marker of the DLL name.\n $cobalt_marker_s1 = \"keylogger.x64.dll\" ascii\n $cobalt_marker_s2 = \"keylogger.dll\" ascii\n\n // This payload use this hardcoded named pipe for communication.\n $cobalt_marker_s3 = \"\\\\\\\\.\\\\pipe\\\\keylogger\" ascii\n\n // This payload use this named pipe prefix for communication on Cobalt Strike 4.2+.\n $cobalt_marker_s4 = \"\\\\\\\\.\\\\pipe\\\\postex_\" ascii\n\n // This payload use those APIs to create a communication channel.\n $cobalt_api_import_s1 = \"CreateNamedPipeA\" ascii\n $cobalt_api_import_s2 = \"ConnectNamedPipe\" ascii\n\n // Keylogger logs\n $cobalt_keylogger_marker_s1 = \"[backspace]\" ascii\n $cobalt_keylogger_marker_s2 = \"[tab]\" ascii\n $cobalt_keylogger_marker_s3 = \"[clear]\" ascii\n $cobalt_keylogger_marker_s4 = \"[shift]\" ascii\n $cobalt_keylogger_marker_s5 = \"[control]\" ascii\n $cobalt_keylogger_marker_s6 = \"[alt]\" ascii\n $cobalt_keylogger_marker_s7 = \"[pause]\" ascii\n $cobalt_keylogger_marker_s8 = \"[caps lock]\" ascii\n $cobalt_keylogger_marker_s9 = \"[escape]\" ascii\n $cobalt_keylogger_marker_s10 = \"[page up]\" ascii\n $cobalt_keylogger_marker_s11 = \"[page down]\" ascii\n $cobalt_keylogger_marker_s12 = \"[end]\" ascii\n $cobalt_keylogger_marker_s13 = \"[home]\" ascii\n 
$cobalt_keylogger_marker_s14 = \"[left]\" ascii\n $cobalt_keylogger_marker_s15 = \"[right]\" ascii\n $cobalt_keylogger_marker_s16 = \"[down]\" ascii\n $cobalt_keylogger_marker_s17 = \"[prtscr]\" ascii\n $cobalt_keylogger_marker_s18 = \"[insert]\" ascii\n $cobalt_keylogger_marker_s19 = \"[delete]\" ascii\n $cobalt_keylogger_marker_s20 = \"[help]\" ascii\n $cobalt_keylogger_marker_s21 = \"[command]\" ascii\n $cobalt_keylogger_marker_s22 = \"[menu]\" ascii\n $cobalt_keylogger_marker_s23 = \"[F10]\" ascii\n $cobalt_keylogger_marker_s24 = \"[F11]\" ascii\n $cobalt_keylogger_marker_s25 = \"[F12]\" ascii\n $cobalt_keylogger_marker_s26 = \"[F13]\" ascii\n $cobalt_keylogger_marker_s27 = \"[F14]\" ascii\n $cobalt_keylogger_marker_s28 = \"[F15]\" ascii\n $cobalt_keylogger_marker_s29 = \"[F16]\" ascii\n $cobalt_keylogger_marker_s30 = \"[F17]\" ascii\n $cobalt_keylogger_marker_s31 = \"[F18]\" ascii\n $cobalt_keylogger_marker_s32 = \"[F19]\" ascii\n $cobalt_keylogger_marker_s33 = \"[F20]\" ascii\n $cobalt_keylogger_marker_s34 = \"[F21]\" ascii\n $cobalt_keylogger_marker_s35 = \"[F22]\" ascii\n $cobalt_keylogger_marker_s36 = \"[F23]\" ascii\n $cobalt_keylogger_marker_s37 = \"[F24]\" ascii\n $cobalt_keylogger_marker_s38 = \"[numlock]\" ascii\n $cobalt_keylogger_marker_s39 = \"[scroll lock]\" ascii\n $cobalt_keylogger_marker_s40 = \"[ctrl]\" ascii\n $cobalt_keylogger_marker_s41 = \"[unknown: %02X]\" ascii\n\n $canary = \"56c9db7b35b2dfb6b0d80e8011844a87b1212e344d2293253dad8058a8591ffb\"\n\n condition:\n 1 of ($cobalt_marker_*) and all of ($cobalt_api_import_*) and 10 of ($cobalt_keylogger_marker_*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_keylogger" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1106", "attack.t1569.002", 
"attack.t1055.012", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_netview_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567323Z", "creation_date": "2026-03-23T11:46:25.567326Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567335Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_netview.yar", "content": "rule cobalt_strike_netview {\n meta:\n title = \"Cobalt Strike Netview\"\n id = \"a1d0611d-b12b-48de-b2a1-d30426275028\"\n description = \"Detects the Cobalt Strike Netview component.\\nCobalt Strike's Netview is a tool used to gather network information and enumerate systems, including domain controllers, users, and shares.\\nIt is recommended to isolate the machine and monitor for additional Cobalt Strike-related processes or network activities.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-08-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.s0154;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012;attack.t1027.005;attack.t1106;attack.t1016.001\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Clear marker of the DLL name.\n $cobalt_marker_s1 = \"netview.x64.dll\" ascii\n $cobalt_marker_s2 = \"netview.dll\" ascii\n\n // This payload use this hardcoded named pipe for communication.\n $cobalt_marker_s3 = \"\\\\\\\\.\\\\pipe\\\\netview\" ascii\n\n // This payload use this named pipe prefix for communication on Cobalt Strike 4.2+.\n $cobalt_marker_s4 = \"\\\\\\\\.\\\\pipe\\\\postex_\" ascii\n\n // This payload use those APIs to create a communication channel.\n $cobalt_api_import_s1 = \"CreateNamedPipeA\" ascii\n $cobalt_api_import_s2 = \"ConnectNamedPipe\" ascii\n\n // This payload use those APIs to gather information about network configuration.\n $cobalt_api_import_s3 = \"NetGetAnyDCName\" ascii\n $cobalt_api_import_s4 = \"NetGroupEnum\" ascii\n $cobalt_api_import_s5 = \"NetServerEnum\" ascii\n $cobalt_api_import_s6 = \"NetUserEnum\" ascii\n $cobalt_api_import_s7 = \"DsEnumerateDomainTrustsA\" ascii\n\n // Netview logs\n $cobalt_netview_marker_s1 = \"Current time at \\\\\\\\%s is %d/%d/%d %02d:%02d:%02d\\n\" ascii\n $cobalt_netview_marker_s2 = \"Computers in domain '%s':\\n\\n\" ascii\n $cobalt_netview_marker_s3 = \"DCs in domain '%s':\\n\\n\" ascii\n $cobalt_netview_marker_s4 = \"Domain Controllers:\\n\\n\" ascii\n $cobalt_netview_marker_s5 = \"Domain Controllers in domain '%s':\\n\\n\" ascii\n $cobalt_netview_marker_s6 = \"List of domain trusts:\\n\\n\" ascii\n $cobalt_netview_marker_s7 = \"List of domain trusts for domain '%s':\\n\\n\" ascii\n $cobalt_netview_marker_s8 = \"Members of %s on \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s9 = \"Groups for \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s10 = \"Local groups for 
\\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s11 = \"Logged on users at \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s12 = \"Sessions for \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s13 = \"Shares at \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s14 = \"Users for \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s15 = \"Account information for %s on \\\\\\\\%s:\\n\\n\" ascii\n $cobalt_netview_marker_s16 = \"List of hosts for domain '%s':\\n\\n\" ascii\n $cobalt_netview_marker_s17 = \"Password changeable\" ascii\n\n condition:\n 1 of ($cobalt_marker_*) and all of ($cobalt_api_import_*) and 14 of ($cobalt_netview_marker_*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_netview" ], "rule_creation_date": "2021-08-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1016.001", "attack.t1027.005", "attack.t1218", "attack.t1106", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_packed_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567035Z", "creation_date": "2026-03-23T11:46:25.567037Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567042Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_packed.yar", "content": "rule packed_cobalt {\n meta:\n title = \"Packed Cobalt Strike\"\n id = \"9e7d8787-fa77-4d85-9b7b-600e7ef05168\"\n description = \"Detects a packed Cobalt Strike beacon.\\nCobalt Strike is a commercial remote access tool used for targeted attacks and post-exploitation activities.\\nIt enables the emulation of advanced threat actor tactics across the entire ATT&CK framework.\\nIt is recommended to isolate the system and analyze the file for additional indicators of compromise.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2024-08-06\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1572;attack.t1071;attack.defense_evasion;attack.t1027.005;attack.t1106;attack.t1140\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 8c2f671be562a4aae3cbf3502cb5587411b130711dff76eddc8b3bc28c132315\n // 119a3b3b615addc497d12ac51ad2ca719c879de924428170499c1afee1644e51\n\n $s_stub = {\n B8 08 00 00 00 // mov eax, 8\n 48 6B C0 00 // imul rax, 0\n 48 8D 0D [3] 00 // lea rcx, unk_180065AA8\n 48 8B 04 01 // mov rax, [rcx+rax]\n 48 89 [1-8] // mov [rsp+98h+var_50], rax\n 48 8B 84 24 [4] // mov rax, [rsp+98h+arg_0]\n 48 89 44 24 [1] // mov [rsp+98h+lpAddress], rax\n 48 8B 84 24 [4] // mov rax, [rsp+98h+arg_0]\n 48 89 44 24 [1] // mov [rsp+98h+Buf1], rax\n C6 44 24 [1] 48 // mov [rsp+98h+Buf2], 48h ; 'H'\n C6 44 24 [1] B8 // mov [rsp+98h+var_37], 0B8h\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n 
C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [1] 48 // mov [rsp+98h+var_28], 48h ; 'H'\n C6 44 24 [1] B8 // mov [rsp+98h+var_27], 0B8h\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n C6 44 24 [2]\n 48 B8 [8] // mov rax, 9699D6266568AB96h\n 48 89 44 [2] // mov [rsp+98h+var_40], rax\n 48 8B 44 [2] // mov rax, [rsp+98h+var_40]\n 48 89 [1-8] // mov [rsp+98h+var_18], rax\n C7 44 24 20 00 00 00 00 // mov [rsp+98h+var_78], 0\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "packed_cobalt" ], "rule_creation_date": "2024-08-06", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1071", "attack.t1140", "attack.t1106", "attack.t1572", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_portscan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567482Z", "creation_date": "2026-03-23T11:46:25.567484Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567490Z", "rule_level": 
"critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_portscan.yar", "content": "rule cobalt_strike_portscan {\n meta:\n title = \"Cobalt Strike Port Scanner\"\n id = \"4a1a3b80-dbca-4b09-a30b-d0acc2615632\"\n description = \"Detects Cobalt Strike's port scan module.\\nCobalt Strike is a remote access tool used for adversary simulation, performing various post-exploitation activities. Its port scanning functionality is used to identify open ports on target systems.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-08-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1027.005;attack.t1106;attack.t1016.001;attack.t1595.001\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Clear marker of the DLL name.\n $cobalt_marker_s1 = \"portscan.x64.dll\" ascii\n $cobalt_marker_s2 = \"portscan.dll\" ascii\n\n // This payload use this hardcoded named pipe for communication.\n $cobalt_marker_s3 = \"\\\\\\\\.\\\\pipe\\\\portscan\" ascii\n\n // This payload use this named pipe prefix for communication on Cobalt Strike 4.2+.\n $cobalt_marker_s4 = \"\\\\\\\\.\\\\pipe\\\\postex_\" ascii\n\n // This payload use those APIs to create a communication channel.\n $cobalt_api_import_s1 = \"CreateNamedPipeA\" ascii\n $cobalt_api_import_s2 = \"ConnectNamedPipe\" ascii\n\n // This payload use those APIs to perform a port scan.\n $cobalt_api_import_s3 = \"IcmpSendEcho\" ascii\n $cobalt_api_import_s4 = \"IcmpCreateFile\" ascii\n $cobalt_api_import_s5 = \"IcmpCloseHandle\" ascii\n $cobalt_api_import_s6 = \"SendARP\" ascii\n\n // Port scanner logs\n $cobalt_portscan_marker_s1 = \"(ICMP) Target '%s' is alive. 
[read %d bytes]\" ascii\n $cobalt_portscan_marker_s2 = \"(ARP) Target '%s' is alive. \" ascii\n $cobalt_portscan_marker_s3 = \"Scanner module is complete\\n\" ascii\n $cobalt_portscan_marker_s4 = \"%s:%d (platform: %d version: %d.%d name: %S domain: %S)\\n\" ascii\n\n condition:\n 1 of ($cobalt_marker_*) and all of ($cobalt_api_import_*) and all of ($cobalt_portscan_marker_*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_portscan" ], "rule_creation_date": "2021-08-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1106", "attack.t1016.001", "attack.t1595.001", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_powershell_unmanaged_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575959Z", "creation_date": "2026-03-23T11:46:25.575961Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575967Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.cobaltstrike.com/blog/cobalt-strike-3-3-now-with-less-powershell-exe\nhttps://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_powershell_unmanaged.yar", "content": "rule cobalt_strike_powershell_unmanaged {\n meta:\n title = \"Cobalt Strike Unmanaged PowerShell DLL\"\n id = \"5070d420-0be3-4cbd-a90b-62735edd1f4d\"\n description = \"Detects Cobalt Strike's unmanaged PowerShell, a way to run PowerShell scripts without powershell.exe.\\nCobalt Strike is a commercial, full-featured, remote access tool used for simulating adversary activities and executing targeted attacks.\"\n references = \"https://www.cobaltstrike.com/blog/cobalt-strike-3-3-now-with-less-powershell-exe\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2020-12-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1059.001;attack.t1027.005;attack.t1106\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 191620ef138c96ac05aec5e9ab76fc2c484735e18a955c584c677291ebe0fb00\n // ec8d8eca6fa26bf2a5b1b0b34d9d8d57e7ecad64bb35935d9d0438d6e0f2ca23\n\n // see https://github.com/leechristensen/UnmanagedPowerShell/blob/master/UnmanagedPowerShell/UnmanagedPowerShell.cpp\n\n $s1 = \"Could not find .NET 4.0 API CLRCreateInstance\" ascii\n $s2 = \"CLRCreateInstance failed w/hr 0x%08lx\" ascii\n $s3 = \"ICLRMetaHost::GetRuntime (v2.0.50727) failed w/hr 0x%08lx\" ascii\n $s4 = \"ICLRMetaHost::GetRuntime (v4.0.30319) failed w/hr 0x%08lx\" ascii\n $s5 = \"ICLRRuntimeInfo::IsLoadable failed w/hr 0x%08lx\" ascii\n $s6 = \".NET runtime [ver %d] cannot be loaded\" ascii\n $s7 = \"ICLRRuntimeInfo::GetInterface failed w/hr 0x%08lx\" ascii\n $s8 = \"CorBindToRuntime\" ascii\n $s9 = \"Could not find API CorBindToRuntime\" ascii\n $s10 = \"CorBindToRuntime failed w/hr 0x%08lx\" ascii\n $s11 = \"Did not 
understand ver: %d\" ascii\n $s12 = \"Failed to invoke IsAlive w/hr 0x%08lx\" ascii\n $s13 = \"SafeArrayPutElement failed w/hr 0x%08lx\" ascii\n $s14 = \"Failed to invoke InvokePS w/hr 0x%08lx\" ascii\n $s15 = \"Failed to invoke GetOutput w/hr 0x%08lx\" ascii\n $s16 = \"PowerShellRunner.PowerShellRunner\" ascii\n $s17 = \"Failed to create the runtime host\" ascii\n $s18 = \"CLR failed to start w/hr 0x%08lx\" ascii\n $s19 = \"RuntimeClrHost::GetCurrentAppDomainId failed w/hr 0x%08lx\" ascii\n $s20 = \"ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx\" ascii\n $s21 = \"Failed to get default AppDomain w/hr 0x%08lx\" ascii\n $s22 = \"Failed to load the assembly w/hr 0x%08lx\" ascii\n $s23 = \"Failed to get the Type interface w/hr 0x%08lx\" ascii\n\n condition:\n 12 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_powershell_unmanaged" ], "rule_creation_date": "2020-12-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1106", "attack.t1027.005", "attack.t1059.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_screenshot_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567255Z", "creation_date": 
"2026-03-23T11:46:25.567257Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567263Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_screenshot.yar", "content": "rule cobalt_strike_screenshot {\n meta:\n title = \"Cobalt Strike Screenshot\"\n id = \"f9fbdf56-86f9-40a4-a1b7-772d31af6c54\"\n description = \"Detects Cobalt Strike's screenshot functionality.\\nCobalt Strike is a commercial, full-featured, remote access tool that bills itself as adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.\\nThis rule specifically detects the screenshot functionality which is often used during post-exploitation activities to gather visual information from the compromised system.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-08-25\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1027.005;attack.t1106\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Clear marker of the DLL name.\n $cobalt_marker_s1 = \"screenshot.x64.dll\" ascii\n $cobalt_marker_s2 = \"screenshot.dll\" ascii\n\n // This payload use this hardcoded named pipe for communication.\n $cobalt_marker_s3 = \"\\\\\\\\.\\\\pipe\\\\screenshot\" ascii\n\n // This payload use this named pipe prefix for communication on Cobalt Strike 4.2+.\n $cobalt_marker_s4 = \"\\\\\\\\.\\\\pipe\\\\postex_\" ascii\n\n // This payload use those APIs to create a communication channel.\n $cobalt_api_import_s1 = \"CreateNamedPipeA\" ascii\n $cobalt_api_import_s2 = \"ConnectNamedPipe\" ascii\n\n // This payload use those APIs to take a screenshot of the user screen.\n $cobalt_api_import_s3 = \"GetDesktopWindow\" ascii\n $cobalt_api_import_s4 = \"CreateCompatibleBitmap\" ascii\n\n // Those strings are marker of the libjpeg-turbo library used inside this payload. (https://github.com/libjpeg-turbo/libjpeg-turbo)\n $libjpeg_turbo_marker_s1 = \"Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d\" ascii\n $libjpeg_turbo_marker_s2 = \"CCIR601 sampling not implemented yet\" ascii\n $libjpeg_turbo_marker_s3 = \"Copyright (C) 2010, Thomas G. 
Lane, Guido Vollbeding\" ascii\n\n $canary = \"607ea59da24785d1c3c84f21f7c27e69ca8d5cdd659da6d3f4585c0a759c9805cb9cfbeaa93f92fa5d3d4f5426e8135a3b15e0eaeb1598c12832e11dfae7ee70\"\n\n condition:\n // NOTE: We want to avoid match only on $cobalt_api_import_* and $libjpeg_turbo_marker_* as those could be legitimate on their own.\n 2 of ($cobalt_marker_*) and 2 of ($cobalt_api_import_*) and 1 of ($libjpeg_turbo_marker_*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_screenshot" ], "rule_creation_date": "2021-08-25", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1106", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_bind_0641ab6d588a_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575744Z", "creation_date": "2026-03-23T11:46:25.575746Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575752Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_bind_0641ab6d588a.yar", "content": "rule cobalt_strike_shellcode_bind_0641ab6d588a {\n meta:\n title = \"Cobalt Strike Shellcode bind (0641ab6d588a)\"\n id = \"d14452e4-ed49-466a-b80d-0641ab6d588a\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-10\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_librarya_ws2_32 = {\n 68 33 32 00 00 // push 0x3233 // \"32\\0\"\n 68 77 73 32 5F // push 0x5f327377 // \"ws2_\"\n 54 // push esp // push \"ws2_32\\0\"\n 68 4C 77 26 07 // push 0x726774c // \"LoadLibrary\"\n FF D5 // call ebp // LoadLibraryA(\"ws2_32\")\n\n B8 90 01 00 00 // mov eax, 0x190 // EAX = sizeof(struct WSAData)\n 29 C4 // mov esp, eax // allocate space\n 54 // push esp // push a pointer to that space\n 50 // push eax // wVersionRequested\n 68 29 80 6B 00 // push 0x6b8029 // \"WSAStartup\"\n FF D5 // call ebp // WSAStartup(0x0190, &WSAData);\n }\n\n $shellcode_ws2_32_socketa = {\n 50 // push eax // 0\n 50 // push eax // 0\n 50 // push eax // 0\n 50 // push eax // 0\n 40 // inc eax\n 50 // push eax // SOCK_STREAM\n 40 // inc eax\n 50 // push eax // AF_INET\n 68 EA 0F DF E0 // push 0xe0df0fea // 
\"WSASocketA\"\n FF D5 // call ebp // WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0);\n }\n\n $shellcode_ws2_32_bind = {\n 68 ?? ?? ?? ?? // push XXXXXXXX // ip: XX.XX.XX.XX\n 68 02 00 ?? ?? // push 0xXXXX0002 // family AF_INET and port XXXX\n 89 E6 // mov esi, esp // save a pointer to sockaddr_in struct\n 6A 10 // push 0x10 // sizeof(struct sockaddr_in)\n 56 // push esi // pointer to the sockaddr_in struct\n 57 // push edi // socket\n 68 C2 DB 37 67 // push 0x6737dbc2 // \"bind\"\n FF D5 // call ebp // bind(s, &sockaddr_in, sizeof(struct sockaddr_in))\n }\n\n $shellcode_ws2_32_listen = {\n 53 // push ebx // backlog\n 57 // push edi // socket\n 68 B7 E9 38 FF // push 0xFF38E9B7 // \"listen\"\n FF D5 // call ebp // listen(s, backlog)\n }\n\n $shellcode_ws2_32_accept = {\n 53 // push ebx // 0\n 57 // push edi // socket\n 68 74 EC 3B E1 // push 0xe13bec74 // \"accept\"\n FF D5 // call ebp // accept(s, 0, 0)\n }\n\n $shellcode_ws2_32_close = {\n 57 // push edi // socket\n 97 // xchg eax, edi // edi = accepted_socket\n 68 75 6E 4D 61 // push 0xe13bec74 // \"closesocket\"\n FF D5 // call ebp // closesocket(s)\n }\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_bind_0641ab6d588a" ], "rule_creation_date": "2022-01-10", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_bind_2160fb19ffbe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570998Z", "creation_date": "2026-03-23T11:46:25.571000Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571005Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_bind_2160fb19ffbe.yar", "content": "rule cobalt_strike_shellcode_bind_2160fb19ffbe {\n meta:\n title = \"Cobalt Strike Shellcode bind (2160fb19ffbe)\"\n id = \"0656419f-30d6-4a5c-b430-2160fb19ffbe\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-13\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_librarya_ws2_32 = {\n 49 BE 77 73 32 5F 33 32 00 00 // movabs r14, 0x32335f327377 // \"ws2_32\\0\"\n 41 56 // push r14 // push\n 49 89 E6 // mov r14, rsp\n 48 81 EC A0 01 00 00 // sub rsp, 0x1a0\n 49 89 E5 // mov r13, rsp\n 49 BC 02 00 ?? ?? ?? ?? ?? ?? // movabs r12, 0xXXXXXXXXXXXX0002 // ip: XX.XX.XX.XX family AF_INET and port XXXX\n 41 54 // push r12\n 49 89 E4 // mov r12, rsp\n 4C 89 F1 // mov rcx, r14\n 41 BA 4C 77 26 07 // mov r10d, 0x726774c // \"LoadLibrary\"\n FF D5 // call rbp // LoadLibraryA(\"ws2_32\")\n 4C 89 EA // mov rdx, r13\n 68 01 01 00 00 // push 0x101 // sizeof(struct WSAData)\n 59 // pop rcx // allocated WSData ptr\n 41 BA 29 80 6B 00 // mov r10d, 0x6b8029 // \"WSAStartup\"\n FF D5 // call rbp // WSAStartup(0x0101, &WSAData);\n }\n\n $shellcode_ws2_32_socketa = {\n 50 // push rax // 0\n 50 // push rax // 0\n 4D 31 C9 // xor r9, r9 // 0\n 4D 31 C0 // xor r8, r8 // 0\n 48 FF C0 // inc rax\n 48 89 C2 // mov rdx, rax // SOCK_STREAM\n 48 FF C0 // inc rax\n 48 89 C1 // mov rcx, rax // AF_INET\n 41 BA EA 0F DF E0 // mov r10d, 0xe0df0fea // \"WSASocketA\"\n FF D5 // call rbp // WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0);\n }\n\n\n $shellcode_ws2_32_bind = {\n 48 89 C7 // mov rdi, rax // save socket\n 6A 10 // push 0x10 // push sizeof(struct sockaddr_in)\n 41 58 // pop r8 // pop sizeof(struct sockaddr_in)\n 4C 89 E2 // mov rdx, r12 // sockaddr_in pointer\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA C2 DB 37 67 // mov r10d, 0x6737dbc2 // \"bind\"\n FF D5 
// call rbp // bind(s, &sockaddr_in, sizeof(struct sockaddr_in))\n }\n\n $shellcode_ws2_32_listen = {\n 48 31 D2 // xor rdx, rdx // backlog\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA B7 E9 38 FF // mov r10d, 0xFF38E9B7 // \"listen\"\n FF D5 // call rbp // listen(s, backlog)\n }\n\n $shellcode_ws2_32_accept = {\n 4D 31 C0 // xor r8, r8 // 0\n 48 31 D2 // xor rdx, rdx // 0\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA 74 EC 3B E1 // mov r10d, 0xe13bec74 // \"accept\"\n FF D5 // call rbp // accept(s, 0, 0)\n }\n\n $shellcode_ws2_32_close = {\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA 74 EC 3B E1 // mov r10d, 0x0E13BEC74 // \"closesocket\"\n FF D5 // call rbp // closesocket(s)\n }\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_bind_2160fb19ffbe" ], "rule_creation_date": "2022-01-13", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_dnsstager_2128b78d18a2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575714Z", "creation_date": "2026-03-23T11:46:25.575716Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575722Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_dnsstager_2128b78d18a2.yar", "content": "rule cobalt_strike_shellcode_dnsstager_2128b78d18a2 {\n meta:\n title = \"Cobalt Strike Shellcode dnsstager (2128b78d18a2)\"\n id = \"239277ee-dc18-445f-b677-2128b78d18a2\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-10\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_library_dnsapi = {\n 89 C7 // mov edi, eax\n 50 // push eax\n 31 C0 // xor eax, eax\n B0 70 // mov ah, 'p'\n B4 69 // mov ah, 'i'\n 50 // push eax // push \"pi\\0\"\n 68 64 6E 73 61 // push 0x61736e64 // \"dnsa\"\n 54 // push esp // push a pointer to the \"dnsapi\\0\" string\n 68 4C 77 26 07 // push 0x726774c // \"LoadLibrary\"\n FF D5 // LoadLibraryA(\"dnsapi\")\n }\n\n $shellcode_alloc_space = {\n 5D // pop ebp\n 31 C0 // xor eax, eax\n 6A 40 // push 0x40 // flProtect = PAGE_EXECUTE_READWRITE\n B4 10 // mov ah, 0x10\n 68 
00 10 00 00 // push 0x100\n 68 FF FF 07 00 // push 0x7ffff\n 6A 00 // push 0x0\n 68 58 A4 53 E5 // push 0xe553a458 // \"VirtualAlloc\"\n FF D5 // call ebp // VirtualAlloc(NULL, 0x7FFFF, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n }\n\n $shellcode_execute_dnsquerya = {\n 53 // push ebx\n 6A 00 // push 0x0 // pReserved\n 53 // push ebx // ppQueryResultsSet\n 6A 00 // push 0x0 // pExtra\n 68 48 02 00 00 // push 0x248 // Options // DNS_QUERY_RETURN_MESSAGE | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_BYPASS_CACHE\n 6A 10 // push 0x10 // wType // DNS_TYPE_TEXT\n 50 // push eax // lpstrName\n 68 6A C9 9C C9 // push 0xc99cc96a // \"DnsQuery_A\"\n FF D5 // call ebp // DnsQuery_A(pszName, DNS_TYPE_TEXT, DNS_QUERY_RETURN_MESSAGE | DNS_QUERY_NO_HOSTS_FILE | DNS_QUERY_BYPASS_CACHE, ppQueryResultsSet, pReserved)\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_dnsstager_2128b78d18a2" ], "rule_creation_date": "2022-01-10", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_httpstager_a8f2c2f55681_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.570855Z", "creation_date": "2026-03-23T11:46:25.570857Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570863Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_httpstager_a8f2c2f55681.yar", "content": "rule cobalt_strike_shellcode_httpstager_a8f2c2f55681 {\n meta:\n title = \"Cobalt Strike Shellcode httpstager (a8f2c2f55681)\"\n id = \"5429f953-3ee8-4fbf-8543-a8f2c2f55681\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-09-06\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_library_internetopena = {\n 5D // pop ebp //\n 68 6E 65 74 00 // push 0x74656e // \"net\\0\"\n 68 77 69 6E 69 // push 0x696e6977 // \"wini\"\n 54 // push esp // push a pointer to the \"wininet\\0\" string\n 68 4C 77 26 07 // push 0x726774c // \"LoadLibrary\"\n FF D5 // call ebp // LoadLibrary(\"wininet\")\n [0-5] // possible call for HTTPS/unoptimized version\n 31 FF // xor edi, edi // edi = 0\n 57 // push edi // dwFlags = 0\n 57 // push edi // lpszProxyBypass = 0\n 57 // push edi // lpszProxy = 0\n 57 // push edi // dwAccessType = 0\n 57 // push edi // lpszAgent = NULL\n 68 3A 56 79 A7 // push 0xa779563a // \"InternetOpenA\"\n FF D5 // call ebp // InternetOpenA(0, 0, 0, 0, 0)\n }\n\n $shellcode_internetconnecta = {\n 5B // pop ebx // ebx = server name pointer\n 31 C9 // xor ecx, ecx // ecx = 0\n 51 // push ecx // dwContext = NULL\n 51 // push ecx // dwFlags = 0\n 6A 03 // push 3 // dwService = INTERNET_SERVICE_HTTP\n 51 // push ecx // lpszPassword = NULL\n 51 // push ecx // lpszUserName = NULL\n 68 ?? ?? ?? ?? 
// push 0xXXXXXXXX // nServerPort (patched by the server)\n 53 // push ebx // lpszServerName\n 50 // push eax // hInternet\n 68 57 89 9F C6 // push 0xc69f8957 // \"InternetConnectA\"\n FF D5 // call ebp // InternetConnectA(hInternet, lpszServerName, nServerPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, NULL)\n }\n\n $shellcode_httpopenrequesta = {\n 5B // pop ebx // ebx = object name ptr\n 31 D2 // xor edx, edx // edx = 0\n 52 // push edx // dwContext = NULL\n 68 ?? ?? ?? ?? // push 0xXXXXXXXX // dwFlags (patched by the server)\n 52 // push edx // lplpszAcceptTypes = NULL\n 52 // push edx // lpszReferrer = NULL\n 52 // push edx // lpszVersion = NULL\n 53 // push ebx // lpszObjectName (user url found in the middle of the payload)\n 52 // push edx // lpszVerb = NULL\n 50 // push eax // hConnect\n 68 EB 55 2E 3B // push 0x3b2e55eb // \"HttpOpenRequestA\"\n FF D5 // call ebp // HttpOpenRequestA(hConnect, NULL, lpszObjectName, NULL, NULL, NULL, dwFlags, NULL)\n 89 C6 // mov esi, eax\n 83 C3 50 // add ebx, 0x50 // Move ebx to the position of the user agent header.\n 31 FF // xor edi, edi // edi = 0\n 57 // push edi // dwOptionalLength = 0\n 57 // push edi // lpOptional = NULL\n 6A FF // push -1 // dwHeadersLength = -1\n 53 // push ebx // lpszHeaders\n 56 // push esi // hRequest\n 68 2D 06 18 7B // push 0x7b18062d // \"HttpSendRequestA\"\n FF D5 // call ebp // HttpSendRequestA(hRequest, lpszHeaders, -1, NULL, 0)\n }\n\n $shellcode_httpopenrequesta_https = {\n 5B // pop ebx // ebx = object name ptr\n 31 D2 // xor edx, edx // edx = 0\n 52 // push edx // dwContext = NULL\n 68 ?? ?? ?? ?? 
// push 0xXXXXXXXX // dwFlags (patched by the server)\n 52 // push edx // lplpszAcceptTypes = NULL\n 52 // push edx // lpszReferrer = NULL\n 52 // push edx // lpszVersion = NULL\n 53 // push ebx // lpszObjectName (user url found in the middle of the payload)\n 52 // push edx // lpszVerb = NULL\n 50 // push eax // hConnect\n 68 EB 55 2E 3B // push 0x3b2e55eb // \"HttpOpenRequestA\"\n FF D5 // call ebp // HttpOpenRequestA(hConnect, NULL, lpszObjectName, NULL, NULL, NULL, dwFlags, NULL)\n 89 C6 // mov esi, eax\n 83 C3 50 // add ebx, 0x50 // Move ebx to the position of the user agent header.\n 68 80 33 00 00 // push 0x3380 //\n 89 E0 // mov eax, esp //\n 6A 04 // push 4 // dwBufferLength = 4\n 50 // push eax // lpBuffer\n 6A 1F // push 0x1f // dwOption = INTERNET_OPTION_SECURITY_FLAGS\n 56 // push esi // hInternet\n 68 75 46 9E 86 // push 0x869E4675 // \"InternetSetOptionA\"\n FF D5 // call ebp // InternetSetOptionA(hInternet, INTERNET_OPTION_SECURITY_FLAGS, lpBuffer, 4)\n 5F // pop edi //\n 31 FF // xor edi, edi // edi = 0\n 57 // push edi // dwOptionalLength = 0\n 57 // push edi // lpOptional = NULL\n 6A FF // push -1 // dwHeadersLength = -1\n 53 // push ebx // lpszHeaders\n 56 // push esi // hRequest\n 68 2D 06 18 7B // push 0x7b18062d // \"HttpSendRequestA\"\n FF D5 // call ebp // HttpSendRequestA(hRequest, lpszHeaders, -1, NULL, 0)\n }\n\n $shellcode_receive_payload = {\n 6A 40 // push 0x40 // flProtect = PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 // flAllocationType = MEM_COMMIT\n 68 00 00 40 00 // push 0x400000 // dwLength = 0x400000\n 57 // push edi // lpAddress = NULL\n 68 58 A4 53 E5 // push 0xe553a458 // \"VirtualAlloc\"\n FF D5 // call ebp // VirtualAlloc(NULL, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n 93 // xchg eax, ebx\n\n B9 ?? ?? ?? ?? 
// mov ecx, 0xXXXXXXXX // skip offset (patched by the server)\n 01 D9 // add ecx, ebx // ecx = allocated_ptr + skip_offset\n 51 // push ecx // push the address with offset\n 53 // push ebx // push the base address\n 89 E7 // mov edi, esp\n\n // continue_transfer:\n 57 // push edi // lpdwNumberOfBytesRead\n 68 00 20 00 00 // push 0x2000 // dwNumberOfBytesToRead = 0x2000\n 53 // push ebx // lpBuffer\n 56 // push esi // hRequest\n 68 12 96 89 E2 // push 0xe2899612 // \"InternetReadFile\"\n FF D5 // call ebp // InternetReadFile(hRequest, lpBuffer, 0x2000, lpdwNumberOfBytesRead)\n 85 C0 // test eax, eax // result_code == SUCCESS\n 74 ?? // je exit_thunk // call exit on error\n 8B 07 // mov eax, dword ptr [edi] // eax = lpdwNumberOfBytesRead\n 01 C3 // add ebx, eax // buffer += lpdwNumberOfBytesRead\n 85 C0 // test eax, eax // lpdwNumberOfBytesRead == 0\n 75 E5 // jne continue_transfer // continue the transfer if there is still data to read.\n 58 // pop eax // eax = end_of_payload_addr\n C3 // ret // Return ready to jump now!\n }\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_httpstager_a8f2c2f55681" ], "rule_creation_date": "2021-09-06", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_httpstager_c0807cea091c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567226Z", "creation_date": "2026-03-23T11:46:25.567228Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567234Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_httpstager_c0807cea091c.yar", "content": "rule cobalt_strike_shellcode_httpstager_c0807cea091c {\n meta:\n title = \"Cobalt Strike Shellcode httpstager (c0807cea091c)\"\n id = \"c79112ba-b266-4108-8e79-c0807cea091c\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-09-07\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_library_internetopena = {\n 5D // pop rbp\n 6A 00 // push 0\n 49 BE 77 69 6E 69 6E 65 74 00 // movabs r14, 0x74656e696e6977 // \"wininet\\0\"\n 41 56 // push r14 // push a pointer to the \"wininet\\0\" string\n 49 89 E6 // mov r14, rsp // r14 = pointer to \"wininet\\0\"\n 4C 89 F1 // mov rcx, r14 // first argument (pointer to \"wininet\\0\")\n 41 BA 4C 77 26 07 // mov r10d, 0x726774c // \"LoadLibrary\"\n FF D5 // call rbp // LoadLibrary(\"wininet\")\n 48 31 C9 // xor rcx, rcx // lpszAgent = NULL\n 48 31 D2 // xor rdx, rdx // dwAccessType = 0\n 4D 31 C0 // xor r8, r8 // lpszProxy = 0\n 4D 31 C9 // xor r9, r9 // lpszProxyBypass = 0\n 41 50 // push r8 // dwFlags = 0\n 41 50 // push r8 // Mistake by HelpSystems? This is not used...\n 41 BA 3A 56 79 A7 // mov r10d, 0xa779563a // \"InternetOpenA\"\n FF D5 // call rbp // InternetOpenA(0, 0, 0, 0, 0)\n }\n\n $shellcode_internetconnecta = {\n 5A // pop rdx // rdx = server name pointer\n 48 89 C1 // mov rcx, rax // hInternet\n 41 B8 ?? ?? ?? ?? 
// mov r8d, 0xXXXXXXXX // nServerPort (patched by the server)\n 4D 31 C9 // xor r9, r9 // lpszUserName = NULL\n 41 51 // push r9 // dwContext = NULL\n 41 51 // push r9 // dwFlags = 0\n 6A 03 // push 3 // dwService = INTERNET_SERVICE_HTTP\n 41 51 // push r9 // lpszPassword = NULL\n 41 BA 57 89 9F C6 // mov r10d, 0xc69f8957 // \"InternetConnectA\"\n FF D5 // call rbp // InternetConnectA(hInternet, lpszServerName, nServerPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, NULL)\n }\n\n $shellcode_httpopenrequesta = {\n 5B // pop rbx // rbx = object name ptr\n 48 89 C1 // mov rcx, rax // hConnect\n 48 31 D2 // xor rdx, rdx // lpszVerb = NULL\n 49 89 D8 // mov r8, rbx // lpszObjectName = NULL\n 4D 31 C9 // xor r9, r9 // lpszVersion = NULL\n 52 // push rdx // dwContext = NULL\n 68 ?? ?? ?? ?? // push 0xXXXXXXXXXXXXXXXX // dwFlags (patched by the server)\n 52 // push rdx // lplpszAcceptTypes = NULL\n 52 // push rdx // lpszReferrer = NULL\n 41 BA EB 55 2E 3B // mov r10d, 0x3b2e55eb // \"HttpOpenRequestA\"\n FF D5 // call rbp // HttpOpenRequestA(hConnect, NULL, lpszObjectName, NULL, NULL, NULL, dwFlags, NULL)\n 48 89 C6 // mov rsi, rax\n 48 83 C3 50 // add rbx, 0x50 // Move rsi to the position of the user agent header.\n 6A 0A // push 0xa //\n 5F // pop rdi //\n 48 89 F1 // mov rcx, rsi // hRequest\n 48 89 DA // mov rdx, rbx // lpszHeaders\n 49 C7 C0 FF FF FF FF // mov r8, -1 // dwHeadersLength = -1\n 4D 31 C9 // xor r9, r9 // lpOptional = NULL\n 52 // push rdx // dwOptionalLength = 0\n 52 // push rdx // Mistake by HelpSystems? 
This is not used...\n 41 BA 2D 06 18 7B // mov r10d, 0x7b18062d // \"HttpSendRequestA\"\n FF D5 // call rbp // HttpSendRequestA(hRequest, lpszHeaders, -1, NULL, 0)\n }\n\n $shellcode_httpopenrequesta_https = {\n 5B // pop rbx // rbx = object name ptr\n 48 89 C1 // mov rcx, rax // hConnect\n 48 31 D2 // xor rdx, rdx // lpszVerb = NULL\n 49 89 D8 // mov r8, rbx // lpszObjectName = NULL\n 4D 31 C9 // xor r9, r9 // lpszVersion = NULL\n 52 // push rdx // dwContext = NULL\n 68 ?? ?? ?? ?? // push 0xXXXXXXXXXXXXXXXX // dwFlags (patched by the server)\n 52 // push rdx // lplpszAcceptTypes = NULL\n 52 // push rdx // lpszReferrer = NULL\n 41 BA EB 55 2E 3B // mov r10d, 0x3b2e55eb // \"HttpOpenRequestA\"\n FF D5 // call rbp // HttpOpenRequestA(hConnect, NULL, lpszObjectName, NULL, NULL, NULL, dwFlags, NULL)\n 48 89 C6 // mov rsi, rax\n 48 83 C3 50 // add rbx, 0x50 // Move rsi to the position of the user agent header.\n 6A 0A // push 0xa //\n 5F // pop rdi //\n\n 48 89 F1 // mov rcx, rsi // hInternet\n BA 1F 00 00 00 // mov edx, 0x1f // dwOption = INTERNET_OPTION_SECURITY_FLAGS\n 6A 00 // push 0\n 68 80 33 00 00 // push 0x3380\n 49 89 E0 // mov r8, rsp // lpBuffer\n 41 B9 04 00 00 00 // mov r9d, 4 // dwBufferLength = 4\n 41 BA 75 46 9E 86 // mov r10d, 0x869e4675 // \"InternetSetOptionA\"\n FF D5 // call rbp // InternetSetOptionA(hInternet, INTERNET_OPTION_SECURITY_FLAGS, lpBuffer, 4)\n\n 48 89 F1 // mov rcx, rsi // hRequest\n 48 89 DA // mov rdx, rbx // lpszHeaders\n 49 C7 C0 FF FF FF FF // mov r8, -1 // dwHeadersLength = -1\n 4D 31 C9 // xor r9, r9 // lpOptional = NULL\n 52 // push rdx // dwOptionalLength = 0\n 52 // push rdx // Mistake by HelpSystems? 
This is not used...\n 41 BA 2D 06 18 7B // mov r10d, 0x7b18062d // \"HttpSendRequestA\"\n FF D5 // call rbp // HttpSendRequestA(hRequest, lpszHeaders, -1, NULL, 0)\n }\n\n $shellcode_receive_payload = {\n 48 31 C9 // xor rcx, rcx // lpAddress = NULL\n BA 00 00 40 00 // mov edx, 0x400000 // dwLength = 0x400000\n 41 B8 00 10 00 00 // mov r8d, 0x1000 // flAllocationType = MEM_COMMIT\n 41 B9 40 00 00 00 // mov r9d, 0x40 // flProtect = PAGE_EXECUTE_READWRITE\n 41 BA 58 A4 53 E5 // mov r10d, 0xe553a458 // \"VirtualAlloc\"\n FF D5 // call rdp // VirtualAlloc(NULL, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)\n 48 93 // xchg rax, rbx\n\n 53 // push rbx\n 53 // push rbx\n\n // continue_transfer:\n 48 89 E7 // mov rdi, rsp\n 48 89 F1 // mov rcx, rsi // hRequest\n 48 89 DA // mov rdx, rbx // lpBuffer\n 41 B8 00 20 00 00 // mov r8d, 0x2000 // dwNumberOfBytesToRead = 0x2000\n 49 89 F9 // mov r9, rdi // lpdwNumberOfBytesRead\n 41 BA 12 96 89 E2 // mov r10d, 0xe2899612 // \"InternetReadFile\"\n FF D5 // call rdp // InternetReadFile(hRequest, lpBuffer, 0x2000, lpdwNumberOfBytesRead)\n 48 83 C4 20 // add rsp, 0x20\n 85 C0 // test eax, eax // result_code == SUCCESS\n 74 ?? // je exit_thunk // call exit on error\n 66 8B 07 // mov ax, word ptr [rdi] // ax = lpdwNumberOfBytesRead\n 48 01 C3 // add rbx, rax // buffer += lpdwNumberOfBytesRead\n 85 C0 // test eax, eax // lpdwNumberOfBytesRead == 0\n 75 D7 // jne continue_transfer // continue the transfer if there is still data to read.\n 58 // pop rax\n 58 // pop rax\n 58 // pop rax\n 48 05 ?? ?? ?? ?? 
// add rax, 0xXXXXXXXX // skip offset (patched by the server)\n 50 // push rax\n C3 // ret\n\n }\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_httpstager_c0807cea091c" ], "rule_creation_date": "2021-09-07", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_reverse_tcp_3ab53fc99474_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567511Z", "creation_date": "2026-03-23T11:46:25.567513Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567519Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_reverse_tcp_3ab53fc99474.yar", "content": "rule cobalt_strike_shellcode_reverse_tcp_3ab53fc99474 {\n meta:\n title = \"Cobalt Strike Shellcode reverse tcp (3ab53fc99474)\"\n id = \"8d264819-1fc9-4d60-b791-3ab53fc99474\"\n description = \"Detects the Cobalt 
Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_librarya_ws2_32 = {\n 49 BE 77 73 32 5F 33 32 00 00 // movabs r14, 0x32335f327377 // \"ws2_32\\0\"\n 41 56 // push r14 // push\n 49 89 E6 // mov r14, rsp\n 48 81 EC A0 01 00 00 // sub rsp, 0x1a0\n 49 89 E5 // mov r13, rsp\n 49 BC 02 00 ?? ?? ?? ?? ?? ?? 
// movabs r12, 0xXXXXXXXXXXXX0002 // ip: XX.XX.XX.XX family AF_INET and port XXXX\n 41 54 // push r12\n 49 89 E4 // mov r12, rsp\n 4C 89 F1 // mov rcx, r14\n 41 BA 4C 77 26 07 // mov r10d, 0x726774c // \"LoadLibrary\"\n FF D5 // call rbp // LoadLibraryA(\"ws2_32\")\n 4C 89 EA // mov rdx, r13\n 68 01 01 00 00 // push 0x101 // sizeof(struct WSAData)\n 59 // pop rcx // allocated WSData ptr\n 41 BA 29 80 6B 00 // mov r10d, 0x6b8029 // \"WSAStartup\"\n FF D5 // call rbp // WSAStartup(0x0101, &WSAData);\n }\n\n $shellcode_ws2_32_socketa = {\n 50 // push rax // 0\n 50 // push rax // 0\n 4D 31 C9 // xor r9, r9 // 0\n 4D 31 C0 // xor r8, r8 // 0\n 48 FF C0 // inc rax\n 48 89 C2 // mov rdx, rax // SOCK_STREAM\n 48 FF C0 // inc rax\n 48 89 C1 // mov rcx, rax // AF_INET\n 41 BA EA 0F DF E0 // mov r10d, 0xe0df0fea // \"WSASocketA\"\n FF D5 // call rbp // WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0);\n }\n\n $shellcode_ws2_32_connect = {\n 48 89 C7 // mov rdi, rax // save socket\n 6A 10 // push 0x10 // push sizeof(struct sockaddr_in)\n 41 58 // pop r8 // pop sizeof(struct sockaddr_in)\n 4C 89 E2 // mov rdx, r12 // sockaddr_in pointer\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA 99 A5 74 61 // mov r10d, 0x6174a599 // \"connect\"\n FF D5 // call rbp // connect(s, &sockaddr_in, sizeof(struct sockaddr_in))\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_reverse_tcp_3ab53fc99474" ], "rule_creation_date": "2022-01-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_reverse_tcp_94a44304793f_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575685Z", "creation_date": "2026-03-23T11:46:25.575687Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575693Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_shellcode_reverse_tcp_94a44304793f.yar", "content": "rule cobalt_strike_shellcode_reverse_tcp_94a44304793f {\n meta:\n title = \"Cobalt Strike Shellcode reverse tcp (94a44304793f)\"\n id = \"d464e96a-83a6-421b-874e-94a44304793f\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_load_librarya_ws2_32 = {\n 68 33 32 00 00 // push 0x3233 // \"32\\0\"\n 68 77 73 32 5F // push 0x5f327377 // \"ws2_\"\n 54 // push esp // push \"ws2_32\\0\"\n 68 4C 77 26 07 // push 0x726774c // \"LoadLibrary\"\n FF D5 // call ebp // LoadLibraryA(\"ws2_32\")\n\n B8 90 01 00 00 // mov eax, 0x190 // EAX = sizeof(struct WSAData)\n 29 C4 // mov esp, eax // allocate space\n 54 // push esp // push a pointer to that space\n 50 // push eax // wVersionRequested\n 68 29 80 6B 00 // push 0x6b8029 // \"WSAStartup\"\n FF D5 // call ebp // WSAStartup(0x0190, &WSAData);\n }\n\n $shellcode_ws2_32_socketa = {\n 50 // push eax // 0\n 50 // push eax // 0\n 50 // push eax // 0\n 50 // push eax // 0\n 40 // inc eax\n 50 // push eax // SOCK_STREAM\n 40 // inc eax\n 50 // push eax // AF_INET\n 68 EA 0F DF E0 // push 0xe0df0fea // \"WSASocketA\"\n FF D5 // call ebp // WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0);\n }\n\n $shellcode_ws2_32_connect = {\n 68 ?? ?? ?? ?? // push XXXXXXXX // ip: XX.XX.XX.XX\n 68 02 00 ?? ?? 
// push 0xXXXX0002 // family AF_INET and port XXXX\n 89 E6 // mov esi, esp // save a pointer to sockaddr_in struct\n 6A 10 // push 0x10 // sizeof(struct sockaddr_in)\n 56 // push esi // pointer to the sockaddr_in struct\n 57 // push edi // socket\n 68 99 A5 74 61 // push 0x6174a599 // \"connect\"\n FF D5 // call ebp // connect(s, &sockaddr_in, sizeof(struct sockaddr_in))\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_reverse_tcp_94a44304793f" ], "rule_creation_date": "2022-01-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_shellcode_smbstager_9f71ce10b1fe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581212Z", "creation_date": "2026-03-23T11:46:25.581214Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581220Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], 
"name": "cobalt_strike_shellcode_smbstager_9f71ce10b1fe.yar", "content": "rule cobalt_strike_shellcode_smbstager_9f71ce10b1fe {\n meta:\n title = \"Cobalt Strike Shellcode smbstager (9f71ce10b1fe)\"\n id = \"8865265b-5b31-47b7-8da4-9f71ce10b1fe\"\n description = \"Detects the Cobalt Strike httpstager shellcode.\\nThis shellcode enables attackers to download and execute additional payloads over HTTP.\\nIt creates an HTTP connection to retrieve and execute a secondary payload.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-01-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1055.002\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_alloc_space = {\n 5D // pop ebp\n 31 C0 // xor eax, eax\n 6A 40 // push 0x40 // flProtect = PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x100\n 68 FF FF 07 00 // push 0x7ffff\n 6A 00 // push 0x0\n 68 58 A4 53 E5 // push 0xe553a458 // \"VirtualAlloc\"\n FF D5 // call ebp // VirtualAlloc(NULL, 0x7FFFF, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n }\n\n $shellcode_create_named_pipe = {\n 31 C9 // xor ecx, ecx\n 51 // push ecx // lpSecurityAttributes = NULL\n 51 // push ecx // nDefaultTimeOut = 0\n 68 00 B0 04 00 // push 0x4B000 // nInBufferSize = 0x4B000\n 68 00 B0 04 00 // push 0x4B000 // nOutBufferSize = 0x4B000\n 6A 01 // push 0x1 // nMaxInstances = 1\n 6A 06 // push PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE\n 6A 03 // push PIPE_ACCESS_DUPLEX\n 52 // push edx // lpName\n 68 45 70 DF D4 // push 0xD4DF7045 // \"CreateNamedPipeA\"\n FF D5 // 
call ebp // CreateNamedPipeA(lpName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE, 0x1, 0x4B000, 0x4B000, 0, NULL)\n }\n\n $shellcode_connnect_named_pipe = {\n 8B 14 24 // mov edx, dword ptr [esp] // grab hNamedPipe\n 6A 00 // push 0x0 // NULL\n 52 // push edx // hNamedPipe\n 68 28 6F 7D E2 // push 0xE27D6F28 // \"ConnectNamedPipe\"\n FF D5 // call ebp // ConnectNamedPipe(hNamedPipe, NULL)\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_shellcode_smbstager_9f71ce10b1fe" ], "rule_creation_date": "2022-01-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_specific_stager_03658f107439_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577656Z", "creation_date": "2026-03-23T11:46:25.577658Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577664Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_specific_stager_03658f107439.yar", "content": "rule cobalt_strike_specific_stager_03658f107439 {\n meta:\n title = \"Cobalt Strike Specific Stager (03658f107439)\"\n id = \"b78b0a68-7a86-470e-be6b-03658f107439\"\n description = \"Detects Cobalt Strike's Specific Stager x86.\\nCobalt Strike's specific stager x86 is a 32-bit executable used to establish persistence or communicate with a command-and-control server. This stager is typically generated by the Cobalt Strike artefact kit and is designed to execute specific commands or download additional payloads.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-06-24\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"_matherr(): %s in %s(%g, %g) (retval=%g)\" fullword ascii\n $s2 = \"Address %p has no image-section\" fullword ascii\n $s3 = \"Mingw-w64 runtime failure:\" ascii\n $s4 = \"StartW\" fullword ascii\n $s5 = \"CreateThread\" fullword ascii\n $s6 = \"rundll32.exe\" fullword ascii\n\n // Detection for these samples :\n // 022566a473144cae9463bcdaab11b0c2b255443bff432dcf6c125c7f07574913\n // 6597b65ee63a4091c2a3fa9aca89125ce19e6138253f817e89ff13623124706b\n // d9882283ee2dc487c2a5fb97f8067051c259c4721cd4aea8c435302fe6b274c4\n\n $unpack_stager_artefact_kit_64_v1 = {\n 31 C0 // xor eax, eax\n EB 0F // jmp short 
loc_6BAC17E7\n\n // loc_6BAC17D8:\n 41 83 E1 03 // and r9d, 3\n 47 8A 0C 08 // mov r9b, [r8+r9]\n 44 30 0C 01 // xor [rcx+rax], r9b\n 48 FF C0 // inc rax\n\n // loc_6BAC17E7:\n 39 D0 // cmp eax, edx\n 41 89 C1 // mov r9d, eax\n 7C EA // jl short loc_6BAC17D8\n }\n\n // Detection for these samples :\n // 1d1c844dbe07f096650e5da95cc0b9fbcddd21da73917f394c0f3a61edc66c27\n // caeaf1b0ac8b3125fd33440cfa528d740b4f7b650e6497e615235f2ecac9214e\n // fab938a33834395907761d700170d7757f6afe264c0620fa51838d449de98b35\n\n $unpack_stager_artefact_kit_64_v2 = {\n 31 C0 // xor eax, eax\n EB 11 // jmp short loc_6BAC15E7\n\n // loc_6BAC15D6:\n 83 E2 03 // and edx, 3\n 8A 54 15 00 // mov dl, [rbp+rdx+0]\n 41 32 14 04 // xor dl, [r12+rax]\n 88 14 03 // mov [rbx+rax], dl\n 48 FF C0 // inc rax\n\n // loc_6BAC15E7:\n 39 F8 // cmp eax, edi\n 89 C2 // mov edx, eax\n 7C E9 // jl short loc_6BAC15D6\n }\n\n // Detection for these samples :\n // d61d3d66e3b1f0bc7da874b6ccc5554669270dc091ab3d6c3fca39bde600dcec\n // 82fec2ec1c34b627aea689f08336fcd02c190e5dae057bd57fcb5e35b5abf3bc\n // c1cffa8743fe87b4a312baf1063bc20be8892e6e4489e48f489f4f73eba21393\n // 72495c93e964a762f7c68b90abe67e4ff929f7be0dc6aa8f3482a38ba382c1b1\n // 8295ac3b2d09743c5aaae6d61b972db8775d0fd33c44a4e6b9fd56448a0eb0aa\n // 6ce666be5751ce11a4c10d7524e6c975766cb53aafcf50da944e1c2ea16ff3cc\n // d32a1f3532d271c198cd256af4401b20802a83dfe36867d9517f7a91e657b49e\n // fefae2f27ce0790dd2d96984cbbafde30ea528b4a2df016f05cec266bfecf004\n // 0e4a396ffa74666e9db4c01810b291a677e64442f53f21b1295713e20850a448\n // 2ac64b32604150197add3ae81d5f39ded56cd4bee9dac8bbbd097dfcdb2a10b3\n // f515f48238e8274af40839b4b4a54a610664d9f389544b9804633dbf41ed6175\n // f2c7ca7797210de3c38a21af4e9e104dc5e14e0d291350e19dc89be96c5f9792\n // 3e9b33f7ff94bdbb8f72ef46c7d2e07a135463b4d8baaa2891e877f1d9fa9c10\n // 47d531fb00a9f8006ebc8c0aaa18e523207b3dd964ec3c264ad8af61fbdc8052\n\n $unpack_stager_artefact_kit_64_v3 = {\n 4? 89 C? 
// mov rbx, rax\n 31 C0 // xor eax, eax\n\n // loc_4015C7:\n 39 ?? // cmp esi, eax\n 7? 1? // jle short loc_4015E0\n 48 89 C2 // mov rdx, rax\n 83 E2 03 // and edx, 3\n (\n 8A 54 15 00 | // mov dl, [rbp+rdx+0]\n 8A 14 17 | // mov dl, [rdi+rdx]\n 41 8A 14 1? // mov dl, [r12+rdx]\n )\n (\n 32 14 0? | // xor dl, [rdi+rax]\n 32 54 05 00 | // xor dl, [rbp+rax+0]\n 41 32 54 05 00 // xor dl, [r13+rax+0]\n )\n (\n 88 14 03 | // mov [rbx+rax], dl\n 41 88 14 01 // mov [r9+rax], dl\n )\n 48 FF C0 // inc rax\n EB E? // jmp short loc_4015C7\n }\n\n // Detection for these samples :\n // 4ba7bff2e9ab6ccf42782911b496126275fa3f255dda9f41f11cb4f285bfab4f\n // e88562e931313d2ec06885ac6b28d724b1214727738cf80f9fb853fa4ad34d0a\n // f760304b597fa61eea7250b4947eb2bdd231e58a56f762f482e1599bb650b8ea\n // b925a6abbaf39c7422d484390f4afb10331ed713c3f4a3ed0d518276eaf5f111\n\n $unpack_stager_artefact_kit_64_v4 = {\n 31 D2 // xor edx, edx\n 49 89 C1 // mov r9, rax\n\n // loc_401595:\n 39 D? // cmp ebx, edx\n 7? 15 // jle short loc_4015AE\n 48 89 D0 // mov rax, rdx\n 83 E0 03 // and eax, 3\n 8A 0C 07 // mov cl, [rdi+rax]\n 32 0C 16 // xor cl, [rsi+rdx]\n 41 88 0C 11 // mov [r9+rdx], cl\n 48 FF C2 // inc rdx\n EB E7 // jmp short loc_401595\n }\n\n // Detection for this sample :\n // 8197a053d24a8e909e329029d73d9a4b50f9cac6f479f9b6ea70a76c3a3cbda7\n\n $unpack_stager_artefact_kit_64_v5 = {\n 31 C0 // xor eax, eax\n\n // loc_6BAC1999:\n 48 8B 4C 24 70 // mov rcx, [rsp+0A8h+var_38]\n 39 84 24 B8 00 00 00 // cmp [rsp+0A8h+arg_8], eax\n 7E 14 // jle short loc_6BAC19BB\n 48 89 C2 // mov rdx, rax\n 83 E2 03 // and edx, 3\n 8A 14 17 // mov dl, [rdi+rdx]\n 32 14 06 // xor dl, [rsi+rax]\n 88 14 01 // mov [rcx+rax], dl\n 48 FF C0 // inc rax\n EB DE // jmp short loc_6BAC1999\n }\n\n // Detection for these samples :\n // f3f12a093eff9e1f33054ac9536dfa0e3e41a536b3c1aab24cb20a2a09e0d384\n // 82854bb6cea65426f0fade44ee6a211fdda562e894fc5cf8ca0de6217b9f8f5c\n // 
429fdaa93edc5c0fa3275d4d45c24bcfcebef06151fbf5b4f06abf04d75ca26e\n\n $unpack_stager_artefact_kit_64_v6 = {\n 31 C9 // xor ecx, ecx\n 4? 89 C? // mov rbx, rax\n 41 B? 04 00 00 00 // mov r8d, 4\n\n // loc_40161D:\n 39 ?9 // cmp ecx, edi\n 89 C8 // mov eax, ecx\n 7D ?? // jge short loc_40163A\n 99 // cdq\n 41 F7 F? // idiv r8d\n 48 63 C2 // movsxd rax, edx\n (\n 41 8A 04 04 | // mov al, [r12+rax]\n 8A 04 07 // mov al, [rdi+rax]\n )\n (\n 32 44 0D 00 | // xor al, [rbp+rcx+0]\n 32 04 0E // xor al, [rsi+rcx]\n )\n (\n 88 04 0B | // mov [rbx+rcx], al\n 88 44 0D 00 // mov [rbp+rcx+0], al\n 88 04 0B | // mov [rbx+rcx], al\n 88 04 0E // mov [rsi+rcx], al\n 41 88 04 08 // mov [r8+rcx], al\n )\n 48 FF C1 // inc rcx\n EB ?? // jmp short loc_40161D\n }\n\n // Detection for these samples :\n // 2885a5dc4b28286ef267b1637547c419c700a8a294eac7e939bdb634a2dff167\n // 429e5ef710888f35b2ccb74f15bad64aa2d1a93d9d27652741b389fd83fa332d\n // d0b9a1cacae0bbba1e785327d39b4fb3124bbad3d2b545b853b9f22258321d4b\n\n $unpack_stager_artefact_kit_64_v7 = {\n 45 31 D2 // xor r10d, r10d\n 48 89 C3 // mov rbx, rax\n B9 04 00 00 00 // mov ecx, 4\n\n // loc_6BAC15CB:\n 41 39 FA // cmp r10d, edi\n 44 89 D0 // mov eax, r10d\n 7D 18 // jge short loc_6BAC15EB\n 99 // cdq\n F7 F9 // idiv ecx\n 48 63 C2 // movsxd rax, edx\n 41 8A 04 04 // mov al, [r12+rax]\n 42 32 44 15 00 // xor al, [rbp+r10+0]\n 42 88 04 13 // mov [rbx+r10], al\n 49 FF C2 // inc r10\n EB E0 // jmp short loc_6BAC15CB\n }\n\n // Detection for this sample :\n // 2dfee99207e7b13fa289784ede1629cdef3f3bb4074ebcd84695bd051a5b85c4\n\n $unpack_stager_artefact_kit_64_v8 = {\n // loc_401532:\n 89 C8 // mov eax, ecx\n FF C1 // inc ecx\n 99 // cdq\n 41 F7 F8 // idiv r8d\n 48 63 D2 // movsxd rdx, edx\n 41 8A 04 14 // mov al, [r12+rdx]\n 30 45 00 // xor [rbp+0], al\n 8A 45 00 // mov al, [rbp+0]\n 41 88 04 29 // mov [r9+rbp], al\n 48 FF C5 // inc rbp\n\n // loc_40154E:\n 39 F9 // cmp ecx, edi\n 7C E0 // jl short loc_401532\n }\n\n // Detection for these 
samples :\n // 68081a431396a2876a1f57b55ebfc2bfb762abcc4feb5d29e9b0415ef415d10e\n // 746e83c923dea91ab6746885d1eb9cabfa0990923d91837efc798ace2f070ee9\n\n $unpack_stager_artefact_kit_64svc_v1 = {\n 48 83 EC ?8 // sub rsp, 28h\n 31 C0 // xor eax, eax\n 4? 89 ?? // mov r9d, edx\n\n // loc_4017D7:\n (\n 41 39 C1 | // cmp r9d, eax\n 39 C2 // cmp edx, eax\n )\n 7E 1? // jle short loc_4017EE\n 48 89 C? // mov rdx, rax\n 83 E? 03 // and edx, 3\n 41 8A ?? ?? // mov dl, [r8+rdx]\n (\n 30 14 01 | // xor [rcx+rax], dl\n 41 30 0C 01 // xor [r9+rax], cl\n )\n 48 FF C0 // inc rax\n EB E9 // jmp short loc_4017D7\n }\n\n // Detection for these samples :\n // 2ae02a10158befdd5f0f28e6cb2c31fed49824f87e66399df4ce62d900135f7c\n // add57fe667c8df7a4a27002830547652fbde21db9035f10d5be13b60d8eb40d1\n // ebf50d7ab7d2b03a72c0385b09d18664be911e76a5011bcd6c4059090391a525\n\n $unpack_stager_artefact_kit_64svc_v2 = {\n 31 C0 // xor eax, eax\n\n // loc_6BAC1807:\n 39 ?? // cmp eax, edx\n 7? 14 // jge short loc_6BAC181F\n 49 89 C1 // mov r9, rax\n 41 83 E1 03 // and r9d, 3\n 47 8A 0C 08 // mov r9b, [r8+r9]\n 44 30 0C 01 // xor [rcx+rax], r9b\n 48 FF C0 // inc rax\n EB E8 // jmp short loc_6BAC1807\n }\n\n // Detection for this sample :\n // 743215d8d4d04d68ec91143fc65300678c3c2876612180816ebfc057ba301f21\n\n $unpack_stager_artefact_kit_64svc_v3 = {\n 83 E1 03 // and ecx, 3\n 41 8A 0C 08 // mov cl, [r8+rcx]\n 30 0C 03 // xor [rbx+rax], cl\n 48 FF C0 // inc rax\n\n // loc_401763:\n 39 D0 // cmp eax, edx\n 89 C1 // mov ecx, eax\n 7C ED // jl short loc_401756\n // 48 89 D9 // mov rcx, rbx\n // 89 54 24 28 // mov [rsp+38h+var_10], edx\n }\n\n // Detection for these samples :\n // 443430be600ab17dc37e4f7871b593e1c144f44c62077aa56a0b995877b85c7b\n // 7ec880bca6d3abe7509a150caa98c6b0cad33d80e0502a19f6ae9911a3bd6049\n // fe8d4f677eb665827104807a63d29b1cf1d000cd118e3b5c9766aedd9060c71c\n\n $unpack_stager_artefact_kit_64svc_v4 = {\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 89 C1 // mov rcx, 
rax\n 48 03 4D 10 // add rcx, [rbp+arg_0]\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 03 45 10 // add rax, [rbp+arg_0]\n 44 0F B6 00 // movzx r8d, byte ptr [rax]\n 8B 45 FC // mov eax, [rbp+var_4]\n 89 C2 // mov edx, eax\n C1 FA 1F // sar edx, 1Fh\n C1 EA 1E // shr edx, 1Eh\n 01 D0 // add eax, edx\n 83 E0 03 // and eax, 3\n 29 D0 // sub eax, edx\n 48 98 // cdqe\n 48 03 45 20 // add rax, [rbp+arg_10]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 44 31 C0 // xor eax, r8d\n 88 01 // mov [rcx], al\n }\n\n condition:\n 4 of ($s*) and 1 of ($unpack_stager_*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_specific_stager_03658f107439" ], "rule_creation_date": "2022-06-24", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_specific_stager_fa439c2b9a2c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571194Z", "creation_date": "2026-03-23T11:46:25.571196Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.571202Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_specific_stager_fa439c2b9a2c.yar", "content": "rule cobalt_strike_specific_stager_fa439c2b9a2c {\n meta:\n title = \"Cobalt Strike Specific Stager (fa439c2b9a2c)\"\n id = \"3ab442c2-0f4c-4fa1-8fb8-fa439c2b9a2c\"\n description = \"Detects Cobalt Strike's Specific Stager x86.\\nCobalt Strike's specific stager x86 is a 32-bit executable used to establish persistence or communicate with a command-and-control server. This stager is typically generated by the Cobalt Strike artefact kit and is designed to execute specific commands or download additional payloads.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2022-06-24\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.defense_evasion;attack.t1140;attack.t1027.005;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"_matherr(): %s in %s(%g, %g) (retval=%g)\" fullword ascii\n $s2 = \"Address %p has no image-section\" fullword ascii\n $s3 = \"Mingw-w64 runtime failure:\" ascii\n $s4 = \"StartW\" fullword ascii\n $s5 = \"CreateThread\" fullword ascii\n $s6 = \"rundll32.exe\" fullword ascii\n\n // Detection for these samples :\n // 1544f89640fd8ca64620007d2464265ec678ddccfe090151c2188fdfa6145048\n // 
a246ea3ba29911fffcee758898316c57ff4d510f9b26bc9687f0b2dd207940db\n // d1c09435c94c14740e88eb3ebdc086d7ffefda3ea3cdf8b808e09cce53ae61fb\n // fae7f3543def745069c296f4ee81a1f9308227884e1edda8f6e65dba805aa6aa\n // 37cbb8074087f0640a259eab3e591cde1dc360d2288a6d9fbb92a5fb3c1b68ba\n // 91c96360ae21df783a98ded6dca0cf027a1b1fdd7fbdd201fa56894ffb9f47a4\n // 68e7bd3cf41bbc3df1159a3481e911d2d4fd588dfdbedcfe5a96dee3777eb920\n // 709a63b1e27448509a7963c2f779d97d8c325612d2715c15e474d6e3bfbad394\n\n $unpack_stager_artefact_kit32_v1 = {\n 89 C? // mov esi, eax\n 83 EC ?? // sub esp, 10h\n 31 C0 // xor eax, eax\n\n // loc_40159F:\n 39 D8 // cmp eax, ebx\n 7D 17 // jge short loc_4015BA\n (\n 8B ?? 10 | // mov ecx, [ebp+arg_8]\n 89 C? // mov edx, eax\n )\n (\n 89 C? | // mov edx, eax\n 8B ?? 10 // mov ecx, [ebp+arg_8]\n )\n 83 E? 03 // and edx, 3\n 8A ?? ?? // mov dl, [ecx+edx]\n (\n 8B ?? 08 | // mov ecx, [ebp+arg_0]\n 32 14 06 // xor dl, [esi+eax]\n )\n (\n 32 ?? 0? | // xor dl, [ecx+eax]\n 88 14 06 // mov [esi+eax], dl\n )\n 88 ?? 0? 
// mov [esi+eax], dl\n 40 // inc eax\n EB E5 // jmp short loc_40159F\n }\n\n // Detection for this sample :\n // c123ab5c6094a066fddb5cd8eaabebf10fd58dda7345f321272ba95f1838a4f9\n\n $unpack_stager_artefact_kit32_v2 = {\n 31 C9 // xor ecx, ecx\n 83 EC 10 // sub esp, 10h\n 89 C3 // mov ebx, eax\n\n // loc_6BAC160A:\n 39 F1 // cmp ecx, esi\n 7D 17 // jge short loc_6BAC1625\n 89 C8 // mov eax, ecx\n 99 // cdq\n F7 FF // idiv edi\n 8B 45 10 // mov eax, [ebp+arg_8]\n 8A 04 10 // mov al, [eax+edx]\n 8B 55 08 // mov edx, [ebp+arg_0]\n 32 04 0A // xor al, [edx+ecx]\n 88 04 0B // mov [ebx+ecx], al\n 41 // inc ecx\n EB E5 // jmp short loc_6BAC160A\n }\n\n // Detection for these samples :\n // df9a4043350f178376528ace41119578cd18b2ec7501b48510b93a3efa8a4d76\n // c5d752fa54d7093d09846687b25eee2853fd96f4f0870c78e9d4eda2ec22635a\n // 61f32e3ae521795c8a2e048591eb39937f65e4702cde23456f86ca086f301495\n // 9f0e200454059143f2e70543feb51673a12c75fc2686bd6ad20312a68d5e3dc1\n\n $unpack_stager_artefact_kit32_v3 = {\n 31 ?? // xor edx, edx\n 83 EC ?? // sub esp, 0Ch\n\n // loc_6BAC15EA:\n 3B ?5 0C // cmp edx, [ebp+arg_4]\n 7? 1? // jge short loc_6BAC1606\n\n (\n 89 ?1 | // mov ecx, edx\n 8B 5? 10 // mov edx, [ebp+arg_8]\n )\n (\n 8B 5? 10 | // mov ebx, [ebp+arg_8]\n 89 ?1 // mov ecx, eax\n )\n 83 E1 03 // and ecx, 3\n\n 8A 0C 0? // mov cl, [ebx+ecx]\n 8B 5? 08 // mov ebx, [ebp+arg_0]\n\n (\n 32 0C 13 | // xor cl, [ebx+edx]\n 32 0C 02 // xor cl, [edx+eax]\n 88 0C 02 // mov [edx+eax], cl\n )\n 88 0C ?? // mov [eax+edx], cl\n 4? // inc edx\n EB E? 
// jmp short loc_6BAC15EA\n }\n\n // Detection for these samples :\n // 4b1763dd1f7652d5629de0715fa7d2f6a6aae8970a6d9e8414504e2c7e426663\n // a70b4d9ddf306268e4ad84402f0cb07f362eb547514be779bcafab6fcc792ae1\n\n $unpack_stager_artefact_kit32_v4 = {\n // loc_6BAC1690:\n 89 C8 // mov eax, ecx\n BF 04 00 00 00 // mov edi, 4\n 99 // cdq\n F7 FF // idiv edi\n 8B 7D 10 // mov edi, [ebp+arg_8]\n 8A 04 17 // mov al, [edi+edx]\n 30 03 // xor [ebx], al\n 8A 03 // mov al, [ebx]\n 43 // inc ebx\n 88 04 0E // mov [esi+ecx], al\n 41 // inc ecx\n 3B 4D E4 // cmp ecx, [ebp+var_1C]\n 7C E2 // jl short loc_6BAC1690\n }\n\n // Detection for these samples :\n // a5ecd877717377252fe715a7208ba9a8d42c3b2ccde24672bc14a42baa05adc2\n // f03d4bb2776ed8768a53e1c30d0da96e35030a6421e7e7b2e1a6c66f0398ef01\n // d87d92da759fd766645ad9f9acbffb5a376ae7df3272dcd6c11b0780ddffb338\n // 5ee5be86fa2ee00ade067fed2aea1776718d91f99fbd90c3032de93a4ae5d290\n // c573276c0753ebfd01e4decd9ae4daf0b8ff2a52905a94fa7cece7054484234d\n // 0fbd01ca9f316cc9804d9668eb8242acd71304465f69a0e0ee73dde483bad613\n // 234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a\n // 44e70e41ef57b67de13150ba7fc226df3a4c644e489d2aafccc684a6833e5ee1\n\n $unpack_stager_artefact_kit_32svc_v1 = {\n 55 // push ebp\n 31 C0 // xor eax, eax\n 89 E5 // mov ebp, esp\n\n (\n 56 // push esi\n 53 // push ebx\n 83 EC 10 // sub esp, 10h\n 8B 5D 08 // mov ebx, [ebp+arg_0]\n 8B 75 0C // mov esi, [ebp+arg_4]\n 8B 55 10 // mov edx, [ebp+arg_8]\n |\n 57 // push edi\n 8B 4D 0C // mov ecx, [ebp+arg_4]\n 8B 7D 08 // mov edi, [ebp+arg_0]\n 56 // push esi\n 53 // push ebx\n 8B 5D 10 // mov ebx, [ebp+arg_8]\n )\n\n // loc_4017A4:\n 39 ?? // cmp eax, esi\n 7D 0E // jge short loc_4017B6\n 89 C? // mov ecx, eax\n 83 E? 03 // and ecx, 3\n 8A ?? ?? // mov cl, [edx+ecx]\n 30 ?? 0? 
// xor [ebx+eax], cl\n 40 // inc eax\n EB EE // jmp short loc_4017A4\n }\n\n // Detection for this sample :\n // a044426ee0f6bf029ece86d9292300c9f8e8577bb769dcbb2d0ccb7e22709826\n\n $unpack_stager_artefact_kit_32svc_v2 = {\n 55 // push ebp\n 31 C9 // xor ecx, ecx\n 89 E5 // mov ebp, esp\n 57 // push edi\n 56 // push esi\n 53 // push ebx\n 83 EC 1C // sub esp, 1Ch\n 8B 45 10 // mov eax, [ebp+arg_8]\n 8B 5D 08 // mov ebx, [ebp+arg_0]\n 8B 75 0C // mov esi, [ebp+arg_4]\n 89 45 E4 // mov [ebp+var_1C], eax\n\n // loc_40176A:\n 39 F1 // cmp ecx, esi\n 7D 16 // jge short loc_401784\n 89 C8 // mov eax, ecx\n BF 04 00 00 00 // mov edi, 4\n 99 // cdq\n F7 FF // idiv edi\n 8B 45 E4 // mov eax, [ebp+var_1C]\n 8A 04 10 // mov al, [eax+edx]\n 30 04 0B // xor [ebx+ecx], al\n 41 // inc ecx\n EB E6 // jmp short loc_40176A\n }\n\n // Detection for these samples :\n // 9cc20e58e1815795183cb214e5d2abe70f77c853118d19aad5fe9dd8acad6ba4\n // c0fc006ffa92d0111197f8e3a1d2ba06a326eddc3d0b28111727df8e52805cf8\n // fd248df8f77b876775515d6ad3ca5945af7ec408f79d61bda5fbadf24b424df6\n\n $unpack_stager_artefact_kit_32svc_v3 = {\n // loc_6BAC18E5:\n 89 C8 // mov eax, ecx\n BF 04 00 00 00 // mov edi, 4\n 99 // cdq\n F7 FF // idiv edi\n 8B 7D E0 // mov edi, [ebp+var_20]\n 8A 04 17 // mov al, [edi+edx]\n 30 04 0B // xor [ebx+ecx], al\n 41 // inc ecx\n 39 F1 // cmp ecx, esi\n 7C E8 // jl short loc_6BAC18E5\n }\n\n condition:\n 4 of ($s*) and 1 of ($unpack_stager_*)\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_specific_stager_fa439c2b9a2c" ], "rule_creation_date": "2022-06-24", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-cobalt_strike_sshagent_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580997Z", "creation_date": "2026-03-23T11:46:25.580999Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581034Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0154/" ], "name": "cobalt_strike_sshagent.yar", "content": "rule cobalt_strike_sshagent {\n meta:\n title = \"Cobalt Strike SSH Agent DLL\"\n id = \"0f0291cd-8bc4-4b5d-88c9-1f97e7ed8ad5\"\n description = \"Detects the Cobalt Strike SSH Agent DLL.\\nCobalt Strike is a commercial remote access tool used for simulating adversary tactics and conducting targeted attacks.\\nThis rule identifies the SSH Agent component, which is used for establishing communication between different stages of the attack.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0154/\"\n date = \"2021-02-22\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0154;attack.t1572;attack.t1071;attack.t1027.005;attack.t1106;attack.t1021.004\"\n classification = \"Windows.Framework.CobaltStrike\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload uses these APIs to create a communication channel.\n $s1 = \"CreateNamedPipeA\" ascii\n $s2 = \"ConnectNamedPipe\" ascii\n\n // This payload uses this hardcoded named pipe for communication.\n $s3 = \"\\\\\\\\.\\\\pipe\\\\sshagent\" ascii\n\n // This payload uses this named pipe prefix for communication on Cobalt Strike 4.2+.\n $s4 = \"\\\\\\\\.\\\\pipe\\\\postex_\" ascii\n\n // Unique logger strings found in this payload.\n $s5 = \"FAIL credential material not available\" ascii\n $s6 = \"FAIL Could not resolve %s\" ascii\n $s7 = \"FAIL authentication method not supported. Allowed methods: %s\" ascii\n $s8 = \"INFO Server accepted NONE authentication. 
(What?!?)\" ascii\n $s9 = \"SUCCESS %s@%s:%d %s\" ascii\n\n condition:\n 8 of them\n}\n", "rule_count": 1, "rule_names": [ "cobalt_strike_sshagent" ], "rule_creation_date": "2021-02-22", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.CobaltStrike" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071", "attack.t1106", "attack.t1021.004", "attack.t1572", "attack.t1027.005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-comratv4_injected_8f531c21e603_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575034Z", "creation_date": "2026-03-23T11:46:25.575036Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575041Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\nhttps://attack.mitre.org/software/S0126/" ], "name": "comratv4_injected_8f531c21e603.yar", "content": "rule comratv4_injected_8f531c21e603 {\n meta:\n title = \"ComRAT v4 Injected Library (8f531c21e603)\"\n 
id = \"72ea4b5d-f6c8-41a2-a56d-8f531c21e603\"\n description = \"Detects the 64-bit version of the ComRAT v4 injected library, a malware used by Turla first identified in 2007.\\nComRAT is a second stage implant suspected of being a descendant of Agent.btz.\\nThe malware is known for its Virtual File System (VFS) feature in FAT16 format and its capability to use Gmail for command and control communication.\"\n references = \"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\\nhttps://attack.mitre.org/software/S0126/\"\n date = \"2024-07-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001;attack.t1059.003;attack.t1106;attack.defense_evasion;attack.t1070.004;attack.t1218.011;attack.command_and_control;attack.t1573.001;attack.t1105;attack.s0126\"\n classification = \"Windows.Backdoor.ComRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405\n\n // OutputODFADebugString\n $odfa = {\n C6 44 [2] 4F // mov [rsp+1038h+var_1018], 4Fh ; 'O'\n C6 44 [2] 44 // mov [rsp+1038h+var_1018+1], 44h ; 'D'\n C6 44 [2] 46 // mov [rsp+1038h+var_1018+2], 46h ; 'F'\n C6 44 [2] 41 // mov [rsp+1038h+var_1018+3], 41h ; 'A'\n C6 44 [2] 3A // mov [rsp+1038h+var_1018+4], 3Ah ; ':'\n C6 44 [2] 20 // mov [rsp+1038h+var_1018+5], 20h ; ' '\n C6 44 [2] 25 // mov [rsp+1038h+var_1018+6], 25h ; '%'\n C6 44 [2] 75 // mov [rsp+1038h+var_1018+7], 75h ; 'u'\n C6 44 [2] 20 // mov [rsp+1038h+var_1018+8], 20h ; ' '\n C6 44 [2] 25 // mov [rsp+1038h+var_1018+9], 25h ; '%'\n C6 44 [2] 64 // mov [rsp+1038h+var_1018+0Ah], 64h ; 'd'\n C6 44 [2] 20 // mov [rsp+1038h+var_1018+0Bh], 20h ; ' '\n C6 44 [2] 25 // mov [rsp+1038h+var_1018+0Ch], 25h ; '%'\n C6 44 [2] 75 // mov 
[rsp+1038h+var_1018+0Dh], 75h ; 'u'\n C6 44 [2] 0A // mov [rsp+1038h+var_1018+0Eh], 0Ah\n C6 44 [2] 00 // mov [rsp+1038h+var_1018+0Fh], 0\n }\n\n $xor55 = {\n 41 80 31 55 // xor byte ptr [r9], 55h\n 4D 03 CF // add r9, r15\n 4D 2B E7 // sub r12, r15\n 75 F4 // jnz short loc_18000BA20\n }\n\n // GetComputerNameHash\n // %08x\n $getpipename1 = {\n B8 25 00 00 00 // mov eax, 25h ; '%'\n 48 8B F9 // mov rdi, rcx\n 49 8D 53 10 // lea rdx, [r11+10h]\n 66 89 44 24 20 // mov [rsp+248h+var_228], ax\n B8 30 00 00 00 // mov eax, 30h ; '0'\n 48 8D 4C 24 30 // lea rcx, [rsp+248h+var_218]\n 66 89 44 24 22 // mov [rsp+248h+var_226], ax\n B8 38 00 00 00 // mov eax, 38h ; '8'\n 33 F6 // xor esi, esi\n 66 89 44 24 24 // mov [rsp+248h+var_224], ax\n B8 78 00 00 00 // mov eax, 78h ; 'x'\n 49 8B D8 // mov rbx, r8\n 66 89 74 24 28 // mov [rsp+248h+var_220], si\n 41 C7 43 10 04 01 00 00 // mov dword ptr [r11+10h], 104h\n }\n\n // Generate pipe name based on GetComputerName\n $getpipename2 = {\n 41 0F B6 ?? // movzx ecx, byte ptr [r8]\n 41 8B C1 // mov eax, r9d\n 44 03 DA // add r11d, edx\n 83 C9 04 // or ecx, 4\n C1 E8 03 // shr eax, 3\n 44 8B C9 // mov r9d, ecx\n 44 0F AF C8 // imul r9d, eax\n 49 FF ?? 
// inc r8\n }\n\n condition:\n $odfa or\n #xor55 > 10 or\n 1 of ($getpipename*)\n}\n", "rule_count": 1, "rule_names": [ "comratv4_injected_8f531c21e603" ], "rule_creation_date": "2024-07-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.ComRAT" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1059.003", "attack.t1070.004", "attack.t1218.011", "attack.t1106", "attack.t1059.001", "attack.t1105", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-comratv4_injected_e7aa80138037_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584004Z", "creation_date": "2026-03-23T11:46:25.584006Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584011Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\nhttps://attack.mitre.org/software/S0126/" ], "name": 
"comratv4_injected_e7aa80138037.yar", "content": "rule comratv4_injected_e7aa80138037 {\n meta:\n title = \"ComRAT v4 Injected Library (e7aa80138037)\"\n id = \"abe81fba-eff0-4819-b4ad-e7aa80138037\"\n description = \"Detects the 32-bit version of the ComRAT v4 injected library, a malware used by Turla first identified in 2007.\\nComRAT is a second stage implant suspected of being a descendant of Agent.btz.\\nThe malware is known for its Virtual File System (VFS) feature in FAT16 format and its capability to use Gmail for command and control communication.\"\n references = \"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\\nhttps://attack.mitre.org/software/S0126/\"\n date = \"2024-07-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001;attack.t1059.003;attack.t1106;attack.defense_evasion;attack.t1070.004;attack.t1218.011;attack.command_and_control;attack.t1573.001;attack.t1105;attack.s0126\"\n classification = \"Windows.Backdoor.ComRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d\n\n $xor55 = {\n 30 ?? 05 [1] // xor [ebp+eax+var_48], dl\n 40 // inc eax\n 83 F8 ?? // cmp eax, 9\n 72 F6 // jb short loc_7B017\n }\n\n // \\\\.\\pipe\\%08x\n $getpipename1 = {\n 6A 5C // push 5Ch ; '\\'\n 58 // pop eax\n 6A 2E // push 2Eh ; '.'\n 8B C8 // mov ecx, eax\n 66 89 4D ?? // mov [ebp+var_20], cx\n 66 89 4D ?? // mov [ebp+var_1E], cx\n 59 // pop ecx\n 6A 70 // push 70h ; 'p'\n 66 89 4D ?? // mov [ebp+var_1C], cx\n 8B C8 // mov ecx, eax\n 66 89 4D ?? // mov [ebp+var_1A], cx\n 59 // pop ecx\n 6A 69 // push 69h ; 'i'\n 66 89 4D ?? // mov [ebp+var_18], cx\n 59 // pop ecx\n 6A 70 // push 70h ; 'p'\n 66 89 4D ?? 
// mov [ebp+var_16], cx\n 59 // pop ecx\n 6A 65 // push 65h ; 'e'\n 66 89 45 ?? // mov [ebp+var_10], ax\n 66 89 4D ?? // mov [ebp+var_14], cx\n 59 // pop ecx\n 6A 25 // push 25h ; '%'\n 58 // pop eax\n 6A 30 // push 30h ; '0'\n 66 89 45 ?? // mov [ebp+var_E], ax\n 58 // pop eax\n 6A 38 // push 38h ; '8'\n 66 89 45 ?? // mov [ebp+var_C], ax\n 58 // pop eax\n 6A 78 // push 78h ; 'x'\n }\n\n // Generate pipe name based on GetComputerName\n $getpipename2 = {\n 0F B6 11 // movzx edx, byte ptr [ecx]\n FF 4C 24 04 // dec [esp+arg_0]\n 83 CA 04 // or edx, 4\n C1 E8 03 // shr eax, 3\n 0F AF C2 // imul eax, edx\n 41 // inc ecx\n }\n\n condition:\n #xor55 > 10 or\n 1 of ($getpipename*)\n}\n", "rule_count": 1, "rule_names": [ "comratv4_injected_e7aa80138037" ], "rule_creation_date": "2024-07-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.ComRAT" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1059.003", "attack.t1070.004", "attack.t1218.011", "attack.t1106", "attack.t1059.001", "attack.t1105", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-comratv4_orchestrator_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.575133Z", "creation_date": "2026-03-23T11:46:25.575135Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575140Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0126/\nhttps://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a" ], "name": "comratv4_orchestrator.yar", "content": "rule comratv4_orchestrator {\n meta:\n title = \"ComRAT v4 Orchestrator\"\n id = \"db1069ef-9285-41f6-a3e1-976375f7b4b9\"\n description = \"Detects the ComRAT V4 Orchestrator, a malware used by the Turla APT first identified in 2007.\\nComRAT is a second stage implant suspected of being a descendant of Agent.btz. The malware features a Virtual File System (VFS) in FAT16 format and can use Gmail to receive commands and exfiltrate information.\"\n references = \"https://attack.mitre.org/software/S0126/\\nhttps://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\\nhttps://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a\"\n date = \"2024-07-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001;attack.t1059.003;attack.t1106;attack.defense_evasion;attack.t1070.004;attack.t1218.011;attack.command_and_control;attack.t1573.001;attack.t1105;attack.exfiltration;attack.t1029;attack.s0126\"\n classification = \"Windows.Backdoor.ComRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 303f2983b32519d32b3a408a08fe108b96657ff25c5500602f836689d8ad9731\n // 44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316\n\n $s1 = \".c4as\" ascii fullword\n $s2 = 
\"/var/output/\" ascii fullword\n $s3 = \"x64_Release.dll\" ascii fullword\n\n $pdb = \"C:\\\\Projects\\\\chinch_4_0\\\\projects\\\\chinch4\\\\Build\\\\x64\\\\Release\\\\x64_Release.pdb\" ascii fullword\n\n // HARDCODED KEY FOR FAT16FS IN DATA SECTION\n $fat16fs_key = {\n C7 45 ?? 27 82 3B D3 // mov [rbp+57h+vFixedKey], 0D33B8227h\n C7 45 ?? 3E D5 EA 8D // mov [rbp+57h+vFixedKey+4], 8DEAD53Eh\n C7 45 ?? 55 FB C0 7E // mov [rbp+57h+vFixedKey+8], 7EC0FB55h\n C7 45 ?? 6F 41 FE 37 // mov [rbp+57h+vFixedKey+0Ch], 37FE416Fh\n C7 45 ?? E0 53 8D DF // mov [rbp+57h+vFixedKey+10h], 0DF8D53E0h\n C7 45 ?? 60 DD 0A 70 // mov [rbp+57h+vFixedKey+14h], 700ADD60h\n C7 45 ?? 88 13 FC 88 // mov [rbp+57h+vFixedKey+18h], 88FC1388h\n C7 45 ?? 3E FD 99 49 // mov [rbp+57h+vFixedKey+1Ch], 4999FD3Eh\n }\n\n // DecryptString (DecryptMultiByte, DecryptWideChar)\n $decryptstring = {\n C7 45 ?? 6F 61 72 FF // mov dword ptr [rbp+aBegin], 0FF72616Fh\n C7 45 ?? 04 27 E7 AA // mov dword ptr [rbp+aBegin+4], 0AAE72704h\n C7 45 ?? A8 0E AF 05 // mov dword ptr [rbp+aBegin+8], 5AF0EA8h\n C7 45 ?? A2 42 9D 16 // mov dword ptr [rbp+aBegin+0Ch], 169D42A2h\n C7 45 ?? 15 A6 BF CF // mov dword ptr [rbp+aBegin+10h], 0CFBFA615h\n C7 45 ?? 60 FB E8 21 // mov dword ptr [rbp+aBegin+14h], 21E8FB60h\n C7 45 ?? 2B A9 B1 87 // mov dword ptr [rbp+aBegin+18h], 87B1A92Bh\n C7 45 ?? 3A 1E 4B C0 // mov dword ptr [rbp+aBegin+1Ch], 0C04B1E3Ah\n }\n\n // DecryptXor55\n $decrypt_xor55 = {\n 8B 44 ?? ?? // mov eax, [rsp+18h+var_14]\n 48 8B 4C ?? ?? // mov rcx, [rsp+18h+arg_0]\n 0F B6 04 ?? // movzx eax, byte ptr [rcx+rax]\n 8B 0C ?? // mov ecx, [rsp+18h+vSeed]\n 03 C8 // add ecx, eax\n 8B C1 // mov eax, ecx\n 89 04 ?? // mov [rsp+18h+vSeed], eax\n 8B 44 ?? ?? // mov eax, [rsp+18h+var_14]\n 48 8B 4C ?? ?? // mov rcx, [rsp+18h+arg_0]\n 0F B6 04 ?? // movzx eax, byte ptr [rcx+rax]\n 83 F0 55 // xor eax, 55h\n 8B 4C ?? ?? // mov ecx, [rsp+18h+var_14]\n 48 8B 54 ?? ?? 
// mov rdx, [rsp+18h+arg_0]\n 88 04 0A // mov [rdx+rcx], al\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 00 // imul rax, 0\n 48 8B 4C ?? ?? // mov rcx, [rsp+18h+arg_0]\n 0F B6 04 ?? // movzx eax, byte ptr [rcx+rax]\n 8B 0C ?? // mov ecx, [rsp+18h+vSeed]\n 03 C8 // add ecx, eax\n 8B C1 // mov eax, ecx\n 89 04 ?? // mov [rsp+18h+vSeed], eax\n EB ?? // jmp short loc_1800721A7\n }\n\n // GetPipeName\n // \\\\.\\pipe\\%08x\n $getpipename1 = {\n C7 44 [2] 5C 00 5C 00 // mov dword ptr [rsp+278h+aFmt], 5C005Ch\n C7 44 [2] 2E 00 5C 00 // mov dword ptr [rsp+278h+aFmt+4], 5C002Eh\n C7 44 [2] 70 00 69 00 // mov dword ptr [rsp+278h+aFmt+8], 690070h\n C7 44 [2] 70 00 65 00 // mov dword ptr [rsp+278h+aFmt+0Ch], 650070h\n C7 44 [2] 5C 00 25 00 // mov dword ptr [rsp+278h+aFmt+10h], 25005Ch\n C7 44 [2] 30 00 38 00 // mov dword ptr [rsp+278h+aFmt+14h], 380030h\n C7 44 [2] 78 00 00 00 // mov dword ptr [rsp+278h+aFmt+18h], 78h ; 'x'\n C7 44 [2] 04 01 00 00 // mov [rsp+278h+vComputerNameLen], 104h\n }\n\n // GetPipeName\n // Generate pipe name based on GetComputerName\n $getpipename2 = {\n 41 0F B6 ?? // movzx ecx, byte ptr [r10]\n 41 8B C1 // mov eax, r9d\n 4D 8D ?? 01 // lea r10, [r10+1]\n 83 C9 04 // or ecx, 4\n C1 E8 03 // shr eax, 3\n 44 8B C9 // mov r9d, ecx\n 44 0F AF C8 // imul r9d, eax\n 41 FF C8 // dec r8d\n 75 ?? 
// jnz short loc_180047A20\n }\n\n condition:\n all of ($s*) or\n $pdb or\n $fat16fs_key or\n $decryptstring or\n $decrypt_xor55 or\n 1 of ($getpipename*)\n}\n", "rule_count": 1, "rule_names": [ "comratv4_orchestrator" ], "rule_creation_date": "2024-07-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.ComRAT" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1029", "attack.t1059.003", "attack.t1070.004", "attack.t1218.011", "attack.t1106", "attack.t1059.001", "attack.t1105", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-copperstealer_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575383Z", "creation_date": "2026-03-23T11:46:25.575385Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575390Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/jaydinbas/status/1646475092006785027" ], "name": "copperstealer_driver.yar", "content": "rule copperstealer_driver 
{\n meta:\n title = \"CopperStealer Windows Driver\"\n id = \"8542a63b-fda2-41ed-897b-f64cb028783f\"\n description = \"Detects the CopperStealer Windows driver.\\nCopperStealer is a malicious kernel driver that acts as a command-and-control (C2) beacon.\\nIt has the ability to inject code into userland processes, establish persistence, and steal sensitive information from the system.\\nThe driver communicates with its C2 server via HTTP protocol to receive commands and exfiltrate data.\"\n references = \"https://twitter.com/jaydinbas/status/1646475092006785027\"\n date = \"2023-04-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.defense_evasion;attack.t1014;attack.privilege_escalation;attack.t1055\"\n classification = \"Windows.Rootkit.CopperStealer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5\n // e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d\n\n // First ensure that we are indeed scanning a kernel driver\n $kernel_driver_1 = \"IoDeleteDevice\" fullword ascii\n $kernel_driver_2 = \"IoDetachDevice\" fullword ascii\n $kernel_driver_3 = \"ExFreePoolWithTag\" fullword ascii\n $kernel_driver_4 = \"ExAllocatePoolWithTag\" fullword ascii\n $kernel_driver_5 = \"MmGetSystemRoutineAddress\" fullword ascii\n $kernel_driver_6 = \"MmProbeAndLockPages\" fullword ascii\n $kernel_driver_7 = \"IoCreateDevice\" fullword ascii\n $kernel_driver_8 = \"ZwReadFile\" fullword ascii\n $kernel_driver_9 = \"ZwSetValueKey\" fullword ascii\n $kernel_driver_10 = \"KeWaitForSingleObject\" fullword ascii\n\n $network_comm_1 = \"HTTP/1.1\" fullword ascii\n $network_comm_2 = \"HTTP/1.0\" fullword ascii\n $network_comm_3 = \"8.8.8.8\" fullword ascii\n $network_comm_4 = \"content-length\" fullword ascii\n\n $network_device_1 = 
\"Device\\\\Tcp\" fullword wide\n $network_device_2 = \"Device\\\\Udp\" fullword wide\n\n // GET %s HTTP/1.0\\r\\nHost: %s:%d\\r\\nConnection: Close\\r\\n\\r\\n\n $http_req_1 = { 47 45 54 20 25 73 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 25 73 3A 25 64 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A 00 }\n // GET %s HTTP/1.0\\r\\nHost: %s\\r\\nConnection: Close\\r\\n\\r\\n\n $http_req_2 = { 47 45 54 20 25 73 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A 00 }\n\n condition:\n 5 of ($kernel_driver_*) and\n all of ($network_comm_*) and\n all of ($network_device_*) and\n 1 of ($http_req_*)\n}\n", "rule_count": 1, "rule_names": [ "copperstealer_driver" ], "rule_creation_date": "2023-04-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Rootkit.CopperStealer" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1014", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-covenant_grunt_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580842Z", "creation_date": "2026-03-23T11:46:25.580844Z", 
"enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580850Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/cobbr/Covenant" ], "name": "covenant_grunt.yar", "content": "rule covenant_grunt_yar {\n meta:\n title = \"Covenant Grunt\"\n id = \"372da4a1-37e2-4ae5-ad46-101ca299c80d\"\n description = \"Detects the Covenant Grunt malware.\\nCovenant is a .NET command and control framework designed to highlight the attack surface of .NET and simplify offensive .NET tradecraft. Grunt is a component of this framework that serves as a collaborative command and control platform for red teamers.\\nIt is recommended to scan for additional signs of malicious activity on the host.\"\n references = \"https://github.com/cobbr/Covenant\"\n date = \"2020-12-16\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Windows.Framework.Covenant\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // https://github.com/cobbr/Covenant/blob/f5014ba319517e262f745334f16a724657c2998e/Covenant/Data/Grunt/GruntBridge/GruntBridgeStager.cs#L42\n $name = \"{{\\\"GUID\\\":\\\"{0}\\\",\\\"Type\\\":{1},\\\"Meta\\\":\\\"{2}\\\",\\\"IV\\\":\\\"{3}\\\",\\\"EncryptedMessage\\\":\\\"{4}\\\",\\\"HMAC\\\":\\\"{5}\\\"}}\" wide\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "covenant_grunt_yar" ], "rule_creation_date": "2020-12-16", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Covenant" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", 
"memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cpp_execassembly_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585792Z", "creation_date": "2026-03-23T11:46:25.585794Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585799Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mallo-m/Cpp-ExecAssembly" ], "name": "cpp_execassembly.yar", "content": "rule cpp_execassembly {\n meta:\n title = \"Cpp-ExecAssembly HackTool\"\n id = \"ffb4df15-f60b-493e-b562-f3643acbeedb\"\n description = \"Detects Cpp-ExecAssembly, a C++ tool to load and execute assemblies in-memory, without triggering AV/EDR alerts.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/mallo-m/Cpp-ExecAssembly\"\n date = \"2025-11-19\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620\"\n classification = \"Windows.HackTool.Cpp-ExecAssembly\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = 
\"strong\"\n\n strings:\n // Detection for this sample:\n // 3f98178b7077391d314516d0d83a8105d2008697c944eb476705d5e0066c7226\n\n $string1 = \"[+] InitMetaHost success\" ascii fullword\n $string2 = \"[!] Could not load Default Domain failed\" ascii fullword\n $string3 = \"[!] Default Domain has no interface ???\" ascii fullword\n $string4 = \"[+] InitAssemblyMemory success\" ascii fullword\n $string5 = \"[!] Could not retrieve assembly's entry point\" ascii fullword\n $string6 = \"[!] Failed to invoke Assembly, is Main's signature matching: static void Main(string[] args) ? hr = %X\" ascii fullword\n\n condition:\n 4 of ($string*)\n}\n", "rule_count": 1, "rule_names": [ "cpp_execassembly" ], "rule_creation_date": "2025-11-19", "rule_modified_date": "2025-11-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Cpp-ExecAssembly" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1620" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-crackaccount_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583757Z", "creation_date": "2026-03-23T11:46:25.583759Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.583764Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1110/" ], "name": "crackaccount.yar", "content": "rule crackaccount {\n meta:\n title = \"CrackAccount Malware\"\n id = \"d9f5e278-a827-46f4-8998-80bd48d9b6ea\"\n description = \"Detects the CrackAccount credential stealer binary.\\nCrackAccount is a malicious credential stealer designed to extract user credentials from compromised systems. It attempts to steal passwords and may be used by adversaries for initial access, lateral movement, or privilege escalation.\"\n references = \"https://attack.mitre.org/techniques/T1110/\"\n date = \"2023-03-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1110\"\n classification = \"Windows.Stealer.CrackAccount\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e97bdf7fafb1cb2a2bf0a4e14f51e18a34f3ff2f6f7b99731e93070d50801bef\n\n $s1 = \"Download Pass\" fullword ascii\n $s2 = \"FileOpenCommand+\" fullword ascii\n $s3 = \"FromShowQuestion+\" fullword ascii\n $s4 = \"\\\\passwords.txt\" fullword wide\n $s5 = \",computer\" fullword wide\n $s6 = \"LDAP://{0}\" fullword wide\n $s7 = \" (*.txt)|*.txt|\" fullword wide\n $s8 = \"view/mainwindow.baml\" fullword wide\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "crackaccount" ], "rule_creation_date": "2023-03-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.CrackAccount" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1110" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-csharp_streamer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569241Z", "creation_date": "2026-03-23T11:46:25.569243Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569249Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\nhttps://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/" ], "name": "csharp_streamer.yar", "content": "rule csharp_streamer {\n meta:\n title = \"CSharp Streamer RAT\"\n id = \"ea4b0539-e381-43bf-8154-720629459e17\"\n description = \"Detects CSharp Streamer, a .NET Remote Access Tool embedding multiple post exploitation and defense evasion .NET libraries.\\nCSharp Streamer is a Remote Access Tool (RAT) that integrates various .NET libraries to perform post-exploitation activities and evade detection. It is commonly used in ransomware campaigns, leveraging techniques such as AMSI hooking and process injection to maintain persistence and evade security measures. 
The tool can establish communication channels, including ICMP-based C2 protocols, and is often used to execute malicious commands on compromised systems.\\nIt is recommended to analyze network traffic for potential C2 communication patterns.\"\n references = \"https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\\nhttps://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/\"\n date = \"2024-07-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1105;attack.discovery;attack.t1087.001;attack.t1087.002;attack.t1057;attack.t1046;attack.credential_access;attack.t1003;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Malware.CSharpStreamer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 056cf0d4afdf17648e83739e3e96b53fa802bd0750fe6e74cdbe2fcea2b03c7e\n // 6a082dd209ec019de653f71e0ee22e6613ce5e9010b8fa089b02f79a1a90652a\n\n $rat = \"csharp_streamer\" wide\n\n $s1 = \"windows identify before impersonation:\" wide\n $s2 = \"VirtualProtectEx error [change protection]\" wide\n $s3 = \"AmsiScanBuffer hooked successfully\" wide\n $s4 = \"The injection method provided was invalid\" wide\n $s5 = \"[POWERSHELL OUTPUT {0}] : --- begin of execution ---\" wide\n $s6 = \"Connecting to ICMP\" wide\n\n condition:\n ($rat and 3 of ($s*)) or all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "csharp_streamer" ], "rule_creation_date": "2024-07-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.CSharpStreamer" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1046", "attack.t1003", "attack.t1071.001", "attack.t1041", "attack.t1087.001", "attack.t1087.002", "attack.t1057", 
"attack.t1105" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_10e4552cd40d_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.562885Z", "creation_date": "2026-03-23T11:46:25.562889Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.562898Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/kyleavery/AceLdr" ], "name": "custom_call_stack_10e4552cd40d.yar", "content": "rule return_addr_spoofing_10e4552cd40d {\n meta:\n title = \"Return Address Spoofing Technique (10e4552cd40d)\"\n id = \"e649f410-4b83-42ce-a9d6-10e4552cd40d\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. 
The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. setup_threadpool_callback_proxy: Manipulates the structure before calling the target API, installing a return handler\\n2. threadpool_callback_return_handler: Restores execution flow after the API returns\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/kyleavery/AceLdr\"\n date = \"2025-11-05\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b05f4dcd41d6732da10c5b64724ea42e591eabab3ef745440c7b795b2f68d8f8\n // d9a1479142464d9c524806119cf3f78f13b3972027486378d37fc2f82a2210d5\n // 
3842d0d806f854f5be0e39bb2c53849fe6bb318d6e4469bc90721eaac0e659eb\n\n // int64_t prepare_context_api_call(int64_t arg1, int64_t arg2, int64_t arg3 @ rbx, int64_t arg4 @ r12, int64_t arg5 @ r13, int64_t arg6 @ r14,\n // int64_t arg7 @ r15, int64_t (** arg8)(int64_t arg1 @ rax, void* arg2 @ rbx), int64_t arg9)\n // arg8[3] = arg1\n // arg8[0xb] = arg2\n // arg8[0xc] = arg4\n // arg8[0xd] = arg5\n // arg8[0xe] = arg6\n // arg8[0xf] = arg7\n // int64_t i = 0\n // int64_t arg_38\n // int64_t r13 = arg_38\n // int64_t r14_3 = 0x208 + arg8[7] + arg8[6] + arg8[4] - 0x20\n // int64_t* r10_1 = &arg_38\n //\n // for (; i != r13; i += 1)\n // r14_3 -= 8\n // r10_1 = &r10_1[1]\n // void arg_8\n // *(&arg_8 - r14_3) = *r10_1\n //\n // int64_t var_200 = 0\n // int64_t* rsp = &var_200 - arg8[7]\n // *rsp = arg8[8]\n // int64_t* rsp_1 = rsp - arg8[4]\n // *rsp_1 = arg8[5]\n // *(rsp_1 - arg8[6]) = arg8[0xa]\n // arg8[1] = __return_addr\n // arg8[2] = arg3\n // *arg8 = return_trampoline_stub\n // arg8[9]\n // jump(arg9)\n\n // int64_t return_trampoline_stub(int64_t arg1 @ rax, void* arg2 @ rbx)\n // void arg_200\n // void* rsp_2 = &arg_200 + *(arg2 + 0x30) + *(arg2 + 0x20) + *(arg2 + 0x38)\n // *(arg2 + 0x10)\n // *(arg2 + 0x18)\n // *(arg2 + 0x58)\n // *(arg2 + 0x60)\n // *(arg2 + 0x68)\n // *(arg2 + 0x70)\n // *(arg2 + 0x78)\n // *(rsp_2 - 8) = arg1\n // *(rsp_2 - 8)\n // jump(*(arg2 + &data_8))\n\n\n $work_callback_and_ret_handler = {\n 48 8B DF // mov rbx, rdi\n 4C 8B D1 // mov r10, rcx\n 48 8B 47 48 // mov rax, qword [rdi+0x48]\n 41 FF E3 // jmp r11\n\n // int64_t return_trampoline_stub(int64_t arg1 @ rax, void* arg2 @ rbx)\n 48 8B CB // mov rcx, rbx\n 48 81 C4 00 02 00 00 // add rsp, 0x200\n 48 03 63 30 // add rsp, qword [rbx+0x30]\n 48 03 63 20 // add rsp, qword [rbx+0x20]\n 48 03 63 38 // add rsp, qword [rbx+0x38]\n }\n\n condition:\n $work_callback_and_ret_handler\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_10e4552cd40d" ], "rule_creation_date": 
"2025-11-05", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_2d3b1da30907_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590141Z", "creation_date": "2026-03-23T11:46:25.590144Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590153Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/klezVirus/Moonwalk--/" ], "name": "custom_call_stack_2d3b1da30907.yar", "content": "rule return_addr_spoofing_2d3b1da30907 {\n meta:\n title = \"Return Address Spoofing Technique (2d3b1da30907)\"\n id = \"184d0db3-6fa9-4958-86e0-2d3b1da30907\"\n description = \"Detects usage of return address spoofing.\\nThis 
technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. Manipulating the stack structure before calling the target API, installing a return handler\\n2. Restoring execution flow after the API returns.\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/klezVirus/Moonwalk--/\"\n date = \"2025-12-16\"\n modified = \"2025-12-22\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 841bde640f5a619d560daef63b9fbdf9337d4d24ceb2a70a5f5a5ad86f0d6bad\n\n // This is a very generic signature, it has a gadget that saves the stack 
pointer and one\n // that saves non-volatile registers.\n\n $get_rsp = {\n 48 8B C4 // mov rax, rsp {__return_addr}\n 48 83 C0 08 // add rax {arg_8}, 0x8\n C3 // retn {__return_addr}\n }\n\n $saving_non_vol_regs = {\n 48 89 6C 24 08 // mov qword [rsp+0x8 {arg_8}], rbp\n 48 89 5C 24 10 // mov qword [rsp+0x10 {arg_10}], rbx\n 49 8B C9 // mov rcx, r9\n 4C 8B D9 // mov r11, rcx\n }\n\n condition:\n $get_rsp and $saving_non_vol_regs\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_2d3b1da30907" ], "rule_creation_date": "2025-12-16", "rule_modified_date": "2025-12-22", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_60d336d6cd97_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.562824Z", "creation_date": "2026-03-23T11:46:25.562828Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.562837Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/kyleavery/AceLdr" ], "name": "custom_call_stack_60d336d6cd97.yar", "content": "rule return_addr_spoofing_60d336d6cd97 {\n meta:\n title = \"Return Address Spoofing Technique (60d336d6cd97)\"\n id = \"84c489f4-0ab5-4fa1-8538-60d336d6cd97\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. setup_threadpool_callback_proxy: Manipulates the structure before calling the target API, installing a return handler\\n2. 
threadpool_callback_return_handler: Restores execution flow after the API returns\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/kyleavery/AceLdr\"\n date = \"2025-11-05\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // bb5cf9427657965cea4117ab5308dc09d032851ad2265cb4f2ffcccef639194e\n // 8a5f8ddeaa2fa210651187c93ce9437dad5e3132cc83cc3804181dec09239f7d\n // 53a5485f534232ba748aba240bde8d2648743f29892230e53f2fa35d0bee7763\n\n $work_callback = {\n 48 89 D3 // mov rbx, rdx\n 48 8B 03 // mov rax, qword [rbx]\n 48 8B 4B 08 // mov rcx, qword [rbx+0x8]\n 48 8B 53 10 // mov rdx, qword [rbx+0x10]\n 4D 31 C0 // xor r8, r8 {0x0}\n 4C 8B 4B 18 // mov r9, qword [rbx+0x18]\n [4-6] // mov r10d, 0x4\n 4C 89 54 24 30 // mov qword [rsp+0x30 {arg_30}], r10 {0x4}\n [4-6] // mov r10d, 0x3000\n 4C 89 54 24 28 // mov qword [rsp+0x28 {arg_28}], r10 {0x3000}\n FF E0 // jmp rax\n }\n\n condition:\n $work_callback\n}\n", "rule_count": 1, "rule_names": [ 
"return_addr_spoofing_60d336d6cd97" ], "rule_creation_date": "2025-11-05", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_9aea64230cd6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.562734Z", "creation_date": "2026-03-23T11:46:25.562748Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.562763Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/kyleavery/AceLdr" ], "name": "custom_call_stack_9aea64230cd6.yar", "content": "rule return_addr_spoofing_9aea64230cd6 {\n meta:\n title = \"Return Address Spoofing Technique (9aea64230cd6)\"\n id = \"54041a86-8a8a-403d-b7d5-9aea64230cd6\"\n description = 
\"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. setup_threadpool_callback_proxy: Manipulates the structure before calling the target API, installing a return handler\\n2. threadpool_callback_return_handler: Restores execution flow after the API returns\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/kyleavery/AceLdr\"\n date = \"2025-11-05\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
3114f349c989c71f349de84357c8c21afe67e88d7bb6438d130525ebf041809f\n // dac3c7b37e0504da56156a0a36042914dfa85ea4ec0ba70c561432c0cf0ddfbe\n // 2a4c193d0beb165893cc65f588ecc32f0cbc68db3a42acb2b0e692ac95486db8\n\n // int64_t work_callback(int64_t arg1 @ rbx, int64_t* arg2)\n // int64_t arg_10 = *arg2\n // int64_t r10_1 = arg2[1]\n // arg2[1] = __return_addr\n // arg2[2] = arg1\n // *arg2 = threadpool_callback_return_handler\n // jump(r10_1)\n //\n // int64_t threadpool_callback_return_handler(void* arg1 @ rbx)\n // *(arg1 + 0x10)\n // jump(*(arg1 + 8))\n\n $work_callback_and_ret_handler = {\n // int64_t setup_threadpool_callback_proxy(int64_t arg1 @ rbx, int64_t* arg2)\n 41 5B // pop r11 {__return_addr}\n 48 83 C4 08 // add rsp, 0x8\n 48 8B 44 24 18 // mov rax, qword [rsp+0x18 {arg2}]\n 4C 8B 10 // mov r10, qword [rax]\n 4C 89 14 24 // mov qword [rsp {arg_10}], r10\n 4C 8B 50 08 // mov r10, qword [rax+0x8]\n 4C 89 58 08 // mov qword [rax+0x8], r11\n 48 89 58 10 // mov qword [rax+0x10], rbx\n 48 8D 1D 09 00 00 00 // lea rbx, [rel threadpool_callback_return_handler]\n 48 89 18 // mov qword [rax], rbx {threadpool_callback_return_handler}\n 48 8B D8 // mov rbx, rax\n 41 FF E2 // jmp r10\n\n // int64_t threadpool_callback_return_handler(void* arg1 @ rbx)\n 48 83 EC 10 // sub rsp, 0x10\n 48 8B CB // mov rcx, rbx\n 48 8B 59 10 // mov rbx, qword [rcx+0x10]\n FF 61 08 // jmp qword [rcx+0x8]\n }\n\n condition:\n $work_callback_and_ret_handler\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_9aea64230cd6" ], "rule_creation_date": "2025-11-05", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_a511033955ba_yar", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577537Z", "creation_date": "2026-03-23T11:46:25.577539Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577544Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/AlmondOffSec/LibTPLoadLib/" ], "name": "custom_call_stack_a511033955ba.yar", "content": "rule return_addr_spoofing_a511033955ba {\n meta:\n title = \"Return Address Spoofing Technique (a511033955ba)\"\n id = \"f10b1ae6-9fa7-461d-a7ca-a511033955ba\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. 
When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. Manipulating the stack structure before calling the target API, installing a return handler\\n2. Restoring execution flow after the API returns.\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/AlmondOffSec/LibTPLoadLib/\"\n date = \"2025-11-18\"\n modified = \"2025-11-25\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d013c1fb55b9320d6db542a0f54fc8ed193867a5a721717afdc169c9f0385062\n // a23a27dc1dceeb289d2b3f4f9c2ce460a1a0bee0a633dfdb461f4ef60bda9234\n\n // This detection is based on the LibTPLoadLib implementation - seen in Conti ransomware samples dating from 11/2025 marked above\n\n $s1 = \"TpAllocWork\" ascii fullword\n $s2 = \"TpPostWork\" ascii fullword\n $s3 = \"TpWaitForWork\" ascii fullword\n $s4 = \"TpReleaseWork\" ascii fullword\n $s5 = 
\"dsdmo_10.0.26100.1882.dll\" ascii fullword\n\n $work_callback = {\n 48 83 EC 28 // sub rsp, 0x28\n 4C 8B 52 08 // mov r10, qword [rdx+0x8]\n 4C 8B 5A 10 // mov r11, qword [rdx+0x10]\n 48 8B 0A // mov rcx, qword [rdx]\n 48 31 D2 // xor rdx, rdx {0x0}\n 4D 31 C0 // xor r8, r8 {0x0}\n 41 FF E3 // jmp r11\n }\n\n condition:\n all of ($s*) or $work_callback\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_a511033955ba" ], "rule_creation_date": "2025-11-18", "rule_modified_date": "2025-11-25", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_d613dacd109b_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566148Z", "creation_date": "2026-03-23T11:46:25.566151Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566158Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/rasta-mouse/LibTP\nhttps://github.com/evilashz/PigSyscall" ], "name": "custom_call_stack_d613dacd109b.yar", "content": "rule return_addr_spoofing_d613dacd109b {\n meta:\n title = \"Return Address Spoofing Technique (d613dacd109b)\"\n id = \"78a2cc2b-3b0a-4a94-b4e8-d613dacd109b\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. Manipulating the stack structure before calling the target API, installing a return handler\\n2. 
Restoring execution flow after the API returns.\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/rasta-mouse/LibTP\\nhttps://github.com/evilashz/PigSyscall\"\n date = \"2025-11-18\"\n modified = \"2025-11-25\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d95d43bfda094adc3be2a205212905a6b43896e382eaf4a4306dc617f71f193b\n // 590a55a11b518dbe1b925b345c3d58af783f53c9213c882445486a9816c4da0f\n // 90ba66d88988961d754b31a41113f9cfd60ce2766b0a9e759c369cce619b2663\n\n // This one is based on the trampoline seen in RastaMouse's LibTP implementation and PigSyscall\n\n $work_callback = {\n // int64_t WorkCallback(int64_t arg1, int64_t* arg2)\n 48 89 D3 // mov rbx, rdx\n 48 8B 03 // mov rax, qword [rbx]\n 48 8B 4B 08 // mov rcx, qword [rbx+0x8]\n 48 8B 53 10 // mov rdx, qword [rbx+0x10]\n 4C 8B 43 18 // mov r8, qword [rbx+0x18]\n 4C 8B 4B 20 // mov r9, qword [rbx+0x20]\n 4C 8B 53 30 // mov r10, qword [rbx+0x30]\n 4C 89 54 24 30 // mov qword [rsp+0x30 {arg_30}], r10\n 4C 8B 53 28 // mov r10, 
qword [rbx+0x28]\n 4C 89 54 24 28 // mov qword [rsp+0x28 {arg_28}], r10\n FF E0 // jmp rax\n }\n\n condition:\n all of them\n}", "rule_count": 1, "rule_names": [ "return_addr_spoofing_d613dacd109b" ], "rule_creation_date": "2025-11-18", "rule_modified_date": "2025-11-25", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_e652623d09ba_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566226Z", "creation_date": "2026-03-23T11:46:25.566228Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566234Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/klezVirus/SilentMoonwalk/\nhttps://github.com/Kudaes/Unwinder" ], "name": 
"custom_call_stack_e652623d09ba.yar", "content": "rule return_addr_spoofing_e652623d09ba {\n meta:\n title = \"Return Address Spoofing Technique (e652623d09ba)\"\n id = \"52c39720-8a04-4f7e-b04f-e652623d09ba\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. Manipulating the stack structure before calling the target API, installing a return handler\\n2. Restoring execution flow after the API returns.\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes using with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/klezVirus/SilentMoonwalk/\\nhttps://github.com/Kudaes/Unwinder\"\n date = \"2025-11-18\"\n modified = \"2025-11-25\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = 
\"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 205693dcaac70b9aaf7eba05b23e33d163b0bd57819a69da79c3c44d998b5965\n // c300a89bd40b4bc5b62c99b666fa1e6a1fd79647082b9184a0d72f0e14ab75e6\n // 27f457698c50441153bb67510124de1a36a62774e08fb231f365f291594b2e14\n // ab1f157855332fa1e4ed5353e2e99e6b976c8c0d321e366bbdfadedc7e73777f\n // 4eadde084c30b4d3a0b5413d83ac8d0ad29a605c7557bdb5ecf36043e28ce7a4\n // faa5e504f256e5dc0955b126d63a76c903e482fe413a7b24bf3bc6e308a6112d\n\n\n // This detection is based on the SilentMoonwalk and Unwinder implementations.\n // They use parameter_handler assembly functions to adjust the stack according to the number of parameters\n // given to an API call.\n\n // parameter_handler proc\n // \tmov\t\tr9, rax\n // \tmov\t\trax, 8\n // \tmov\t\tr8, [rcx].SPOOFER.Nargs\n // \tmul\t\tr8\n // ;\tpop\t\trdx\n // ;\tsub\t\trsp, rax -- Not necessary\n // ;\tpush\trdx\n // \txchg\tr9, rax\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 8\n // \tje\t\thandle_eight\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 7\n // \tje\t\thandle_seven\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 6\n // \tje\t\thandle_six\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 5\n // \tje\t\thandle_five\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 4\n // \tje\t\thandle_four\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 3\n // \tje\t\thandle_three\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 2\n // \tje\t\thandle_two\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 1\n // \tje \t\thandle_one\n // \tcmp\t\t[rcx].SPOOFER.Nargs, 0\n // \tje \t\thandle_none\n // parameter_handler endp\n\n $place_args_for_call = {\n 41 57 // push r15\n 4C 8B B9 ?? 00 00 00 // mov r15, qword [rcx+0xc8]\n 4C 89 7C 24 30 // mov qword [rsp+0x30], r15\n 41 5F // pop r15\n EB 00 // jmp 0x140003362\n 4C 8B 89 ?? 00 00 00 // mov r9, qword [rcx+0xc0]\n EB 00 // jmp 0x14000336b\n 4C 8B 81 ?? 
00 00 00 // mov r8, qword [rcx+0xb8]\n EB 00 // jmp 0x140003374\n 48 8B 91 ?? 00 00 00 // mov rdx, qword [rcx+0xb0]\n EB 00 // jmp 0x14000337d\n }\n\n $parameter_handler_long_jmp = {\n 48 83 [2-6] 04 // cmp qword [rcx+0x78], 0x4\n 0F 84 [2] 00 00 // je 0x1400263de\n 48 83 [2-6] 03 // cmp qword [rcx+0x78], 0x3\n 0F 84 [2] 00 00 // je 0x1400263e7\n 48 83 [2-6] 02 // cmp qword [rcx+0x78], 0x2\n 0F 84 [2] 00 00 // je 0x1400263f0\n 48 83 [2-6] 01 // cmp qword [rcx+0x78], 0x1\n 0F 84 [2] 00 00 // je 0x1400263f9\n 48 83 [2-6] 00 // cmp qword [rcx+0x78], 0x0\n 0F 84 [2] 00 00 // je 0x14002640b\n }\n\n $parameter_handler_short_jmp = {\n 48 83 [2] 00 00 00 04 // cmp qword [rcx+0xa0], 0x4\n (74|75|76) ?? // je 0x140003362\n 48 83 [2] 00 00 00 03 // cmp qword [rcx+0xa0], 0x3\n (74|75|76) ?? // je 0x14000336b\n 48 83 [2] 00 00 00 02 // cmp qword [rcx+0xa0], 0x2\n (74|75|76) ?? // je 0x140003374\n 48 83 [2] 00 00 00 01 // cmp qword [rcx+0xa0], 0x1\n (74|75|76) ?? // je 0x14000337d\n 48 83 [2] 00 00 00 00 // cmp qword [rcx+0xa0], 0x0\n (74|75|76) ?? 
// je 0x140003386\n }\n\n condition:\n 1 of ($parameter_handler_*) and $place_args_for_call\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_e652623d09ba" ], "rule_creation_date": "2025-11-18", "rule_modified_date": "2025-11-25", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_call_stack_f25fb1cf3993_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566079Z", "creation_date": "2026-03-23T11:46:25.566081Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566087Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\nhttps://github.com/JLospinoso/gargoyle/" ], "name": "custom_call_stack_f25fb1cf3993.yar", "content": "rule return_addr_spoofing_f25fb1cf3993 {\n 
meta:\n title = \"Return Address Spoofing Technique (f25fb1cf3993)\"\n id = \"58c7bb28-0578-4f60-87b8-f25fb1cf3993\"\n description = \"Detects usage of return address spoofing.\\nThis technique hijacks execution to execute malicious API calls with a legitimized call stack. The malware modifies a parameter structure to intercept execution flow: it saves the target function pointer, overwrites the structure with a return trampoline address, and stores the original return address within the structure itself. When the target API executes, EDR stack inspection sees a clean call chain originating from legitimate Windows internals rather than suspicious RX regions.\\nThe technique consists of two key components:\\n1. Manipulating the stack structure before calling the target API, installing a return handler\\n2. Restoring execution flow after the API returns.\\nThis bypasses EDR call stack inspection that would normally flag direct calls from shellcode/injected regions to sensitive APIs like NtAllocateVirtualMemory, NtProtectVirtualMemory, or NtCreateThreadEx.\\nIt is recommended to investigate processes with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html\\nhttps://0xdarkvortex.dev/hiding-in-plainsight/\\nhttps://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/\\nhttps://github.com/JLospinoso/gargoyle/\"\n date = \"2025-11-17\"\n modified = \"2025-11-24\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.RetAddrSpoofing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n 
strings:\n // Detection for these samples:\n // e5fbc107114e21867fd8af958664823780fba55cd62676468f95ab75d7cc882d\n // c3218412d5192d0487bace7295c19c263d04d520b9b7cf1f8b6291e1967b4e7a\n\n // This detection is based on the Gargoyle setup assembly implementation - for further detection on the PE directly, see the ROP gadget search Yara\n\n // mov ebx, [esp+4] ; Configuration in ebx now\n // lea esp, [ebx + Configuration.trampoline - 4] ; Bottom of \"stack\"\n // mov ebp, esp\n // ; If we're initialized, skip to trampoline fixup\n // mov edx, [ebx + Configuration.initialized]\n // cmp edx, 0\n // jne reset_trampoline\n\n $trampoline_configuration = {\n 8B 5C 24 04 // mov ebx, [rsp+4]\n 8D A3 34 00 01 00 // lea esp, [rbx+0x10034]\n 89 E5 // mov ebp, esp\n 8B 13 // mov edx, [rbx]\n 83 FA 00 // cmp edx, 0\n (74|75|76) // jne +47\n }\n\n // ; Setup arguments for WaitForSingleObjectEx x1\n // push 1\n // push 0xFFFFFFFF\n // mov ecx, [ebx + Configuration.sleep_handle]\n // push ecx\n // push 0 ; Return address never ret'd\n // ; Setup arguments for WaitForSingleObjectEx x2\n // push 1\n // push 0xFFFFFFFF\n // mov ecx, [ebx + Configuration.sleep_handle]\n // push ecx\n // ; Tail call to WaitForSingleObjectEx\n // mov ecx, [ebx + Configuration.WaitForSingleObjectEx]\n // push ecx\n\n $waitforsingleobjectexcall = {\n 6A 01 // push 1\n 6A FF // push -1\n 8B 4B 24 // mov ecx\n 51 // push rcx\n 6A 00 // push 0\n 6A 01 // push 1\n 6A FF // push -1\n 8B 4B 24 // mov ecx, [rbx+0x24]\n 51 // push rcx\n 8B 4B 10 // mov ecx, [rbx+0x10]\n 51 // push rcx\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "return_addr_spoofing_f25fb1cf3993" ], "rule_creation_date": "2025-11-17", "rule_modified_date": "2025-11-24", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RetAddrSpoofing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", 
"process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-custom_mythic_loki_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576339Z", "creation_date": "2026-03-23T11:46:25.576341Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576346Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/loki-agent-for-mythic/113596/\nhttps://attack.mitre.org/software/S0699/" ], "name": "custom_mythic_loki_loader.yar", "content": "rule custom_mythic_loki_loader {\n meta:\n title = \"Custom Mythic Loki Loader\"\n id = \"bf31a64b-3b80-43a2-9c03-f018aa61ddd1\"\n description = \"Detects a custom Mythic Loki loader.\\nLoki is a private agent of the Mythic Framework, an open-source cross-platform post-exploitation framework designed for red teaming and security testing.\\nIt is recommended to investigate parent processes or initial access vectors on the machine and to look for further signs of malicious actions on the host.\"\n references = \"https://securelist.com/loki-agent-for-mythic/113596/\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-09-09\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = 
\"attack.s0699;attack.execution;attack.defense_evasion;attack.t1055;attack.t1059;attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"Windows.Loader.MythicLoki\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // aa544118deb7cb64ded9fdd9455a277d0608c6985e45152a3cbb7422bd9dc916\n\n $resolve_ntdll = {\n 3c // movsxd rdx, dword [rdx+0x3c]\n ??????88000000 // mov eax, dword [rbx+rdx+0x88]\n ???? // test eax, eax\n ???? // je 0x406710\n ???????? // lea r9, [rbx+rax]\n ??????0c // mov edx, dword [r9+0xc]\n 4????? // add rdx, rbx\n 4????? // mov r8d, dword [rdx]\n ??????20202020 // or r8d, ' '\n ??????6e74646c // cmp r8d, 0x6c64746e\n 7??? // jne 0x406710\n ?????? // mov eax, dword [rdx+0x4]\n ??20202020 // or eax, ' '\n 3d6c2e646c // cmp eax, 'l.dl'\n }\n\n condition:\n $resolve_ntdll\n}\n", "rule_count": 1, "rule_names": [ "custom_mythic_loki_loader" ], "rule_creation_date": "2024-09-09", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.MythicLoki" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1055", "attack.t1572" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2019-13272_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, 
"is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586608Z", "creation_date": "2026-03-23T11:46:25.586611Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586620Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://nvd.nist.gov/vuln/detail/cve-2019-13272\nhttps://github.com/jas502n/CVE-2019-13272" ], "name": "cve-2019-13272.yar", "content": "rule cve_2019_13272 {\n meta:\n title = \"CVE-2019-13272 LPE Exploit\"\n id = \"fb471bcb-8b82-4d4d-b837-fe6120fd3914\"\n description = \"Detects an exploit targeting the CVE-2019-13272 vulnerability in Linux kernels before 5.1.17.\\nThe CVE-2019-13272 vulnerability, located in ptrace_link within \\\"kernel/ptrace.c\\\", allows local users to gain root privileges by improperly handling process credentials during ptrace relationship creation.\\nThis exploit enables unprivileged users to escalate privileges on the system.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://nvd.nist.gov/vuln/detail/cve-2019-13272\\nhttps://github.com/jas502n/CVE-2019-13272\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2019-13272\"\n classification = \"Linux.Exploit.CVE-2019-13272\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 77c96e6fd44a70046817e1fdb67cc8f38e01fceb4b20a24a7d019c33553c9652\n\n $s1 = \"[.] Checking environment ...\" fullword ascii\n $s2 = \"[~] Done, looks good\" fullword ascii\n $s3 = \"[.] Spawning suid process (%s) ...\" fullword ascii\n $s4 = \"[.] 
Tracing midpid ...\" fullword ascii\n\n $exploit0 = \"/usr/bin/pkaction\" fullword ascii\n $exploit1 = \"/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper\" fullword ascii\n $exploit2 = \"Uid:\\t%d\\t0\\t\" fullword ascii\n $exploit3 = \"implicit active:\" fullword ascii\n $exploit4 = \"/xf86-video-intel-backlight-helper\" fullword ascii\n $exploit5 = \"/proc/%d/comm\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and (all of ($s*) or all of ($exploit*))\n}\n", "rule_count": 1, "rule_names": [ "cve_2019_13272" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2019-13272" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2019-18935_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566431Z", "creation_date": "2026-03-23T11:46:25.566433Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566438Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://nvd.nist.gov/vuln/detail/cve-2019-18935\nhttps://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui" ], "name": "cve-2019-18935_loader.yar", "content": "rule cve_2019_18935_exploitation {\n meta:\n title = \"CVE-2019-18935 RCE Exploitation\"\n id = \"ab127a7f-5f4e-4de1-b12d-2312aba04dfa\"\n description = \"Detects a payload used in the exploitation of the CVE-2019-18935 Remote Code Execution vulnerability related to a .NET JSON deserialization vulnerability in Telerik UI.\\nThis vulnerability allows the execution of a previously uploaded binary via a mixed-mode assembly DLL.\\nIt is recommended to analyze the suspicious DLL loaded by the IIS worker process (w3wp.exe).\"\n references = \"https://nvd.nist.gov/vuln/detail/cve-2019-18935\\nhttps://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui\"\n date = \"2025-09-12\"\n modified = \"2025-09-30\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1190;attack.execution;attack.t1203;cve.2019-18935\"\n classification = \"Windows.Exploit.CVE-2019-18935\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 469ca6c37b6dc3f284fd709de94c26c415296bb936e5b27a78c877a3931442cf\n // fb645d718596726a9f6a2b2dc1ef239e39bbf78c7f209b311168c836617c5829\n // 82bfd4386b481571eacb0108f3640e84fbf173ae219280e12373e63f5dffc3e3\n // eeeb01aacdcbe10c1c0dddaa3472cb9edbcafa5b9a962670a29cdc4107dffb32\n\n $stub_memset_createprocess_x64 = {\n 41 b8 68 00 00 00 // mov r8d, 0x68\n 33 d2 // xor edx, edx {0x0}\n 48 8d 4c 24 70 // lea rcx, [rsp+0x70 {lpStartupInfo}]\n e8 db 0b 00 00 // call memset\n c7 44 24 70 68 00 00 00 // mov dword [rsp+0x70 {lpStartupInfo}], 0x68\n 41 b8 18 00 // mov r8d, 0x18\n }\n\n $stub_memset_createprocess_x86 = {\n 6a 44 // push 0x44 {var_5c}\n 6a 00 // push 0x0 {var_60}\n 8d 45 ac // lea eax, [ebp-0x54 {lpStartupInfo}]\n 50 // push eax {lpStartupInfo} 
{var_64_1}\n e8 57 0c 00 00 // call _memset\n 83 c4 0c // add esp, 0xc\n c7 45 ac 44 00 00 00 // mov dword [ebp-0x54 {lpStartupInfo}], 0x44\n 6a 10 // push 0x10 {var_5c}\n 6a 00 // push 0x0 {var_60}\n }\n\n condition:\n 1 of ($stub_memset*)\n}\n", "rule_count": 1, "rule_names": [ "cve_2019_18935_exploitation" ], "rule_creation_date": "2025-09-12", "rule_modified_date": "2025-09-30", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2019-18935" ], "rule_tactic_tags": [ "attack.execution", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1203", "attack.t1190" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2021-22555_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576816Z", "creation_date": "2026-03-23T11:46:25.576818Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576824Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/google/security-research/blob/master/pocs/linux/cve-2021-22555/writeup.md" ], "name": "cve-2021-22555.yar", "content": "rule cve_2021_22555 {\n meta:\n title = \"CVE-2021-22555 LPE Exploit\"\n 
id = \"124cd391-d12c-4929-b019-e3a576bfe0c5\"\n description = \"Detects the exploitation of the CVE-2021-22555 vulnerability in the Linux Netfilter module.\\nThis vulnerability is a 15-year-old heap out-of-bounds write flaw that allows an attacker to bypass modern security mitigations and achieve kernel code execution.\\nIt has been exploited in kCTF to attack Kubernetes pods and achieve container escape, leading to potential unauthorized access.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/google/security-research/blob/master/pocs/linux/cve-2021-22555/writeup.md\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2021-22555\"\n classification = \"Linux.Exploit.CVE-2021-22555\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 708b6d59201d7168bd9c935362408cf5b42c6d0d96fd4aa6bce510d31ffc464c\n\n $s1 = \"[*] Searching for corrupted primary message...\" fullword ascii\n $s2 = \"[*] Leaking adjacent secondary message...\" fullword ascii\n $s3 = \"[+] kheap_addr: %llx\" fullword ascii\n $s4 = \"[-] Error kernel heap address is incorrect.\" fullword ascii\n $s5 = \"[*] Spraying pipe_buffer objects...\" fullword ascii\n $s6 = \"[+] Root privileges gained.\" fullword ascii\n\n $exploit1 = \"__socketpair\" fullword ascii\n $exploit2 = \"__socket\" fullword ascii\n $exploit3 = \"/proc/1/ns/mnt\" fullword ascii\n $exploit4 = \"/proc/1/ns/pid\" fullword ascii\n $exploit5 = \"/proc/1/ns/net\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and (4 of ($s*) or all of ($exploit*))\n}\n", "rule_count": 1, "rule_names": [ "cve_2021_22555" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2021-22555" ], "rule_tactic_tags": [ 
"attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2021-33909_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586666Z", "creation_date": "2026-03-23T11:46:25.586668Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586674Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909" ], "name": "cve-2021-33909.yar", "content": "rule cve_2021_33909 {\n meta:\n title = \"CVE-2021-33909 LPE Exploit\"\n id = \"b13659d5-1de5-4c6e-bf37-e627f8dbb8ec\"\n description = \"Detects an exploit for the CVE-2021-33909 LPE vulnerability, also known as Sequoia.\\nThis vulnerability allows unprivileged users to gain root privileges by exploiting a flaw in the Linux filesystem layer.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = 
\"https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2021-33909\"\n classification = \"Linux.Exploit.CVE-2021-33909\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 87f491a7783f7715f1ea664a7c3a8aa8a296ddf853e0ee76e4b126af576012dc\n\n $s1 = \"creating directories, please wait...\" fullword ascii\n $s2 = \"crashing...\" fullword ascii\n $s3 = \"died in %s: %u\" fullword ascii\n\n $exploit1 = \"/proc/self/mountinfo\" fullword ascii\n $exploit2 = \"\\\\134\" fullword ascii\n $exploit3 = \"/proc/%ld/setgroups\" fullword ascii\n $exploit4 = \"/proc/%ld/uid_map\" fullword ascii\n $exploit5 = \"0 %ld 1\" fullword ascii\n $exploit6 = \"/proc/%ld/gid_map\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and (all of ($s*) or all of ($exploit*))\n}\n", "rule_count": 1, "rule_names": [ "cve_2021_33909" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2021-33909" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2021-3493_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576888Z", "creation_date": "2026-03-23T11:46:25.576890Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576896Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://ubuntu.com/security/CVE-2021-3493\nhttps://github.com/briskets/CVE-2021-3493" ], "name": "cve-2021-3493.yar", "content": "rule cve_2021_3493 {\n meta:\n title = \"CVE-2021-3493 LPE Exploit\"\n id = \"9e36ace6-19f8-414c-a918-ef85fbf55594\"\n description = \"Detects the exploitation of the CVE-2021-3493 vulnerability in OverlayFS, Ubuntu-specific.\\nThe vulnerability arises from improper validation of file capabilities in OverlayFS, allowing attackers to gain elevated privileges.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://ubuntu.com/security/CVE-2021-3493\\nhttps://github.com/briskets/CVE-2021-3493\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2021-3493\"\n classification = \"Linux.Exploit.CVE-2021-3493\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e75b38661de7d19e1b5fe22d6aaeb8a3e0f60978ad213da88b34c67ca2dcc6bd\n\n $s1 = \"./ovlcap\" fullword ascii\n $s2 = \"rm -rf '%s/'\" fullword ascii\n $s3 = \"died in %s: %u\" fullword ascii\n\n $exploit1 = \"/proc/self/setgroups\" fullword ascii\n $exploit2 = \"0 %d 1\" fullword ascii\n $exploit3 = \"/proc/self/uid_map\" fullword ascii\n $exploit4 = \"/proc/self/gid_map\" fullword ascii\n 
$exploit5 = \"/proc/self/exe\" fullword ascii\n $exploit6 = {\n 48 ?? 01 00 00 02 FF FF FF FF // mov rax, 0FFFFFFFF02000001h\n 48 ?? 00 00 00 00 FF FF FF FF // mov rdx, 0FFFFFFFF00000000h\n }\n\n condition:\n uint16(0) == 0x457f and (all of ($s*) or all of ($exploit*))\n}\n", "rule_count": 1, "rule_names": [ "cve_2021_3493" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2021-3493" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2021-4034_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576846Z", "creation_date": "2026-03-23T11:46:25.576848Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576853Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" ], "name": "cve-2021-4034.yar", 
"content": "rule cve_2021_4034 {\n meta:\n title = \"CVE-2021-4034 LPE Exploit\"\n id = \"af332cf0-d2dc-4757-8d2b-c7216e2a78b2\"\n description = \"Detects the Pwnkit LPE exploit (CVE-2021-4034) targeting Polkit's pkexec.\\nPwnkit is a local privilege escalation vulnerability in the pkexec tool, allowing unprivileged users to gain root access by bypassing system checks.\\nThis exploit has been widely used and affects multiple Linux distributions.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034\\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2021-4034\"\n classification = \"Linux.Exploit.CVE-2021-4034\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 8c5fd2687d3a7fa2e0507b9ed87d8ead0275cfe9b7d6c8bb629a1b37eba604bd\n // 5fc47d5a952dd65b0b3319ecf6485e645e0576f2c7aea3f0938f1a985880866f\n\n $s1 = \"PATH=GCONV_PATH=.\" fullword ascii\n $s2 = \"CHARSET=\" ascii\n $s3 = \"/usr/bin/pkexec\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and all of them\n}\n", "rule_count": 1, "rule_names": [ "cve_2021_4034" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2021-4034" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2022-34918_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572651Z", "creation_date": "2026-03-23T11:46:25.572653Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572658Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/randorisec/CVE-2022-34918-LPE-PoC\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "cve-2022-34918.yar", "content": "rule cve_2022_34918 {\n meta:\n title = \"CVE-2022-34918 LPE Exploit\"\n id = \"d4794408-f36c-4915-a18e-31f7cd81a1f6\"\n description = \"Detects the Linux Kernel exploit targeting CVE-2022-34918.\\nThis exploit leverages a type confusion bug in nft_set_elem_init, which can cause a buffer overflow, allowing a local attacker to escalate privileges.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/randorisec/CVE-2022-34918-LPE-PoC\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2022-11-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2022-34918\"\n classification = \"Linux.Exploit.CVE-2022-34918\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
9c5ed9f4c7b7ee0a950cb1f1ea4bccc7816162f1d977101c066dba1979ef8580\n // 80b3a8f79436289029b178c6f808d545a6308434d806edb305aa3d03b1ae3d56\n\n $s1 = \"[-] calloc\" fullword ascii\n $s2 = \"[-] add key\" fullword ascii\n $s3 = \"[-] keyctl(KEY_CTL_REVOKE)\" fullword ascii\n $s4 = \"#!/bin/bash\\n\\nchown root:root /tmp/get_root\\nchmod 4555 /tmp/get_root\\n\" fullword ascii\n $s5 = \"[-] unshare(CLONE_NEWUSER | CLONE_NEWNS)\" fullword ascii\n $s6 = \"[-] open(/proc/sys/kernel/modprobe)\" fullword ascii\n $s7 = \"/tmp/dummy\" fullword ascii\n $s8 = \"[+] Get CAP_NET_ADMIN capability\" fullword ascii\n $s9 = \"[+] kaslr base found 0x%lx\\n\" fullword ascii\n\n // from line 56 of keystring.c in https://github.com/randorisec/CVE-2022-34918-LPE-PoC\n // Works for -O0, 1, 2 and 3\n $op_parse_leak = {\n 8B 45 ?? // mov eax, [rbp+??]\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 45 ?? // mov rax, [rbp+??]\n 48 01 D0 // add rax, rdx\n 48 8B 00 // mov rax, [rax]\n 25 FF FF 0F 00 // and eax, 0FFFFFh\n 48 3D 00 FA 0D 00 // cmp rax, 0DFA00h\n 75 ?? // jnz short loc_401ED4\n 8B 45 ?? // mov eax, [rbp+??]\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 45 ?? // mov rax, [rbp+??]\n 48 01 D0 // add rax, rdx\n 48 8B 00 // mov rax, [rax]\n 48 8D 90 00 06 C2 FF // lea rdx, [rax-3DFA00h]\n 48 8B 45 ?? // mov rax, [rbp+??]\n 48 89 10 // mov [rax], rdx\n 8B 45 ?? // mov eax, [rbp+??]\n 83 C0 05 // add eax, 5\n 89 C0 // mov eax, eax\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 45 ?? // mov rax, [rbp+??]\n 48 01 D0 // add rax, rdx\n 48 8B 00 // mov rax, [rax]\n 48 BA 00 00 00 00 FF FF FF FF // mov rdx, 0FFFFFFFF00000000h\n 48 21 C2 // and rdx, rax\n 48 8B 45 ?? // mov rax, [rbp+??]\n 48 89 50 08 // mov [rax+8], rdx\n 48 8B 45 ?? 
// mov rax, [rbp+??]\n }\n\n condition:\n uint16(0) == 0x457f and filesize < 1400KB and (all of ($s*) or $op_parse_leak)\n}\n", "rule_count": 1, "rule_names": [ "cve_2022_34918" ], "rule_creation_date": "2022-11-03", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.CVE-2022-34918" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve_2023_21768_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584336Z", "creation_date": "2026-03-23T11:46:25.584338Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584344Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://nvd.nist.gov/vuln/detail/CVE-2023-21768\nhttps://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768/tree/master" ], "name": "cve_2023_21768.yar", "content": "rule cve_2023_21768 {\n meta:\n title = \"CVE-2023-21768 LPE Exploit\"\n id = \"9a2bc78d-def5-4958-8e10-67b03a278e99\"\n description = \"Detects payloads exploiting the CVE-2023-21768 Local Privilege Escalation 
vulnerability.\\nThis vulnerability enables attackers to escalate privileges by performing arbitrary kernel memory operations, granting them SYSTEM-level access.\"\n references = \"https://nvd.nist.gov/vuln/detail/CVE-2023-21768\\nhttps://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768/tree/master\"\n date = \"2023-09-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2023-21768\"\n classification = \"Windows.Exploit.CVE-2023-21768\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 722b3030a0017588fc0e8bf736bc53bf31a5288c27679e044e098e2de0469f10\n\n $canary = \"91c5bb0ba01db03fe9b7d3d4220cb3217ce0c13d8b3a2f790ffc12a1d8ce91f2\"\n\n $s1 = \"exp.exe \" fullword ascii\n $s2 = \"[!] Attempting to elevate pid %i\" fullword ascii\n $s3 = \"[-] Failed to get address of NT functions: %0x\" fullword ascii\n $s4 = \"[-] IORING setup failed: %0x\" fullword ascii\n $s5 = \"[+] IoRing Obj Address at %llx\" fullword ascii\n $s6 = \"[-] IoRing->RegBuffers overwrite failed: %0x\" fullword ascii\n $s7 = \"[+] IoRing->RegBuffers overwritten with address 0x1000000\" fullword ascii\n $s8 = \"[-] IoRing->RegBuffersCount overwrite failed: %0x\" fullword ascii\n $s9 = \"[+] IoRing->RegBuffersCount overwritten with 0x1\" fullword ascii\n $s10 = \"[-] LPE Failed: %0x\" fullword ascii\n $s11 = \"[+] Target process token elevated to SYSTEM!\" fullword ascii\n $s12 = \"[+] System EPROC address: %llx\" fullword ascii\n $s13 = \"[+} Target process EPROC address: %llx\" fullword ascii\n $s14 = \"[+] System token is at: %llx\" fullword ascii\n\n condition:\n 5 of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "cve_2023_21768" ], "rule_creation_date": "2023-09-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2023-21768" ], "rule_tactic_tags": [ 
"attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve_2024_21338_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584307Z", "creation_date": "2026-03-23T11:46:25.584309Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584315Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" ], "name": "cve_2024_21338.yar", "content": "rule cve_2024_21338 {\n meta:\n title = \"CVE-2024-21338 LPE Exploit\"\n id = \"f6da85b4-fa5c-4d8b-81f2-0cbfdebe569b\"\n description = \"Detects payloads exploiting the CVE-2024-21338 Local Privilege Escalation vulnerability.\\nThis exploit enables attackers with administrative privileges to gain kernel-level access by manipulating the AppLocker driver through an ioctl call.\"\n references = \"https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/\"\n date = \"2024-04-17\"\n modified = \"2025-03-17\"\n 
author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2024-21338\"\n classification = \"Windows.Exploit.CVE-2024-21338\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0517f8e37149d0a17a9d8f9071ade7831b6a310a3bb80f0e4e1ec792486f3d60\n\n $generic_1 = \"\\\\Device\\\\AppID\" wide fullword\n // Function call to NtDeviceIoControlFile with the vulnerable\n // 0x22A018 ioctl\n $generic_2 = { 18 A0 22 00 }\n // Windows build number after which exploitation structure are\n // different in size.\n $generic_3 = { F0 55 00 00 }\n // Offset of the KTHREAD structure of the PreviousMode\n $generic_4 = { 32 02 00 00 }\n\n // ntoskrnl pattern searched for exploitation\n $generic_5 = {\n 00 00 00 40 // mov [rsp+0A8h+pattern], 40h ; '@'\n [2-4] 00 00 00 53 // mov [rsp+0A8h+pattern+1], 53h ; 'S'\n [2-4] 00 00 00 48 // mov [rsp+0A8h+pattern+2], 48h ; 'H'\n [2-4] 00 00 00 83 // mov [rsp+0A8h+pattern+3], 83h\n [2-4] 00 00 00 EC // mov [rsp+0A8h+pattern+4], 0ECh\n [2-4] 00 00 00 20 // mov [rsp+0A8h+pattern+5], 20h ; ' '\n [2-4] 00 00 00 48 // mov [rsp+0A8h+pattern+6], 48h ; 'H'\n [2-4] 00 00 00 83 // mov [rsp+0A8h+pattern+7], 83h\n [2-4] 00 00 00 79 // mov [rsp+0A8h+pattern+8], 79h ; 'y'\n [2-4] 00 00 00 30 // mov [rsp+0A8h+pattern+9], 30h ; '0'\n [2-4] 00 00 00 00 // mov [rsp+0A8h+pattern+0Ah], 0\n [2-4] 00 00 00 48 // mov [rsp+0A8h+pattern+0Bh], 48h ; 'H'\n [2-4] 00 00 00 8B // mov [rsp+0A8h+pattern+0Ch], 8Bh\n [2-4] 00 00 00 D9 // mov [rsp+0A8h+pattern+0Dh], 0D9h\n [2-4] 00 00 00 74 // mov [rsp+0A8h+pattern+0Eh], 74h ; 't'\n }\n\n // Various strings associated with the open-source POC\n $poc_1 = \"AppLocker (AppId) handle opened: 0x%p\" ascii fullword\n $poc_2 = \"c_impersonate::find_process_token_and_duplicate\" ascii fullword\n $poc_3 = \"c_impersonate::impersonate_as_local_service\" ascii fullword\n $poc_4 = 
\"c_impersonate::impersonate_as_local_service\" ascii fullword\n $poc_5 = \"c_impersonate::impersonate_as_system\" ascii fullword\n $poc_6 = \"c_impersonate::impersonate\" ascii fullword\n $poc_7 = \"c_impersonate::token_check_privilege\" ascii fullword\n $poc_8 = \"c_impersonate::token_compare_sids\" ascii fullword\n $poc_9 = \"c_impersonate::token_get_sid\" ascii fullword\n $poc_10 = \"c_impersonate::token_get_username\" ascii fullword\n $poc_11 = \"c_impersonate::token_is_not_restricted\" ascii fullword\n $poc_12 = \"c_poc::act\" ascii fullword\n $poc_13 = \"c_poc::get_ethread_address\" ascii fullword\n $poc_14 = \"c_poc::get_file_object_address\" ascii fullword\n $poc_15 = \"c_poc::set_ioctl_buffer\" ascii fullword\n $poc_16 = \"Current ETHREAD PreviousMode address -> 0x%p\" ascii fullword\n $poc_17 = \"Current PreviousMode -> %d\" ascii fullword\n $poc_18 = \"ETHREAD address leaked: 0x%p\" ascii fullword\n $poc_19 = \"Failed to duplicate handle, error: %lu\" ascii fullword\n $poc_20 = \"Failed to fetch the ETHREAD/FileObject/KernelBase addresses.\" ascii fullword\n $poc_21 = \"Failed to open dummy file, error: %lu\" ascii fullword\n $poc_22 = \"Feching the ExpProfileDelete (user cfg gadget) address.\" ascii fullword\n $poc_23 = \"File object address -> 0x%p\" ascii fullword\n $poc_24 = \"Found a potential Process candidate: PID=%d - Image='%ws' - User='%ws'\" ascii fullword\n $poc_25 = \"ioctl_buffer -> 0x%p size: %d\" ascii fullword\n $poc_26 = \"kCFG Gadget address -> 0x%p\" ascii fullword\n $poc_27 = \"kCFG User Base address -> 0x%p\" ascii fullword\n $poc_28 = \"Sending IOCTL request to 0x22A018 (AipSmartHashImageFile)\" ascii fullword\n $poc_29 = \"Windows version detected: %lu.%lu, build: %lu.\" ascii fullword\n\n $canary = \"1e0e9f9bebba5157dab7742a339e2e6e74958e8a43709b844cde3470ccaa059b\"\n condition:\n all of ($generic_*) or 3 of ($poc_*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "cve_2024_21338" ], "rule_creation_date": "2024-04-17", 
"rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2024-21338" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2024-30088_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584394Z", "creation_date": "2026-03-23T11:46:25.584396Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584401Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/tykawaii98/CVE-2024-30088\nhttps://archive.is/RuKH4" ], "name": "cve-2024-30088.yar", "content": "rule cve_2024_30088 {\n meta:\n title = \"CVE-2024-30088 LPE Exploitation\"\n id = \"ef0129d6-5121-4a11-b42c-cbff440a2ba9\"\n description = \"Detects payloads exploiting the CVE-2024-30088 vulnerability affecting the Microsoft Windows Kernel.\\nThis vulnerability enables privilege escalation via a race condition, specifically a Time-of-Check Time-of-Use (TOCTOU) flaw.\"\n references = \"https://github.com/tykawaii98/CVE-2024-30088\\nhttps://archive.is/RuKH4\"\n date = 
\"2024-10-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2024-30088\"\n classification = \"Windows.Exploit.CVE-2024-30088\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 163dcf1f9337265eaab9390581256f5322c6f7820aba361272fd51d180dc75a7\n // 1baca5609c5085c10a4adfa8e659dfd019e06fffff3d7a06fc273494939a9d63\n // 2d9c8e69b0090f9ee7219f340eb40c2ad07783ece8010458b2f36e685195ced3\n // 3ccaca6200d98234ab05a63e342ad64dda6561b7a5c07e8d7e6e13f7872cb3c1\n // 71b6f06bb48ad21bd36151bb137a32d2c3d3e0febe9bfca9a8e1f14760d02203\n\n $s1 = \"GetProcAddress() failed.\" ascii fullword\n $s2 = \"NtQuerySystemInformation failed with error code 0x%X\" ascii fullword\n $s3 = \"Error creating new process (%d)\" ascii fullword\n $s4 = \"Enjoy your new SYSTEM process\" ascii fullword\n $s5 = \"hToken: %x, kTokenAddr: %p\" ascii fullword\n $s6 = \"Found target offset value: 0x%x\" ascii fullword\n $s7 = \"Got Winlogon handle: 0x%x\" ascii fullword\n\n $pdb1 = \"\\\\CVE-2024-30088\\\\x86\\\\Debug\\\\poc.pdb\" ascii\n $pdb2 = \"\\\\CVE-2024-30088\\\\x86\\\\Release\\\\poc.pdb\" ascii\n $pdb3 = \"\\\\CVE-2024-30088\\\\x64\\\\Debug\\\\poc.pdb\" ascii\n $pdb4 = \"\\\\CVE-2024-30088\\\\x64\\\\Release\\\\poc.pdb\" ascii\n $pdb5 = \"\\\\CVE-2024-30088-main\\\\x86\\\\Debug\\\\poc.pdb\" ascii\n $pdb6 = \"\\\\CVE-2024-30088-main\\\\x86\\\\Release\\\\poc.pdb\" ascii\n $pdb7 = \"\\\\CVE-2024-30088-main\\\\x64\\\\Debug\\\\poc.pdb\" ascii\n $pdb8 = \"\\\\CVE-2024-30088-main\\\\x64\\\\Release\\\\poc.pdb\" ascii\n\n $x1_x64 = {\n 48 8B ?? ?? ?? 00 00 // mov rax, cs:qword_140005668\n 48 8B ?? ?? ?? 00 00 // mov rcx, cs:qword_140005670\n 48 83 C1 3C // add rcx, 3Ch ; '<'\n 66 C7 40 02 02 00 // mov word ptr [rax+2], 2\n 48 89 48 08 // mov [rax+8], rcx\n C3 // retn\n }\n $x1_x32 = {\n 8B 15 ?? ?? ?? 00 // mov edx, dword_4043C0\n A1 ?? ?? ?? 
00 // mov eax, dword_4043B8\n 83 C2 3C // add edx, 3Ch ; '<'\n 8B 0D ?? ?? ?? 00 // mov ecx, dword_4043C4\n 83 D1 00 // adc ecx, 0\n 89 48 0C // mov [eax+0Ch], ecx\n B9 02 00 00 00 // mov ecx, 2\n 89 50 08 // mov [eax+8], edx\n 66 89 48 02 // mov [eax+2], cx\n C3 // retn\n }\n\n $x2_x64 = {\n 4C 8B ?? ?? ?? 00 00 // mov r8, cs:qword_140005680\n 41 B9 00 10 00 00 // mov r9d, 1000h\n 48 8B ?? ?? ?? 00 00 // mov rcx, cs:hObject\n BA 16 00 00 00 // mov edx, 16h\n 4C 89 7C 24 20 // mov qword ptr [rsp+350h+dwCreationFlags], r15\n FF ?? ?? ?? 00 00 // call cs:qword_140005690\n 48 83 EB 01 // sub rbx, 1\n 75 D6 // jnz short loc_1400012F3\n }\n $x2_x32 = {\n 68 ?? ?? ?? 00 // push offset unk_4043D4\n 68 00 10 00 00 // push 1000h\n FF 35 ?? ?? ?? 00 // push dword_4043C8\n 6A 16 // push 16h\n FF 35 ?? ?? ?? 00 // push ArgList\n FF 15 ?? ?? ?? 00 // call dword_4043D0\n 83 C4 14 // add esp, 14h\n 83 EE 01 // sub esi, 1\n 75 DA // jnz short loc_401330\n }\n\n $x3 = {\n // loc_140011E73:\n 8B 45 24 // mov eax, [rbp+110h+var_EC]\n FF C0 // inc eax\n 89 45 24 // mov [rbp+110h+var_EC], eax\n\n // loc_140011E7B:\n 81 7D 24 00 00 01 00 // cmp [rbp+110h+var_EC], 10000h\n 7D 21 // jge short loc_140011EA5\n B8 02 00 00 00 // mov eax, 2\n 48 8B ?? ?? ?? 00 00 // mov rcx, cs:qword_14001E190\n 66 89 41 02 // mov [rcx+2], ax\n 48 8B ?? ?? ?? 
00 00 // mov rax, cs:qword_14001E190\n 48 8B 4D 08 // mov rcx, [rbp+110h+var_108]\n 48 89 48 08 // mov [rax+8], rcx\n EB CE // jmp short loc_140011E73\n }\n\n condition:\n 4 of ($s*) or\n 1 of ($pdb*) or\n (1 of ($x1_*) and 1 of ($x2_*)) or\n $x3\n}\n", "rule_count": 1, "rule_names": [ "cve_2024_30088" ], "rule_creation_date": "2024-10-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2024-30088" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2024-35250_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584366Z", "creation_date": "2026-03-23T11:46:25.584368Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584373Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/varwara/CVE-2024-35250\nhttps://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/" ], "name": "cve-2024-35250.yar", "content": "rule cve_2024_35250 {\n meta:\n title = 
\"CVE-2024-35250 LPE Exploitation\"\n id = \"58120802-7f6a-4d9f-a7c3-01e17334fc2b\"\n description = \"Detects payloads exploiting the CVE-2024-35250 LPE vulnerability.\\nThis vulnerability exploits an untrusted pointer dereference in the ks.sys driver, enabling local privilege escalation to System.\"\n references = \"https://github.com/varwara/CVE-2024-35250\\nhttps://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/\"\n date = \"2024-10-17\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2024-35250\"\n classification = \"Windows.Exploit.CVE-2024-35250\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 44d35e6d14b860a90422e6fa3767aa78acbb559b7ab8adb8b9410fe24bd1092f\n // 3aae2560d0ec2027b98fc48b879c46a73477125de2b21ace931bc92e254f6ed4\n // 247aa6b2a76e7c2316dd339595e924c7bd06a45faea5072352e096db09a2ab09\n // 308af6a404d8a91387ddab482a38fdf266e5f903d0e7ff4cac59ebc137ec288c\n\n $s1 = \"[-] AllocateBitmap failed with error: %d\" ascii fullword\n $s2 = \"[-] leak_gadget_address failed\" ascii fullword\n $s3 = \"[-] KsOpenDefaultDevice at index %d failed with error = %x\" ascii fullword\n $s4 = \"[!] 
Leveraging DKOM to achieve LPE\" ascii fullword\n\n $wdm1 = \"RtlSetAllBits\" ascii fullword\n $wdm2 = \"RtlClearAllBits\" ascii fullword\n\n $x1 = { 03 00 2F 00 } // dwIoControlCode\n $x2 = { 3F 6E BB FF FE CC 84 4D 90 D9 42 14 18 B0 3A 8E } // KSCATEGORY_DRM_DESCRAMBLE\n $x3 = { DD 8D 2C 2F 98 41 AC 4F BA 29 61 BB 05 B7 DE 06 } // KSPROPSETID_DrmAudioStream\n\n condition:\n 3 of ($s*) or\n (\n uint16(0) == 0x5A4D and\n filesize < 1MB and\n 1 of ($wdm*) and\n all of ($x*)\n )\n}\n", "rule_count": 1, "rule_names": [ "cve_2024_35250" ], "rule_creation_date": "2024-10-17", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2024-35250" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-cve-2024-38193_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569860Z", "creation_date": "2026-03-23T11:46:25.569862Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569868Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://nvd.nist.gov/vuln/detail/cve-2024-38193\nhttps://blog.exodusintel.com/2024/12/02/windows-sockets-from-registered-i-o-to-system-privileges/\nhttps://github.com/killvxk/CVE-2024-38193-Nephster/blob/main/Poc/poc.cpp" ], "name": "cve-2024-38193.yar", "content": "rule cve_2024_38193 {\n meta:\n title = \"CVE-2024-38193 LPE Exploitation\"\n id = \"497e923c-9b65-4452-8d76-115fa6809120\"\n description = \"Detects payloads exploiting the CVE-2024-38193 vulnerability that affects the default AFD.sys driver, responsible for kernel-mode support for the Windows socket (Winsock) interface used in network communication.\\nThis vulnerability can be exploited by attackers to elevate privileges to SYSTEM-level, potentially leading to full system compromise.\\nIt is recommended to check the system event logs for signs of unauthorized process creation or unusual activity related to the AFD.sys driver and apply the official Microsoft patch as soon as possible.\"\n references = \"https://nvd.nist.gov/vuln/detail/cve-2024-38193\\nhttps://blog.exodusintel.com/2024/12/02/windows-sockets-from-registered-i-o-to-system-privileges/\\nhttps://github.com/killvxk/CVE-2024-38193-Nephster/blob/main/Poc/poc.cpp\"\n date = \"2024-12-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2024-38193\"\n classification = \"Windows.Exploit.CVE-2024-38193\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 51bf18ff4cd01571843d82c0dde8e30e6583cc5ca597afa2680d3e272955737b\n\n $s1 = \"[ERORR] code: %x Couldnt PEEK data from the PIPE\" ascii fullword\n $s2 = \"[ERROR] Unable to write value 2 to IM CBB.\" ascii fullword\n $s3 = \"[*] Address of Active process link in _EPROCESS: %llx\" ascii fullword\n $s4 = \"[*] System TOKEN: %llx\" ascii fullword\n\n $afd_create1 = \"\\\\Device\\\\Afd\\\\Endpoint\" wide fullword\n $afd_create2 = {\n 41 
66 64 4F // mov [rbp+10h+var_58], 4F646641h\n [2-4] 70 65 6E 50 // mov [rbp+10h+var_54], 506E6570h\n [2-4] 61 63 6B 65 // mov [rbp+10h+var_50], 656B6361h\n [2-4] 74 58 58 00 // mov [rbp+10h+var_4C], 585874h\n [2-4] 00 10 01 10 // mov [rbp+10h+var_48], 10011000h\n [2-4] 02 00 00 00 // mov [rbp+10h+var_40], 2\n [2-4] 01 00 00 00 // mov [rbp+10h+var_3C], 1\n [2-4] 06 00 00 00 // mov [rbp+10h+var_38], 6\n [2-4] 16 00 00 00 // mov [rbp+10h+var_34], 16h\n [2-4] 5C 00 44 00 // mov [rbp+10h+var_30], 44005Ch\n [2-4] 65 00 76 00 // mov [rbp+10h+var_2C], 760065h\n [2-4] 69 00 63 00 // mov [rbp+10h+var_28], 630069h\n [2-4] 65 00 5C 00 // mov [rbp+10h+var_24], 5C0065h\n [2-4] 54 00 63 00 // mov [rbp+10h+var_20], 630054h\n [2-4] 70 00 00 00 // mov [rbp+10h+var_1C], 70h\n }\n\n condition:\n 3 of ($s*) or all of ($afd_create*)\n}\n", "rule_count": 1, "rule_names": [ "cve_2024_38193" ], "rule_creation_date": "2024-12-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.CVE-2024-38193" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-darkcloud_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582381Z", "creation_date": 
"2026-03-23T11:46:25.582385Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582394Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/\nhttps://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/" ], "name": "darkcloud_stealer.yar", "content": "rule darkcloud_stealer {\n meta:\n title = \"DarkCloud Stealer\"\n id = \"0339c602-2d21-4180-bf7c-807114fa0f37\"\n description = \"Detects DarkCloud, a Windows-based information stealer, that was first identified in 2022, known for stealing passwords, banking details, and other sensitive data.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/\\nhttps://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/\"\n date = \"2025-08-25\"\n modified = \"2025-10-15\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555;attack.exfiltration;attack.t1048\"\n classification = \"Windows.Stealer.DarkCloud\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ff83cbdb1e2d13c2b5b85bdbc2d87cfdfe96a115d97e4341024c7758747e80f1\n // 5946bbf5dc0be29cccdd0e66b13d17cf776fc785c9b8d67b06cbb56c85bd5577\n // 08f355fcbedbabe2e6c40ce27486149731495c7064732fe85faa0ad810f07856\n // 38ff89e2b1d143d1710917e87c0a53c4886ff2295aefad2646c3791882ef8669\n\n $darkcloud1 = \"===============DARKCLOUD===============\" wide fullword\n $darkcloud2 = \"===============DCS V\" wide\n\n $a1 = \"DC-Creds\" wide fullword\n $a2 = \"\\\\keyDBPath.sqlite\" wide 
fullword\n $a3 = \"\\\\recentservers.xml\" wide fullword\n $a4 = \"Application : FileZilla\" wide fullword\n $a5 = \"KoreanLocalCard\" wide fullword\n $a6 = \"^(6541|6556)[0-9]{12}$\" wide fullword\n $a7 = \"SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards\" wide fullword\n $a8 = \"SELECT item1 FROM metadata WHERE id = 'password';\" wide fullword\n\n $b1 = \"\\\\eM Client\\\\accounts.dat\" wide fullword\n $b2 = \"SELECT key, value FROM AccountsJson\" wide fullword\n $b3 = \"MailClient.Accounts.CredentialsModelTypes\" wide fullword\n $b4 = \"\\\\chrome_decrypt.zip\" wide fullword\n $b5 = \"\\\\conversations.dat\" wide fullword\n $b6 = \"@TITLE Removing\" wide fullword\n $b7 = \"\\\\163MailContacts1.db\" wide fullword\n $b8 = \"@StrFtpPass\" wide fullword\n\n condition:\n 1 of ($darkcloud*) and (5 of ($a*) or 5 of ($b*))\n}\n", "rule_count": 1, "rule_names": [ "darkcloud_stealer" ], "rule_creation_date": "2025-08-25", "rule_modified_date": "2025-10-15", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.DarkCloud" ], "rule_tactic_tags": [ "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1048", "attack.t1555" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-darkgate_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.582652Z", "creation_date": "2026-03-23T11:46:25.582653Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582659Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "name": "darkgate.yar", "content": "rule darkgate {\n meta:\n title = \"DarkGate Loader\"\n id = \"f6c31039-96c8-456a-9a75-0ace84d2b64f\"\n description = \"Detects DarkGate, a loader with features that include the ability to download and execute files in memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate uses legitimate AutoIt files to execute AutoIt scripts for decoding and executing its final loader. This malware is commonly distributed through phishing campaigns.\\nIt is recommended to dump the affected process and investigate for any suspicious AutoIt scripts or network activities indicative of C2 communication.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate\"\n date = \"2023-10-12\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555;attack.t1539;attack.defense_evasion;attack.t1140;attack.t1027;attack.collection;attack.t1005;attack.t1119;attack.command_and_control;attack.t1071.001;attack.t1132\"\n classification = \"Windows.Loader.DarkGate\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 301158ffb44a9824deeec16bdc7dabdc328b9f3ecde0df048741218285d8bcc8\n\n $s1 = \"____padoru____\" ascii fullword\n $s2 = \"/c xcopy /E /I /Y \\\"%s\\\" \\\"%s\\\" && exit\" ascii fullword\n $s3 = \" --mute-audio --disable-audio --no-sandbox 
--new-window --disable-3d-apis --disable-gpu --disable-d3d11 --window-size=\"\n $s4 = \"ventanas.txt\" ascii fullword\n $s5 = \":9000 -u 0xDark\" ascii fullword\n $s6 = \"/c c:\\\\temp\\\\PsExec.exe -accepteula -i -d -s\" ascii fullword\n $s7 = \"http://darkgate.com\" ascii fullword\n\n $decode_string = {\n 8B 45 ?? // mov eax, [rbp+var_8]\n E8 ?? ?? ?? ?? // call sub_49EC\n 8B 55 ?? // mov edx, [rbp+var_10]\n 8A 4D ?? // mov cl, [rbp+var_14]\n 80 E1 3F // and cl, 3Fh\n C1 E1 02 // shl ecx, 2\n 8A 5D ?? // mov bl, [rbp+var_13]\n 80 E3 30 // and bl, 30h\n 81 E3 FF 00 00 00 // and ebx, 0FFh\n C1 EB 04 // shr ebx, 4\n 02 CB // add cl, bl\n 88 4C 10 FF // mov [rax+rdx-1], cl\n FF 45 ?? // inc [rbp+var_10]\n 80 7D ?? 40 // cmp [rbp+var_12], 40h\n 74 55 // jz short loc_33449\n 8B 45 ?? // mov eax, [rbp+var_8]\n E8 ?? ?? ?? ?? // call sub_49EC\n 8B 55 ?? // mov edx, [rbp+var_10]\n 8A 4D ?? // mov cl, [rbp+var_13]\n 80 E1 0F // and cl, 0Fh\n C1 E1 04 // shl ecx, 4\n 8A 5D ?? // mov bl, [rbp+var_12]\n 80 E3 3C // and bl, 3Ch\n 81 E3 FF 00 00 00 // and ebx, 0FFh\n C1 EB 02 // shr ebx, 2\n 02 CB // add cl, bl\n 88 4C 10 FF // mov [rax+rdx-1], cl\n FF 45 ?? // inc [rbp+var_10]\n 80 7D ?? 40 // cmp [rbp+var_11], 40h\n 74 23 // jz short loc_33449\n 8B 45 ?? // mov eax, [rbp+var_8]\n E8 ?? ?? ?? ?? // call sub_49EC\n 8B 55 ?? // mov edx, [rbp+var_10]\n 8A 4D ?? // mov cl, [rbp+var_12]\n 80 E1 03 // and cl, 3\n C1 E1 06 // shl ecx, 6\n 8A 5D ?? // mov bl, [rbp+var_11]\n 80 E3 3F // and bl, 3Fh\n 02 CB // add cl, bl\n 88 4C 10 FF // mov [rax+rdx-1], cl\n FF 45 ?? // inc [rbp+var_10]\n }\n\n $memory = {\n 53 // push ebx\n 56 // push esi\n 57 // push edi\n 83 C4 E4 // add esp, 0FFFFFFE4h\n 8B F9 // mov edi, ecx\n 8B F2 // mov esi, edx\n 8B D8 // mov ebx, eax\n 33 C0 // xor eax, eax\n 89 04 24 // mov [esp+28h+var_28], eax\n 68 ?? ?? ?? ?? // push 441A7CCh\n A1 ?? ?? ?? ?? // mov eax, ds:4451660h\n 8B 00 // mov eax, [eax]\n 50 // push eax\n A1 ?? ?? ?? ?? 
// mov eax, ds:44515BCh\n 8B 00 // mov eax, [eax]\n FF D0 // call eax\n\n 89 44 24 10 // mov [esp+28h+var_18], eax\n 68 ?? ?? ?? ?? // push 441A7E0h\n A1 ?? ?? ?? ?? // mov eax, ds:4451660h\n 8B 00 // mov eax, [eax]\n 50 // push eax\n A1 ?? ?? ?? ?? // mov eax, ds:44515BCh\n 8B 00 // mov eax, [eax]\n FF D0 // call eax\n\n 89 44 24 0C // mov [esp+28h+var_1C], eax\n 68 ?? ?? ?? ?? // push 441A7F0h\n A1 ?? ?? ?? ?? // mov eax, ds:4451660h\n 8B 00 // mov eax, [eax]\n 50 // push eax\n A1 ?? ?? ?? ?? // mov eax, ds:44515BCh\n 8B 00 // mov eax, [eax]\n FF D0 // call eax\n\n 89 44 24 08 // mov [esp+28h+var_20], eax\n 8B D7 // mov edx, edi\n 8B C3 // mov eax, ebx\n E8 ?? ?? FF FF // call sub_3A000\n 89 44 24 18 // mov [esp+28h+var_10], eax\n 8B D6 // mov edx, esi\n 8B C3 // mov eax, ebx\n E8 ?? ?? FF FF // call sub_3A000\n 89 44 24 14 // mov [esp+28h+var_14], eax\n 6A 14 // push 14h\n 6A 00 // push 0\n 8D 4C 24 10 // lea ecx, [esp+30h+var_20]\n BA ?? ?? ?? ?? // mov edx, 441A6E0h\n 8B C3 // mov eax, ebx\n }\n\n condition:\n 5 of ($s*) or\n (1 of ($s*) and $decode_string) or\n $memory\n}\n", "rule_count": 1, "rule_names": [ "darkgate" ], "rule_creation_date": "2023-10-12", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.DarkGate" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1027", "attack.t1555", "attack.t1119", "attack.t1539", "attack.t1132", "attack.t1005" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-darkloadlibrary_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": 
"strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585500Z", "creation_date": "2026-03-23T11:46:25.585502Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585508Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/DarkLoadLibrary" ], "name": "darkloadlibrary.yar", "content": "rule darkloadlibrary {\n meta:\n title = \"DarkLoadLibrary Technique\"\n id = \"811bf6d2-1d59-4077-9e85-b901b95fc232\"\n description = \"Detects the DarkLoadLibrary evasion technique.\\nDarkLoadLibrary is a redeveloped LoadLibrary function designed to avoid triggering the LoadImage kernel callback.\\nThis technique is used to bypass detection mechanisms of security products by modifying how libraries are loaded in memory.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/bats3c/DarkLoadLibrary\"\n date = \"2024-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1055.001\"\n classification = \"Windows.Generic.DarkLoadLibrary\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 1986c6503eb77c68817f7ca38b6f1540dd1095bfa595f5d2c98d970eecec0848\n\n $stub_hashSW2_darkloadlibrary= {\n 4? b? 99 11 19 63 // mov r10d, 63191199h\n 4? 8B ?? 
// mov rax, rdx\n [0-12] // nop dword ptr [rax+rax+00h]\n 0F B7 ?? // movzx eax, word ptr [rax]\n 4? 8B ?? // mov ecx, r10d\n (C1|C0) ?? 08 // ror ecx, 8\n 4? ff ?? // inc r11d\n 03 ?? // add ecx, eax\n 4? 8B ?? // mov eax, r11d\n 4? 03 ?? // add rax, rdx\n 4? 33 ?? // xor r10d, ecx\n 80 ?? 00 // cmp byte ptr [rax], 0\n [30-40] // place holder\n ?? 8? ?? F4 01 00 00 // cmp r8d, 1F4h\n }\n\n $stub_mapview_00 = {\n 4? 8b ?? 10 // mov rax, qword [rbx+0x10]\n 4? 8b ?? 30 // mov rcx, qword [rbx+0x30]\n 4? 8b ?? // mov edx, r8d\n 4? ff ?? // inc r8d\n 0f b? ?? ?? // movzx eax, byte [rdx+rax]\n [2-4] // mov byte [rdx+rcx], al\n 4? 3b ?? 54 // cmp r8d, dword [rdi+0x54]\n }\n\n $stub_mapview_01 = {\n 4? 8b ?? 04 // mov r8d, dword [r10+0x4]\n 4? 8b ?? fc // mov edx, dword [r10-0x4]\n 4? 8b ?? 10 // mov rax, qword [rbx+0x10]\n 4? 8b ?? // mov ecx, r9d\n 4? ff ?? // inc r9d\n 4? (01|02|03|04|05) ?? // add r8, rcx\n 4? (01|02|03|04|05) ?? // add rdx, rcx\n 4? 8b ?? 30 // mov rcx, qword [rbx+0x30]\n 4? 0f b? ?? ?? // movzx eax, byte [r8+rax]\n [2-4] // mov byte [rdx+rcx], al\n 4? 3b ?? // cmp r9d, dword [r10]\n }\n\n $stub_mapview_02 = {\n 4? 8b ?? 30 // mov rcx, qword [rbx+0x30]\n 4? 8d ?? b0 00 00 00 // lea rax, [rdi+0xb0]\n 4? 8b ?? // mov r10, rcx\n 4? 2b ?? 30 // sub r10, qword [rdi+0x30]\n }\n\n $stub_mapview_03 = {\n 6? (c1|c0) ?? 0c // shr dx, 0xc\n 6? 83 ?? 0a // cmp dx, 0xa\n [2-4] // jne 0x140001f4a\n 4? 8b ?? // mov eax, dword [r8]\n ?? ?? ff 0f 00 00 // and ecx, 0xfff\n 4? (01|02|03|04|05) ?? // add rcx, rax\n 4? 8b ?? 30 // mov rax, qword [rbx+0x30]\n 4? (01|02|03|04|05) ?? ?? // add qword [rcx+rax], r10\n [2-4] // jmp 0x140001f9a\n 6? 83 ?? 03 // cmp dx, 0x3\n [2-4] // jne 0x140001f60\n 4? 8b ?? // mov edx, dword [r8]\n ?? ff 0f 00 00 // and eax, 0xfff\n 4? (01|02|03|04|05) ?? // add rdx, rax\n 4? 8b ?? // mov eax, r10d\n [2-4] // jmp 0x140001f92\n 6? 83 ?? 01 // cmp dx, 0x1\n [2-4] // jne 0x140001f7d\n 4? 8b ?? // mov edx, dword [r8]\n ?? 
ff 0f 00 00 // and eax, 0xfff\n 4? (01|02|03|04|05) ?? // add rdx, rax\n 4? 8b ?? // mov rax, r10\n 4? (c1|c0) ?? 10 // shr rax, 0x10\n 0f b? ?? // movzx eax, ax\n [2-4] // jmp 0x140001f92\n 6? 83 ?? 02 // cmp dx, 0x2\n [2-4] // jne 0x140001f9a\n 4? 8b ?? // mov edx, dword [r8]\n ?? ff 0f 00 00 // and eax, 0xfff\n }\n\n condition:\n 1 of ($stub_hashSW2*)\n or 3 of ($stub_mapview*)\n}\n", "rule_count": 1, "rule_names": [ "darkloadlibrary" ], "rule_creation_date": "2024-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.DarkLoadLibrary" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-darkside_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571057Z", "creation_date": "2026-03-23T11:46:25.571059Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571065Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/ph4nt0mbyt3/Darkside/\nhttps://www.loldrivers.io/drivers/e0e93453-1007-4799-ad02-9b461b7e0398/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "darkside.yar", "content": "rule darkside {\n meta:\n title = \"Darkside HackTool\"\n id = \"5c89c206-6f3f-4b01-88ea-4dcd7948a57e\"\n description = \"Detects the Darkside hacktool, a tool that leverages the TrueSight.sys vulnerable driver to kill protected processes.\\nDarkside loads the TrueSight.sys driver and utilizes its functionality to terminate specified processes. The tool is designed to bypass process protection mechanisms by leveraging this driver-based approach.\\nIt is recommended to investigate for any unusual activity related to the TrueSight.sys driver, particularly focusing on attempts to bypass security solutions.\"\n references = \"https://github.com/ph4nt0mbyt3/Darkside/\\nhttps://www.loldrivers.io/drivers/e0e93453-1007-4799-ad02-9b461b7e0398/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.Darkside\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b07ce632ceb1e6f4759de13b538668a8a2afd13f20e17e9f5c15123b4c4823b9\n\n $device = \"\\\\\\\\.\\\\TrueSight\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"GetProcessById\" wide ascii\n $winapi_04 = \"GetProcessesByName\" wide ascii\n $ioctl_kill = { (44 E0 22|22 E0 44) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "darkside" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Darkside" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ 
"attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-darkwidow_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570729Z", "creation_date": "2026-03-23T11:46:25.570731Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570737Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/reveng007/DarkWidow\nhttps://attack.mitre.org/techniques/T1055/004/\nhttps://attack.mitre.org/techniques/T1134/004/\nhttps://attack.mitre.org/techniques/T1106/\nhttps://attack.mitre.org/techniques/T1562/002/" ], "name": "darkwidow.yar", "content": "rule darkwidow {\n meta:\n title = \"DarkWidow HackTool\"\n id = \"bbb699ba-6e45-43dc-ac89-6ad0e2f7b730\"\n description = \"Detects DarkWidow, a post-exploitation tool specialized in defense evasion.\\nDarkWidow is a malicious tool designed to evade detection and persistence in a compromised system. It injects its payload into remote processes and employs various evasion techniques such as indirect system calls and process parent ID spoofing. 
Additionally, it can disable specific event logs to cover its tracks and avoid being detected by monitoring tools.\\nIt is recommended to investigate for any additional malicious activity or related processes.\"\n references = \"https://github.com/reveng007/DarkWidow\\nhttps://attack.mitre.org/techniques/T1055/004/\\nhttps://attack.mitre.org/techniques/T1134/004/\\nhttps://attack.mitre.org/techniques/T1106/\\nhttps://attack.mitre.org/techniques/T1562/002/\"\n date = \"2024-03-05\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.004;attack.t1134.004;attack.t1562.002\"\n os = \"Windows\"\n classification = \"Windows.HackTool.DarkWidow\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 11b28209ca98f3a653c6ef4c23885165457affd52a7c28b6500a75c72a15d159\n\n $s_apihash00 = { FC FC 06 BE 7B CD D1 4F } // djb2(ntdll.dll)\n $s_apihash01 = { 41 07 6F 48 BA C2 A3 68 } // djb2(NtWriteVirtualMemory)\n $s_apihash02 = { 67 02 1A 92 9F ED 73 70 } // djb2(NtQueueApcThread)\n $s_apihash03 = { E7 F6 91 52 1F CA 8C 71 } // djb2(NtOpenProcess)\n $s_apihash04 = { 34 77 34 77 34 77 34 77 } // hellsgate like constant for djb2\n $s_apihash05 = { 37 6A FB 46 10 CB 8B 85 } // djb2(NtProtectVirtualMemory)\n $s_apihash06 = { 9B B8 A6 80 34 37 BD F5 } // djb2(NtAllocateVirtualMemory)\n\n $s_stub_getdll = {\n 65 48 8B 04 25 30 [0-3] // mov rax, gs:30h\n 48 8B ?? 30 // mov rcx, [rax+30h]\n 4C 8B ?? 
60 // mov r12, [rcx+60h]\n }\n\n condition:\n 4 of ($s_apihash*) and $s_stub_getdll\n}\n", "rule_count": 1, "rule_names": [ "darkwidow" ], "rule_creation_date": "2024-03-05", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.DarkWidow" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1134.004", "attack.t1562.002", "attack.t1055.004" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dazzleup_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568069Z", "creation_date": "2026-03-23T11:46:25.568071Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568076Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/hlldz/dazzleUP\nhttps://twitter.com/malmoeb/status/1742209997709185339\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "dazzleup.yar", "content": "rule dazzleup {\n meta:\n title = \"dazzleUP HackTool\"\n id = \"3cc94bcb-751c-44d2-b686-45b81ef4851f\"\n description = \"Detects the dazzleUP HackTool.\\nDazzleUP is a tool designed to identify privilege 
escalation vulnerabilities in Windows systems due to misconfigurations or outdated updates.\\nAttackers can use this tool to gain elevated system permissions during the post exploitation phase.\"\n references = \"https://github.com/hlldz/dazzleUP\\nhttps://twitter.com/malmoeb/status/1742209997709185339\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2024-01-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;attack.t1543.003;attack.t1574\"\n classification = \"Windows.HackTool.dazzleUP\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 66437e19186377c0ce0314a271ed8064a9ac1c58cf781c3b207b8c44cd2f0e7b\n // bbe104f402a6c02e5cf38f18245c5f0fa50a48a098f7ff136a0189ef28eaca97\n // bdd8493bc9a1be6b5018c949bd3fc60831b83e0c97ff31933a0e9516a25947a2\n\n $s1 = \"Author : Halil Dalabasmaz\" ascii\n $s2 = \"- AccessCheck FAILED! -\" fullword ascii\n $s3 = \"[!] NOTE: Current user is in a local group that grants administrative privileges! Use UAC Bypass attacks to elevate privileges to admin.\" fullword ascii\n $s4 = \"[*] Token Privileges:\" fullword ascii\n $s5 = \"[*] Checking for privileges escalation exploits...\" fullword ascii\n $s6 = \"[!] Cannot checking updates beacuse Windows Update Agent API not working properly...\" fullword ascii\n $s7 = \"[!] 
Vulnerable for CVE-2019-0836 Windows Elevation of Privilege Vulnerability\" ascii\n $s8 = \"Always Install Elevated User:\t Vulnerable\" ascii\n $s9 = \"\\\\Panther\\\\Unattend\\\\Unattended.xml\" fullword ascii\n $s10 = \"---========== EXPLOIT CHECKS ==========---\" ascii\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "dazzleup" ], "rule_creation_date": "2024-01-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.dazzleUP" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1543.003", "attack.t1068", "attack.t1574" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-defender_control_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571164Z", "creation_date": "2026-03-23T11:46:25.571166Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571172Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a\nhttps://www.sordum.org/9480/defender-control-v2-1/" ], "name": "defender_control.yar", "content": "import 
\"pe\"\nimport \"math\"\n\nrule defender_control {\n meta:\n title = \"DefenderControl Tool\"\n id = \"408fcdd0-ce25-40c7-86d1-a11b62546885\"\n description = \"Detects DefenderControl, a free tool developed by Sordum Software.\\nThis tool is designed to disable Windows Defender and has been linked with the Snatch Ransomware group, which uses it to bypass defender mechanisms.\\nIt is recommended to check for the presence of associated malicious files or actions.\"\n references = \"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a\\nhttps://www.sordum.org/9480/defender-control-v2-1/\"\n date = \"2023-08-28\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Tool.DefenderControl\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae\n // 92e16530dea1a805fa6604ec4e4319114aea3024b8cb4c08acf562d59c0ff0c0\n\n $s = \"Windows Defender Control\" wide ascii\n\n condition:\n (\n math.entropy(pe.overlay.offset, pe.overlay.size) > 7.9\n and $s in (pe.overlay.offset..(pe.overlay.offset + pe.overlay.size))\n )\n or pe.version_info[\"FileDescription\"] == \"Windows Defender Control\"\n}\n", "rule_count": 1, "rule_names": [ "defender_control" ], "rule_creation_date": "2023-08-28", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.DefenderControl" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_elfx64_obfs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586205Z", "creation_date": "2026-03-23T11:46:25.586207Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586213Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_elfx64_obfs.yar", "content": "rule deimos_obfs_6250b5c666ed {\n meta:\n title = \"Obfuscated DeimosC2 Beacon (6250b5c666ed)\"\n id = \"d2519ecd-9ab2-4047-a1f7-6250b5c666ed\"\n description = \"Detects the DeimosC2 Linux C2 beacon, a post-exploitation tool used for command and control.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool that establishes persistence on compromised systems and communicates with its command server using various protocols. It is capable of executing system commands, gathering information, and maintaining persistence on the infected machine.\\nIt is recommended to review system logs for any signs of unauthorized access and isolate the affected machine from the network. 
Additionally, consider scanning the system for other potential malicious files or processes that may have been executed alongside this beacon.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Linux.Framework.Deimos\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 1ff0484c33bfad219d791fa68d609b98d66a178e6c85c18c800c229793da9332\n\n $shell_prep_obfuscated = {\n 48 83 EC 50 // sub rsp, 50h\n 48 89 6C 24 ?? // mov [rsp+50h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+50h+var_8]\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 0F8DD37AA87FF684Ah\n 48 89 44 24 ?? // mov [rsp+50h+var_18], rax\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 96B468C1E49A0029h\n 48 89 44 24 ?? // mov [rsp+50h+var_20], rax\n 48 ?? 44 24 ?? 00 00 00 00 // mov [rsp+50h+var_10], 0\n 31 C0 // xor eax, eax\n }\n\n $logger_prep_obfuscated = {\n 48 83 EC 20 // sub rsp, 20h\n 48 89 6C 24 ?? // mov [rsp+20h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+20h+var_8]\n F2 0F 10 ?? 24 ?? // movsd xmm0, [rsp+20h+arg_8]\n F2 0F 10 ?? 24 ?? // movsd xmm1, [rsp+20h+arg_0]\n F2 0F 59 C1 // mulsd xmm0, xmm1\n 0F 10 D1 // movups xmm2, xmm1\n F2 0F 5C C8 // subsd xmm1, xmm0\n F2 0F 58 C2 // addsd xmm0, xmm2\n F2 0F ?? ?? ?? ?? ?? ?? // movsd xmm2, cs:qword_89F2C0\n 66 0F 2E D1 // ucomisd xmm2, xmm1\n }\n\n $gobfuscated = {\n 48 83 EC 48 // sub rsp, 48h\n 48 89 6C 24 ?? // mov [rsp+48h+var_C+4], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+48h+var_C+4]\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_10], 0FB6D3082h\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_14], 8F045EEBh\n C7 44 24 ?? 
00 00 00 00 // mov dword ptr [rsp+48h+var_C], 0\n 31 C0 // xor eax, eax\n }\n\n condition:\n uint16(0) == 0x457f and (\n ($shell_prep_obfuscated)\n or ($gobfuscated)\n or ($logger_prep_obfuscated)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_obfs_6250b5c666ed" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_elfx64_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563914Z", "creation_date": "2026-03-23T11:46:25.563916Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563922Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_elfx64.yar", "content": "rule deimos_ef9e5f57c358 {\n meta:\n title = \"DeimosC2 Beacon (ef9e5f57c358)\"\n id = \"dc49e645-12f7-4264-a698-ef9e5f57c358\"\n description = \"Detects the 
DeimosC2 Linux C2 beacon, a post-exploitation tool used for command and control.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool that establishes persistence on compromised systems and communicates with its command server using various protocols. It is capable of executing system commands, gathering information, and maintaining persistence on the infected machine.\\nIt is recommended to review system logs for any signs of unauthorized access and isolate the affected machine from the network. Additionally, consider scanning the system for other potential malicious files or processes that may have been executed alongside this beacon.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Linux.Framework.Deimos\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d\n\n $general_1 = \"github.com/DeimosC2/DeimosC2/agents/resources/fingerprint/fingerprint_linux.go\" fullword ascii\n $general_2 = \"github.com/DeimosC2/DeimosC2/agents/resources/agentfunctions.KillNetList\" fullword ascii\n $general_3 = \"github.com/DeimosC2/DeimosC2/lib/privileges/isadmin_linux.go\" fullword ascii\n $general_4 = \"github.com/DeimosC2/DeimosC2/agents/resources/selfdestruction/kill_linux.go\" fullword ascii\n\n $shell_1 = \"/bin/bash\" ascii\n $shell_2 = \"/bin/sh\" ascii\n\n $stat_shell_1 = {\n 48 89 74 24 ?? // mov [rsp+2B8h+var_240], rsi\n 48 89 ?? 24 ?? ?? ?? ?? // mov [rsp+2B8h+var_1E0], rbx\n 48 8D ?? ?? ?? ?? ?? // lea rax, aBinBash ; \"/bin/bash\"\n 48 89 ?? 24 // mov [rsp+2B8h+var_2B8.ptr], rax ; __int64\n 48 C7 44 24 ?? 09 ?? ?? ?? // mov [rsp+2B8h+var_2B8.len], 9 ; __int64\n E8 ?? ?? ?? ?? 
// call os_Stat\n 48 8B 44 24 ?? // mov rax, [rsp+2B8h+var_290]\n 48 8B 4C 24 ?? // mov rcx, [rsp+2B8h+var_298]\n 48 85 C9 // test rcx, rcx\n }\n\n $stat_shell_2 = {\n 48 C1 E1 04 // shl rcx, 4\n 48 C7 44 ?? ?? 07 00 00 00 // mov qword ptr [rax+rcx+8], 7\n 48 8D 3C 08 // lea rdi, [rax+rcx]\n 83 3D ?? ?? ?? 00 00 // cmp cs:dword_B59FC0, 0\n 0F ?? ?? ?? ?? ?? // jnz loc_74CB8B\n 48 8D ?? ?? ?? ?? 00 // lea rsi, aBinSh1953125 ; \"/bin/sh1953125\"\n 48 89 34 08 // mov [rax+rcx], rsi\n }\n\n $fingerprinting = {\n 48 89 5C 24 ?? // mov [rsp+2B8h+var_268], rbx\n 48 89 54 24 ?? // mov [rsp+2B8h+var_270], rdx\n 48 89 84 24 ?? ?? ?? ?? // mov [rsp+2B8h+var_1B8], rax\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_lib_privileges_AdminOrElevated\n 0F ?? ?? 24 // movzx eax, byte ptr [rsp+2B8h+var_2B8.ptr]\n 88 44 24 ?? // mov [rsp+2B8h+var_271], al\n 0F ?? 4C 24 01 // movzx ecx, byte ptr [rsp+2B8h+var_2B8.ptr+1]\n 88 4C 24 ?? // mov [rsp+2B8h+var_272], cl\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_fingerprint_FingerPrint\n }\n\n $agent_shellfunc = {\n 48 83 FE 01 // cmp rsi, 1\n 0F ?? ?? ?? ?? ?? // jl loc_74D4A2\n 4C 8D 4E FF // lea r9, [rsi-1]\n 48 89 F2 // mov rdx, rsi\n 4C 29 CE // sub rsi, r9\n 49 89 F2 // mov r10, rsi\n 48 F7 DE // neg rsi\n 48 C1 FE 3F // sar rsi, 3Fh\n 4C 21 CE // and rsi, r9\n 4C 01 C6 // add rsi, r8\n 49 83 FA 01 // cmp r10, 1\n 0F ?? ?? ?? ?? ?? // jz loc_74D45F\n 31 C0 // xor eax, eax\n }\n\n $shell_execute = {\n 48 8B ?? 24 ?? 00 00 00 // mov rax, [rsp+80h+arg_0]\n 48 89 ?? 24 // mov [rsp+80h+var_80], rax ; __int64\n 48 8B ?? 24 ?? 00 00 00 // mov rax, [rsp+80h+arg_8]\n 48 89 ?? 24 ?? // mov [rsp+80h+var_78], rax ; __int64\n 48 8B ?? 24 ?? 00 00 00 // mov rax, [rsp+80h+arg_10]\n 48 89 ?? 24 ?? // mov [rsp+80h+var_70], rax ; __int64\n 48 8B ?? ?? ?? ?? ?? // mov rax, cs:qword_B2DB58\n 48 8B ?? ?? ?? ?? ?? // mov rcx, cs:qword_B2DB50\n 48 89 4C 24 ?? // mov [rsp+80h+var_68], rcx ; __int64\n 48 89 44 24 ?? 
// mov [rsp+80h+var_60], rax ; __int64\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_shellexec_ShellExecute\n }\n\n condition:\n uint16(0) == 0x457f and (\n 1 of ($general_*)\n or (all of ($shell_*) and all of ($stat_shell_*) and $fingerprinting)\n or ($agent_shellfunc and $shell_execute)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_ef9e5f57c358" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_elfx86_obfs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572117Z", "creation_date": "2026-03-23T11:46:25.572126Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572132Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_elfx86_obfs.yar", "content": "rule deimos_obfs_9ff8a57a5e2e {\n 
meta:\n title = \"Obfuscated DeimosC2 Beacon (9ff8a57a5e2e)\"\n id = \"9a4ab57f-8fab-4103-9721-9ff8a57a5e2e\"\n description = \"Detects the Obfuscated DeimosC2 Linux C2 beacon, a post-exploitation tool used for command and control.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool that establishes persistence on compromised systems and communicates with its command server using various protocols. It is capable of executing system commands, gathering information, and maintaining persistence on the infected machine.\\nIt is recommended to review system logs for any signs of unauthorized access and isolate the affected machine from the network. Additionally, consider scanning the system for other potential malicious files or processes that may have been executed alongside this beacon.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Linux.Framework.Deimos\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // da76dc5c608f5f75a8bbb86e13eee6bb575a2305ca53036e8cebe0e3755a3982\n // 046bc639e73a8f33fc580d20392b28fe261d08453b23d20f45d5ced7ae6b37d9\n\n $connect_and_log = {\n FF D1 // call ecx\n 8B 44 24 ?? // mov eax, [esp+70h+var_68.ptr]\n 8B 4C 24 ?? // mov ecx, [esp+70h+var_70.len]\n 89 ?? 24 // mov [esp+70h+var_70.ptr], ecx\n 89 44 24 ?? // mov [esp+70h+var_70.len], eax\n E8 ?? ?? ?? ?? // call FirstTime_I_think_?\n C6 44 24 ?? 00 // mov [esp+70h+var_41], 0\n E8 ?? ?? ?? ?? // call logging_TheRecovery\n 83 C4 70 // add esp, 70\n }\n\n $log_recovery_1 = {\n 65 8B 0D 00 00 00 00 // mov ecx, large gs:0\n 8B 89 FC FF FF FF // mov ecx, [ecx-4]\n 3B 61 08 // cmp esp, [ecx+8]\n 76 ?? // jbe short loc_830C361\n 83 EC 18 // sub esp, 18h\n 8D ?? 24 ?? 
// lea eax, [esp+18h+arg_0]\n 89 ?? 24 // mov [esp+18h+var_18], eax ; int\n }\n\n $log_recovery_2 = {\n E8 ?? ?? ?? ?? // call runtime_gorecover\n 8B 44 24 ?? // mov eax, [esp+18h+var_14.ptr]\n 8B 4C 24 ?? // mov ecx, [esp+18h+var_14.len]\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_830C321\n 83 C4 18 // add esp, 18h\n C3 // retn\n }\n\n $gobfuscated = {\n 65 8B 0D 00 00 00 00 // mov ecx, large gs:0\n 8B 89 FC FF FF FF // mov ecx, [ecx-4]\n 3B 61 08 // cmp esp, [ecx+8]\n 76 ?? // jbe short loc_831A55E\n 83 EC 24 // sub esp, 24h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+24h+var_8], 0D6229B51h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+24h+var_C], 0A24BF538h\n C7 44 24 ?? 00 00 00 00 // mov [esp+24h+var_4], 0\n 31 C0 // xor eax, eax\n }\n\n condition:\n uint16(0) == 0x457f and (\n (\n all of ($log_recovery_*)\n and\n (($connect_and_log) or ($gobfuscated))\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_obfs_9ff8a57a5e2e" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_macho_obfs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578005Z", "creation_date": "2026-03-23T11:46:25.578007Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578013Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_macho_obfs.yar", "content": "rule deimos_obfs_cf029d5eb60a {\n meta:\n title = \"Obfuscated DeimosC2 Beacon (cf029d5eb60a)\"\n id = \"08dc11f0-c771-4d95-a298-cf029d5eb60a\"\n description = \"Detects the obfuscated DeimosC2 Mach-O beacon. DeimosC2 is a post-exploitation Command & Control (C2) tool that leverages multiple communication methods to establish persistence and control over compromised machines.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-15\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"MacOS.Framework.Deimos\"\n context = \"process,memory,file.macho\"\n os = \"MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fc98fd6e4cdc7170b77b5d68703d00015e92761bdb978624ad6293133c7604e1\n\n $shell_prep_obfuscated = {\n 48 3B 61 10 // cmp rsp, [rcx+10h]\n 0F ?? ?? ?? ?? ?? // jbe loc_1374ECC\n 48 83 EC 50 // sub rsp, 50h\n 48 89 6C 24 ?? // mov [rsp+50h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+50h+var_8]\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 0F66EB24E9889CE31h\n 48 89 44 24 38 // mov [rsp+50h+var_18], rax\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 9807ED25FBECA652h\n 48 89 44 24 ?? // mov [rsp+50h+var_20], rax\n 48 C7 44 24 ?? 00 00 00 00 // mov [rsp+50h+var_10], 0\n 31 C0 // xor eax, eax\n }\n\n $logger_prep_obfuscated = {\n 48 83 EC 20 // sub rsp, 20h\n 48 89 6C 24 ?? 
// mov [rsp+20h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+20h+var_8]\n F2 0F 10 ?? 24 ?? // movsd xmm0, [rsp+20h+arg_8]\n F2 0F 10 ?? 24 ?? // movsd xmm1, [rsp+20h+arg_0]\n F2 0F 59 C1 // mulsd xmm0, xmm1\n 0F 10 D1 // movups xmm2, xmm1\n F2 0F 5C C8 // subsd xmm1, xmm0\n F2 0F 58 C2 // addsd xmm0, xmm2\n F2 0F ?? ?? ?? ?? ?? ?? // movsd xmm2, cs:qword_89F2C0\n 66 0F 2E D1 // ucomisd xmm2, xmm1\n }\n\n $gobfuscated = {\n 48 83 EC 48 // sub rsp, 48h\n 48 89 6C 24 ?? // mov [rsp+48h+var_C+4], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+48h+var_C+4]\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_10], 0FB6D3082h\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_14], 8F045EEBh\n C7 44 24 ?? 00 00 00 00 // mov dword ptr [rsp+48h+var_C], 0\n 31 C0 // xor eax, eax\n }\n\n condition:\n uint16(0) == 0xfacf and (\n $shell_prep_obfuscated or\n $logger_prep_obfuscated or\n $gobfuscated\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_obfs_cf029d5eb60a" ], "rule_creation_date": "2022-11-15", "rule_modified_date": "2025-03-12", "rule_os": [ "macos" ], "rule_classifications": [ "MacOS.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "memory", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_winx64_obfs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580751Z", "creation_date": "2026-03-23T11:46:25.580754Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580760Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_winx64_obfs.yar", "content": "rule deimos_obfs_a40ed9afec0f {\n meta:\n title = \"Obfuscated DeimosC2 Beacon (a40ed9afec0f)\"\n id = \"7998cabe-54da-477f-b358-a40ed9afec0f\"\n description = \"Detects obfuscated DeimosC2 x64 beacons.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool designed to facilitate lateral movement and persistence within a compromised environment.\\nIt uses a variety of communication methods to maintain control over infected machines. This rule specifically targets obfuscated versions of the beacon, which are often used to evade detection.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Windows.Framework.Deimos\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 4f069ec1dc6e88a2b4e1c50a8dda6a7935f91424724499b41ff1c3a9f87b143c\n // 7bec7b246c7ba157f16dde3cee2225c1066bac706aa3113031df351a75c22239\n\n $shell_prep_obfuscated = {\n 48 83 EC 50 // sub rsp, 50h\n 48 89 6C 24 ?? // mov [rsp+50h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+50h+var_8]\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 0F8DD37AA87FF684Ah\n 48 89 44 24 ?? // mov [rsp+50h+var_18], rax\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 96B468C1E49A0029h\n 48 89 44 24 ?? // mov [rsp+50h+var_20], rax\n 48 ?? 44 24 ?? 00 00 00 00 // mov [rsp+50h+var_10], 0\n 31 C0 // xor eax, eax\n }\n\n $logger_prep_obfuscated = {\n 48 83 EC 20 // sub rsp, 20h\n 48 89 6C 24 ?? // mov [rsp+20h+var_8], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+20h+var_8]\n F2 0F 10 ?? 24 ?? // movsd xmm0, [rsp+20h+arg_8]\n F2 0F 10 ?? 24 ?? // movsd xmm1, [rsp+20h+arg_0]\n F2 0F 59 C1 // mulsd xmm0, xmm1\n 0F 10 D1 // movups xmm2, xmm1\n F2 0F 5C C8 // subsd xmm1, xmm0\n F2 0F 58 C2 // addsd xmm0, xmm2\n F2 0F ?? ?? ?? ?? ?? ?? // movsd xmm2, cs:qword_89F2C0\n 66 0F 2E D1 // ucomisd xmm2, xmm1\n }\n\n $gobfuscated = {\n 48 83 EC 48 // sub rsp, 48h\n 48 89 6C 24 ?? // mov [rsp+48h+var_C+4], rbp\n 48 8D 6C 24 ?? // lea rbp, [rsp+48h+var_C+4]\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_10], 0FB6D3082h\n C7 44 24 ?? ?? ?? ?? ?? // mov [rsp+48h+var_14], 8F045EEBh\n C7 44 24 ?? 
00 00 00 00 // mov dword ptr [rsp+48h+var_C], 0\n 31 C0 // xor eax, eax\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n ($shell_prep_obfuscated)\n or ($gobfuscated)\n or ($logger_prep_obfuscated)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_obfs_a40ed9afec0f" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_winx64_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580717Z", "creation_date": "2026-03-23T11:46:25.580720Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580726Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_winx64.yar", "content": "rule deimos_d29a069ac007 {\n meta:\n title = \"DeimosC2 Beacon (d29a069ac007)\"\n id = \"10a14f92-998c-4959-84b8-d29a069ac007\"\n 
description = \"Detects a Windows DeimosC2 beacon.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool designed to maintain persistence and control over compromised systems. It employs various communication methods to establish command and control channels.\\nThis rule detects the presence of DeimosC2 beacon activity, including its initialization routines and communication attempts.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Windows.Framework.Deimos\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 325f216d2297ca37dcbd050e3a9c34229e47f5dce30f7f6442d4b20ff7940f5b\n\n $general_1 = \"github.com/DeimosC2/DeimosC2/agents/resources/fingerprint.init\" fullword ascii\n $general_2 = \"github.com/DeimosC2/DeimosC2/agents/resources/agentfunctions.KillNetList\" fullword ascii\n $general_3 = \"github.com/DeimosC2/DeimosC2/agents/resources/shellexec/exec_windows.go\" fullword ascii\n $general_4 = \"github.com/DeimosC2/DeimosC2/agents/resources/fingerprint\" fullword ascii\n\n $path_powershell = \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\" ascii\n $path_cmd = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" ascii\n\n $first_connection_1 = {\n 48 89 74 24 ?? // mov [rsp+2B8h+var_240], rsi\n 48 89 ?? 24 ?? ?? ?? ?? // mov [rsp+2B8h+var_1E0], rdx\n 48 8D ?? ?? ?? ?? ?? 
// lea rax, aCWindowsSystem_0 ; \"C:\\\\Windows\\\\System32\\\\WindowsPowerShel\"...\n 48 89 ?? 24 // mov [rsp+2B8h+var_2B8.ptr], rax ; __int64\n 48 C7 ?? 24 ?? 39 ?? ?? ?? // mov [rsp+2B8h+var_2B8.len], 39h ; '9' ; __int64\n E8 ?? ?? ?? ?? // call os_Stat\n }\n\n $first_connection_2 = {\n 48 8B 44 24 ?? // mov rax, [rsp+2B8h+var_290]\n 48 8B 4C 24 ?? // mov rcx, [rsp+2B8h+var_298]\n 48 85 C9 // test rcx, rcx\n 0F 85 ?? ?? ?? ?? // jnz loc_??????\n 48 8B 4C 24 ?? // mov rcx, [rsp+2B8h+var_270]\n 48 8D ?? 01 // lea rdx, [rcx+1]\n 48 8B ?? ?? ?? // mov rbx, [rsp+2B8h+var_268]\n 48 39 DA // cmp rdx, rbx\n }\n\n $fingerprinting = {\n 48 89 ?? 24 ?? // mov [rsp+2B8h+var_268], rbx\n 48 89 ?? 24 ?? // mov [rsp+2B8h+var_270], rdx\n 48 89 ?? 24 ?? ?? ?? ?? // mov [rsp+2B8h+var_1B8], rax\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_lib_privileges_AdminOrElevated\n 0F B6 ?? ?? // movzx eax, byte ptr [rsp+2B8h+var_2B8.ptr]\n 88 44 24 ?? // mov [rsp+2B8h+var_271], al\n 0F B6 ?? ?? 01 // movzx ecx, byte ptr [rsp+2B8h+var_2B8.ptr+1]\n 88 4C 24 ?? // mov [rsp+2B8h+var_272], cl\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_fingerprint_FingerPrint\n }\n\n $error_handling = {\n FF D1 // call rcx\n 48 8B ?? 24 ?? // mov rax, [rsp+2B8h+var_2B8.cap]\n 48 8B ?? 24 ?? // mov rcx, [rsp+2B8h+var_2B8.len]\n 48 89 ?? 24 // mov [rsp+2B8h+var_2B8.ptr], rcx\n 48 89 ?? 24 ?? // mov [rsp+2B8h+var_2B8.len], rax\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_agentfunctions_ErrHandling\n 31 C0 // xor eax, eax\n 31 C9 // xor ecx, ecx\n 31 D2 // xor edx, edx\n }\n\n $shell_execute = {\n 48 8B ?? ?? ?? ?? ?? // mov rax, cs:qword_B2C318\n 48 8B ?? ?? ?? ?? ?? // mov rcx, cs:qword_B2C310\n 48 89 4C ?? ?? // mov [rsp+0D0h+var_B8], rcx ; __int64\n 48 89 44 ?? ?? // mov [rsp+0D0h+var_B0], rax ; __int64\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_shellexec_ShellExecute\n 48 8B 44 24 ?? 
// mov rax, [rsp+0D0h+var_A8]\n 48 8B 4C 24 ?? // mov rcx, [rsp+0D0h+var_A0]\n 48 8B 54 24 ?? // mov rdx, [rsp+0D0h+var_98]\n 0F B6 ?? 24 ?? ?? ?? 00 // movzx ebx, [rsp+0D0h+arg_18]\n 84 DB // test bl, bl\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n 1 of ($general_*)\n or (all of ($path_*) and all of ($first_connection_*) and ($fingerprinting))\n or ($shell_execute)\n or ($error_handling)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_d29a069ac007" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_winx86_obfs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567098Z", "creation_date": "2026-03-23T11:46:25.567100Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567105Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_winx86_obfs.yar", "content": "rule deimos_obfs_bc9492f3e266 {\n meta:\n title = \"Obfuscated DeimosC2 Beacon (bc9492f3e266)\"\n id = \"0053970a-b560-4e32-9f89-bc9492f3e266\"\n description = \"Detects the obfuscated DeimosC2 Windows x86 beacon.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool used to control compromised machines.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Windows.Framework.Deimos\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 439b072b6da250440d70d0e959959973af6077c46bf6ffedd0b38343291eb40e\n\n $shell_prep_obfuscated = {\n 83 EC 30 // sub esp, 30h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+30h+var_10], 144AB026h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+30h+var_C], 0FA883AE1h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+30h+var_18], 772FD845h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+30h+var_14], 94E1658Ah\n C7 44 24 ?? 00 00 00 00 // mov [esp+30h+var_8], 0\n C7 44 24 ?? 00 00 00 00 // mov [esp+30h+var_4], 0\n 31 C0 // xor eax, eax\n }\n\n $logger_prep_obfuscated = {\n 83 EC 0C // sub esp, 0Ch\n F2 0F 10 44 24 ?? // movsd xmm0, [esp+0Ch+arg_8]\n F2 0F 10 4C 24 ?? // movsd xmm1, [esp+0Ch+arg_0]\n F2 0F 59 C1 // mulsd xmm0, xmm1\n F2 0F 10 D1 // movsd xmm2, xmm1\n F2 0F 5C C8 // subsd xmm1, xmm0\n F2 0F 58 C2 // addsd xmm0, xmm2\n F2 0F ?? ?? ?? ?? ?? ?? 
// movsd xmm2, ds:qword_7EB308\n 66 0F 2E D1 // ucomisd xmm2, xmm1\n }\n\n $gobfuscated = {\n 83 EC 24 // sub esp, 24h\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+24h+var_8], 51061EDDh\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+24h+var_C], 256F70B4h\n C7 44 24 ?? ?? ?? ?? 00 // mov [esp+24h+var_4], 0\n 31 C0 // xor eax, eax\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n ($shell_prep_obfuscated)\n or ($gobfuscated)\n or ($logger_prep_obfuscated)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_obfs_bc9492f3e266" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-deimos_beacon_winx86_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569767Z", "creation_date": "2026-03-23T11:46:25.569769Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569774Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://github.com/DeimosC2/DeimosC2" ], "name": "deimos_beacon_winx86.yar", "content": "rule deimos_winx86 {\n meta:\n title = \"DeimosC2 x86 Beacon\"\n id = \"4b9f3080-79ce-4687-8c45-785e85dad4a7\"\n description = \"Detects a Windows DeimosC2 x86 beacon.\\nDeimosC2 is a post-exploitation Command & Control (C2) tool designed to maintain persistence and execute malicious commands on compromised Windows systems.\\nIt employs various communication methods to establish command and control channels, enabling attackers to remotely control infected machines.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/DeimosC2/DeimosC2\"\n date = \"2022-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573;attack.t1068\"\n classification = \"Windows.Framework.Deimos\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a325c7729d39e5530b2c0804cd28b4dfb1d7560736ae5cbc7631fa5949cf7940\n\n $general_1 = \"github.com/DeimosC2/DeimosC2/agents/resources/fingerprint.init\" fullword ascii\n $general_2 = \"github.com/DeimosC2/DeimosC2/agents/resources/agentfunctions.KillNetList\" fullword ascii\n $general_3 = \"github.com/DeimosC2/DeimosC2/agents/resources/shellexec/exec_windows.go\" fullword ascii\n $general_4 = \"github.com/DeimosC2/DeimosC2/agents/resources/fingerprint\" fullword ascii\n\n $path_powershell = \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\" ascii\n $path_cmd = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" ascii\n\n $first_connection_1 = {\n 8D ?? ?? ?? ?? ?? 
// lea eax, aCWindowsSystem_0 ; \"C:\\\\Windows\\\\System32\\\\WindowsPowerShel\"...\n 89 ?? 24 // mov [esp+154h+var_154.ptr], eax ; int\n C7 44 24 ?? 39 00 00 00 // mov [esp+154h+var_154.len], 39h ; '9' ; int\n E8 ?? ?? ?? ?? // call os_Stat\n 8B 44 24 ?? // mov eax, [esp+154h+var_140]\n 8B ?? 24 ?? // mov ecx, [esp+154h+var_144]\n 85 C9 // test ecx, ecx\n }\n\n $first_connection_2 = {\n 8D ?? ?? ?? ?? ?? // lea ebx, aCWindowsSystem ; \"C:\\\\Windows\\\\System32\\\\cmd.exe\"\n 89 ?? 24 // mov [esp+154h+var_154.ptr], ebx ; int\n C7 44 24 ?? 1B 00 00 00 // mov [esp+154h+var_154.len], 1Bh ; int\n E8 ?? ?? ?? ?? // call os_Stat\n 8B 44 24 ?? // mov eax, [esp+154h+var_140]\n 8B ?? 24 ?? // mov ecx, [esp+154h+var_144]\n 85 C9 // test ecx, ecx\n }\n\n $fingerprinting = {\n 89 84 24 ?? ?? ?? ?? // mov [esp+154h+var_D4], eax\n 89 54 24 ?? // mov [esp+154h+var_130], edx\n 89 5C 24 ?? // mov [esp+154h+var_12C], ebx\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_lib_privileges_AdminOrElevated\n 0F B6 ?? ?? // movzx eax, byte ptr [esp+154h+var_154.ptr]\n 88 ?? 24 ?? // mov [esp+154h+var_131], al\n 0F B6 ?? ?? ?? // movzx ecx, byte ptr [esp+154h+var_154.ptr+1]\n 88 ?? ?? ?? // mov [esp+154h+var_132], cl\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_fingerprint_FingerPrint\n }\n\n $error_handling = {\n FF D1 // call ecx\n 8B 44 24 ?? // mov eax, [esp+154h+var_154.len]\n 8B ?? 24 ?? // mov ecx, [esp+154h+var_154.cap]\n 89 ?? 24 // mov [esp+154h+var_154.ptr], eax\n 89 ?? 24 ?? // mov [esp+154h+var_154.len], ecx\n E8 ?? ?? ?? ?? // call github_com_DeimosC2_DeimosC2_agents_resources_agentfunctions_ErrHandling\n 31 C0 // xor eax, eax\n 31 C9 // xor ecx, ecx\n 31 D2 // xor edx, edx\n }\n\n $shell_execute = {\n 8B 05 ?? ?? ?? ?? // mov eax, dword_??????\n 8B 0D ?? ?? ?? ?? // mov ecx, dword_??????\n 89 44 24 ?? // mov [esp+64h+var_58], eax ; int\n 89 4C 24 ?? // mov [esp+64h+var_54], ecx ; int\n E8 ?? ?? ?? ?? 
// call github_com_DeimosC2_DeimosC2_agents_resources_shellexec_ShellExecute\n 8B 44 24 ?? // mov eax, [esp+64h+var_50]\n 8B 4C 24 ?? // mov ecx, [esp+64h+var_4C]\n 8B 54 24 ?? // mov edx, [esp+64h+var_48]\n 0F ?? ?? 24 ?? // movzx ebx, [esp+64h+arg_C]\n 84 DB // test bl, bl\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n 1 of ($general_*)\n or (all of ($path_*) and all of ($first_connection_*) and ($fingerprinting))\n or ($error_handling)\n or ($shell_execute)\n )\n}\n", "rule_count": 1, "rule_names": [ "deimos_winx86" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Deimos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1573", "attack.t1027", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dinodas_common_tk_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586987Z", "creation_date": "2026-03-23T11:46:25.586989Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586995Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://securelist.com/dinodasrat-linux-implant/112284/\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/" ], "name": "dinodas_common_tk.yar", "content": "rule dinodas_common_tk {\n meta:\n title = \"Dinodas RAT (b2f1620b403e)\"\n id = \"0991a16c-c8da-4499-9ff4-b2f1620b403e\"\n description = \"Detects the Dinodas RAT.\\nDinodas is a C++ Remote Access Trojan (RAT) active since at least 2022, associated with China-linked attack campaigns.\\nIt is capable of operating on both Windows and Linux systems.\\nThis malware establishes persistence, collects system information, and communicates with its command-and-control servers using encrypted channels.\"\n references = \"https://securelist.com/dinodasrat-linux-implant/112284/\\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/\"\n date = \"2024-03-29\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1140;attack.t1070.004;attack.t1564.001;attack.discovery;attack.t1057;attack.collection;attack.t1113;attack.command_and_control;attack.t1573.001;attack.t1095;attack.exfiltration;attack.t1041\"\n classification = \"Trojan.Dinodas\"\n context = \"file,process,thread,file.pe,file.elf\"\n os = \"Windows,Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e0f109836a025d4531ea895cebecc9bdefb84a0cc747861986c4bc231e1d4213\n // 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45\n // bf830191215e0c8db207ea320d8e795990cf6b3e6698932e6e0c9c0588fc9eff\n // d17fe5bc3042baf219e81cbbf991749dfcd8b6d73cf6506a8228e19910da3578\n\n $kc1 = { A1 A1 18 AA 10 F0 FA 16 06 71 B3 08 AA AF 31 A1 } // C2 TEA Key\n $kc2 = { A1 01 A8 EA C0 10 FB 12 06 71 F3 18 AC A0 61 AF } // C2 TEA Key\n $kn1 = { A0 21 A1 FA 18 E0 C1 30 1F 9F C0 A1 A0 A6 6F B1 } // Name TEA Key\n $kp1 = { 11 0A A8 E1 C0 F0 FB 10 06 71 F3 18 AC 
A0 6A AF } // Filepath TEA Key\n $d1 = /\\w{2,10}_%s_%s_%u_V[\\-\\d\\.]{1,18}/ ascii // Dinodas target identifier format string\n $d2 = \"%s\\t%s\\t%s\\t%llu\\t%u\" ascii fullword // Command listing result format string\n $d3 = \"%u%s\\t%llu\\t%llu\\t%u\\n\" ascii // Command listing result format string\n\n condition:\n ((uint16be(0) == 0x4D5A) or (uint32be(0) == 0x7F454C46))\n and filesize > 20KB and filesize < 800KB\n and (any of ($d*))\n and (any of ($k*))\n}\n", "rule_count": 1, "rule_names": [ "dinodas_common_tk" ], "rule_creation_date": "2024-03-29", "rule_modified_date": "2025-03-04", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Trojan.Dinodas" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1140", "attack.t1070.004", "attack.t1095", "attack.t1113", "attack.t1041", "attack.t1106", "attack.t1057", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "file.elf", "file", "file.pe", "process", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dinodas_linstr_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577148Z", "creation_date": "2026-03-23T11:46:25.577151Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577160Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/dinodasrat-linux-implant/112284/\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/" ], "name": "dinodas_linstr.yar", "content": "rule dinodas_linstr {\n meta:\n title = \"Dinodas RAT (b6adecae383e)\"\n id = \"0bdf22bf-f2a7-422a-aec5-b6adecae383e\"\n description = \"Detects the Dinodas RAT.\\nDinodas is a C++ Remote Access Trojan (RAT) active since at least 2022, associated with China-linked attack campaigns.\\nIt is capable of operating on both Windows and Linux systems.\\nThis malware establishes persistence, collects system information, and communicates with its command-and-control servers using encrypted channels.\"\n references = \"https://securelist.com/dinodasrat-linux-implant/112284/\\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/\"\n date = \"2024-03-29\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1140;attack.t1070.004;attack.t1564.001;attack.discovery;attack.t1057;attack.collection;attack.t1113;attack.command_and_control;attack.t1573.001;attack.t1095;attack.exfiltration;attack.t1041\"\n classification = \"Linux.Trojan.Dinodas\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 15412d1a6b7f79fad45bcd32cf82f9d651d9ccca082f98a0cca3ad5335284e45\n // bf830191215e0c8db207ea320d8e795990cf6b3e6698932e6e0c9c0588fc9eff\n // ebdf3d3e0867b29e66d8b7570be4e6619c64fae7e1fbd052be387f736c980c8e\n\n $a1 = \"%s can't be opened/n\" ascii fullword\n $a2 = \"chkconfig --list | grep %s\" ascii fullword\n $a3 = \"cmd over return [%s]\" ascii 
fullword\n $a4 = \"int MyShell::createsh()\" ascii fullword\n $a5 = \"\\x00static int IniFile::write_profile_string\" ascii\n $a6 = \"\\x00static int IniFile::read_profile_string\" ascii\n $a7 = \"/proc/%s/status\" ascii fullword\n $a8 = \"%04u-%02u-%02u %02u:%02u:%02u\" ascii fullword\n $a9 = \"touch -d \\\"\" ascii\n\n condition:\n (uint32be(0) == 0x7F454C46)\n and filesize > 20KB and filesize < 800KB\n and (6 of them)\n}\n", "rule_count": 1, "rule_names": [ "dinodas_linstr" ], "rule_creation_date": "2024-03-29", "rule_modified_date": "2025-03-04", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Trojan.Dinodas" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1140", "attack.t1070.004", "attack.t1095", "attack.t1113", "attack.t1041", "attack.t1106", "attack.t1057", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dinodas_winstr_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573326Z", "creation_date": "2026-03-23T11:46:25.573328Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.573333Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/dinodasrat-linux-implant/112284/\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/" ], "name": "dinodas_winstr.yar", "content": "rule dinodas_winstr {\n meta:\n title = \"Dinodas RAT (5533bad8b8c3)\"\n id = \"3e5a77a7-74a0-4a7e-b75c-5533bad8b8c3\"\n description = \"Detects the Dinodas RAT.\\nDinodas is a C++ Remote Access Trojan (RAT) active since at least 2022, associated with China-linked attack campaigns.\\nIt is capable of operating on both Windows and Linux systems.\\nThis malware establishes persistence, collects system information, and communicates with its command-and-control servers using encrypted channels.\"\n references = \"https://securelist.com/dinodasrat-linux-implant/112284/\\nhttps://www.welivesecurity.com/en/eset-research/operation-jacana-spying-guyana-entity/\"\n date = \"2024-03-29\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1140;attack.t1070.004;attack.t1564.001;attack.discovery;attack.t1057;attack.collection;attack.t1113;attack.command_and_control;attack.t1573.001;attack.t1095;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Trojan.Dinodas\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e0f109836a025d4531ea895cebecc9bdefb84a0cc747861986c4bc231e1d4213\n // d17fe5bc3042baf219e81cbbf991749dfcd8b6d73cf6506a8228e19910da3578\n // 50cdd2397836d33a8dc285ed421d9b7cc69e38ba0421638235206fd466299dab\n\n $a1 = \"stopwork\" ascii fullword\n $a2 = \"ioctlsocket get len=%u\" ascii fullword\n $a3 = \".?AVUploadState@@\" ascii fullword\n $a4 = \"unknow_PC\" ascii fullword\n $a5 = \".?AVTcpControl@@\" ascii fullword\n $a6 = 
\"%s\\t%s\\t%s\\t%llu\\t%u\" ascii fullword\n $a7 = \"QXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFw=\" ascii fullword\n $a8 = \"XFByb2dyYW0gRmlsZXNcQXBwbGljYXRpb24gVG1wXA==\" ascii fullword\n\n condition:\n (uint16be(0) == 0x4D5A)\n and filesize > 20KB and filesize < 800KB\n and (5 of them)\n}\n", "rule_count": 1, "rule_names": [ "dinodas_winstr" ], "rule_creation_date": "2024-03-29", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Dinodas" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1140", "attack.t1070.004", "attack.t1095", "attack.t1113", "attack.t1041", "attack.t1106", "attack.t1057", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dirtycow_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565502Z", "creation_date": "2026-03-23T11:46:25.565504Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565510Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://dirtycow.ninja/\nhttps://github.com/rexpository/Linux-privilege-escalation\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs" ], "name": "dirtycow.yar", "content": "rule dirty_cow {\n meta:\n title = \"CVE-2016-5195 Dirty COW Exploitation\"\n id = \"d2b0ccd7-b0fb-4feb-9d55-5e6bf347ef3a\"\n description = \"Detects attempts to exploit CVE-2016-5195, also known as Dirty COW, a Linux kernel privilege escalation vulnerability.\\nDirty COW is a local privilege escalation flaw in the Linux Kernel. It exploits a race condition in the kernel's copy-on-write (COW) mechanism, allowing attackers to gain write access to read-only memory mappings and escalate privileges.\\nThis vulnerability can be used to gain root access by overwriting setuid binaries or sensitive system files.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://dirtycow.ninja/\\nhttps://github.com/rexpository/Linux-privilege-escalation\\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs\"\n date = \"2026-01-29\"\n modified = \"2026-02-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2016-5195\"\n classification = \"Linux.Exploit.DirtyCow\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 09f0cdd658ce5f9c7c96d7d612a82da816baa2268349407b4a26567be6957fba\n // 3be75a45d1439ff35e487e23fe5c33b0795f138ce0aa3797d3aa827397f0beab\n // 7e11e62fecdb44373c2c995c83e3353ad0e093ef16497180d4851cd8fe89b79a\n // 8ac2696e7558cb97be71d18bb78b2c39be30a51aaf0330eb6a75be48346b3d9b\n // 9f59952ddce4168a553233329e737fb2e1b635a685643f9334c5eb37e06e150a\n // 71b788f9b8b87ca1be6566703fc47875938aaea7834e825ba0b53a0e344552d4\n\n $canary = \"680710eb947e9a2da895bd107a17ed2c6d388398aac58b1dbac159a346673b82\" ascii\n\n $s1 = \"echo '0' > 
/proc/sys/vm/dirty_writeback_centisecs\" ascii\n $s2 = \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\" ascii\n $s3 = \"dirtyc0w target_file new_content\" ascii\n $s4 = \"Racing, this may take a while..\" ascii\n $s5 = \"DirtyCow root privilege\" ascii\n $s6 = \"/home/xlucas/local/crystal-0.19.4-1/src/kernel.cr\" ascii\n $s7 = \"/src/dirtycow.cr\" ascii\n $s8 = \"Usage: dirtycow\" ascii\n $s9 = \"[*] exploiting (%s)\\n\" ascii\n $s10 = \"[*] madvise thread stops, return code sum %d, iterations %d\" ascii\n $s11 = \"[-] this vDSO version isn't supported\" ascii\n $s12 = \"[*] let make some c0ws dirty\" ascii\n $s13 = \"[+] ok we have some dirty things going on\" ascii\n $s14 = \"[*] let's clean up...\" ascii\n $s15 = \"usage: ./mucow dest < payload\" ascii\n $s16 = \"dirtyCowFun\" ascii\n $s17 = \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND\" ascii // dirtyCowFun password\n $s18 = \"[*] waiting for reverse connect shell...\" ascii\n\n $go_poc_1 = \"Go buildinf:\" ascii\n $go_poc_2 = \"dirty-cow-golang/dirtyc0w.go\" ascii\n\n $ptrace_str_1 = \"ptrace(PTRACE_POKETEXT)\" ascii\n $ptrace_str_2 = \"ptrace(PTRACE_PEEKTEXT)\" ascii\n $ptrace_str_3 = \"ptrace(PTRACE_TRACEME)\" ascii\n $ptrace_str_4 = \"prctl(PR_SET_PDEATHSIG)\" ascii\n $ptrace_str_5 = \"ptrace(PTRACE_CONT)\" ascii\n\n $pokemon_poc_1 = \"(___)\" ascii\n $pokemon_poc_2 = \"(o o)_____/\" ascii\n $pokemon_poc_3 = \"madvise %d\" ascii\n $pokemon_poc_4 = \"mmap %lx\" ascii\n\n // https://github.com/rapid7/metasploit-framework/pull/7476/files\n $msf_1 = \"thread stopped\" ascii\n $msf_2 = \"%s overwritten\" ascii\n $msf_3 = \"cp %s /tmp/bak\" ascii\n $msf_4 = \"/usr/bin/passwd\" ascii\n\n // void *madviseThread(void *arg)\n // {\n // char *str;\n // str=(char*)arg;\n // int i,c=0;\n // for(i=0;i<100000000;i++)\n // {\n // c+=madvise(map,100,MADV_DONTNEED);\n // }\n // printf(\"madvise %d\\n\\n\",c);\n // }\n $madvise_thread_1 = {\n 48 [5] 00 // mov 
rax, qword [rel map]\n ?? 04 00 00 00 // mov edx, 0x4\n ?? 64 00 00 00 // mov esi, 0x64\n 48 89 C7 // mov rdi, rax\n E8 [4] // call madvise\n 01 [2] // add dword [rbp-0x4 {var_c}], eax\n 83 // add dword [rbp-0x8 {i}], 0x1\n }\n\n // void *trigger(void *arg)\n // {\n //\n // int i,c=0;\n // for(i=0;i<100000000 && !die ;i++)\n // {\n // c+=madvise(map,offset+SHELL_SIZE,MADV_DONTNEED);\n // if(die) break;\n // }\n // }\n $madvise_thread_2 = {\n 00 00 // mov rax, qword [rel offset]\n 48 83 C0 28 // add rax, 0x28\n 48 89 C1 // mov rcx, rax\n [5] 00 00 // mov rax, qword [rel map]\n ?? 04 00 00 00 // mov edx, 0x4\n 48 89 CE // mov rsi, rcx\n 48 89 C7 // mov rdi, rax\n [12-18] // call madvise\n // add dword [rbp-0x4 {var_c}], eax\n // mov eax, dword [rel die]\n // test eax, eax\n 7? ?? // jne 0x4012a0\n [4] // add dword [rbp-0x8 {i}], 0x1\n [3] FF E0 F5 05 // cmp dword [rbp-0x8 {i}], 0x5f5e0ff\n 7? // jg 0x4012a1\n }\n\n // Golang Syscall module\n $madvise_thread_3 = {\n B8 1C 00 00 00 // mov eax, 0x1c\n B9 64 00 00 00 // mov ecx, 0x64\n BF 04 00 00 00 // mov edi, 0x4\n 0F 1F 00 // nop dword [rax]\n E8 // call syscall.Syscall\n }\n\n // https://github.com/sivizius/dirtycow.fasm\n $dirtycow_fasm = {\n 48 BB 00 00 00 00 02 00 00 00 // mov rbx, 0x200000000\n 48 C7 C2 04 00 00 00 // mov rdx, 0x4\n 48 C7 C6 64 00 00 00 // mov rsi, 0x64\n 4C 89 FF // mov rdi, r15\n 48 C7 C0 1C 00 00 00 // mov rax, 0x1c\n 0F 05 // syscall\n }\n\n condition:\n (2 of ($s*) or all of ($go_poc_*) or all of ($ptrace_str_*) or all of ($pokemon_poc_*) or all of ($msf_*) or 1 of ($madvise_thread_*) or $dirtycow_fasm) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "dirty_cow" ], "rule_creation_date": "2026-01-29", "rule_modified_date": "2026-02-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.DirtyCow" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], 
"source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dirty_pipe_pocs_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564570Z", "creation_date": "2026-03-23T11:46:25.564572Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564579Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://dirtypipe.cm4all.com/\nhttps://github.com/rexpository/Linux-privilege-escalation\nhttps://github.com/logm1lo/CVE-2022-0847_DirtyPipe_Exploits" ], "name": "dirty_pipe_pocs.yar", "content": "rule dirty_pipe_pocs {\n meta:\n title = \"Dirty Pipe (CVE-2022-0847) POCs\"\n id = \"d615a487-d042-4671-a5b9-cbbf4d0efce5\"\n description = \"Detects attempts to exploit the Dirty Pipe (CVE-2022-0847) vulnerability.\\nDirty Pipe is a local privilege escalation flaw in the Linux Kernel. 
It exploits how the kernel manages pages in pipes, allowing attackers to write to read-only files in the page cache and escalate privileges.\\nThis vulnerability can be used to gain root access by manipulating memory-mapped files.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://dirtypipe.cm4all.com/\\nhttps://github.com/rexpository/Linux-privilege-escalation\\nhttps://github.com/logm1lo/CVE-2022-0847_DirtyPipe_Exploits\"\n date = \"2022-10-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2022-0847\"\n classification = \"Linux.Exploit.DirtyPipe\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d4258bc267b3bfa05d88ebf418ddb615fdfb5fdd64fd5704ccd6cb3172ad84d8\n // f5b772288e1718143472864ce3d4ad030be572d9dc2ce0b3367a4a649d07850c\n // 3fe97b37b5027d5bdb45ab444a45a75c49725dc02aa4c7a51383d03750fe9443\n // fe2eaf9257905f7905ef8cadaed832b8cad447502ddf3832361fa4753201c30a\n // 726d07e8ca75c717f27273b72c5db135d878d8ddb9c7cb0e98d040fc7b07fca6\n // 32a8da3e8b513e51e1a45e1d18c80c97a2bb5c562f65f02bbb649e3972473a5b\n // 90bd0027c17350fb33920bf5f5321f6e384ef5e45e0f96346cccbda81d8dc57e\n // fe148e09d57969a4e9d226a9eeea4979b415836313e136979a368ad4228e4a57\n // b915a423471cd975e0ead78783b83382928403aa845062faf972fd8e297e9a20\n // e9e8e91fb28494af0bac973d65bb0a2faed4e4fe20b86ee8e2b9b6655e750710\n // 4c95a54dd86da94a8c3abf66597ac9881e9d0e0944361b3715fd38edbea7e667\n // 0021d6267b978b63eae52a6e1f29123497c0be2b680086c11037d3280e0a453c\n // a90549461e426f9010b8286a7a65c211f4b45ec1f9df10e54e0fb95540f433b9\n\n // These have many different \"critical\" strings.\n // https://github.com/xnderLAN/CVE-2022-0847\n // https://github.com/LudovicPatho/CVE-2022-0847_dirty-pipe\n // https://github.com/phuonguno98/CVE-2022-0847-DirtyPipe-Exploits/blob/main/dirtypipez.c\n 
// https://github.com/phuonguno98/CVE-2022-0847-DirtyPipe-Exploits/blob/main/exploit-2.c\n // https://github.com/logm1lo/CVE-2022-0847_DirtyPipe_Exploits/blob/main/exploit-2.c\n // https://github.com/drapl0n/dirtypipes\n // https://github.com/VinuKalana/DirtyPipe-CVE-2022-0847\n // https://github.com/githublihaha/DirtyPIPE-CVE-2022-0847\n $critical1 = \"[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\" fullword ascii\n $critical2 = \":$6$root$xgJsQ7yaob86QFGQQYOK0UUj.tXqKn0SLwPRqCaLs19pqYr0p1euYYLqIC6Wh2NyiiZ0Y9lXJkClRiZkeB/Q.0:0:\" fullword ascii\n $critical3 = \"[+] hijacking suid binary..\" fullword ascii\n\n // https://github.com/sa-infinity8888/Dirty-Pipe-CVE-2022-0847\n $critical4 = \":$1$root$9gr5KxwuEdiI80GtIzd.U0:0:0:rootuser:/root:/bin/sh\" fullword ascii\n\n // https://github.com/Shotokhan/cve_2022_0847_shellcode\n // https://github.com/tufanturhan/CVE-2022-0847-L-nux-PrivEsc\n // https://github.com/antx-code/CVE-2022-0847/\n $critical5 = \":$1$antx-soc$pIwpJwMMcozsUxAtRa85w.:0:0:test:/root:/bin/sh\" fullword ascii\n $critical6 = \"Done! Popping shell... 
(run commands now)\" fullword ascii\n\n // https://github.com/phuonguno98/CVE-2022-0847-DirtyPipe-Exploits/blob/main/exploit-1.c\n $critical7 = \"Setting root password to \\\"piped\\\"...\" fullword ascii\n\n // https://github.com/phuonguno98/CVE-2022-0847-DirtyPipe-Exploits/blob/main/dirtypipe_exploit.c\n // https://github.com/Nekoox/dirty-pipe\n $smart_exploit_1 = \"Usage: %s TARGETFILE OFFSET DATA\" fullword ascii\n\n // https://github.com/phuonguno98/CVE-2022-0847-DirtyPipe-Exploits/blob/main/exploit-1.c\n // https://github.com/logm1lo/CVE-2022-0847_DirtyPipe_Exploits/blob/main/exploit-1.c\n // https://github.com/Nekoox/dirty-pipe\n $smart_exploit_2 = \"prepare_pipe\" fullword ascii\n\n // https://github.com/tufanturhan/CVE-2022-0847-L-nux-PrivEsc\n // https://github.com/Nekoox/dirty-pipels\n // https://github.com/sa-infinity8888/Dirty-Pipe-CVE-2022-0847\n $smart_exploit_3 = \"Sorry, cannot write across a page boundary\" fullword ascii\n $smart_exploit_4 = \"system() function call seems to have failed :(\" fullword ascii\n\n // https://github.com/CYB3RK1D/CVE-2022-0847-POC/blob/main/dirty-%7C-pipe.c\n $smarter_exploit_1 = \"please enter %s filename payload\" fullword ascii\n $smarter_exploit_2 = \"pipe_prep\" fullword ascii\n $smarter_exploit_3 = \"dirty_pipe\" fullword ascii\n\n // https://github.com/Shotokhan/cve_2022_0847_shellcode\n $binary_poc = \"tiny_cve-2022-0847.c\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and ((any of ($critical*)) or (2 of ($smart_exploit_*)) or (2 of ($smarter_exploit_*)) or ($binary_poc))\n}\n", "rule_count": 1, "rule_names": [ "dirty_pipe_pocs" ], "rule_creation_date": "2022-10-11", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.DirtyPipe" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-dirty_pipe_shellcode_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564601Z", "creation_date": "2026-03-23T11:46:25.564604Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564609Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://dirtypipe.cm4all.com/\nhttps://github.com/Shotokhan/cve_2022_0847_shellcode" ], "name": "dirty_pipe_shellcode.yar", "content": "rule dirty_pipe_shellcode {\n meta:\n title = \"Dirty Pipe Shellcode\"\n id = \"72232214-761a-449c-85a9-03b3c2126c40\"\n description = \"Detects shellcode exploiting Dirty Pipe, a Linux kernel vulnerability (CVE-2022-0847) that enables local privilege escalation.\\nDirty Pipe exploits how the kernel handles memory pages in pipes, allowing attackers to write to read-only files in the page cache.\\nThis can lead to unauthorized access to sensitive files like \\\"/etc/passwd\\\", enabling persistence or escalating privileges.\\nThe shellcode typically creates pipes, manipulates their size, and writes to the page cache to achieve persistence or privilege escalation.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = 
\"https://dirtypipe.cm4all.com/\\nhttps://github.com/Shotokhan/cve_2022_0847_shellcode\"\n date = \"2022-10-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2022-0847\"\n classification = \"Linux.Exploit.DirtyPipe\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n // Detection for this sample:\n // 2a19c25305e2b810307e6b5170d14838e2ecf77ce2ef9ee69049d6ed0232e81b\n\n // This might change if the exploit decides to write to a different file but this is most common.\n $openat_etc_passwd = {\n 68 72 76 65 01 // push 1657672h\n 81 34 24 01 01 01 01 // xor dword ptr [rsp], 1010101h\n 48 B8 2F 65 74 63 2F 70 61 73 // mov rax, 7361702F6374652Fh\n 50 // push rax\n 48 89 E6 // mov rsi, rsp\n 6A 9C // push 0FFFFFFFFFFFFFF9Ch\n 5F // pop rdi\n 31 D2 // xor edx, edx\n 31 C0 // xor eax, eax\n 66 B8 01 01 // mov ax, 101h\n 0F 05 // syscall ; LINUX - sys_openat\n }\n\n /*\n * prog += indent + \"syscall\\n\"\n * # fd of pipes will be 4 and 5\n * prog += shellcraft.fcntl(5, F_GETPIPE_SZ)\n * # mov return value of fcntl to r15; assume r15 % PAGE_SIZE == 0\n * prog += shellcraft.mov(dest=\"r15\", src=\"rax\")\n * # need r14 for backup\n * prog += shellcraft.mov(dest=\"r14\", src=\"r15\")\n * prog += shellcraft.mov('rdi', 5)\n * prog += indent + f\"sub rsp, {PAGE_SIZE}\\n\"\n * # now esp points to \"buffer\" variable\n * prog += shellcraft.mov(dest=\"rsi\", src=\"rsp\")\n */\n $setting_pipes = {\n 48 83 EC 10 // sub rsp, 10h\n 48 89 E7 // mov rdi, rsp\n 6A 16 // push 16h\n 58 // pop rax\n 0F 05 // syscall ; LINUX - sys_pipe\n 6A 05 // push 5\n 5F // pop rdi\n 31 F6 // xor esi, esi\n 66 BE 08 04 // mov si, 408h\n 6A 48 // push 48h ; 'H'\n 58 // pop rax\n 0F 05 // syscall ; LINUX - sys_fcntl\n 49 89 C7 // mov r15, rax\n 4D 89 FE // mov r14, r15\n 6A 05 // push 5\n 5F // pop rdi\n 48 81 EC ?? ?? ?? ?? 
// sub rsp, ???????h\n 48 89 E6 // mov rsi, rsp\n }\n\n // prog += shellcraft.splice(3, 'rsp', 5, NULL, 1, 0)\n $dirty_pipe_1 = {\n 6A ?? // push ??\n 45 31 D2 // xor r10d, r10d\n 6A 01 // push 1\n 41 58 // pop r8\n 45 31 C9 // xor r9d, r9d\n 6A 03 // push 3\n 5F // pop rdi\n 6A 05 // push 5\n 5A // pop rdx\n 48 89 E6 // mov rsi, rsp\n 31 C0 // xor eax, eax\n 66 B8 13 01 // mov ax, 113h\n 0F 05 // syscall ; LINUX - sys_splice\n }\n\n // [SNIP] - Moving root password into the stack\n\n // Writing to page cache\n // prog += shellcraft.write(5, data, data_len)\n // prog += shellcraft.exit_group(0)\n $dirty_pipe_2 = {\n 48 89 E6 // mov rsi, rsp\n 6A 05 // push 5\n 5F // pop rdi\n 6A ?? // push ??\n 5A // pop rdx\n 6A 01 // push 1\n 58 // pop rax\n 0F 05 // syscall ; LINUX - sys_write\n 31 FF // xor edi, edi\n 31 C0 // xor eax, eax\n B0 E7 // mov al, 0E7h\n 0F 05 // syscall ; LINUX - sys_exit_group\n }\n\n condition:\n uint16(0) == 0x457f and ($openat_etc_passwd or $setting_pipes) and (all of ($dirty_pipe_*))\n}\n", "rule_count": 1, "rule_names": [ "dirty_pipe_shellcode" ], "rule_creation_date": "2022-10-24", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Exploit.DirtyPipe" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dll_network_lockbit_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, 
"is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584035Z", "creation_date": "2026-03-23T11:46:25.584037Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584043Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\nhttps://attack.mitre.org/techniques/T1071/001/" ], "name": "dll_network_lockbit.yar", "content": "rule dll_network_lockbit {\n meta:\n title = \"DLL Network LockBit\"\n id = \"85544435-fb8f-4316-90ef-ba86bedcfb30\"\n description = \"Detects a DLL used by LockBit 3.0.\\nThis DLL, named dll_network, was involved in an attack against Boeing in 2023.\\nIt is created via a PowerShell script named 123.ps1 and executed using rundll32.exe.\\nThe file is used during the initial stage of the attack to establish communication with a command and control (C2) server.\"\n references = \"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a\\nhttps://attack.mitre.org/techniques/T1071/001/\"\n date = \"2023-11-23\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Backdoor.LockBit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0eb66eebb9b4d671f759fb2e8b239e8a6ab193a732da8583e6e8721a2670a96d\n\n $s1 = \">>>>>>> RESULT:\" fullword ascii\n $s2 = \"***REGESTRATION_TARGET***\" fullword ascii\n $s3 = \">>>>>> ON HIDDEN MODE\" fullword ascii\n $s4 = \">> ERROR WORK MOD <<\" fullword ascii\n $s5 = \">> GET_SERVERS\" fullword ascii\n\n condition:\n all of them\n}\n", 
"rule_count": 1, "rule_names": [ "dll_network_lockbit" ], "rule_creation_date": "2023-11-23", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.LockBit" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dnscat2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564723Z", "creation_date": "2026-03-23T11:46:25.564725Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564730Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\nhttps://github.com/iagox86/dnscat2\nhttps://attack.mitre.org/techniques/T1572" ], "name": "dnscat2.yar", "content": "rule dnscat2 {\n meta:\n title = \"Dnscat2 HackTool\"\n id = \"7d5155f6-efd1-43f2-86fc-aea75428c90c\"\n description = \"Detects dnscat2, a DNS tunneling tool.\\nAdversaries may use the DNS protocol to communicate with their C&C as a way to circumvent network protections.\\nIt is recommended to check the 
network communications of the process (if any) to look for suspicious behavior in the binary.\"\n references = \"https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/\\nhttps://github.com/iagox86/dnscat2\\nhttps://attack.mitre.org/techniques/T1572\"\n date = \"2025-09-24\"\n modified = \"2025-09-30\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1572;attack.t1071.004;attack.t1568.003;attack.exfiltration;attack.t1048.003\"\n classification = \"HackTool.dnscat2\"\n context = \"process,memory,file.pe,file.elf\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a394574bca30e5ef7ece2e60da94575fa7e82b92d51d2b62681299d7479d94cb (Windows)\n // 33b80a22946204aecde965725355a68e37c63f2b08861082de2506fc359ff147 (Linux)\n\n $s1 = \"It looks like you're running dnscat2 with the system DNS server\" ascii\n $s2 = \"length <= MAX_DNSCAT_LENGTH(driver->domain)\" ascii\n $s3 = \"[0x%04x] session = 0x%04x, seq = 0x%04x, ack = 0x%04x, data = 0x%x bytes\" ascii\n $s4 = \"[request] :: request_id: 0x%04x\" ascii\n $s5 = \"Peer verified with pre-shared secret!\" ascii\n\n $encryption_salsa20_windows_convention = {\n 65 78 70 61 // mov dword [ebp-0x18 {o[0]}], 0x61707865\n [2-6] 6E 64 20 33 // mov dword [ebp-0x14 {o[1]}], 0x3320646e\n [2-6] 32 2D 62 79 // mov dword [ebp-0x10 {o[2]}], 0x79622d32\n [2-6] 74 65 20 6B // mov dword [ebp-0xc {o[3]}], 0x6b206574\n }\n\n // [2-6] since mov byte rbp extends to 5-6 opcodes when arithmetic operand > 0x80 - unlikely but possible.\n // Function prelude included for Yara performance.\n $encryption_salsa20_linux_convention = {\n 55 // push rbp {__saved_rbp}\n 48 89 E5 // mov rbp, rsp {__saved_rbp}\n 48 83 EC ?? 
// sub rsp, 0x38\n 48 89 [2-6] // mov qword [rbp-0x28 {var_30}], rdi\n 48 89 [2-6] // mov qword [rbp-0x30 {var_38}], rsi\n 48 89 [2-6] // mov qword [rbp-0x38 {var_40}], rdx\n [2-6] 65 // mov byte [rbp-0x20], 'e'\n [2-6] 78 // mov byte [rbp-0x1f {var_27}], 'x'\n [2-6] 70 // mov byte [rbp-0x1e {var_26}], 'p'\n [2-6] 61 // mov byte [rbp-0x1d {var_25}], 'a'\n [2-6] 6E // mov byte [rbp-0x1c {var_24}], 'n'\n [2-6] 64 // mov byte [rbp-0x1b {var_23}], 'd'\n [2-6] 20 // mov byte [rbp-0x1a {var_22}], ' '\n [2-6] 33 // mov byte [rbp-0x19 {var_21}], '3'\n [2-6] 32 // mov byte [rbp-0x18 {var_20}], '2'\n [2-6] 2D // mov byte [rbp-0x17 {var_1f}], '-'\n [2-6] 62 // mov byte [rbp-0x16 {var_1e}], 'b'\n [2-6] 79 // mov byte [rbp-0x15 {var_1d}], 'y'\n [2-6] 74 // mov byte [rbp-0x14 {var_1c}], 't'\n [2-6] 65 // mov byte [rbp-0x13 {var_1b}], 'e'\n [2-6] 20 // mov byte [rbp-0x12 {var_1a}], ' '\n [2-6] 6B // mov byte [rbp-0x11 {var_19}], 'k'\n }\n\n condition:\n 1 of ($s*) and 1 of ($encryption_salsa20*)\n}", "rule_count": 1, "rule_names": [ "dnscat2" ], "rule_creation_date": "2025-09-24", "rule_modified_date": "2025-09-30", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.dnscat2" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.004", "attack.t1568.003", "attack.t1572", "attack.t1048.003" ], "rule_score": 70, "rule_context": [ "file.elf", "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dogebox_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582564Z", "creation_date": "2026-03-23T11:46:25.582566Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582572Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1" ], "name": "dogebox.yar", "content": "rule dodgebox_loader {\n meta:\n title = \"DodgeBox Loader\"\n id = \"0e315028-9215-4fdb-9f81-d19f5e71a4b0\"\n description = \"Detects DodgeBox Loader from APT41.\\nDodgeBox is a reflective DLL loader written in C developed by APT41. It is designed to decrypt and load embedded DLLs, conduct environment checks and bindings, and perform cleanup procedures to maintain persistence.\\nIt is recommended to analyze the affected process and their behavior to identify malicious activities.\"\n references = \"https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1\"\n date = \"2024-07-18\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1574.002;attack.t1480;attack.t1480.001;attack.t1027;attack.t1027.007;attack.t1620;attack.t1106;attack.t1562.001\"\n classification = \"Windows.Loader.DodgeBox\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db\n // 33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49\n\n $machineguid = {\n 4? C7 [2] 28 [0-3] // mov dword ptr [r11+10h], 28h ; '('\n 0F 5? ?? // xorps xmm0, xmm0\n 4? 
89 [0-2] // mov [r11+20h], rax\n 4? 8B ?? // mov rbx, rcx\n 33 ?? // xor edx, edx\n 4? 8B [5-8] // mov rcx, cs:off_18002BA00\n 4? C7 ?? 02 00 00 80 // mov r9, 0FFFFFFFF80000002h\n 0F 11 [1-3] // movups [rsp+98h+Src], xmm0\n 0F 11 [1-3] // movups [rsp+98h+var_28], xmm0\n 4? 8B ?? [1-6] // mov rcx, [rcx+1F0h]\n 4? 8D ?? ?? // lea r8d, [rdx+5]\n 4? 89 ?? ?? // mov [r11-18h], rax\n 4? 8D ?? ?? // lea rax, [r11+20h]\n 4? 89 ?? ?? // mov [r11-60h], rax\n 4? 8D [1-6] // lea rax, aSoftwareMicros ; \"SOFTWARE\\\\Microsoft\\\\Cryptography\"\n C7 [1-3] 01 01 [0-2] // mov dword ptr [rsp+98h+var_68], 101h\n 4? C7 [2-6] // mov qword ptr [r11-70h], 0\n 4? 89 [0-2] // mov [r11-78h], rax\n E8 [1-4] // call sub_180002FF0\n 85 ?? // test eax, eax\n 0F 85 // jnz loc_180001D44\n }\n\n $machineguid_reversed = { 4D 61 63 68 69 6E 65 47 75 69 64 }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "dodgebox_loader" ], "rule_creation_date": "2024-07-18", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.DodgeBox" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007", "attack.t1562.001", "attack.t1480.001", "attack.t1027", "attack.t1106", "attack.t1574.002", "attack.t1480", "attack.t1620" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_0148a149ae21_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, 
"is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582291Z", "creation_date": "2026-03-23T11:46:25.582293Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582299Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_0148a149ae21.yar", "content": "rule donut_loader_0148a149ae21 {\n meta:\n title = \"Donut Loader (0148a149ae21)\"\n id = \"8d57d7d6-32f8-4165-9fd1-0148a149ae21\"\n description = \"Detects an x86 shellcode or executable wrapped with Donut v0.9.1.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2021-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 85 C9 // test ecx, ecx\n 75 ?? 
// jnz short loc_2135\n FF 75 18 // push [ebp+arg_10]\n FF 75 14 // push [ebp+arg_C]\n FF 75 10 // push [ebp+arg_8]\n FF 75 0C // push [ebp+arg_4]\n 50 // push eax\n FF 75 08 // push [ebp+arg_0]\n E8 ?? ?? ?? ?? // call sub_84C\n 8B 36 // mov esi, [esi]\n 83 C4 18 // add esp, 18h\n 8B C8 // mov ecx, eax\n 8B 46 18 // mov eax, [esi+18h]\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_210E\n }\n\n $dll2 = {\n C7 44 14 ?? 64 6C 6C 00 // mov [esp+edx+1ECh+var_1C3], 6C6C64h\n 42 // inc edx\n 03 CA // add ecx, edx\n 33 D2 // xor edx, edx\n 38 11 // cmp [ecx], dl\n 74 ?? // jz short loc_9CA\n 8D 74 24 ?? // lea esi, [esp+1ECh+var_184]\n 2B F1 // sub esi, ecx\n }\n\n $encryption_algorithm = {\n 03 FE // add edi, esi\n 03 C1 // add eax, ecx\n C1 C6 05 // rol esi, 5\n 33 F7 // xor esi, edi\n C1 C1 08 // rol ecx, 8\n 33 C8 // xor ecx, eax\n C1 C7 10 // rol edi, 10h\n 03 C6 // add eax, esi\n 03 F9 // add edi, ecx\n C1 C6 07 // rol esi, 7\n C1 C1 0D // rol ecx, 0Dh\n 33 F0 // xor esi, eax\n 33 CF // xor ecx, edi\n C1 C0 10 // rol eax, 10h\n 83 6C 24 30 01 // sub [esp+24h+arg_8], 1\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_0148a149ae21" ], "rule_creation_date": "2021-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_32c50a072b25_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582034Z", "creation_date": "2026-03-23T11:46:25.582036Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582042Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_32c50a072b25.yar", "content": "rule donut_loader_32c50a072b25 {\n meta:\n title = \"Donut Loader (32c50a072b25)\"\n id = \"cbd5ed76-e00e-44d9-9a70-32c50a072b25\"\n description = \"Detects an x64 shellcode or executable wrapped with Donut v0.9.3.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2021-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 4D 85 D2 // test r10, r10\n 75 ?? // jnz short loc_45DF\n 4C 8B CF // mov r9, rdi\n 4C 8B C6 // mov r8, rsi\n 48 8B D0 // mov rdx, rax\n 48 8B CD // mov rcx, rbp\n E8 ?? ?? ?? ?? // call sub_2993\n 48 8B 1B // mov rbx, [rbx]\n 4C 8B D0 // mov r10, rax\n 48 8B 43 30 // mov rax, [rbx+30h]\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_45BA\n }\n\n $dll2 = {\n C6 44 04 ?? 64 // mov [rsp+rax+240h+var_200], 64h ; 'd'\n 41 8D 41 02 // lea eax, [r9+2]\n C6 44 04 ?? 6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 03 // lea eax, [r9+3]\n C6 44 04 ?? 
6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 04 // lea eax, [r9+4]\n }\n\n $encryption_algorithm = {\n 41 03 C8 // add ecx, r8d\n 03 C2 // add eax, edx\n 41 C1 C0 05 // rol r8d, 5\n 44 33 C1 // xor r8d, ecx\n C1 C2 08 // rol edx, 8\n 33 D0 // xor edx, eax\n C1 C1 10 // rol ecx, 10h\n 41 03 C0 // add eax, r8d\n 03 CA // add ecx, edx\n 41 C1 C0 07 // rol r8d, 7\n C1 C2 0D // rol edx, 0Dh\n 44 33 C0 // xor r8d, eax\n 33 D1 // xor edx, ecx\n C1 C0 10 // rol eax, 10h\n 48 83 EB 01 // sub rbx, 1\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_32c50a072b25" ], "rule_creation_date": "2021-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_371f2637ee15_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567628Z", "creation_date": "2026-03-23T11:46:25.567630Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567636Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_371f2637ee15.yar", "content": "rule donut_loader_371f2637ee15 {\n meta:\n title = \"Donut Loader (371f2637ee15)\"\n id = \"cd3af697-a6ca-47e2-9b44-371f2637ee15\"\n description = \"Detects an x64 shellcode or executable wrapped with Donut v1.0.0 and v1.1.0.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2024-10-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 4D 85 D2 // test r10, r10\n 75 ?? // jnz short loc_45DF\n 4C 8B CF // mov r9, rdi\n 4C 8B C6 // mov r8, rsi\n 48 8B D0 // mov rdx, rax\n 48 8B CD // mov rcx, rbp\n E8 ?? ?? ?? ?? // call sub_2993\n 48 8B 1B // mov rbx, [rbx]\n 4C 8B D0 // mov r10, rax\n 48 8B 43 30 // mov rax, [rbx+30h]\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_45BA\n }\n\n $dll2 = {\n C6 44 04 ?? 
64 // mov [rsp+rax+240h+var_200], 64h ; 'd'\n 41 8D 41 02 // lea eax, [r9+2]\n C6 44 04 ?? 6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 03 // lea eax, [r9+3]\n C6 44 04 ?? 6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 04 // lea eax, [r9+4]\n }\n\n $encryption_algorithm = {\n 8B CE // mov ecx, esi\n C1 C8 08 // ror eax, 0x8\n 8B 74 24 ?? // mov esi, dword [esp+0x28]\n 03 C2 // add eax, edx\n C1 CE 08 // ror esi, 0x8\n 33 C7 // xor eax, edi\n 03 F7 // add esi, edi\n C1 C2 03 // rol edx, 0x3\n 33 F3 // xor esi, ebx\n C1 C7 03 // rol edi, 0x3\n 33 D0 // xor edx, eax\n 89 6C 24 ?? // mov dword [esp+0x28], ebp\n 33 FE // xor edi, esi\n 8B E9 // mov ebp, ecx\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_371f2637ee15" ], "rule_creation_date": "2024-10-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_822b0b26cfd2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582151Z", "creation_date": "2026-03-23T11:46:25.582153Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582158Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_822b0b26cfd2.yar", "content": "rule donut_loader_822b0b26cfd2 {\n meta:\n title = \"Donut Loader (822b0b26cfd2)\"\n id = \"82913594-2bd8-43c9-b190-822b0b26cfd2\"\n description = \"Detects an x86 shellcode or executable wrapped with Donut v1.0.0 and v1.1.0.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2024-10-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 85 C9 // test ecx, ecx\n 75 ?? // jne 0x1ccda\n FF 75 18 // push [ebp+0x18]\n FF 75 14 // push [ebp+0x14]\n FF 75 10 // push [ebp+0x10]\n FF 75 0C // push [ebp+0xc]\n 50 // push eax\n FF 75 08 // push dword [ebp+0x8]\n E8 ?? ?? ?? ?? 
// call sub_1ada1\n 8B 36 // mov esi, dword [esi]\n 83 C4 18 // add esp, 0x18\n 8B C8 // mov ecx, eax\n 8B 46 18 // mov eax, [esi+0x18]\n 85 C0 // test eax, eax\n 75 ?? // jne short 0x1ccb3\n }\n\n $dll2 = {\n C7 44 0C ?? 64 6C 6C 00 // mov dword [esp+ecx+0x21], 'dll'\n 33 D2 // xor edx, edx\n 41 // inc ecx\n 03 CE // add ecx, esi\n 38 11 // cmp byte [ecx], dl\n 74 ?? // je 0x1cc56\n 8D 74 24 ?? // lea esi, [esp+0x60]\n 2B F1 // sub esi, ecx\n }\n\n $encryption_algorithm = {\n 8B CE // mov ecx, esi\n C1 C8 08 // ror eax, 0x8\n 8B 74 24 ?? // mov esi, dword [esp+0x28]\n 03 C2 // add eax, edx\n C1 CE 08 // ror esi, 0x8\n 33 C7 // xor eax, edi\n 03 F7 // add esi, edi\n C1 C2 03 // rol edx, 0x3\n 33 F3 // xor esi, ebx\n C1 C7 03 // rol edi, 0x3\n 33 D0 // xor edx, eax\n 89 6C 24 ?? // mov dword [esp+0x28], ebp\n 33 FE // xor edi, esi\n 8B E9 // mov ebp, ecx\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_822b0b26cfd2" ], "rule_creation_date": "2024-10-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_8934af49a24a_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": 
"b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567915Z", "creation_date": "2026-03-23T11:46:25.567918Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567924Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_8934af49a24a.yar", "content": "rule donut_loader_8934af49a24a {\n meta:\n title = \"Donut Loader (8934af49a24a)\"\n id = \"72434c78-e9e5-4a8f-b7cd-8934af49a24a\"\n description = \"Detects an x86 shellcode or executable wrapped with Donut v0.9.2 or v0.9.3.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2021-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 85 C9 // test ecx, ecx\n 75 ?? 
// jnz short loc_2135\n FF 75 18 // push [ebp+arg_10]\n FF 75 14 // push [ebp+arg_C]\n FF 75 10 // push [ebp+arg_8]\n FF 75 0C // push [ebp+arg_4]\n 50 // push eax\n FF 75 08 // push [ebp+arg_0]\n E8 ?? ?? ?? ?? // call sub_84C\n 8B 36 // mov esi, [esi]\n 83 C4 18 // add esp, 18h\n 8B C8 // mov ecx, eax\n 8B 46 18 // mov eax, [esi+18h]\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_210E\n }\n\n $dll2 = {\n C7 44 14 ?? 64 6C 6C 00 // mov [esp+edx+1ECh+var_1C3], 6C6C64h\n 42 // inc edx\n 03 CA // add ecx, edx\n 33 D2 // xor edx, edx\n 38 11 // cmp [ecx], dl\n 74 ?? // jz short loc_9CA\n 8D 74 24 ?? // lea esi, [esp+1ECh+var_184]\n 2B F1 // sub esi, ecx\n }\n\n $encryption_algorithm = {\n 03 CF // add ecx, edi\n 03 C6 // add eax, esi\n C1 C7 05 // rol edi, 5\n 33 F9 // xor edi, ecx\n C1 C6 08 // rol esi, 8\n 33 F0 // xor esi, eax\n C1 C1 10 // rol ecx, 10h\n 03 C7 // add eax, edi\n 03 CE // add ecx, esi\n C1 C7 07 // rol edi, 7\n C1 C6 0D // rol esi, 0Dh\n 33 F8 // xor edi, eax\n 33 F1 // xor esi, ecx\n C1 C0 10 // rol eax, 10h\n 83 6C 24 30 01 // sub [esp+24h+arg_8], 1\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_8934af49a24a" ], "rule_creation_date": "2021-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_e1d6ea371306_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567694Z", "creation_date": "2026-03-23T11:46:25.567697Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567706Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_e1d6ea371306.yar", "content": "rule donut_loader_e1d6ea371306 {\n meta:\n title = \"Donut Loader (e1d6ea371306)\"\n id = \"634e3096-62c3-40d6-b804-e1d6ea371306\"\n description = \"Detects an x64 shellcode or executable wrapped with Donut v0.9.1.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2021-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 4D 85 D2 // test r10, r10\n 75 ?? // jnz short loc_45DF\n 4C 8B CF // mov r9, rdi\n 4C 8B C6 // mov r8, rsi\n 48 8B D0 // mov rdx, rax\n 48 8B CD // mov rcx, rbp\n E8 ?? ?? ?? ?? // call sub_2993\n 48 8B 1B // mov rbx, [rbx]\n 4C 8B D0 // mov r10, rax\n 48 8B 43 30 // mov rax, [rbx+30h]\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_45BA\n }\n\n $dll2 = {\n C6 44 04 ?? 64 // mov [rsp+rax+240h+var_200], 64h ; 'd'\n 41 8D 41 02 // lea eax, [r9+2]\n C6 44 04 ?? 6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 03 // lea eax, [r9+3]\n C6 44 04 ?? 
6C // mov [rsp+rax+240h+var_200], 6Ch ; 'l'\n 41 8D 41 04 // lea eax, [r9+4]\n }\n\n $encryption_algorithm = {\n 44 03 DA // add r11d, edx\n 03 C1 // add eax, ecx\n C1 C2 05 // rol edx, 5\n 41 33 D3 // xor edx, r11d\n C1 C1 08 // rol ecx, 8\n 33 C8 // xor ecx, eax\n 41 C1 C3 10 // rol r11d, 10h\n 03 C2 // add eax, edx\n 44 03 D9 // add r11d, ecx\n C1 C2 07 // rol edx, 7\n C1 C1 0D // rol ecx, 0Dh\n 33 D0 // xor edx, eax\n 41 33 CB // xor ecx, r11d\n C1 C0 10 // rol eax, 10h\n 48 83 EE 01 // sub rsi, 1\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_e1d6ea371306" ], "rule_creation_date": "2021-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-donut_loader_e84ada1a5aa2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582115Z", "creation_date": "2026-03-23T11:46:25.582117Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582130Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1027/\nhttps://github.com/TheWover/donut\nhttps://thewover.github.io/Introducing-Donut/" ], "name": "donut_loader_e84ada1a5aa2.yar", "content": "rule donut_loader_e84ada1a5aa2 {\n meta:\n title = \"Donut Loader (e84ada1a5aa2)\"\n id = \"98485616-aab4-4b2b-bb13-e84ada1a5aa2\"\n description = \"Detects an x64 shellcode or executable wrapped with Donut v0.9.2.\\nDonut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies.\\nThis shellcode may be used to inject the Assembly into arbitrary Windows processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1027/\\nhttps://github.com/TheWover/donut\\nhttps://thewover.github.io/Introducing-Donut/\"\n date = \"2021-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.HackTool.Donut\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $dll1 = {\n 48 8B 45 ?? // mov rax, [rbp+var_8]\n 48 8B 40 30 // mov rax, [rax+30h]\n 48 8B 4D 20 // mov rcx, [rbp+arg_10]\n 48 8B 55 18 // mov rdx, [rbp+arg_8]\n 49 89 C9 // mov r9, rcx\n 49 89 D0 // mov r8, rdx\n 48 89 C2 // mov rdx, rax\n 48 8B 4D 10 // mov rcx, [rbp+arg_0]\n E8 ?? ?? ?? ?? // call sub_307F\n 48 89 45 ?? // mov [rbp+var_10], rax\n 48 8B 45 ?? // mov rax, [rbp+var_8]\n 48 8B 00 // mov rax, [rax]\n 48 89 45 ?? 
// mov [rbp+var_8], rax\n 48 8B 45 ?? // mov rax, [rbp+var_8]\n 48 8B 40 30 // mov rax, [rax+30h]\n 48 85 C0 // test rax, rax\n 74 ?? // jz short loc_3552\n 48 83 7D ?? 00 // cmp [rbp+var_10], 0\n 74 ?? // jz short loc_350D\n }\n\n $dll2 = {\n C6 44 05 ?? 64 // mov [rbp+rax+1E0h+var_1C0], 64h ; 'd'\n 8B 85 ?? ?? 00 00 // mov eax, [rbp+1E0h+var_4]\n 83 C0 02 // add eax, 2\n 89 C0 // mov eax, eax\n C6 44 05 ?? 6C // mov [rbp+rax+1E0h+var_1C0], 6Ch ; 'l'\n 8B 85 ?? ?? 00 00 // mov eax, [rbp+1E0h+var_4]\n 83 C0 03 // add eax, 3\n 89 C0 // mov eax, eax\n C6 44 05 ?? 6C // mov [rbp+rax+1E0h+var_1C0], 6Ch ; 'l'\n 8B 85 ?? ?? 00 00 // mov eax, [rbp+1E0h+var_4]\n 83 C0 04 // add eax, 4\n 89 C0 // mov eax, eax\n }\n\n $encryption_algorithm = {\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 8B 10 // mov edx, [rax]\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 04 // add rax, 4\n 8B 00 // mov eax, [rax]\n 01 C2 // add edx, eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 89 10 // mov [rax], edx\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 8D 50 04 // lea rdx, [rax+4]\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 04 // add rax, 4\n 8B 00 // mov eax, [rax]\n C1 C0 05 // rol eax, 5\n 89 C1 // mov ecx, eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 8B 00 // mov eax, [rax]\n 31 C8 // xor eax, ecx\n 89 02 // mov [rdx], eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 08 // add rax, 8\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 08 // add rdx, 8\n 8B 0A // mov ecx, [rdx]\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 0C // add rdx, 0Ch\n 8B 12 // mov edx, [rdx]\n 01 CA // add edx, ecx\n 89 10 // mov [rax], edx\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 0C // add rax, 0Ch\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 0C // add rdx, 0Ch\n 8B 12 // mov edx, [rdx]\n 89 D1 // mov ecx, edx\n C1 C1 08 // rol ecx, 8\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 08 // add rdx, 8\n 8B 12 // mov edx, [rdx]\n 31 CA // xor edx, ecx\n 89 10 // mov [rax], edx\n 48 8B 45 ?? 
// mov rax, [rbp+var_10]\n 48 83 C0 08 // add rax, 8\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 08 // add rdx, 8\n 8B 0A // mov ecx, [rdx]\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 04 // add rdx, 4\n 8B 12 // mov edx, [rdx]\n 01 CA // add edx, ecx\n 89 10 // mov [rax], edx\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 8B 00 // mov eax, [rax]\n C1 C0 10 // rol eax, 10h\n 89 C2 // mov edx, eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 0C // add rax, 0Ch\n 8B 00 // mov eax, [rax]\n 01 C2 // add edx, eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 89 10 // mov [rax], edx\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 8D 50 0C // lea rdx, [rax+0Ch]\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 0C // add rax, 0Ch\n 8B 00 // mov eax, [rax]\n C1 C0 0D // rol eax, 0Dh\n 89 C1 // mov ecx, eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 8B 00 // mov eax, [rax]\n 31 C8 // xor eax, ecx\n 89 02 // mov [rdx], eax\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 04 // add rax, 4\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 04 // add rdx, 4\n 8B 12 // mov edx, [rdx]\n 89 D1 // mov ecx, edx\n C1 C1 07 // rol ecx, 7\n 48 8B 55 ?? // mov rdx, [rbp+var_10]\n 48 83 C2 08 // add rdx, 8\n 8B 12 // mov edx, [rdx]\n 31 CA // xor edx, ecx\n 89 10 // mov [rax], edx\n 48 8B 45 ?? // mov rax, [rbp+var_10]\n 48 83 C0 08 // add rax, 8\n 48 8B 55 ?? 
// mov rdx, [rbp+var_10]\n 48 83 C2 08 // add rdx, 8\n 8B 12 // mov edx, [rdx]\n C1 C2 10 // rol edx, 10h\n 89 10 // mov [rax], edx\n 83 45 FC 01 // add [rbp+var_4], 1\n }\n\n condition:\n $dll1 and $dll2 and $encryption_algorithm\n}\n", "rule_count": 1, "rule_names": [ "donut_loader_e84ada1a5aa2" ], "rule_creation_date": "2021-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Donut" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dotnet_patchetw_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571691Z", "creation_date": "2026-03-23T11:46:25.571693Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571698Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://red.hack-army.net/redteam/evasion/etw-evasion\nhttps://www.mdsec.co.uk/2020/03/hiding-your-net-etw/" ], "name": "dotnet_patchetw.yar", "content": "import \"pe\"\n\nrule dotnet_patchetw {\n meta:\n title = \"DotNet patchETW\"\n id = 
\"3b29b657-94db-4c48-9157-7e0bd2b974b7\"\n description = \"Detects suspicious code in the .NET programming language that patches the ETW (Event Tracing for Windows). \\nETW is a feature that provides telemetry data from kernel and user spaces, used by EDR solutions. Attackers often disable ETW to hide their malicious actions.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://red.hack-army.net/redteam/evasion/etw-evasion\\nhttps://www.mdsec.co.uk/2020/03/hiding-your-net-etw/\"\n date = \"2023-09-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.006;attack.t1562.001\"\n classification = \"Windows.Generic.SuspiciousDotNet\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e8547e66968e28568a68e34661a699f645ac253842bf4f2fa4512ab783f5cd7b\n // 7e2e049328295d66b968d51c9a8b5377e28aa817ec8a1eeeeb85074e2d99415e\n // 870a4cfc58c388361c8834701aa8112a0de4155305e92aedc66e0384813d3439\n // 4a09a7db3729524b264f61bd57d422714e43167d391eae1df73cad90c2982d07\n // 5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914\n\n $s1 = \"PatchETW\" ascii fullword\n $s2 = \"ntdll.dll\" wide fullword\n $s3 = \"EtwEventWrite\" wide fullword\n\n condition:\n pe.imports (\"mscoree.dll\",\"_CorExeMain\") and all of them\n}\n", "rule_count": 1, "rule_names": [ "dotnet_patchetw" ], "rule_creation_date": "2023-09-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.SuspiciousDotNet" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1562.006" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dotrunpex_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568482Z", "creation_date": "2026-03-23T11:46:25.568484Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568490Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/\nhttps://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/" ], "name": "dotrunpex.yar", "content": "rule dotrunpex {\n meta:\n title = \"DotRunpeX Injector\"\n id = \"fc498474-0790-4a29-9269-eb2b705dd30b\"\n description = \"Detects the DotRunpeX injector.\\nDotRunpeX is a .NET-based injection framework commonly used in second-stage infections to deliver various malware payloads. 
It is designed to inject malicious code into legitimate processes, often as part of a broader attack chain.\\nIt is recommended to analyze the affected process and its network activity to identify potential command-and-control (C2) communications and determine the scope of the infection.\"\n references = \"https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/\\nhttps://cert.pl/en/posts/2023/09/unpacking-whats-packed-dotrunpex/\"\n date = \"2023-09-18\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Injector.DotRunpeX\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b120d8658812d9d5dd2b0322b3e7aefa5d34ee2acaebdf15a8ef2d73f9743f22\n // e217b089f11e6c38b12c658b52f2d215d8546ce2b61d999235e5f75e3c87fcd3\n\n $runpe = \"RunpeX.Stub.Framework\" wide\n\n $s1 = \"KoiVM.Runtime--test\" ascii fullword\n $s2 = \"CryptoObfuscator 1.0\" ascii fullword\n $s3 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\TaskKill\" wide fullword\n $s4 = \"CryptoProtector [{0}]\" wide\n\n condition:\n (uint16(0) == 0x5a4d) and ($runpe or all of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "dotrunpex" ], "rule_creation_date": "2023-09-18", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Injector.DotRunpeX" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-driver_inject_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584622Z", "creation_date": "2026-03-23T11:46:25.584624Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584629Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.talosintelligence.com/undocumented-reddriver/\nhttps://github.com/strivexjun/DriverInjectDll/" ], "name": "driver_inject.yar", "content": "import \"pe\"\n\nrule driver_inject {\n meta:\n title = \"DriverInjectDll Driver\"\n id = \"6ab54917-e3df-4e43-9a40-b783740c5e47\"\n description = \"Detects a malicious driver associated with the DriverInjectDll HackTool.\\nDriverInjectDll is a tool designed to inject DLLs into processes using a driver, enabling unauthorized code execution within targeted applications.\\nIt is recommended to analyze the memory of the injected processes as well as to investigate and remediate the loading of the malicious driver.\"\n references = \"https://blog.talosintelligence.com/undocumented-reddriver/\\nhttps://github.com/strivexjun/DriverInjectDll/\"\n date = \"2023-07-13\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055\"\n classification = \"Windows.HackTool.DriverInjectDll\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 
4b3bc7950ae984bb7570aaf0071988228482795d57d749789997d1eebe9c8e84\n\n $tag1 = { 69 6E 6A 6C } // TAG_INJECTLIST 'ljni'\n $tag2 = { 69 6E 6A 64 } // TAG_INJECTDATA 'djni'\n\n $reg = {\n 50 51 52 53 6A FF 55 56 57 41 50 41 51 6A 10 41 // saveReg[]\n 53 41 54 41 55 41 56 41 57 00 CC CC CC CC CC CC\n 41 5F 41 5E 41 5D 41 5C 41 5B 41 5A 41 59 41 58 // restoneReg[]\n 5F 5E 5D 48 83 C4 08 5B 5A 59 58 00 CC CC CC CC\n }\n\n $strings = {\n 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 // \\System32\\ntdll.dll\n 32 00 5C 00 6E 00 74 00 64 00 6C 00 6C 00 2E 00\n 64 00 6C 00 6C 00 00 00 CC CC CC CC CC CC CC CC\n 5C 00 53 00 79 00 73 00 57 00 4F 00 57 00 36 00 // \\SysWOW64\\ntdll.dll\n 34 00 5C 00 6E 00 74 00 64 00 6C 00 6C 00 2E 00\n 64 00 6C 00 6C 00 00 00 CC CC CC CC CC CC CC CC\n 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 // \\Device\\CrashDumpUpload\n 43 00 72 00 61 00 73 00 68 00 44 00 75 00 6D 00\n 70 00 55 00 70 00 6C 00 6F 00 61 00 64 00 00 00\n 5C 00 44 00 6F 00 73 00 44 00 65 00 76 00 69 00 // \\DosDevices\\CrashDumpUpload\n 63 00 65 00 73 00 5C 00 43 00 72 00 61 00 73 00\n 68 00 44 00 75 00 6D 00 70 00 55 00 70 00 6C 00\n 6F 00 61 00 64 00 00 00 CC CC CC CC CC CC CC CC\n }\n\n condition:\n all of them and pe.imports(\"ntoskrnl.exe\")\n}\n", "rule_count": 1, "rule_names": [ "driver_inject" ], "rule_creation_date": "2023-07-13", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.DriverInjectDll" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-driver_windivert_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": 
"strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583031Z", "creation_date": "2026-03-23T11:46:25.583033Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583039Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/" ], "name": "driver_windivert.yar", "content": "rule driver_windivert {\n meta:\n title = \"WinDivert Driver\"\n id = \"6eab77ec-306f-4029-90fa-e6eaba422e8e\"\n description = \"Detects the WinDivert driver that can be used (signed or not) by threat actors to perform malicious network operations, such as network blocking, port redirection, and man-in-the-middle attacks directly through the Windows kernel.\\nWinDivert is a powerful packet filtering driver that can be used for legitimate network monitoring purposes. 
However, its capabilities can also be abused by malicious actors to intercept and manipulate network traffic, disrupt communication channels, or establish persistence.\"\n references = \"https://rastamouse.me/ntlm-relaying-via-cobalt-strike/\"\n date = \"2022-08-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1543.003\"\n classification = \"Windows.Driver.WinDivert\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // 2c37e853453e1e4782cf25ecf633506e59ad8f8649ff1c595966cc21234b19e8\n // 9aae7e27dea211b5a3e87fe8027a502e416be3880f03793688ccdc506f06ed60\n\n $s1 = \"\\\\Device\\\\WinDivert\" wide\n $s2 = \"\\\\??\\\\WinDivert\" wide\n $s3 = \"FilterForwardNetworkIPv6\" wide\n $s4 = \"FilterForwardNetworkIPv4\" wide\n $s5 = \"CalloutForwardNetworkIPv6\" wide\n $s6 = \"CalloutForwardNetworkIPv4\" wide\n\n $security_desc_1 = \"D:P(A;;GA;;;SY)\" fullword wide\n $security_desc_2 = \"D:P(A;;GA;;;SY)(A;;GA;;;BA)\" fullword wide\n $security_desc_3 = \"D:P(A;;GA;;;SY)(A;;GRGX;;;BA)\" fullword wide\n $security_desc_4 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)\" fullword wide\n $security_desc_5 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)\" fullword wide\n $security_desc_6 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC)\" fullword wide\n $security_desc_7 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)\" fullword wide\n\n $allocation_tag = { 57 44 69 76 } // WDiv\n\n condition:\n uint16(0) == 0x5a4d and filesize < 300KB and 4 of ($s*) and 3 of ($security_desc_*) and #allocation_tag > 10\n}\n", "rule_count": 1, "rule_names": [ "driver_windivert" ], "rule_creation_date": "2022-08-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Driver.WinDivert" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ 
"attack.t1543.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-driver_winring0_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568926Z", "creation_date": "2026-03-23T11:46:25.568928Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568934Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/FEYE-2019-0004/FEYE-2019-0004.md" ], "name": "driver_winring0.yar", "content": "import \"pe\"\n\nrule driver_winring0 {\n meta:\n title = \"WinRing0 Driver\"\n id = \"5e518b89-cb85-4646-b14a-ceacd910ff1d\"\n description = \"Detects the WinRing0 driver that can be used (signed or not) by threat actors to perform malicious operations through the kernel.\\nThe WinRing0 driver is known to be exploited by threat actors to perform various malicious activities such as killing security products, achieving persistence, and accessing credentials.\\nIt is recommended to conduct a thorough investigation to identify any malicious processes or activities associated with the WinRing0 driver.\"\n references = 
\"https://github.com/mandiant/Vulnerability-Disclosures/blob/master/FEYE-2019-0004/FEYE-2019-0004.md\"\n date = \"2022-08-02\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1543.003\"\n classification = \"Windows.Driver.WinRing0\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5\n\n $s1 = \"\\\\Device\\\\WinRing0_1_2_0\" fullword wide\n $s2 = \"\\\\DosDevices\\\\WinRing0_1_2_0\" fullword wide\n\n $writemsr = {\n 48 8B 51 04 // mov rdx, [rcx+4]\n 48 C1 EA 20 // shr rdx, 20h\n 8B 09 // mov ecx, [rcx]\n 8B 40 04 // mov eax, [rax+4]\n 0F 30 // wrmsr\n 48 8B 44 24 ?? // mov rax, [rsp+arg_20]\n 83 20 00 // and dword ptr [rax], 0\n 33 C0 // xor eax, eax\n EB ?? // jmp short locret_114C7\n }\n\n $mmmapiospace = {\n 48 8B 09 // mov rcx, [rcx] ; PhysicalAddress\n 48 81 F9 00 00 0C 00 // cmp rcx, 0C0000h\n 7C ?? // jl short loc_115C1\n 8B E8 // mov ebp, eax\n 48 8D 44 01 FF // lea rax, [rcx+rax-1]\n 48 3D FF FF 0F 00 // cmp rax, 0FFFFFh\n 7F ?? // jg short loc_115C1\n 45 33 C0 // xor r8d, r8d ; CacheType\n 48 8B D5 // mov rdx, rbp ; NumberOfBytes\n FF 15 ?? ?? ?? ?? // call cs:MmMapIoSpace\n }\n\n condition:\n uint16(0) == 0x5a4d and\n // Exclusion to avoid double matches with the recommended driver block list\n // while still detecting WinRing0 instances signed with other certificates\n for all i in (0 .. 
pe.number_of_signatures) : (\n not pe.signatures[i].subject contains \"Noriyuki MIYAZAKI\"\n ) and\n filesize < 300KB and 1 of ($s*) and ($writemsr or $mmmapiospace)\n}\n", "rule_count": 1, "rule_names": [ "driver_winring0" ], "rule_creation_date": "2022-08-02", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Driver.WinRing0" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1543.003" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-duality_prestub_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586074Z", "creation_date": "2026-03-23T11:46:25.586076Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586082Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.aon.com/en/insights/cyber-labs/duality-part-1\nhttps://github.com/AonCyberLabs/DUALITY/\nhttps://attack.mitre.org/techniques/T1574/002/" ], "name": "duality_prestub.yar", "content": "rule duality_prestub {\n meta:\n title = \"DUALITY Backdoor Prestub\"\n id = \"58a84281-8b6e-4fef-bfd7-1d6d82e41a29\"\n description = \"Detects the DUALITY backdoor 
technique where legitimate DLLs are backdoored to maintain persistence.\\nThe backdoored DLLs contain a Position Independent Code (PIC) that performs DUALITY checks and executes a payload. This rule detects the presence of a prestub used to trigger the malicious activity.\\nIt is recommended to investigate the process associated with this rule for potential malicious content within the binary or its memory.\"\n references = \"https://www.aon.com/en/insights/cyber-labs/duality-part-1\\nhttps://github.com/AonCyberLabs/DUALITY/\\nhttps://attack.mitre.org/techniques/T1574/002/\"\n date = \"2024-03-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1574.002\"\n classification = \"Windows.HackTool.Duality\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9dc0204abf0679322e9aca39dcb3d5ea6f216c293b964aaa09b8d3206b8cd312\n\n // This is the pre-stub stored in the .NET duality executable\n $prestub_expanded = {\n 4c 00 00 00 8b 00 00 00 fc 00 00 00 9c 00 00 00\n 50 00 00 00 53 00 00 00 51 00 00 00 52 00 00 00\n 56 00 00 00 57 00 00 00 55 00 00 00 41 00 00 00\n 50 00 00 00 41 00 00 00 51 00 00 00 41 00 00 00\n 52 00 00 00 41 00 00 00 53 00 00 00 41 00 00 00\n 54 00 00 00 41 00 00 00 55 00 00 00 41 00 00 00\n 56 00 00 00 48 00 00 00 8d 00 00 00 05 00 00 00\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 48 00 00 00 05 00 00 00 d6 00 00 00 7a 00 00 00\n 0a 00 00 00 00 00 00 00 ff 00 00 00 d0 00 00 00\n 41 00 00 00 5e 00 00 00 41 00 00 00 5d 00 00 00\n 41 00 00 00 5c 00 00 00 41 00 00 00 5b 00 00 00\n 41 00 00 00 5a 00 00 00 41 00 00 00 59 00 00 00\n 41 00 00 00 58 00 00 00 5d 00 00 00 5f 00 00 00\n 5e 00 00 00 5a 00 00 00 59 00 00 00 5b 00 00 00\n 58 00 00 00 9d 00 00 00 49 00 00 00 8b 00 00 00\n e7 00 00 00 48 00 00 00 89 00 00 00 5c 00 00 00\n 24 00 00 00 08 00 00 00 e9 00 00 00 93 00 00 00\n c5 00 00 00 ff 00 00 00 ff 
00 00 00 00 00 00 00\n }\n\n // This is the prestub as found in infected DLLs\n $prestub_compact = {\n 4c 8b fc // mov r15 rsp\n 9c // pushfq\n 50 // push rax\n 53 // push rbx\n 51 // push rcx\n 52 // push rdx\n 56 // push rsi\n 57 // push rdi\n 55 // push rbp\n 41 50 // push r8\n 41 51 // push r9\n 41 52 // push r10\n 41 53 // push r11\n 41 54 // push r12\n 41 55 // push r13\n 41 56 // push r14\n 48 8d 05 00 00 00 00 // lea rax \n 48 05 ?? ?? ?? ?? // add rax \n ff d0 // call rax\n 41 5e // pop r14\n 41 5d // pop r13\n 41 5c // pop r12\n 41 5b // pop r11\n 41 5a // pop r10\n 41 59 // pop r9\n 41 58 // pop r8\n 5d // pop rbp\n 5f // pop rdi\n 5e // pop rsi\n 5a // pop rdx\n 59 // pop rcx\n 5b // pop rbx\n 58 // pop rax\n 9d // popfq\n 49 8b e7 // mov rsp r15\n 48 89 5c 24 08 // mov qword ptr ss:[rsp+8] rbx\n e9 ?? ?? ?? ?? // jmp \n }\n\n condition:\n any of them\n}\n", "rule_count": 1, "rule_names": [ "duality_prestub" ], "rule_creation_date": "2024-03-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Duality" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1574.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-duality_sections_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.585719Z", "creation_date": "2026-03-23T11:46:25.585721Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585727Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.aon.com/en/insights/cyber-labs/duality-part-1\nhttps://github.com/AonCyberLabs/DUALITY/\nhttps://attack.mitre.org/techniques/T1574/002/" ], "name": "duality_sections.yar", "content": "import \"pe\"\n\nrule duality_sections {\n meta:\n title = \"DUALITY Backdoor Section\"\n id = \"62487fbe-1a82-4c3f-8b0e-5da8867c3035\"\n description = \"Detects the DUALITY backdoor technique where legitimate DLLs are backdoored to maintain persistence.\\nThe backdoored DLLs contain a Position Independent Code (PIC) that performs DUALITY checks and executes a payload. This rule detects the presence of a prestub used to trigger the malicious activity.\\nIt is recommended to investigate the process associated with this rule for potential malicious content within the binary or its memory.\"\n references = \"https://www.aon.com/en/insights/cyber-labs/duality-part-1\\nhttps://github.com/AonCyberLabs/DUALITY/\\nhttps://attack.mitre.org/techniques/T1574/002/\"\n date = \"2024-03-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1574.002\"\n classification = \"Windows.HackTool.Duality\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n condition:\n for any section in pe.sections : ( section.name == \".duality\" or section.name == \".ensc\" )\n}\n", "rule_count": 1, "rule_names": [ "duality_sections" ], "rule_creation_date": "2024-03-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Duality" ], "rule_tactic_tags": [ "attack.defense_evasion" ], 
"rule_technique_tags": [ "attack.t1574.002" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ducktail_getcookie_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581628Z", "creation_date": "2026-03-23T11:46:25.581632Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581641Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail" ], "name": "ducktail_getcookie.yar", "content": "import \"pe\"\n\nrule ducktail_getcookie {\n meta:\n title = \"Ducktail GetCookieToSync\"\n id = \"dbe6a54b-7691-46f5-bf32-44ffcc232c0b\"\n description = \"Detects the GetCookieToSync hacktool.\\nGetCookieToSync is a tool written in .NET employed by the Ducktail threat actor to steal cookies from web browsers, aiding in unauthorized access to user accounts.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail\"\n date = \"2023-10-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1539;attack.exfiltration;attack.t1048\"\n classification = \"Windows.HackTool.Ducktail\"\n context = 
\"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b425c9814125459890f71dbf0b32134abb8c141f9b69363b1be106099814c338\n\n $s1 = \"{{ id = {0}, key1 = {1}, key2 = {2} }}\" wide fullword\n $s2 = \"encrypted_key\\\":\\\"\" wide fullword\n $s3 = \"Ko tim dc private key, ko sync dc\" wide fullword\n $s4 = \"KO tim dc cookie path\" wide fullword\n $s5 = \"Vui long chon profile de chay\" wide fullword\n $s6 = \"/api/chrome/fix\" wide fullword\n\n condition:\n 4 of ($s*) or\n 1 of ($s*) and pe.version_info[\"OriginalFilename\"] == \"GetCookieToSync.exe\"\n}\n", "rule_count": 1, "rule_names": [ "ducktail_getcookie" ], "rule_creation_date": "2023-10-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Ducktail" ], "rule_tactic_tags": [ "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1048", "attack.t1539" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ducktail_nativeaot_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568283Z", "creation_date": "2026-03-23T11:46:25.568286Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.568295Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail" ], "name": "ducktail_nativeaot.yar", "content": "rule ducktail_nativeaot {\n meta:\n title = \"Ducktail Malware\"\n id = \"084f7065-a86a-4c1c-8723-640d9ceaeb8d\"\n description = \"Detects Ducktail, a Vietnamese infostealer threat actor using tools written in .NET. This variant, observed in October 2023, employs Native AOT (Ahead Of Time) compilation.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail\"\n date = \"2023-10-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001;attack.defense_evasion;attack.t1562.001;attack.persistence;attack.t1543.003;attack.t1136.001;attack.lateral_movement;attack.t1021.001;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.Ducktail\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 1e082ed9733b033a0c9b27a0d1146397771b350b013ea3e9fba228e1400a263f\n\n $s1 = \"'; 'Member' = $Username};Add-LocalGroupMember @GroupParams;\" wide fullword\n $s2 = \"begin download decrypt to \" wide fullword\n $s3 = \"result install myRdpService :\" wide fullword\n $s4 = \"start run decrypt exe from normal account\" wide fullword\n\n condition:\n uint16(0) == 0x5A4D and all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "ducktail_nativeaot" ], "rule_creation_date": "2023-10-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Ducktail" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.lateral_movement", "attack.persistence" ], "rule_technique_tags": [ "attack.t1136.001", "attack.t1562.001", "attack.t1071.001", 
"attack.t1059.001", "attack.t1543.003", "attack.t1021.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ducktail_rdpservice_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568038Z", "creation_date": "2026-03-23T11:46:25.568040Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568045Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail" ], "name": "ducktail_rdpservice.yar", "content": "rule ducktail_rdpservice {\n meta:\n title = \"Ducktail RdpService\"\n id = \"8e50570c-16fe-4f28-b220-5020959eebcc\"\n description = \"Detects the RdpService hacktool used by Ducktail for RDP tunneling.\\nRdpService is used to create tunnels, enabling lateral movement within a compromised network.\\nDucktail is a Vietnamese infostealer threat actor known for using tools like RdpService, often written in .NET.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail\"\n date = \"2023-10-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.lateral_movement;attack.t1021.001;attack.command_and_control;attack.t1572\"\n classification = \"Windows.HackTool.Ducktail\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 6b52fdca49db84a5ce3abec0fed77e58451e5bbc5b5c5052aedb5164878a4876\n\n $s1 = \"RdpService.dll\" wide fullword\n $s2 = \"close clietn socket\" wide fullword\n $s3 = \"close client socket success\" wide fullword\n $s4 = \"san sang nhan data\" wide\n $s5 = \"ngat ket noi roi\" wide fullword\n $s6 = \"deviceId.txt\" wide fullword\n\n condition:\n 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "ducktail_rdpservice" ], "rule_creation_date": "2023-10-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Ducktail" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1572", "attack.t1021.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dumpert_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582319Z", "creation_date": "2026-03-23T11:46:25.582321Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.582326Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/001/\nhttps://github.com/outflanknl/Dumpert" ], "name": "dumpert.yar", "content": "rule dumpert {\n meta:\n title = \"Dumpert HackTool\"\n id = \"b4260a85-4b0c-46ba-9ce9-80fbaa2f4445\"\n description = \"Detects the LSASS memory dumper Dumpert.\\nDumpert is a tool that extracts LSASS process memory using direct system calls and API unhooking techniques to avoid detection by security solutions.\\nIt attempts to dump memory directly from the LSASS process without relying on traditional methods, making it harder to block.\"\n references = \"https://attack.mitre.org/techniques/T1003/001/\\nhttps://github.com/outflanknl/Dumpert\"\n date = \"2024-01-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.Dumpert\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f323569e5d64a3aa60045bd06c2421e729d1c0d79028aba9e227d9eeaeec62e5\n // 7f7444414773260e15a8716a14b6a77578191be48fc9abb4d354eb8fc04f73fd\n // 78a7a10aa0d5c69e61d8d5413e1d881f6c7d83bd8c0913f6479c4aa27035ebe4\n // 5180c945e25b9d771624130207da3b7ada27bfa0232170081efe6891d54f5b87\n // 3336e757f9157c001de057b38d3eb24c754fcfaad7ac2b571fbe2ea0e18a9ac1\n // 1da30fe79063333fc5fa8dbf291b5bcc0c07e1ae64722b4de7177eecfa261198\n // 002594fd3f52966d800eb451e60f153b491915f853c6098e5009ab6941373e3a\n\n // ascii\n $s1 = \"[+] %s function pointer at: 0x%p\" fullword ascii\n $s2 = \"[+] %s System call nr is: 0x%x\" fullword ascii\n $s3 = \"[+] Unhooking %s.\" ascii fullword\n $s4 = \"[!] Unhooking %s failed.\" ascii fullword\n\n // wide\n $s5 = \"[!] 
ZwProtectVirtualMemory failed.\" wide fullword\n $s6 = \"[!] ZwWriteVirtualMemory failed.\" wide fullword\n $s7 = \"By Cneeliz @Outflank 2019\" wide fullword\n $s8 = \"[!] You need elevated privileges to run this tool!\" wide fullword\n $s9 = \"[1] Checking OS version details:\" wide fullword\n $s10 = \"[+] Operating System is Windows %ls, build number %d\" wide fullword\n $s11 = \"[+] Mapping version specific System calls.\" wide fullword\n $s12 = \"[!] OS Version not supported.\" wide fullword\n $s13 = \"[2] Checking Process details:\" wide fullword\n $s14 = \"[!] Enumerating process failed.\" wide fullword\n $s15 = \"[+] Process ID of %wZ is: %lld\" wide fullword\n $s16 = \"[3] Create memorydump file:\" wide fullword\n $s17 = \"[+] Open a process handle.\" wide fullword\n $s18 = \"[!] Failed to get processhandle.\" wide fullword\n $s19 = \"\\\\Temp\\\\dumpert.dmp\" wide fullword\n $s20 = \"[+] Dump %wZ memory to: %wZ\" wide fullword\n $s21 = \"[!] Failed to create dumpfile.\" wide fullword\n $s22 = \"[!] 
Failed to create minidump, error code: %x\" wide fullword\n $s23 = \"[+] Dump succesful.\" wide fullword\n\n condition:\n 8 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "dumpert" ], "rule_creation_date": "2024-01-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Dumpert" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-dump_sam_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590486Z", "creation_date": "2026-03-23T11:46:25.590488Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590494Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/dump_sam/dump_sam.c" ], "name": "dump_sam.yar", "content": "rule sam_dump {\n meta:\n title = \"SAM Dump HackTool\"\n id = \"2181aab8-607f-4edf-9825-1dd3f2e2b54f\"\n description = \"Detects the Metasploit SAM dump tool used to extract the NTLM hashes from the LSASS process in-memory.\\nTo perform this 
technique, attackers inject code into the Local Security Authority Subsystem (LSASS) process and use APIs from the samsrv.dll library to dump password hashes from the Security Account Manager (SAM) database.\\nIt is recommended to investigate the process at the origin of the code injection into the LSASS process.\"\n references = \"https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/dump_sam/dump_sam.c\"\n date = \"2024-10-09\"\n modified = \"2026-02-23\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1204.002;attack.defense_evasion;attack.t1140;attack.t1055\"\n classification = \"Windows.HackTool.SamDump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 8bdca1b212fec7f790be0b36969248f2f57dc41c7e8c8ea5ec3f93e1ca0b4a52\n // 4c51b58b34131f9755886a04e81ba4669a4ca79fca0cf68d4321cdd06efb873a\n\n $s1 = \"samsrv.dll\" ascii fullword\n $s2 = \"SamIConnect\" ascii fullword\n $s3 = \"SamrEnumerateUsersInDomain\" ascii fullword\n $s4 = \"SamrOpenUser\" ascii fullword\n $s5 = \"SamrQueryInformationUser\" ascii fullword\n $s6 = \"SamIFree_SAMPR_USER_INFO_BUFFER\" ascii fullword\n $s7 = \"SamIFree_SAMPR_ENUMERATION_BUFFER\" ascii fullword\n $s8 = \"SamrCloseHandle\" ascii fullword\n\n $samr_open_domain = { BA FF 07 0F 00 } // mov edx, 0F07FFh\n\n $hash1 = { C7 45 ?? ED 4A 3D D3 } // mov [rbp+57h+var_C8], 0D33D4AEDh\n $hash2 = { C7 45 ?? 89 4D 3F BC } // mov [rbp+57h+var_B0], 0BC3F4D89h\n $hash3 = { C7 45 ?? E8 8A 4D 53 } // mov [rbp+57h+var_98], 534D8AE8h\n $hash4 = { C7 45 ?? 
C3 AD 69 81 } // mov [rbp+57h+var_80], 8169ADC3h\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "sam_dump" ], "rule_creation_date": "2024-10-09", "rule_modified_date": "2026-02-23", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SamDump" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1140", "attack.t1204.002", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-early_cascade_injection_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588463Z", "creation_date": "2026-03-23T11:46:25.588465Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588470Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Cracked5pider/earlycascade-injection/\nhttps://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/" ], "name": "early_cascade_injection.yar", "content": "rule early_cascade_injection {\n meta:\n title = \"Early Cascade Injection\"\n id = \"9a1314b5-b994-4fbe-8572-cdf2ba6af4e0\"\n 
description = \"Detects early cascade injection technique.\\nEarly cascade injection is a process injection technique used to evade security measures by creating multiple processes in a chain. This technique was discovered by Outflank and implemented by @5pider as a sophisticated method for executing malicious code within legitimate processes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/Cracked5pider/earlycascade-injection/\\nhttps://www.outflank.nl/blog/2024/10/15/introducing-early-cascade-injection-from-windows-process-creation-to-stealthy-injection/\"\n date = \"2024-11-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.EarlyCascadeInjection\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f3592125ec88bc5f1f4d2b83a47269d2d8294915a96cb1808c9dc955720ff770\n\n $cascade_stub = {\n 48 83 ec 38 // sub rsp, 38h\n 33 c0 // xor eax, eax\n 45 33 c9 // xor r9d, r9d\n 48 21 44 24 20 // and [rsp+38h+var_18], rax\n\n 48 ba //\n ?? ?? ?? ?? ?? ?? ?? ?? // mov rdx, @cascade_payload\n\n a2 // (offset: 25)\n ?? ?? ?? ?? ?? ?? ?? ?? // mov ds:@g_ShimsEnabled, al\n\n 49 b8 //\n ?? ?? ?? ?? ?? ?? ?? ?? // mov r8, @apc_context\n\n 48 8d 48 fe // lea rcx, [rax-2]\n\n 48 b8 //\n ?? ?? ?? ?? ?? ?? ?? ?? 
// mov rax, @NtQueueApcThread\n\n ff d0 // call rax\n 33 c0 // xor eax, eax\n 48 83 c4 38 // add rsp, 38h\n c3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "early_cascade_injection" ], "rule_creation_date": "2024-11-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.EarlyCascadeInjection" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-earthkapre_downloader_stage1_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577811Z", "creation_date": "2026-03-23T11:46:25.577813Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577819Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt\nhttps://www.trendmicro.com/en_ca/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html\nhttps://go.group-ib.com/hubfs/report/group-ib-redcurl-threat-research-2020-en.pdf" ], "name": 
"earthkapre_downloader_stage1.yar", "content": "rule earthkapre_downloader {\n meta:\n title = \"EarthKapre Downloader\"\n id = \"0e517c10-f758-4305-8de4-4b79da496386\"\n description = \"Detects the EarthKapre Downloader.\\nThis malicious tool downloads and executes a stealer or final payload. Strings are encrypted to hide data, including used APIs and download location. Persistence is insured by creating a scheduled task.\\nEarthKapre (RedCurl) is a threat actor with a focus on corporate espionage.\\nIt is recommended to analyze the context around this alert to look for any subsequent file execution or suspicious activities.\"\n references = \"https://www.esentire.com/blog/unraveling-the-many-stages-and-techniques-used-by-redcurl-earthkapre-apt\\nhttps://www.trendmicro.com/en_ca/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html\\nhttps://go.group-ib.com/hubfs/report/group-ib-redcurl-threat-research-2020-en.pdf\"\n date = \"2025-02-19\"\n modified = \"2025-04-07\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.persistence;attack.t1053.005;attack.defense_evasion;attack.t1055.012;attack.t1140\"\n classification = \"Windows.Loader.EarthKapreDownloader\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 868d382f98a4465b239f9e5b6dc91a46ada7f334df26af9e780dd7fa74dc4e3c\n // cbb4ac9c22522a4be4eb7b5472f7acb2c783557cea97013b4c46813ff664cf56\n // 6ecfa9270b4f81746215dd3b8d1696bf0ead22be63ef62c90edecba223aeebc8\n // 2347e3b48c717399b001209442b4a23d39ecf5e22aa728951a0328983b17308f\n // 88edd697a50ef6bc1fb6cecd6867227c090cd6072cbfc5e01fcf7ccf2e11ee04\n // 065193271e823bbeeda8dae5ed2b8633ca7b1d39460c3bb7b0f13509e9220f3b\n\n $op1 = 
/(((\\xc1[\\xe8-\\xef])|(\\x41\\xc1[\\xe8-\\xef]))\\x1e)(((\\x69[\\xc0\\xc9\\xd2\\xdb\\xe4\\xed\\xf6\\xff])|(\\x45\\x69[\\xc0\\xc9\\xd2\\xdb\\xe4\\xed\\xf6\\xff]))\\xff\\xff\\xff\\x7f)(([\\x29\\x2b][\\xc1-\\xc8\\xca-\\xd1\\xd3-\\xda\\xdc-\\xe3\\xe5-\\xec\\xee-\\xf5\\xf7-\\xfe])|(\\x41([\\x29\\x2b][\\xc0-\\xff])|\\x44([\\x29\\x2b][\\xc0-\\xff])|\\x45([\\x29\\x2b][\\xc1-\\xc8\\xca-\\xd1\\xd3-\\xda\\xdc-\\xe3\\xe5-\\xec\\xee-\\xf5\\xf7-\\xfe])))(((\\x69[\\xc1-\\xc8\\xca-\\xd1\\xd3-\\xda\\xdc-\\xe3\\xe5-\\xec\\xee-\\xf5\\xf7-\\xfe])|([\\x41\\x44]\\x69[\\xc0-\\xff]|\\x45\\x69[\\xc1-\\xc8\\xca-\\xd1\\xd3-\\xda\\xdc-\\xe3\\xe5-\\xec\\xee-\\xf5\\xf7-\\xfe]))\\x8f\\xbc\\x00\\x00)/ ascii\n // C1 E8 1E // shr eax, 1Eh\n // 69 C0 FF FF FF 7F // imul eax, 7FFFFFFFh\n // 44 2B C0 // sub ecx, eax\n // 44 69 C1 8F BC 00 00 // imul r8d, ecx, 0BC8Fh\n //... and variants thereof\n $str1 = \"GetSystemTimeAsFileTime\" ascii fullword\n $str2 = /LegalCopyright.[a-zA-Z]{4,32}\\sCopyright\\s\\(C\\)\\s20\\d{2}/ wide fullword\n\n condition:\n filesize > 10KB and filesize < 2MB\n and (uint16be(0)==0x4D5A)\n and (#op1 > 5) // De-XORing loop\n and ((@op1[2] - @op1[1]) < 100) // Within same func\n and (all of ($str*)) // Single unmasked import + generated PE infos\n}\n", "rule_count": 1, "rule_names": [ "earthkapre_downloader" ], "rule_creation_date": "2025-02-19", "rule_modified_date": "2025-04-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.EarthKapreDownloader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1106", "attack.t1053.005", "attack.t1055.012" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edr_freeze_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576153Z", "creation_date": "2026-03-23T11:46:25.576156Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576162Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/TwoSevenOneT/EDR-Freeze" ], "name": "edr_freeze.yar", "content": "rule edr_freeze {\n meta:\n title = \"EDR-Freeze HackTool\"\n id = \"0ab6ffbc-02ad-4004-bb72-a36d520205bf\"\n description = \"Detects EDR-Freeze, a tool designed to freeze the EDR processes using WerFaultSecure.exe and MiniDump APIs.\\nEDR-Freeze operates by creating a MiniDump that freezes a specific process.\\nIt is recommended to examine the context in which this tool is executed to determine whether its use is legitimate.\"\n references = \"https://github.com/TwoSevenOneT/EDR-Freeze\"\n date = \"2025-10-13\"\n modified = \"2025-10-13\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1574\"\n classification = \"Windows.HackTool.EDR-Freeze\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 970c7834e58b6ef22473875167a333dbb33bf7b667d1cb814829f68579cd85f7\n\n $s1 = \"D:\\\\Projects\\\\PPL\\\\EDR-Freeze\\\\x64\\\\Release\\\\EDR-Freeze.pdb\" ascii fullword\n $s2 = \"Two Seven One Three: https://x.com/TwoSevenOneT\" wide fullword\n $s3 = 
\"EDR-Freeze.exe 1234 10000\" wide fullword\n $s4 = \"Failed to find main thread for PID\" wide fullword\n $s5 = \"Kill WER successfully. PID:\" wide fullword\n $s6 = \"Freeze the target for 10000 milliseconds\" wide fullword\n\n $f1 = \"C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\" wide fullword\n $f2 = \"Process suspended successfully.\" ascii fullword\n $f3 = \"Process terminated successfully.\" ascii fullword\n $f4 = \"NtSuspendProcess failed. Error code:\" ascii fullword\n $f5 = \"==================================================\" wide fullword\n\n condition:\n 2 of ($s*) or (all of ($f*))\n}\n", "rule_count": 1, "rule_names": [ "edr_freeze" ], "rule_creation_date": "2025-10-13", "rule_modified_date": "2025-10-13", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EDR-Freeze" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1574" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edr_killer_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588990Z", "creation_date": "2026-03-23T11:46:25.588992Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588998Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/\nhttps://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/" ], "name": "edr_killer_driver.yar", "content": "rule edr_killer_driver {\n meta:\n title = \"EDR Killer Driver\"\n id = \"75e2df4d-f3fc-4bd2-9520-35f80149cd46\"\n description = \"Detects a malicious driver associated with the emerging Akira ransomware campaign.\\nSpecifically, it targets the unsigned kernel-mode driver hlpdrv.sys used in a bring-your-own-vulnerable-driver (BYOVD) chain, often loaded via the legitimate rwdrv.sys driver.\\nAttackers leverage this driver to disable endpoint protections such as Microsoft Defender on compromised systems.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/\\nhttps://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/\"\n date = \"2025-12-08\"\n modified = \"2026-01-27\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Driver.EDRKiller\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56\n\n $s1 = \"Process image path: %ws\"\n $s2 = \"HandleIoctl: IOCTL CALLED: 0x%x\"\n $s3 = \"HandleIoctl: PsLookupProcessByProcessId pid:0x%x\"\n $s4 = \"HandleIoctl: TerminateProcessByPID failed with status 0x%x\"\n $s5 = \"Driver initialized successfully.\"\n\n condition:\n all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "edr_killer_driver" ], "rule_creation_date": "2025-12-08", "rule_modified_date": "2026-01-27", "rule_os": [ "windows" ], 
"rule_classifications": [ "Windows.Driver.EDRKiller" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edr_redir_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581672Z", "creation_date": "2026-03-23T11:46:25.581675Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581684Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/TwoSevenOneT/EDR-Redir" ], "name": "edr_redir.yar", "content": "rule edr_redir {\n meta:\n title = \"EDR-Redir HackTool\"\n id = \"90cbc507-349e-49f1-a848-40a4dbf4641d\"\n description = \"Detects EDR-Redir, a tool developed by TwoSevenOneT to impair EDRs using path redirections.\\nEDR-Redir is known to target EDR solutions by using a Bind Filter (mini filter bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the EDR's working folder to a folder of the attacker's choice.\\nIt is recommended to quarantine detected files, check the integrity of running security solutions and to investigate for 
any other malicious actions on the host.\"\n references = \"https://github.com/TwoSevenOneT/EDR-Redir\"\n date = \"2025-10-28\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.HackTool.EDR-Redir\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0e5f61fc92adea436b9a1c6ad2b7a77123f8524a2caac61bec5bf2f3a9ea0bcf\n\n $edr_redir_1 = \"GitHub: https://github.com/TwoSevenOneT/EDR-Redir\" wide fullword\n $edr_redir_2 = \"EDR-Redir.exe: Tool to redirect the EDR to another location\" wide fullword\n $edr_redir_3 = \"EDR-Redir.exe bind \" wide fullword\n $edr_redir_4 = \"To remove a syncroot that was previously created\" wide fullword\n $edr_redir_5 = \"Failed to register sync root. HRESULT: \" wide fullword\n $edr_redir_6 = \"Cloud filter usage: EDR-Redir.exe cloud create\" wide fullword\n $edr_redir_7 = \"Two Seven One Three: https://x.com/TwoSevenOneT\" wide fullword\n\n condition:\n 3 of ($edr_redir_*)\n}\n", "rule_count": 1, "rule_names": [ "edr_redir" ], "rule_creation_date": "2025-10-28", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EDR-Redir" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edrsandblast_generic_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563255Z", "creation_date": "2026-03-23T11:46:25.563259Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563267Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/wavestone-cdt/EDRSandblast" ], "name": "edrsandblast_generic.yar", "content": "rule edrsandblast {\n meta:\n title = \"EDRSandblast HackTool\"\n id = \"70d11aed-45c6-470d-966b-bfe4fac30782\"\n description = \"Detects EDRSandblast, a tool developed by Wavestone designed to kill or silence EDRs using various techniques including ETW silencing or kernel callback tampering.\\nEDRSandblast is known to target EDR solutions through methods like ETW (Event Tracing for Windows) silencing, driver interference, and kernel callback manipulation.\\nIt is recommended to quarantine detected files, check the integrity of running security solutions and to investigate for any other malicious actions on the host.\"\n references = \"https://github.com/wavestone-cdt/EDRSandblast\"\n date = \"2023-05-05\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.HackTool.EDRSandblast\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a783abe25e1e450339d646df8e58502b8452984d82c660d09c7661d8e6f75f33\n // 22940c6fc95a843810765a454ba73ec7c28ca08737087c9136571aa96831fbbe\n\n $check_for_debugger = {\n 48 89 ?? ?? ?? // mov [rsp+JMC_flag], rcx\n 48 83 ?? ?? // sub rsp, 38h\n 48 8B ?? ?? ?? 
// mov rax, [rsp+38h+JMC_flag]\n 48 89 ?? ?? ?? // mov [rsp+38h+__DebuggerLocalJMCFlag], rax\n 48 8B ?? ?? ?? // mov rax, [rsp+38h+JMC_flag]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_140029E57\n 83 ?? ?? ?? ?? 00 00 // cmp cs:__DebuggerCurrentSteppingThreadId, 0\n 74 ?? // jz short loc_140029E57\n FF ?? ?? ?? ?? 00 // call cs:__imp_GetCurrentThreadId\n 39 ?? ?? ?? ?? 00 // cmp cs:__DebuggerCurrentSteppingThreadId, eax\n 75 ?? // jnz short loc_140029E57\n 90 // nop\n 48 83 ?? ?? // add rsp, 38h\n C3 // retn\n }\n\n $vuln_driver_install_1 = {\n E8 ?? ?? FF FF // call j_GetDriverServiceName\n 48 ?? ?? ?? // mov [rbp+110h+svcName], rax\n C7 ?? ?? ?? 01 00 00 00 // mov [rsp+140h+startIt], 1 ; startIt\n C7 ?? ?? ?? 02 00 00 00 // mov [rsp+140h+startType], 2 ; startType\n 41 B9 01 00 00 00 // mov r9d, 1 ; serviceType\n 4C 8B ?? ?? ?? 00 00 // mov r8, [rbp+110h+driverPath] ; binPath\n 48 8B ?? ?? // mov rdx, [rbp+110h+svcName] ; displayName\n 48 8B ?? ?? // mov rcx, [rbp+110h+svcName] ; serviceName\n E8 ?? ?? FF FF // call j_ServiceInstall\n }\n\n $vuln_driver_install_2 = {\n 41 B9 10 00 06 00 // mov r9d, 60010h ; dwDesiredAccess\n 4C 8B ?? ?? ?? ?? ?? // mov r8, [rbp+110h+displayName] ; lpDisplayName\n 48 8B ?? ?? ?? ?? ?? // mov rdx, [rbp+110h+serviceName] ; lpServiceName\n 48 8B ?? ?? // mov rcx, [rbp+110h+hSC] ; hSCManager\n FF ?? ?? ?? ?? 00 // call cs:__imp_CreateServiceW\n }\n\n $get_ntoskrnl_offset_online = {\n 8B C0 // mov eax, eax\n 48 89 05 ?? ?? ?? 00 // mov qword ptr cs:g_ntoskrnlOffsets+28h, rax\n 4C 8D 05 ?? ?? ?? 00 // lea r8, aProviderenable ; \"ProviderEnableInfo\"\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aEtwGuidEntry ; \"_ETW_GUID_ENTRY\"\n 48 8B ?? ?? // mov rcx, [rbp+0F0h+sym_ctx] ; ctx\n E8 ?? ?? ?? FF // call j_GetFieldOffset\n 8B C0 // mov eax, eax\n 48 89 05 ?? ?? ?? 00 // mov qword ptr cs:g_ntoskrnlOffsets+30h, rax\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aPsprocesstype ; \"PsProcessType\"\n 48 8B ?? ?? 
// mov rcx, [rbp+0F0h+sym_ctx] ; ctx\n E8 ?? ?? ?? FF // call j_GetSymbolOffset\n 48 89 05 ?? ?? ?? 00 // mov qword ptr cs:g_ntoskrnlOffsets+38h, rax\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aPsthreadtype ; \"PsThreadType\"\n 48 8B ?? ?? // mov rcx, [rbp+0F0h+sym_ctx] ; ctx\n E8 ?? ?? ?? FF // call j_GetSymbolOffset\n 48 89 05 ?? ?? ?? 00 // mov qword ptr cs:g_ntoskrnlOffsets+40h, rax\n 4C 8D 05 ?? ?? ?? 00 // lea r8, aCallbacklist ; \"CallbackList\"\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aObjectType ; \"_OBJECT_TYPE\"\n 48 8B ?? ?? // mov rcx, [rbp+0F0h+sym_ctx] ; ctx\n E8 ?? ?? ?? FF // call j_GetFieldOffset\n 8B C0 // mov eax, eax\n }\n\n $edr_driver_1 = \"DwShield.sys\" wide\n $edr_driver_2 = \"CpAvKernel.sys\" wide\n $edr_driver_3 = \"Spiderg3.sys\" wide\n $edr_driver_4 = \"fortishield.sys\" wide\n $edr_driver_5 = \"SophosED.sys\" wide\n $edr_driver_6 = \"DTDSel.sys\" wide\n $edr_driver_7 = \"isecureflt.sys\" wide\n $edr_driver_8 = \"JKPPOK.sys\" wide\n $edr_driver_9 = \"ctifile.sys\" wide\n $edr_driver_10 = \"QQProtect.sys\" wide\n $edr_driver_11 = \"GEProtection.sys\" wide\n $edr_driver_12 = \"IronGateFD.sys\" wide\n\n $rt_core = \"\\\\\\\\.\\\\RTCore64\" fullword wide\n\n condition:\n ($check_for_debugger and (all of ($vuln_driver_install_*) or $get_ntoskrnl_offset_online))\n or (all of ($edr_driver_*) and $rt_core)\n}\n", "rule_count": 1, "rule_names": [ "edrsandblast" ], "rule_creation_date": "2023-05-05", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EDRSandblast" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edrsandblast_strings_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571503Z", "creation_date": "2026-03-23T11:46:25.571505Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571511Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/wavestone-cdt/EDRSandblast" ], "name": "edrsandblast_strings.yar", "content": "rule edrsandblast_strings {\n meta:\n title = \"EDRSandblast HackTool Strings\"\n id = \"f793d32f-60ab-4050-b483-0c2649c25f07\"\n description = \"Detects strings proper to EDRSandblast, a tool developed by Wavestone designed to kill or silence EDRs using various techniques including ETW silencing or kernel callback tampering.\\nEDRSandblast is known to target EDR solutions through methods like ETW (Event Tracing for Windows) silencing, driver interference, and kernel callback manipulation.\\nIt is recommended to quarantine detected files, check the integrity of running security solutions and to investigate for any other malicious actions on the host.\"\n references = \"https://github.com/wavestone-cdt/EDRSandblast\"\n date = \"2022-09-12\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1601.001\"\n classification = \"Windows.HackTool.EDRSandblast\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these 
samples:\n // a783abe25e1e450339d646df8e58502b8452984d82c660d09c7661d8e6f75f33\n // 22940c6fc95a843810765a454ba73ec7c28ca08737087c9136571aa96831fbbe\n\n $s1 = \"EDRSandblast\" ascii\n $s2 = \"EDRSandblast\" wide\n\n $s3 = \"NtoskrnlOffsets.csv\" wide\n $s4 = \"WdigestOffsets.csv\" wide\n\n $s5 = \"Kernel callbacks\" wide\n $s6 = \"--unhook-method\" wide\n $s7 = \"RTCore64.sys\" wide\n $s8 = \"Psp%sNotifyRoutine:\" wide\n $s9 = \"Found callback belonging to EDR driver\" wide\n $s10 = \"\\\\\\\\.\\\\RTCore64\" fullword wide\n\n condition:\n 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "edrsandblast_strings" ], "rule_creation_date": "2022-09-12", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EDRSandblast" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1601.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-edrsilencer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576051Z", "creation_date": "2026-03-23T11:46:25.576053Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576059Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": 
"strong", "rule_confidence_override": null, "references": [ "https://github.com/netero1010/EDRSilencer\nhttps://attack.mitre.org/techniques/T1562/004/" ], "name": "edrsilencer.yar", "content": "rule edrsilencer {\n meta:\n title = \"EDRSilencer HackTool\"\n id = \"af108d15-6cb6-44e2-9120-e2a1f69dad59\"\n description = \"Detects EDRSilencer, a tool designed to block outbound network traffic of running EDR processes using Windows Filtering Platform (WFP) APIs.\\nEDRSilencer operates by creating WFP filters to block network communication of specific EDR processes.\"\n references = \"https://github.com/netero1010/EDRSilencer\\nhttps://attack.mitre.org/techniques/T1562/004/\"\n date = \"2024-01-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.004;attack.t1574\"\n classification = \"Windows.HackTool.EDRSilencer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3b2de5c23a09cee3661dd8f499d43ca5275159c64bd567cfcc133aceac5b2573\n // bb666500ada02a8d55297c8af05cc89c5e48f154327c8a318a15f5e4e40de31f\n // 721af117726af1385c08cc6f49a801f3cf3f057d9fd26fcec2749455567888e7\n\n $s1 = \"[-] FwpmEngineOpen0 failed with error code: 0x%x\" ascii fullword\n $s2 = \"[-] CreateToolhelp32Snapshot (of processes) failed with error code: 0x%x\" ascii fullword\n $s3 = \"Detected running EDR process: %s (%d):\" ascii fullword\n $s4 = \"Added WFP filter for \\\"%s\\\" (Filter id: %d, IPv4 layer).\" ascii fullword\n $s5 = \"[-] No EDR process was detected. 
Please double check the edrProcess list or add the filter manually using 'block' command.\" ascii fullword\n $s6 = \"Deleted filter id: %llu.\" ascii fullword\n $s7 = \"EDRSilencer.exe blockedr\" ascii\n\n $f1 = \"FwpmEngineOpen0\" ascii fullword\n $f2 = \"FwpmFilterAdd0\" ascii fullword\n $f3 = \"FwpmFilterCreateEnumHandle0\" ascii fullword\n\n $edr1 = \"MsMpEng.exe\" ascii fullword\n $edr2 = \"elastic-agent.exe\" ascii fullword\n $edr3 = \"QualysAgent.exe\" ascii fullword\n $edr4 = \"SentinelAgent.exe\" ascii fullword\n $edr5 = \"CylanceSvc.exe\" ascii fullword\n $edr6 = \"CybereasonAV.exe\" ascii fullword\n $edr7 = \"TaniumCX.exe\" ascii fullword\n $edr8 = \"fortiedr.exe\" ascii fullword\n\n condition:\n 4 of ($s*) or (all of ($f*) and 5 of ($edr*))\n}\n", "rule_count": 1, "rule_names": [ "edrsilencer" ], "rule_creation_date": "2024-01-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EDRSilencer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.004", "attack.t1574" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-efspotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586279Z", "creation_date": "2026-03-23T11:46:25.586281Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586286Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/zcgonvh/EfsPotato/\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "efspotato.yar", "content": "rule efspotato {\n meta:\n title = \"EfsPotato HackTool\"\n id = \"8c554ccf-b6df-4edd-b451-ec90923f68c0\"\n description = \"Detects the EfsPotato HackTool.\\nEfsPotato is a privilege escalation tool that exploits the MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privilege escalation vulnerability.\\nIt is recommended to investigate the affected process and its potential children for elevated privileges.\"\n references = \"https://github.com/zcgonvh/EfsPotato/\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2024-02-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.EfsPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 92b3d78269edf254ffd28dded1c57ba8ac87c5241b96035de02bd08a2450db47\n\n $s1 = \"[x] RpcStringBindingCompose failed with status 0x\" wide fullword\n $s2 = \"[x] RpcBindingFromStringBinding failed with status 0x\" wide fullword\n $s3 = \"[x] RpcBindingSetAuthInfo failed with status 0x\" wide fullword\n $s4 = \"[x] RpcBindingSetOption failed with status 0x\" wide fullword\n $s5 = \"[x] SeImpersonatePrivilege not held.\" wide fullword\n\n condition:\n 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "efspotato" ], "rule_creation_date": "2024-02-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.EfsPotato" ], "rule_tactic_tags": [ 
"attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ekko_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571720Z", "creation_date": "2026-03-23T11:46:25.571722Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571728Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Cracked5pider/Ekko\nhttps://github.com/rad9800/misc/blob/main/bypasses/RtlRegisterWait.c\nhttps://attack.mitre.org/techniques/T1027/" ], "name": "ekko.yar", "content": "rule ekko {\n meta:\n title = \"Ekko Technique\"\n id = \"fb68eb04-32e3-4b0f-9399-19fe3fd2562b\"\n description = \"Detects the Ekko sleep obfuscation technique.\\nThe Ekko sleep obfuscation technique uses the worker threads to encrypt the payload's own image in-memory during execution.\\nTo do so, it uses Windows API functions CreateTimerQueueTimer and RtlRegisterWait.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = 
\"https://github.com/Cracked5pider/Ekko\\nhttps://github.com/rad9800/misc/blob/main/bypasses/RtlRegisterWait.c\\nhttps://attack.mitre.org/techniques/T1027/\"\n date = \"2024-03-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Generic.Ekko\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 05e382013be893344cec5dc1dda21de8e6326a8e6edb19a72726bc9eb3619b04\n // 0040f242adf89fa2032c8f66bcfec170244d25aa9d55f8f108f39a0202442a3d\n\n $stub_gadget_population_00 = {\n 48 89 ?? 24 ?? 06 00 00 // mov [rsp+38h+arg_630], rdx\n 4C 89 ?? 24 ?? 0A 00 00 // mov [rsp+38h+arg_A88], r8\n 48 89 ?? 24 ?? 06 00 00 // mov [rsp+38h+arg_5F8], rax\n 48 89 ?? 24 ?? 0A 00 00 // mov [rsp+38h+arg_A90], rcx\n 48 83 ?? 24 ?? 06 00 00 08 // sub [rsp+38h+arg_5D0], 8\n 48 83 ?? 24 ?? 0A 00 00 08 // sub [rsp+38h+arg_AA0], 8\n 4C 89 ?? 24 ?? 06 00 00 // mov [rsp+38h+arg_5B8], r14\n 4C 89 ?? 24 ?? 06 00 00 // mov [rsp+38h+arg_5C0], r13\n 48 C7 ?? 24 ?? 06 00 00 04 00 00 00 // mov [rsp+38h+arg_5F0], 4\n 4C 89 ?? 24 ?? 0B 00 00 // mov [rsp+38h+arg_B00], r15\n 48 83 ?? 24 ?? 0F 00 00 08 // sub [rsp+38h+arg_F70], 8\n }\n\n $stub_gadget_population_01 = {\n 4C 89 ?? 24 ?? 14 00 00 // mov [rsp+38h+arg_1428], r8\n 48 89 ?? 24 ?? 19 00 00 // mov [rsp+38h+arg_1970], rdx\n 48 83 ?? 24 ?? 14 00 00 08 // sub [rsp+38h+arg_1440], 8\n 48 83 ?? 24 ?? 19 00 00 08 // sub [rsp+38h+arg_1910], 8\n 48 83 ?? 24 ?? 1E 00 00 08 // sub [rsp+38h+arg_1DE0], 8\n 48 89 ?? 24 ?? 10 00 00 // mov [rsp+38h+arg_FD0], rbx\n 48 C7 ?? 24 ?? 0F 00 00 FF FF FF FF // mov [rsp+38h+arg_F58], 0FFFFFFFFFFFFFFFFh\n 48 89 ?? 24 ?? 0F 00 00 // mov [rsp+38h+arg_F60], rsi\n 4C 89 ?? 24 ?? 14 00 00 // mov [rsp+38h+arg_14A0], r15\n 4C 89 ?? 24 ?? 19 00 00 // mov [rsp+38h+arg_18F8], r14\n 4C 89 ?? 24 ?? 19 00 00 // mov [rsp+38h+arg_1900], r13\n 48 C7 ?? 24 ?? 
19 00 00 40 00 00 00 // mov [rsp+38h+arg_1930], 40h ; '@'\n 48 89 84 24 10 1E 00 00 // mov [rsp+38h+arg_1DC8], rax\n }\n\n $stub_gadget_population_02 = {\n 48 C7 ?? E0 0E 00 00 FF FF FF FF // mov [rbp+21E0h+var_1300], 0FFFFFFFFFFFFFFFFh\n 8B ?? ?? 21 00 00 // mov eax, [rbp+21E0h+arg_0]\n 48 89 ?? E8 0E 00 00 // mov [rbp+21E0h+var_12F8], rax\n 48 8B ?? 28 0A 00 00 // mov rax, [rbp+21E0h+var_17B8]\n 48 83 ?? 08 // sub rax, 8\n 48 89 ?? 28 0A 00 00 // mov [rbp+21E0h+var_17B8], rax\n 48 8B ?? A8 21 00 00 // mov rax, [rbp+21E0h+var_38]\n 48 89 ?? 88 0A 00 00 // mov [rbp+21E0h+var_1758], rax\n ?? ?? ?? ?? // lea rax, [rbp+21E0h+var_2230]\n 48 89 ?? 10 0A 00 00 // mov [rbp+21E0h+var_17D0], rax\n ?? ?? ?? ?? // lea rax, [rbp+21E0h+var_2220]\n 48 89 ?? 18 0A 00 00 // mov [rbp+21E0h+var_17C8], rax\n 48 8B ?? 58 05 00 00 // mov rax, [rbp+21E0h+var_1C88]\n 48 83 ?? 08 // sub rax, 8\n }\n\n condition:\n 1 of ($stub*)\n}\n", "rule_count": 1, "rule_names": [ "ekko" ], "rule_creation_date": "2024-03-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.Ekko" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-emotet_api_hashing_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.567420Z", "creation_date": "2026-03-23T11:46:25.567423Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567428Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0367/\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a\nhttps://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/\nhttps://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf" ], "name": "emotet_api_hashing.yar", "content": "rule emotet_api_hashing {\n meta:\n title = \"Emotet Trojan API Hashing\"\n id = \"d127137e-715b-459c-893d-40b433e36b65\"\n description = \"Detects API hashing techniques used by the Emotet Trojan.\\nEmotet is a sophisticated Trojan known for its banking trojan activity and various evasion techniques. This rule focuses on detecting its use of API hashing or DLL name manipulation to hide its malicious activities. 
The Emotet Trojan often employs these techniques to disguise its operations and avoid detection by security solutions.\\nIt is recommended to investigate the context around this alert to quarantine infected files.\"\n references = \"https://attack.mitre.org/software/S0367/\\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a\\nhttps://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/\\nhttps://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf\"\n date = \"2023-04-11\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.s0367;attack.defense_evasion;attack.t1027;attack.persistence;attack.t1543.003;attack.command_and_control;attack.t1204.001\"\n classification = \"Windows.Trojan.Emotet\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d1d4dacc9603a8659445398adec5e9ebdb6755e446626e14884f435ed510c42a\n // 3cae2c5fc6ffa7b5c7cb51d150bbe8e05a56f462dc8047a27f574a4e3dd23fbe\n // 8c1db84c9f86675e3487960e5275fdf2e690b53eff1879e2d72673463fe1055a\n // eac5c6cd3836bed3cfee274587583fa29a629d0bb7ce3aa54a2691c69329d307\n // 0791f0df822c5f03404d2643b49728c458a4493423b2d3359866e6643b1a1e5a\n // 8ec69127e6c6676189caf841242091ddd3365b52d4bf91967338534cf14eb9e5\n\n // do\n // {\n // v6 = v2 % 32;\n // ++v2;\n // *((_BYTE *)BaseAddress + v5) = *((_BYTE *)Resource + v5) ^ aMq1TVu6dTJwlro[v6];\n // ++v5;\n // }\n // while ( (unsigned __int64)v2 < *(_QWORD *)Size );\n\n $hashing_1 = {\n 48 63 C8 // movsxd rcx, eax\n FF C3 // inc ebx\n 48 8B ?? ?? ?? // mov rax, [rsp+328h+Resource]\n 0F B6 ?? ?? ?? ?? ?? 00 // movzx ecx, byte ptr [rcx+rsi+54220h]\n 32 0C 02 // xor cl, [rdx+rax]\n 48 8B ?? ?? ?? // mov rax, [rsp+328h+BaseAddress]\n 88 0C 02 // mov [rdx+rax], cl\n 48 FF ?? // inc rdx\n 48 63 C3 // movsxd rax, ebx\n 48 3B ?? ?? ?? 
// cmp rax, qword ptr [rsp+328h+Size]\n }\n\n // for ( i = 0; (unsigned __int64)i < *(_QWORD *)Size; ++i )\n // *((_BYTE *)BaseAddress + i) = v8[i % 38] ^ *((_BYTE *)Resource + i);\n // result = a2;\n // *a2 = BaseAddress;\n $hashing_2 = {\n 99 // cdq\n B9 ?? 00 00 00 // mov ecx, 26h ; '&'\n F7 F9 // idiv ecx\n 8B C2 // mov eax, edx\n 48 98 // cdqe\n 48 8B ?? ?? ?? // mov rcx, [rsp+358h+var_2F8]\n 0F B6 04 01 // movzx eax, byte ptr [rcx+rax]\n 8B 4C ?? ?? // mov ecx, [rsp+358h+var_320]\n 33 C8 // xor ecx, eax\n 8B C1 // mov eax, ecx\n 48 63 ?? ?? ?? // movsxd rcx, [rsp+358h+var_328]\n 48 8B ?? ?? ?? // mov rdx, [rsp+358h+BaseAddress]\n 88 04 0A // mov [rdx+rcx], al\n }\n\n // do\n // {\n // v6 = v2;\n // v7 = (unsigned __int64)(3926827243i64 * v2++) >> 32;\n // *((_BYTE *)BaseAddress + v5) = *((_BYTE *)Resource + v5) ^ aCjtxejprlwXhrg[v6\n // - 35\n // * (((unsigned int)v7 >> 31) + (v7 >> 5))];\n // ++v5;\n // }\n // while ( (unsigned __int64)v2 < *(_QWORD *)Size );\n\n $hashing_3 = {\n 6B C2 ?? // imul eax, edx, 23h ; '#'\n 2B C8 // sub ecx, eax\n 48 8B ?? ?? ?? // mov rax, [rsp+320h+Resource]\n 48 63 D1 // movsxd rdx, ecx\n 8A 8C ?? ?? ?? ?? ?? // mov cl, [rdx+rsi+68080h]\n ?? 32 0C ?? // xor cl, [r8+rax]\n 48 8B ?? ?? ?? // mov rax, [rsp+320h+BaseAddress]\n ?? ?? 0C ?? 
// mov [r8+rax], cl\n 49 FF C0 // inc r8\n }\n\n $exclusion_agile_dotnet_packer = \"Agile.NET runtime internal error occurred.\" ascii\n\n condition:\n 1 of ($hashing_*) and not 1 of ($exclusion_*)\n}\n", "rule_count": 1, "rule_names": [ "emotet_api_hashing" ], "rule_creation_date": "2023-04-11", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Emotet" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1543.003", "attack.t1204.001", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-emotet_onenote_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567452Z", "creation_date": "2026-03-23T11:46:25.567454Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567460Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0367/\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a" ], "name": "emotet_onenote_dll.yar", "content": "rule emotet_onenote_dll {\n meta:\n title = \"Emotet 
Injected Thread\"\n id = \"6db9fe0d-eff3-4cb5-b9b8-9ce2f39a3a33\"\n description = \"Detects the Emotet OneNote injected DLL delivered through .wsf files in OneNote documents and injected into regsvr.exe.\\nEmotet is a sophisticated banking trojan known for its modular architecture and ability to evade detection. Some samples arrive as a malicious OneNote document containing a .wsf file, which executes when the document is opened. The injected DLL uses specific shellcode patterns to establish persistence and communication.\\nIt is recommended to investigate the context around this alert, analyze the loaded DLL or the memory region associated with this detection, and check for related processes or files linked to Emotet's activities.\"\n references = \"https://attack.mitre.org/software/S0367/\\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a\"\n date = \"2023-02-13\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.s0367;attack.defense_evasion;attack.t1027;attack.persistence;attack.t1543.003;attack.command_and_control;attack.t1204.001\"\n classification = \"Windows.Trojan.Emotet\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5d65ab3b6748ba7034dc0588f2d61fa43e7fce7ed5ee6ab533e2f08274bc5d22\n\n $register_server = \"DllRegisterServer\" ascii\n\n $shellcode_1 = {\n C7 45 ?? ?? ?? ?? ?? // mov [rbp+40h+arg_10], 0C003h\n 8B 45 ?? // mov eax, [rbp+40h+arg_10]\n 8D 0C C0 // lea ecx, [rax+rax*8]\n B8 ?? ?? ?? ?? // mov eax, 88888889h\n C1 E1 03 // shl ecx, 3\n 89 4D ?? // mov [rbp+40h+arg_10], ecx\n 8B 4D ?? // mov ecx, [rbp+40h+arg_10]\n F7 E1 // mul ecx\n C1 EA 04 // shr edx, 4\n 89 55 ?? // mov [rbp+40h+arg_10], edx\n 81 75 ?? ?? ?? ?? ?? // xor [rbp+40h+arg_10], 2DB42AE3h\n 81 75 ?? ?? ?? ?? ?? // xor [rbp+40h+arg_10], 17476684h\n 81 75 ?? ?? ?? ?? ?? 
// xor [rbp+40h+arg_10], 3AF98305h\n }\n\n // hash func\n $shellcode_2 = {\n 8B CB // mov ecx, ebx\n 41 8B D0 // mov edx, r8d\n D3 E2 // shl edx, cl\n 41 8B CB // mov ecx, r11d\n D3 E0 // shl eax, cl\n 03 D0 // add edx, eax\n 41 0F BE C1 // movsx eax, r9b\n 03 D0 // add edx, eax\n 41 2B D0 // sub edx, r8d\n 49 FF C2 // inc r10\n 44 8B C2 // mov r8d, edx\n }\n\n $sub_n_shift_1 = {\n F7 E1 // mul ecx\n 2B CA // sub ecx, edx\n D1 E9 // shr ecx, 1\n 03 CA // add ecx, edx\n C1 E9 06 // shr ecx, 6\n 89 4D ?? // mov [rbp+arg_8], ecx\n }\n\n $sub_n_shift_2 = {\n F7 E1 // mul ecx\n 2B CA // sub ecx, edx\n D1 E9 // shr ecx, 1\n 03 CA // add ecx, edx\n C1 E9 04 // shr ecx, 4\n 89 ?? ?? ?? // mov [rsp+68h+var_24], ecx\n }\n\n $sub_n_shift_3 = {\n 44 8B ?? ?? ?? // mov r8d, [rsp+28h+arg_0]\n 41 F7 E0 // mul r8d\n 44 2B C2 // sub r8d, edx\n 41 D1 E8 // shr r8d, 1\n 44 03 C2 // add r8d, edx\n 41 C1 E8 05 // shr r8d, 5\n }\n\n condition:\n $register_server and (\n ((#sub_n_shift_1 > 50) and (#sub_n_shift_2 > 50) and (#sub_n_shift_3 > 50))\n or all of ($shellcode_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "emotet_onenote_dll" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Emotet" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1543.003", "attack.t1204.001", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-empire_invoke_psinject_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567137Z", "creation_date": "2026-03-23T11:46:25.567139Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567145Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/EmpireProject/Empire" ], "name": "empire_invoke_psinject.yar", "content": "rule empire_invoke_psinject {\n meta:\n title = \"Empire Framework Invoke-PSInject Injected Thread\"\n id = \"eeda42e9-d70b-426f-a044-2f29ac787f32\"\n description = \"Detects the use of Empire's Invoke-PSInject module for PowerShell-based process injection.\\nInvoke-PSInject is a module within the Empire framework designed to inject shellcode into remote processes using PowerShell.\\nThis technique is commonly used for executing malicious commands, establishing persistence, or performing lateral movement within a compromised environment.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/EmpireProject/Empire\"\n date = \"2020-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0363;attack.t1055\"\n classification = \"Windows.Framework.Empire\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1#L1263\n // #Write Shellcode to the remote process which will call LoadLibraryA (Shellcode: LoadLibraryA.asm)\n $LoadLibrarySC1 = {\n 53 // push rbx\n 48 
89 e3 // mov rbx, rsp\n 48 83 ec 20 // sub rsp, 0x20\n 66 83 e4 c0 // and sp, 0xffc0\n 48 b9 ?? ?? ?? ?? ?? ?? ?? ?? // movabs rcx, ?????????\n 48 ba ?? ?? ?? ?? ?? ?? ?? ?? // movabs rdx, ?????????\n ff d2 // call rdx\n 48 ba ?? ?? ?? ?? ?? ?? ?? ?? // movabs rdx, ?????????\n 48 89 02 // mov qword [rdx], rax\n 48 89 dc // mov rsp, rbx\n 5b // pop rbx\n c3 // ret\n }\n\n // https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1#L1411\n // #Write Shellcode to the remote process which will call GetProcAddress\n $GetProcAddressSC1_64 = {\n 53 // push rbx\n 48 89 E3 // mov rbx, rsp\n 48 83 EC 20 // sub rsp, 0x20\n 66 83 E4 C0 // and sp, 0xffc0\n 48 B9 ?? ?? ?? ?? ?? ?? ?? ?? // movabs rcx, ???????\n 48 BA ?? ?? ?? ?? ?? ?? ?? ?? // movabs rdx, ???????\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // movabs rax, ???????\n FF D0 // call rax\n 48 B9 ?? ?? ?? ?? ?? ?? ?? ?? // movabs rcx, ???????\n 48 89 01 // mov qword ptr [rcx], rax\n 48 89 DC // mov rsp, rbx\n 5B // pop rbx\n C3 // ret\n }\n\n $GetProcAddressSC1_32 = {\n 53 // push ebx\n 89 e3 // mov ebx, esp\n 83 e4 c0 // and esp, 0xffffffc0\n b8 ?? ?? ?? ?? // mov eax, ???????\n b9 ?? ?? ?? ?? // mov ecx, ???????\n 51 // push ecx\n 50 // push eax\n b8 ?? ?? ?? ?? // mov eax, ???????\n ff d0 // call eax\n b9 ?? ?? ?? ?? // mov ecx, ???????\n 89 01 // mov dword [ecx], eax\n 89 dc // mov esp, ebx\n 5b // pop ebx\n c3 // ret\n }\n\n // https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1#L2472\n // #Shellcode: CallDllMain.asm\n $CallDllMainS_64 = {\n 53 // push rbx\n 48 89 E3 // mov rbx, rsp\n 66 83 E4 00 // and sp, 0\n 48 B9 ?? ?? ?? ?? ?? ?? ?? ?? // movabs rcx, ???????\n BA 01 00 00 00 // mov edx, 1\n 41 B8 00 00 00 00 // mov r8d, 0\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? 
// movabs rax, ???????\n FF D0 // call rax\n 48 89 DC // mov rsp, rbx\n 5B // pop rbx\n C3 // ret\n }\n\n $CallDllMainS_32 = {\n 53 // push ebx\n 89 e3 // mov ebx, esp\n 83 e4 f0 // and esp, 0xfffffff0\n b9 ?? ?? ?? ?? // mov ecx, ????\n ba 01 00 00 00 // mov edx, 1\n b8 00 00 00 00 // mov eax, 0\n 50 // push eax\n 52 // push edx\n 51 // push ecx\n b8 ?? ?? ?? ?? // mov eax, ????\n ff d0 // call eax\n 89 dc // mov esp, ebx\n 5b // pop ebx\n c3 // ret\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "empire_invoke_psinject" ], "rule_creation_date": "2020-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Empire" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-exmatter_exfiltrator_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585192Z", "creation_date": "2026-03-23T11:46:25.585194Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585200Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1048/\nhttps://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter" ], "name": "exmatter_exfiltrator.yar", "content": "rule exmatter_exfiltrator {\n meta:\n title = \"ExMatter Exfiltrator\"\n id = \"683c0cef-5102-484b-96a2-e7d6afafc2c3\"\n description = \"Detects ExMatter, an exfiltrator used by the BlackCat Ransomware group.\\nBlackCat is a Ransomware-as-a-Service (RaaS) group that emerged in November 2021.\\nThis group uses ExMatter, a .NET-based exfiltrator, to steal data from victims' computers before encryption.\\nIt is recommended to investigate the host for data exfiltration and further malicious activities linked with ransomware.\"\n references = \"https://attack.mitre.org/techniques/T1048/\\nhttps://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter\"\n date = \"2022-12-16\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.exfiltration;attack.t1048\"\n os = \"Windows\"\n classification = \"Windows.HackTool.ExMatter\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fd102a2d650e12121782e63be11dc189fc6361c77b683a8d447c97357c071861\n\n $s1 = \"Stop-Process -Id {0}; Start-Sleep 3; Set-Content -Path '{1}' -Value 0\" ascii wide fullword\n $s2 = \"SeTakeOwnershipPrivilege\" ascii wide fullword\n $s3 = \"if-modn{sign{rsa-pkcs1-sha1},encrypt{rsa-pkcs1v2-oaep}}\" ascii wide fullword\n $s4 = \"type=deactivation&hash=\" ascii wide fullword\n\n condition:\n all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "exmatter_exfiltrator" ], "rule_creation_date": "2022-12-16", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.ExMatter" ], "rule_tactic_tags": [ 
"attack.exfiltration" ], "rule_technique_tags": [ "attack.t1048" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-fabookie_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568356Z", "creation_date": "2026-03-23T11:46:25.568358Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568364Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://urlhaus.abuse.ch/browse/signature/Fabookie/" ], "name": "fabookie_stealer.yar", "content": "rule fabookie_stealer_second_stage {\n meta:\n title = \"Fabookie Stealer Second Stage\"\n id = \"9450aa6a-10e9-475c-9453-39f85894516e\"\n description = \"Detects Fabookie Stealer Second Stage.\\nFabookie Stealer is malware designed to steal Facebook session cookies from infected systems. The second stage of its operation involves extracting these cookies and making unauthorized API requests to gather detailed user information, including connected accounts and payment methods. 
These activities can enable attackers to impersonate victims or misuse their accounts for fraudulent purposes.\\nIt is recommended to isolate the affected system and conduct a thorough investigation to remove any malicious processes or files associated with Fabookie.\"\n references = \"https://urlhaus.abuse.ch/browse/signature/Fabookie/\"\n date = \"2023-09-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.Fabookie\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2c389fe6cbdf4948992278c96a3341f7d05659c5fd913d8eccea651961f496fd\n\n $api_strings_1 = \"Mozilla/5.0 (Windows\" wide\n $api_strings_2 = \"https://www.facebook.com/\" wide fullword\n $api_strings_3 = \"https://adsmanager.facebook.com/ads/manager/accounts\" wide fullword\n $api_strings_4 = \"https://business.facebook.com/api/graphql/\" wide fullword\n $api_strings_5 = \"&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=Billing\" ascii\n\n // Before every Facebook API call, the sample formats strings according to their types to build the URLs.\n // Should happen at least 10 times for all the calls.\n\n $string_formatting_setup = {\n 90 // nop\n 49 ?? ?? // mov rdx, r12\n 48 ?? ?? ?? ?? ?? ?? 00 // lea rcx, [rsp+698h+var_4C8]\n E8 ?? ?? ?? ?? 
// call sub_180005160\n 90 // nop\n }\n\n condition:\n all of ($api_strings_*) and #string_formatting_setup > 10\n}\n", "rule_count": 1, "rule_names": [ "fabookie_stealer_second_stage" ], "rule_creation_date": "2023-09-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Fabookie" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-firefox-cookie-monster_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584565Z", "creation_date": "2026-03-23T11:46:25.584567Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584573Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/wunderwuzzi23/firefox-cookiemonster\nhttps://attack.mitre.org/techniques/T1539/" ], "name": "firefox-cookie-monster.yar", "content": "rule firefox_cookie_monster {\n meta:\n title = \"Firefox Cookie Monster\"\n id = \"d97a5462-205f-485f-96a6-109795b48e6a\"\n description = \"Detects Firefox Cookie Monster, a debug client for cookie stealing written in 
Go.\\nThis tool enables attackers to decrypt and retrieve browser cookies by exploiting Firefox's debug features, potentially leading to unauthorized access of sensitive data.\\nIt is recommended to investigate any stolen data from the browser and to look for further malicious activities on the host.\"\n references = \"https://github.com/wunderwuzzi23/firefox-cookiemonster\\nhttps://attack.mitre.org/techniques/T1539/\"\n date = \"2023-03-30\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1539\"\n classification = \"Windows.HackTool.FirefoxCookieMonster\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 764b7b52806de2f036b7d82ec348f425bf42d3d581349c601fef00c54070f7b4\n\n $s1 = \"Services.cookies.cookies.forEach(async function (cookie) {\" ascii\n $s2 = \"output = output+cookie.name+\\\":\\\"+cookie.value+\\\":\\\"+cookie.rawHost+\" ascii\n $s3 = \"internal/syscall/windows/registry.Key.GetStringValue\" ascii\n $s4 = \"syscall.RegEnumKeyEx\" ascii\n\n // This is a list of methods invoked on the debug server\n $server1 = \"serverN.connN.parentProcessTarget\" ascii\n $server2 = \"serverN.connN.processDescriptorN\" ascii\n $server3 = \"serverN.connN.consoleActorN\" ascii\n $server4 = \"server2.connN.longstractorN\" ascii\n $server5 = \"evaluateJSAsync\" ascii\n $server6 = \"omitempty\" ascii\n $server7 = \"testConnectionPrefix\" ascii\n $server8 = \"processDescriptor\" ascii\n\n $canary = \"9d0b20fd101102721591b00d31cc169b303747bf831ba0beebcc68f887c3e23fe199f3bbddca97d802232ca53d68895c7c94c92b1e0af4a1176f5738588c279b\"\n\n condition:\n (all of ($s*) or all of ($server*)) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "firefox_cookie_monster" ], "rule_creation_date": "2023-03-30", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.FirefoxCookieMonster" ], 
"rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1539" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-forensia_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576575Z", "creation_date": "2026-03-23T11:46:25.576577Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576583Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/PaulNorman01/Forensia\nhttps://attack.mitre.org/techniques/T1070/" ], "name": "forensia.yar", "content": "rule forensia_generic {\n meta:\n title = \"Forensia anti-forensics Tool\"\n id = \"75e99373-fe49-475c-acf8-724a26ccb038\"\n description = \"Detects Forensia anti-forensics tool.\\nForensia is an anti-forensics tool designed for red-teamers. It is typically used during the post-exploitation phase by attackers to cover their tracks. 
The tool provides several capabilities including the removal of Windows Event Logs, unloading the Sysmon driver, and clearing ShellBags to hinder forensic analysis.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/PaulNorman01/Forensia\\nhttps://attack.mitre.org/techniques/T1070/\"\n date = \"2023-01-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1070;attack.t1070.001;attack.t1489\"\n classification = \"Windows.Tool.Forensia\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 510c6896ab176ad04a534ed48a3c74957ca929accbaf277ee1d678eac6bf3b36\n\n $logo_1 = \" ______ _\" fullword wide\n $logo_2 = \" / ____/___ ________ ____ _____(_)___ _\" fullword wide\n $logo_3 = \" / /_ / __ \\\\/ ___/ _ \\\\/ __ \\\\/ ___/ / __ \\\\`/\" fullword wide\n $logo_4 = \" / __/ / /_/ / / / __/ / / (__ ) / /_/ / \" fullword wide\n $logo_5 = \"/_/ \\\\____/_/ \\\\___/_/ /_/____/_/\\\\__,_/ \" fullword wide\n\n $help_1 = \"Remove ShellBags\" fullword wide\n $help_2 = \"Clear ShimCache\" fullword wide\n $help_3 = \"Delete RecentFileCache.bcf\" fullword wide\n $help_4 = \"Clear Recent Items\" fullword wide\n $help_5 = \"Melt Me!\" fullword wide\n\n $info_1 = \"Deleting RecentFileCache.bcf, However It May Not Exist!\" fullword wide\n $info_2 = \"Clearing Shim Cache Data...\" fullword wide\n $info_3 = \"Clearing Recent Items...\" fullword wide\n $info_4 = \"Melting The Executable...Goodbye!\" fullword wide\n $info_5 = \"Minifilter Successfully Unloaded\" fullword wide\n\n condition:\n (uint16(0) == 0x5a4d) and (\n all of ($info_*)\n or 2 of ($logo_*)\n or 3 of ($help_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "forensia_generic" ], "rule_creation_date": "2023-01-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ 
"Windows.Tool.Forensia" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1070", "attack.t1070.001", "attack.t1489" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-forkdump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567790Z", "creation_date": "2026-03-23T11:46:25.567792Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567798Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/D4stiny/ForkPlayground/\nhttps://attack.mitre.org/techniques/T1003/001/" ], "name": "forkdump.yar", "content": "rule forkdump {\n meta:\n title = \"ForkDump HackTool\"\n id = \"ca42f731-9f50-4fd6-9e53-b84cb7ec8569\"\n description = \"Detects the ForkDump HackTool.\\nForkDump is a credential dumper that uses a forked process to dump LSASS memory silently. It typically creates a child process to escalate debug privileges, allowing it to capture sensitive information. 
The rule identifies activities indicative of ForkDump's operation, such as error messages related to debug privilege escalation and file operations.\"\n references = \"https://github.com/D4stiny/ForkPlayground/\\nhttps://attack.mitre.org/techniques/T1003/001/\"\n date = \"2024-01-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.ForkDump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9d53c20aa668c2f8b7dab96dca2e4f411a50d917715de5a887ae259d4ec6dad2\n // 6e25af11ddd954c5e6ee5d94bd0feca63721d16e9fc6e5240f9e99c1b605010c\n // f76885e4a5e373823657fd0c3b1fd7e2a8af1e758d2d1dabcda5d62999a1cb7c\n // a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864\n\n $s1 = \"Failed to escalate debug privileges, are you running ForkDump as Administrator?\" ascii fullword\n $s2 = \"Failed to open the token of the current process with the last error %i.\" ascii fullword\n $s3 = \"Failed to lookup the current debug privilege with the last error %i.\" ascii fullword\n $s4 = \"ForkDump.exe [dump file name] [target process ID]\" ascii fullword\n $s5 = \"Failed to open dump file %s with the last error %i.\" ascii fullword\n $s6 = \"Failed to take a snapshot of the target process. Attempting to escalate debug privilege...\" ascii fullword\n $s7 = \"Failed to escalate debug privileges, are you running ForkDump as Administrator?\" ascii fullword\n $s8 = \"Escalated debug privileges, attempting to take another snapshot.\" ascii fullword\n $s9 = \"Second attempt at taking a snapshot of the target failed. 
It is likely that there is a difference in process privilege or the handle was stripped.\" ascii fullword\n $s10 = \"Failed to create a dump of the forked process with the last error %i.\" ascii fullword\n $s11 = \"Successfully dumped process %i to %s!\" ascii fullword\n\n condition:\n 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "forkdump" ], "rule_creation_date": "2024-01-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.ForkDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-framework_manjusaka_c2_server_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576693Z", "creation_date": "2026-03-23T11:46:25.576695Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576701Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html" ], "name": "framework_manjusaka_c2_server.yar", "content": "rule manjusaka_c2_server {\n meta:\n title = 
\"Manjusaka C2 Server\"\n id = \"e9170f6d-3709-43c8-8685-4a80be0c6047\"\n description = \"Detects the Manjusaka C2 server associated with the Manjusaka attacker framework.\\nManjusaka is a sophisticated attacker framework initially discovered in August 2022 by Talos Intelligence. It is designed to establish command-and-control (C2) communication and perform malicious activities on compromised systems.\\nThis rule identifies the C2 server by detecting specific configuration strings and patterns indicative of Manjusaka's infrastructure.\\nIt is recommended to isolate the affected system and monitor for any additional malicious activities linked to Manjusaka's attack vector.\"\n references = \"https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html\"\n date = \"2022-08-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Linux.Framework.Manjusaka\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ff20333d38f7affbfde5b85d704ee20cd60b519cb57c70e0cf5ac1f65acf91a6\n\n $s1 = \"Manjusaka\" ascii\n $s2 = \"__PRODUCTION__MANJUSAKA__CONF__\" ascii\n\n $contains_hex_gzip_archives = \"1f8b08\" ascii\n\n condition:\n uint16(0) == 0x457f and filesize < 40MB and all of ($s*) and #contains_hex_gzip_archives > 10\n}\n", "rule_count": 1, "rule_names": [ "manjusaka_c2_server" ], "rule_creation_date": "2022-08-03", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Manjusaka" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-framework_manjusaka_rust_beacon_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569707Z", "creation_date": "2026-03-23T11:46:25.569709Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569715Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html" ], "name": "framework_manjusaka_rust_beacon.yar", "content": "rule manjusaka_rust_beacon {\n meta:\n title = \"Manjusaka Rust Beacon\"\n id = \"e03150a0-65ff-475a-9491-6640523a2cb0\"\n description = \"Detects the Manjusaka Rust Beacon, a new attacker framework discovered in August 2022 by Talos Intelligence.\\nManjusaka is a multi-component attacker framework known for its lateral movement and persistence capabilities. Its Rust-based beacons are designed to communicate with command and control servers.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html\"\n date = \"2022-08-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Framework.Manjusaka\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 8e9ecd282655f0afbdb6bd562832ae6db108166022eb43ede31c9d7aacbcc0d8\n\n $s1 = \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" fullword wide\n $s2 = \"CurrentTemperature\" fullword wide\n $s3 = \"CriticalTripPoint\" fullword wide\n\n $date_manipulation = {\n 48 C1 E8 3F // shr rax, 3Fh\n 48 C1 FA 0D // sar rdx, 0Dh\n 48 01 C2 // add rdx, rax\n 48 69 C2 80 51 01 00 // imul rax, rdx, 15180h\n 48 29 C1 // sub rcx, rax\n B8 80 51 01 00 // mov eax, 15180h\n 48 8D 3C 01 // lea rdi, [rcx+rax]\n 48 85 C9 // test rcx, rcx\n 48 0F 49 F9 // cmovns rdi, rcx\n 48 C1 F9 3F // sar rcx, 3Fh\n 01 D1 // add ecx, edx\n 81 C1 3B F9 0A 00 // add ecx, 0AF93Bh\n 0F 80 ?? ?? ?? ?? // jo loc_1400477E1\n 81 C1 6D 01 00 00 // add ecx, 16Dh\n 48 63 F1 // movsxd rsi, ecx\n 4C 69 FE BD 06 6B 39 // imul r15, rsi, 396B06BDh\n 4D 89 FC // mov r12, r15\n 49 C1 EC 3F // shr r12, 3Fh\n 49 C1 FF 2F // sar r15, 2Fh\n }\n\n $fetch_process_info = {\n 4C 8D 84 24 ?? ?? ?? ?? // lea r8, [rsp+1068h+var_F58] ; ProcessInformation\n 41 B9 30 00 00 00 // mov r9d, 30h ; '0' ; ProcessInformationLength\n FF 15 ?? ?? ?? ?? // call cs:NtQueryInformationProcess\n 85 C0 // test eax, eax\n 0F 88 ?? ?? ?? ?? // js loc_1400E7118\n 48 8B 94 24 ?? ?? ?? ?? // mov rdx, [rsp+1068h+var_F58+8] ; lpBaseAddress\n 48 ?? ?? ?? ?? 
00 00 00 00 // mov [rsp+1068h+ReturnLength], 0 ; lpNumberOfBytesRead\n 41 B9 C8 07 00 00 // mov r9d, 7C8h ; nSize\n 48 89 F1 // mov rcx, rsi ; hProcess\n 49 89 E8 // mov r8, rbp ; lpBuffer\n E8 ?? ?? ?? ?? // call ReadProcessMemory\n 83 F8 01 // cmp eax, 1\n 0F 85 ?? ?? ?? ?? // jnz loc_1400E7118\n [17]\n 41 B9 10 04 00 00 // mov r9d, 410h ; nSize\n }\n\n\n condition:\n uint16(0) == 0x5a4d and filesize < 5MB and 2 of ($s*) and ($date_manipulation or $fetch_process_info)\n}\n", "rule_count": 1, "rule_names": [ "manjusaka_rust_beacon" ], "rule_creation_date": "2022-08-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Manjusaka" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-freeze_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572254Z", "creation_date": "2026-03-23T11:46:25.572257Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572262Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1574/\nhttps://github.com/optiv/Freeze" ], "name": "freeze.yar", "content": "rule freeze_generic {\n meta:\n title = \"Freeze Loader\"\n id = \"8b3a5e7e-3a49-4cb9-bd89-f81d009a5114\"\n description = \"Detects binaries generated by the Freeze Loader that contain malicious shellcode.\\nThe Freeze Loader is a sophisticated malware that launches a suspended process and loads ntdll.dll before EDR hooking calls can be made. It reads the .text section of Ntdll using the ReadProcessMemory API and overwrites the hooked .text section before executing shellcode. The loader also has capabilities to patch ETW syscalls and uses the Go language to define necessary system calls.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://attack.mitre.org/techniques/T1574/\\nhttps://github.com/optiv/Freeze\"\n date = \"2022-10-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1574\"\n classification = \"Windows.Tool.Freeze\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b92aa7a08ddb807147bc696890707fd54e48bb6c54a1057b0d6be11f9ea4aa68\n // 8c6aa1f791494a6e085ea0e0e6f965540279d079a468fcade6bf59ac8a384a9c\n // 99b13554015659c03d39422eb9f1ea10da53676a1d08c1f900b4e3a430af0acd\n\n // Setting args to read the Ntdll.dll before EDR hooking (suspended state)\n $Syscall_SetupReadProcessMemory = {\n 4C 8D 64 24 F8 // lea r12, [rsp+var_8]\n 4D 3B 66 10 // cmp r12, [r14+10h]\n 0F 86 ?? ?? ?? ?? 
// jbe loc_??????\n 48 81 EC 88 00 00 00 // sub rsp, 88h\n 48 89 AC 24 80 00 00 00 // mov [rsp+88h+var_8], rbp\n 48 8D AC 24 80 00 00 00 // lea rbp, [rsp+88h+var_8]\n 48 89 5C 24 58 // mov [rsp+88h+var_30], rbx ; (Moving ntdll.dll size (0x119000 constant) to rbx)\n 48 89 44 24 50 // mov [rsp+88h+var_38], rax ; (Golang shenanigans)\n 48 89 8C 24 A0 00 00 00 // mov [rsp+88h+arg_10], rcx ; (rcx is also 0x119000)\n 48 8D 05 ?? ?? ?? 00 // lea rax, RTYPE_uint8\n 48 89 CB // mov rbx, rcx ;\n E8 ?? ?? ?? FF // call runtime_makeslice ; (Making ntdll.dll string from the constant uint8 array)\n 48 C7 44 24 ?? 00 00 00 00 // mov [rsp+88h+var_??], 0\n 48 8B ?? 24 A0 00 00 00 // mov rdx, [rsp+88h+arg_10]\n 0F 1F 84 00 00 00 00 00 // nop dword ptr [rax+rax+00000000h]\n 48 85 ?? // test r?x, r?x ; (rcx or rbx)\n 0F 86 CF 00 00 00 // jbe loc_??????\n 48 89 44 24 68 // mov [rsp+88h+var_20], rax\n 48 89 44 24 78 // mov [rsp+88h+var_10], rax\n 48 8D 4C 24 ?? // lea rcx, [rsp+88h+var_??]\n 48 89 4C 24 70 // mov [rsp+88h+var_18], rcx\n 48 8B 0D ?? ?? ?? 00 // mov rcx, cs:qword_??????\n 48 89 4C 24 60 // mov [rsp+88h+var_28], rcx\n 90 // nop\n }\n\n // Rewriting Ntdll.dll with unhooked version read earlier.\n $Syscall_WriteProcessMemory = {\n E8 ?? ?? ?? FF // call ??????__ptr_????????_Find ; (Finding memory area for procs Ntdll.dll memory zone)\n 48 85 C0 // test rax, rax\n 0F 85 92 00 00 00 // jnz loc_??????\n 48 8B 54 24 58 // mov rdx, [rsp+78h+var_20]\n 48 8B 52 20 // mov rdx, [rdx+20h]\n 48 8B 74 24 68 // mov rsi, [rsp+78h+var_10]\n 4C 8B 4C 24 60 // mov r9, [rsp+78h+var_18]\n 48 8B 42 18 // mov rax, [rdx+18h]\n BB 05 00 00 00 // mov ebx, 5\n 48 8B 4C 24 48 // mov rcx, [rsp+78h+var_30]\n 48 8B 7C 24 40 // mov rdi, [rsp+78h+var_38]\n 4C 8B 44 24 50 // mov r8, [rsp+78h+var_28]\n 45 31 D2 // xor r10d, r10d\n 0F 1F 00 // nop dword ptr [rax]\n E8 ?? ?? ?? 
FF // call syscall_Syscall6 ; procWriteProcessMemory\n }\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 5MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "freeze_generic" ], "rule_creation_date": "2022-10-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Freeze" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1574" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-frp_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587841Z", "creation_date": "2026-03-23T11:46:25.587843Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587848Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/fatedier/frp/\nhttps://asec.ahnlab.com/en/38156/\nhttps://attack.mitre.org/techniques/T1572/" ], "name": "frp.yar", "content": "rule frp {\n meta:\n title = \"FastReverseProxy Tool\"\n id = \"cbec7bc3-2035-4bf3-ab0e-a01641c61279\"\n description = \"Detects the FastReverseProxy (Frp) tool.\\nFastReverseProxy is a popular open-source reverse proxy tool that establishes secure tunnels between servers and 
clients.\\nAttackers often abuse it to create command and control (C2) communication channels or to pivot within a compromised environment.\\nIt is recommended to investigate network activity and the usage of this tool to identify any unauthorized access or data exfiltration activities.\"\n references = \"https://github.com/fatedier/frp/\\nhttps://asec.ahnlab.com/en/38156/\\nhttps://attack.mitre.org/techniques/T1572/\"\n date = \"2024-02-01\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Tool.FastReverseProxy\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b94032ad4893db6c58a3f7615afd44b01b334f009f815e7d9473b9639a360144\n // 15846490706281424a0f5b0b7d3e6ea92173dbeaf6a10a566f4dc8a6a1e977bb\n // 59a6d633da1d2ce0c68a3950a1e325c2a0810f206b7004e6ed218e20a716e9fc\n // cd75f7ae1b3196be51bdb0de6d9b887c3048f3da0f2686a3235bfe489a9d1325\n\n // frps - server\n $s1 = \"Generate the autocompletion script for the specified shell\" ascii\n $s2 = \"Help about any command\" ascii\n $s3 = \"Verify that the configures is valid\" ascii\n $s4 = \"strict config parsing mode, unknown fields will cause error\" ascii\n $s6 = \"config file of frps\" ascii\n $s7 = \"frps tls only\" ascii\n $s8 = \"help for frps\" ascii\n $s9 = \"if enable dashboard tls mode\" ascii\n $s10 = \"Use \\\"{{.CommandPath}} [command] --help\\\" for more information about a command.{{end}}\" ascii\n $s11 = \"frps is the server of frp (https://github.com/fatedier/frp)\"\n\n // frpc - client\n $s12 = \"Stop the running frpc\" ascii\n $s13 = \"Actions about nathole\" ascii\n $s14 = \"Run frpc with a single http proxy\" ascii\n $s15 = \"Run frpc with a single https proxy\" ascii\n $s16 = \"Hot-Reload frpc configuration\" ascii\n $s17 = \"Run frpc with a single xtcp proxy\" ascii\n 
$s18 = \"Run frpc with a single\" ascii\n $s19 = \"Overview of all proxies status\" ascii\n $s20 = \"frpc is the client of frp (https://github.com/fatedier/frp)\" ascii\n $s21 = \"Generate the autocompletion script for the specified shell\" ascii\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "frp" ], "rule_creation_date": "2024-02-01", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Tool.FastReverseProxy" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-fscan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564756Z", "creation_date": "2026-03-23T11:46:25.564758Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564764Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/shadow1ng/fscan/\nhttps://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure\nhttps://attack.mitre.org/techniques/T1046/" ], "name": "fscan.yar", "content": "rule fscan {\n meta:\n title = \"Fscan HackTool\"\n id = \"5cb81255-2f8c-489f-aa21-b0a2502bfb01\"\n description = \"Detects the Fscan hacktool.\\nFscan is an open-source advanced network scanning tool designed for automated vulnerability scanning and brute-force attacks. It is commonly used to identify and exploit security weaknesses in target systems and networks.\\nThe tool is frequently employed in cyber-attacks, including those targeting critical infrastructure.\\nIt enables attackers to perform comprehensive scans and identify potential attack vectors quickly.\"\n references = \"https://github.com/shadow1ng/fscan/\\nhttps://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure\\nhttps://attack.mitre.org/techniques/T1046/\"\n date = \"2024-02-01\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1046\"\n classification = \"HackTool.Fscan\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples (in-memory):\n // b9919cdb3ebf7abed7458e357a71924bb0dd43332e90c30a6f146caefcf56baa\n // 78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029\n // 62ba281147ceeefca5bd15f58ac52125bc42b0e134a6fcb4bd90efdae0fce318\n // b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59\n\n $s1 = \"poc full scan,as: shiro 100 key\" ascii\n $s2 = \"Outputfile (default \\\"result.txt\\\")\" ascii\n $s3 = \"use the pocs these contain pocname, -pocname weblogic\" ascii\n $s4 = \"the hosts no scan,as: -hn 192.168.1.1/24\" ascii\n $s6 = \"not to scan web vul\" ascii\n $s7 = \"every time to LogErr 
(default 60)\" ascii\n $s8 = \"set poc cookie,-cookie rememberMe=login\" ascii\n $s9 = \"set socks5 proxy, will be used in tcp connection, timeout setting will not work\" ascii\n $s10 = \"add a user base DefaultUsers,-usera user\" ascii\n\n // Detection for these samples:\n // 6456719f0d001d2ffff908746724de45f7ea057e1881c05dfe943c8ec6e3ec97\n // 3e5f575ca0d39ac53d2834393c9870e9b7e50dc6e3cb936be1bfee406d9e874b\n // 8d3fb9a982adb40df649c633644d18d7470edfda1c4db353c38c407854125c84\n // 78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029\n\n $upx1 = \"Info: This file is packed with the UPX executable packer\" ascii\n $upx2 = \"UPX!\" ascii fullword\n\n $a1 = \"shadow1ng\" ascii\n $a2 = \"fscan\" ascii\n $a3 = \" Go build\" ascii\n\n $b1 = \"V0Cqo0cJWDaA=\" ascii\n $b2 = \"A7eHBwdwEAeA==\" ascii\n $b3 = \"luLISE_G381W2ssv93g\" ascii\n $b4 = \"goWMIExec\" ascii\n $b5 = \"portscan\" ascii\n $b6 = \"FjMRJfCqmXfwPzGYq5Vhk\" ascii\n\n condition:\n 5 of ($s*) or\n (\n (\n uint16(0) == 0x5a4d or // Windows\n uint16(0) == 0x457f or // Linux\n (\n // MacOS\n uint32(0) == 0xfeedface or\n uint32(0) == 0xcefaedfe or\n uint32(0) == 0xfeedfacf or\n uint32(0) == 0xcffaedfe or\n uint32(0) == 0xcafebabe or\n uint32(0) == 0xbebafeca\n )\n )\n and\n (\n 1 of ($upx*) and\n (\n (all of ($a*)) or\n (2 of ($a*) and 2 of ($b*)) or\n (1 of ($a*) and 3 of ($b*))\n )\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "fscan" ], "rule_creation_date": "2024-02-01", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.Fscan" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1046" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-fsentinel_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569306Z", "creation_date": "2026-03-23T11:46:25.569308Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569314Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1055/012/" ], "name": "fsentinel_loader.yar", "content": "rule fsentinel_loader {\n meta:\n title = \"Fsentinel Loader\"\n id = \"d80fc445-8eee-4fe7-9bd2-5a0194cdeaa1\"\n // Description to check before putting to production\n description = \"Detects the Fsentinel loader.\\nFsentinel is a defense evasion loader that utilizes DLL Sideloading and a custom Process Hollowing technique to execute malicious payloads.\\nIt typically drops Stealers as the final payloads.\\nIt is recommended to isolate the affected device, conduct a thorough system scan with advanced detection tools, and monitor for any signs of ongoing or related malicious activities.\"\n // Add references ?\n references = \"https://attack.mitre.org/techniques/T1055/012/\"\n date = \"2024-10-30\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.012\"\n classification = \"Windows.Loader.FsentinelLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for 
these samples:\n // 2bc570688c2e63b83bb94fafea42f9056b0f079d6d47524319e8190404225db5\n\n // fuckSsentincfuckSsentincfuckSsentincfuckSsentincfuckSsentinc\n $s_sentinel = { 66 75 63 6b 53 73 65 6e 74 69 6e 63 66 75 63 6b 53 73 65 6e 74 69 6e 63 66 75 63 6b 53 73 65 6e 74 69 6e 63 66 75 63 6b 53 73 65 6e 74 69 6e 63 66 75 63 6b 53 73 65 6e 74 69 6e 63 }\n\n condition:\n all of ($s_sentinel*)\n}\n", "rule_count": 1, "rule_names": [ "fsentinel_loader" ], "rule_creation_date": "2024-10-30", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.FsentinelLoader" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gamos_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565441Z", "creation_date": "2026-03-23T11:46:25.565443Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565449Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal research" ], "name": "gamos.yar", "content": "rule gamos {\n meta:\n title = \"Gamos Hacktool\"\n id = 
\"a3dee493-4292-46ce-813f-8005b30246ef\"\n description = \"Detects Gamos Hacktool, a hacktool written in Go used for lateral movement.\\nThis tool retrieves encrypted command instructions from the Internet and performs authenticated lateral movement using both Kerberos and NTLM mechanisms.\\nIt is recommended to investigate the context around this alert to ensure that the activity is part of an approved security test and to identify any potential misuse.\"\n references = \"Internal research\"\n date = \"2025-11-28\"\n modified = \"2025-12-05\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071;attack.lateral_movement;attack.t1550;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.HackTool.Gamos\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0ec1b0c35ecf0206d8305761c30bccd0dcaea262fbedf5b1f512429a3b22c6d3\n // 16982a9e9baa51ce627d22cb869cd6b7bba3204048c0433fa81964b2b73f8f77\n // 98e4b11a11d96354199c0caf74b197609762ff5f7a39be53b8e9474a30c9f601\n\n $go = \" Go build\" ascii\n\n $strings1 = \").SetDisconnectCallback\" ascii\n $strings2 = \").SetReadDeadline\" ascii\n $strings3 = \").Pack-fm\" ascii\n $strings4 = \").GetClientConn\" ascii\n $strings5 = \").SetClientInitCallback\" ascii\n $strings6 = \").ProxyConfig\" ascii\n\n $x_main = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n 0F 86 89 00 00 00 // jbe loc_703053\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 18 // sub rsp, 18h\n 48 89 4C 24 38 // mov [rsp+18h+arg_10], rcx\n 48 89 5C 24 30 // mov [rsp+18h+arg_8], rbx\n 48 89 44 24 28 // mov [rsp+18h+arg_0], rax\n 89 FA // mov edx, edi\n 48 89 D6 // mov rsi, rdx\n 48 29 CA // sub rdx, rcx\n 48 C1 FA 3F // sar rdx, 3Fh\n 48 21 D6 // and rsi, rdx\n 8B 14 30 // mov edx, [rax+rsi]\n 01 FA // add edx, edi\n 89 54 24 14 // mov [rsp+18h+var_4], edx\n 90 // nop\n 48 8D 05 ?? ?? ?? ?? // lea rax, RTYPE_main_Config\n E8 3A ?? 
?? ?? // call runtime_newobject\n 48 C7 00 00 00 00 00 // mov qword ptr [rax], 0\n 48 8B 4C 24 30 // mov rcx, [rsp+18h+arg_8]\n 48 89 48 08 // mov [rax+8], rcx\n 48 8B 4C 24 38 // mov rcx, [rsp+18h+arg_10]\n 48 89 48 10 // mov [rax+10h], rcx\n 83 3D ?? ?? ?? ?? 00 // cmp cs:dword_ADE020, 0\n 75 07 // jnz short loc_70302F\n 48 8B 4C 24 28 // mov rcx, [rsp+18h+arg_0]\n EB 14 // jmp short loc_703043\n }\n\n $x_rev_to_self = {\n 75 74 // jnz short loc_623AC1\n 48 8B 49 18 // mov rcx, [rcx+18h]\n 48 89 F8 // mov rax, rdi\n FF D1 // call rcx\n B9 14 00 00 00 // mov ecx, 14h\n 48 89 C7 // mov rdi, rax\n 48 89 DE // mov rsi, rbx\n 31 C0 // xor eax, eax\n 48 8D [5] \t\t\t // lea rbx, a20060102150405_1+755h\n E8 [4]\t\t // call runtime_concatstring2\n 48 89 5C 24 28 // mov [rsp+38h+var_10], rbx\n 48 89 44 24 30 // mov [rsp+38h+var_8], rax\n 48 8D [5] \t\t\t // lea rax, RTYPE_errors_errorString\n E8 [4] // call runtime_newobject\n 48 8B 4C 24 28 // mov rcx, [rsp+38h+var_10]\n 48 89 48 08 // mov [rax+8], rcx\n 83 [4] 00 00\t\t // cmp cs:dword_ADE020, 0\n 75 09 // jnz short loc_623AA0\n 48 8B 4C 24 30 // mov rcx, [rsp+38h+var_8]\n EB 0F // jmp short loc_623AAD\n [0-2] // align 20h\n E8 [4] // call runtime_gcWriteBarrier1\n 48 8B 4C 24 30 // mov rcx, [rsp+38h+var_8]\n 49 89 0B // mov [r11], rcx\n 48 89 08 // mov [rax], rcx\n 48 89 C3 // mov rbx, rax\n }\n $x_xor_stream_read = {\n 48 8B 54 24 48 // mov rdx, [rsp+30h+arg_8]\n 48 8B 74 24 28 // mov rsi, [rsp+30h+var_8]\n 48 8B 44 24 20 // mov rax, [rsp+30h+var_10]\n 31 FF // xor edi, edi\n 90 // nop\n EB 25 // jmp short loc_6F4567\n 48 8B 44 24 20 // mov rax, [rsp+30h+var_10]\n 48 83 C4 30 // add rsp, 30h\n 5D // pop rbp\n C3 // retn\n 48 83 C4 30 // add rsp, 30h\n 5D // pop rbp\n C3 // retn\n 44 0F B6 04 3A // movzx r8d, byte ptr [rdx+rdi]\n 44 0F B6 0C 37 // movzx r9d, byte ptr [rdi+rsi]\n 45 31 C8 // xor r8d, r9d\n 44 88 04 3A // mov [rdx+rdi], r8b\n 48 FF C7 // inc rdi\n 48 39 F8 // cmp rax, rdi\n 7F E7 // jg short loc_6F4553\n 
48 83 C4 30 // add rsp, 30h\n 5D // pop rbp\n C3\n }\n $x_xor_stream_write = {\n 48 8B 54 24 20 // mov rdx, [rsp+28h+var_8]\n 31 C0 // xor eax, eax\n EB 1B // jmp short loc_6F4649\n 31 C0 // xor eax, eax\n 48 83 C4 28 // add rsp, 28h\n 5D // pop rbp\n C3 // retn\n 0F B6 34 03 // movzx esi, byte ptr [rbx+rax]\n 44 0F B6 04 10 // movzx r8d, byte ptr [rax+rdx]\n 44 31 C6 // xor esi, r8d\n 40 88 34 03 // mov [rbx+rax], sil\n 48 FF C0 // inc rax\n 48 39 C1 // cmp rcx, rax\n 7F E8 // jg short loc_6F4636\n 48 8B 54 24 38 // mov rdx, [rsp+28h+arg_0]\n 48 8B 42 08 // mov rax, [rdx+8]\n 48 8B 12 // mov rdx, [rdx]\n 48 8B 52 50 // mov rdx, [rdx+50h]\n 48 8B 7C 24 50 // mov rdi, [rsp+28h+arg_18]\n FF D2 // call rdx\n 48 83 C4 28 // add rsp, 28h\n 5D // pop rbp\n C3 // retn\n }\n $x_controlstream = {\n 48 85 DB // test rbx, rbx\n 0F 85 B6 00 00 00 // jnz loc_6FC470\n 48 8B 08 // mov rcx, [rax]\n 0F 1F 00 // nop dword ptr [rax]\n 48 [6] \t\t\t // cmp cs:qword_ADDB98, rcx\n 75 66 // jnz short loc_6FC42F\n 0F B6 48 08 // movzx ecx, byte ptr [rax+8] ; int\n 80 F9 01 // cmp cl, 1\n 76 3A // jbe short loc_6FC40C\n 80 F9 02 // cmp cl, 2\n 74 2E // jz short loc_6FC405\n 80 F9 1A // cmp cl, 1Ah\n 74 0E // jz short loc_6FC3EA\n 0F 1F 40 00 // nop dword ptr [rax+00h]\n 80 F9 1C // cmp cl, 1Ch\n 75 B4 // jnz short loc_6FC399\n E9\n }\n $x_loadconfig = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 81 EC E8 00 00 00 // sub rsp, 0E8h\n 48 B9 [8] // mov rcx, 0FC14011454D6426Fh\n 48 89 4C 24 68 // mov [rsp+0E8h+var_80], rcx\n 48 B9 [8] // mov rcx, 988EDB17E77D1C81h\n 48 89 4C 24 70 // mov [rsp+0E8h+var_78], rcx\n 48 B9 [8] \t\t // mov rcx, 35A2EFB59AC06560h\n 48 89 4C 24 78 // mov [rsp+0E8h+var_70], rcx\n 48 B9 [8] \t\t // mov rcx, 68A39A8C02A51C08h\n 48 89 8C 24 80 00 00 00 // mov [rsp+0E8h+var_68], rcx\n }\n condition:\n ($go and all of ($strings*)) or\n 1 of ($x*)\n}", "rule_count": 1, "rule_names": [ "gamos" ], "rule_creation_date": "2025-11-28", "rule_modified_date": "2025-12-05", 
"rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Gamos" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1071", "attack.t1550", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-garble_2355b3b2c098_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564820Z", "creation_date": "2026-03-23T11:46:25.564822Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564829Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1027/\nhttps://github.com/burrowers/garble\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/" ], "name": "garble_2355b3b2c098.yar", "content": "rule garble_2355b3b2c098 {\n meta:\n title = \"Garble Obfuscated Binary (2355b3b2c098)\"\n id = \"a5b3b763-b128-471b-a859-2355b3b2c098\"\n description = \"Detects Go binaries compiled with the Garble obfuscator by detecting simple string transformation patterns.\\nGarble obfuscates Go binaries by replacing 
identifiers, stripping debug information, and removing build metadata, making reverse engineering difficult.\\nThis is commonly used by malware for creating obfuscated payloads.\\nIt is recommended to perform a detailed dynamic analysis of the binary and use common tools like the one in the references to deobfuscate and identify hidden functionalities and determine maliciousness.\"\n references = \"https://attack.mitre.org/techniques/T1027/\\nhttps://github.com/burrowers/garble\\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/\"\n date = \"2025-03-13\"\n modified = \"2025-03-19\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Generic.Garble\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 184e9a4c1f726843ab36024089c8f8620466fb78e20da5bf7781c0d9999b9ba4\n // 688dc0d366c55d42401eff651a61aa3faa266759106b64e46cff0ca24767da97\n // a0f67b760c9aac5e22088613506a8aab2fb93f874e31bbc5c9b88cfd9af414be\n // b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4\n // cf37a75989b5f89a8b18a036cfdbab234035aba1dfc8bc844e8c7e77a35b3dd2\n // cfbc472d727d40a8dbdc15c7c912c825b937c9482de9b57637eaa6d59156912f\n\n // Try to check if it is a Go binary without using too many resources\n $go_binary_1 = \"Go buildinf:\" ascii\n $go_binary_2 = \"fatal error: cgo callback before cgo call\" ascii\n $go_binary_3 = \".gopclntab\" ascii\n\n $simple_transformation_swap_and_op = {\n 48 BA [5-8] // mov rdx, 0x5f1ce45fe41c2b59\n 48 89 [5-8] // mov qword [rsp+0x281 {var_2de+0x7}], rdx {0x5f1ce45fe41c2b59}\n 48 BA [5-8] // mov rdx, 0x8894e45c2b592b5f\n 48 89 [5-8] // mov qword [rsp+0x289 {var_2cf}], rdx {-0x776b1ba3d4a6d4a1}\n 31 C0 // xor eax, eax {0x0}\n EB ?? 
// jmp 0x46a7cd\n\n [0-7]\n\n 0F B6 [2-6] // movzx edx, byte [rsp+rax+0x39 {var_27}]\n 0F B6 [2-6] // movzx esi, byte [rsp+rax+0x1a {var_46}]\n (29|01|31) ?? // add|sub|xor esi, edx (not always esi, if you're wondering.)\n 40 88 [2-6] // mov byte [rsp+rax+0x1a {var_46}], sil\n\n 48 FF C0 // inc rax\n 48 83 F8?? // cmp\n 7C ?? // conditional jump\n }\n\n $simple_transformation_swap_only = {\n 48 BA [5-8] // mov rdx, 0x5f1ce45fe41c2b59\n 48 89 [5-8] // mov qword [rsp+0x281 {var_2de+0x7}], rdx {0x5f1ce45fe41c2b59}\n 48 BA [5-8] // mov rdx, 0x8894e45c2b592b5f\n 48 89 [5-8] // mov qword [rsp+0x289 {var_2cf}], rdx {-0x776b1ba3d4a6d4a1}\n 31 C0 // xor eax, eax {0x0}\n EB ?? // jmp 0x46a7cd\n\n 0F B6 [2-6] // movzx edx, byte [rsp+rax+0x3fd {var_15b}]\n 48 8D [2-6] // lea rsi, [rel data_4e6faf]\n 0F B6 [2-6] // movzx edx, byte [rsi+rdx]\n 88 94 [5] // mov byte [rsp+rax+0x3fd {var_15b}], dl\n\n 48 FF C0 // inc rax\n 48 83 F8?? // cmp\n 7C ?? // conditional jump\n }\n\n condition:\n 1 of ($go_binary_*) and (\n #simple_transformation_swap_and_op > 10 or #simple_transformation_swap_only > 10\n )\n}\n", "rule_count": 1, "rule_names": [ "garble_2355b3b2c098" ], "rule_creation_date": "2025-03-13", "rule_modified_date": "2025-03-19", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Generic.Garble" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-garble_382a85810806_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564789Z", "creation_date": "2026-03-23T11:46:25.564791Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564797Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1027/\nhttps://github.com/burrowers/garble\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/" ], "name": "garble_382a85810806.yar", "content": "rule garble_382a85810806 {\n meta:\n title = \"Garble Obfuscated Binary (382a85810806)\"\n id = \"022c43db-2175-44d1-8346-382a85810806\"\n description = \"Detects Go binaries compiled with the Garble obfuscator by detecting the stack operations leading to string seed transformations and the calls to the transformations themselves.\\nGarble obfuscates Go binaries by replacing identifiers, stripping debug information, and removing build metadata, making reverse engineering difficult.\\nThis is commonly used by malware for creating obfuscated payloads.\\nIt is recommended to perform a detailed dynamic analysis of the binary an use common tools like the one in the references to deobfuscate and identify hidden functionalities and determine maliciousness.\"\n references = \"https://attack.mitre.org/techniques/T1027/\\nhttps://github.com/burrowers/garble\\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/\"\n date = \"2025-03-13\"\n modified = \"2025-03-19\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n 
classification = \"Generic.Garble\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1d8ae8261f83244be16a06e3775ce05dcdb2be6c3f30e6d3a3c20cde46d35fcc\n // 688dc0d366c55d42401eff651a61aa3faa266759106b64e46cff0ca24767da97\n // b0d20a3dcb937da1ddb01684f6040bdbb920ac19446364e949ee8ba5b50a29e4\n // 184e9a4c1f726843ab36024089c8f8620466fb78e20da5bf7781c0d9999b9ba4\n // a0f67b760c9aac5e22088613506a8aab2fb93f874e31bbc5c9b88cfd9af414be\n // cf37a75989b5f89a8b18a036cfdbab234035aba1dfc8bc844e8c7e77a35b3dd2\n\n // Try to check if it is a Go binary without using too many resources\n $go_binary_1 = \"Go buildinf:\" ascii\n $go_binary_2 = \"fatal error: cgo callback before cgo call\" ascii\n $go_binary_3 = \".gopclntab\" ascii\n\n $common_obfstring_stack_setup = {\n 48 B9 [8] // mov rcx, 0xcbbb9d5dc1059ed8\n 48 89 08 // mov qword [rax], rcx {-0x344462a23efa6128}\n 48 B9 [8] // mov rcx, 0x629a292a367cd507\n 48 89 48 08 // mov qword [rax+0x8], rcx {0x629a292a367cd507}\n 48 B9 [8] // mov rcx, 0x9159015a3070dd17\n 48 89 48 10 // mov qword [rax+0x10], rcx {-0x6ea6fea5cf8f22e9}\n 48 B9 [8] // mov rcx, 0x152fecd8f70e5939\n 48 89 48 18 // mov qword [rax+0x18], rcx {0x152fecd8f70e5939}\n 48 B9 [8] // mov rcx, 0x67332667ffc00b31\n 48 89 48 20 // mov qword [rax+0x20], rcx {0x67332667ffc00b31}\n }\n\n $seed_transformation_reg_call = {\n FF D1 // call rcx\n 48 8B 08 // mov rcx, qword [rax]\n 48 89 C2 // mov rdx, rax\n B8 [4] // mov eax, 0xfffffffd\n ff D1 // call rcx\n 48 8B 08 // mov rcx, qword [rax]\n 48 89 C2 // mov rdx, rax\n B8 [4] // mov eax, 0xfffffff9\n FF D1 // call rcx\n 48 8B 08 // mov rcx, qword [rax]\n 48 89 C2 // mov rdx, rax\n B8 [4] // mov eax, 0xffffffcd\n FF D1 // call rcx\n }\n\n condition:\n 1 of ($go_binary_*) and #common_obfstring_stack_setup > 2 and #seed_transformation_reg_call > 20\n\n}\n", "rule_count": 1, 
"rule_names": [ "garble_382a85810806" ], "rule_creation_date": "2025-03-13", "rule_modified_date": "2025-03-19", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Generic.Garble" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-garble_6994b63f5389_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577072Z", "creation_date": "2026-03-23T11:46:25.577074Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577080Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1027/\nhttps://github.com/burrowers/garble\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/" ], "name": "garble_6994b63f5389.yar", "content": "rule garble_6994b63f5389 {\n meta:\n title = \"Garble Obfuscated Binary (6994b63f5389)\"\n id = \"a1237c96-5b9f-4a59-8368-6994b63f5389\"\n description = \"Detects Go binaries compiled with the Garble obfuscator by detecting simple string 
transformation patterns.\\nGarble obfuscates Go binaries by replacing identifiers, stripping debug information, and removing build metadata, making reverse engineering difficult.\\nThis is commonly used by malware for creating obfuscated payloads.\\nIt is recommended to perform a detailed dynamic analysis of the binary an use common tools like the one in the references to deobfuscate and identify hidden functionalities and determine maliciousness.\"\n references = \"https://attack.mitre.org/techniques/T1027/\\nhttps://github.com/burrowers/garble\\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/\"\n date = \"2025-03-17\"\n modified = \"2025-03-25\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Generic.Garble\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c92b21bdb91fe4c0590212e650212528a1f608a2ea086ce5eb5ac6d05edc41f7\n // be5d276314f9a108d0d44ba6e2c876e1ffac33ce2f549f2c530a31d210816800\n // 6b35bd1a2b0e41ec61f3518b53aec7986c23cc2cd230e2651aed4b6f28e9481b\n\n // Try to check if it is a Go binary without using too many resources\n $go_binary_1 = \"Go buildinf:\" ascii\n $go_binary_2 = \"fatal error: cgo callback before cgo call\" ascii\n $go_binary_3 = \".gopclntab\" ascii\n\n $simple_transformation_swap_and_op = {\n C7 84 [9] // mov dword [esp+0x384 {var_d90}], 0x4569021b\n C7 84 [9] // mov dword [esp+0x372 {var_da2}], 0xeab87fb7 {0xeab87fb7}\n C7 84 [9] // mov dword [esp+0x375 {var_da2+0x3}], 0xf0eb62ea {0xf0eb62ea}\n C7 84 [9] // mov dword [esp+0x379 {var_d9b}], 0x27036213\n 31 C0 // xor eax, eax {0x0}\n EB ?? // jmp 0x4fbf99\n 0F B6 [6] // movzx ecx, byte [esp+eax+0x37d {var_d97}]\n 0F B6 [6] // movzx edx, byte [esp+eax+0x372 {var_da2}]\n (29|01|31) ?? 
// add ecx, edx\n 88 [6] // mov byte [esp+eax+0x372 {var_da2}], cl\n 40 // inc eax\n 83 F8 ?? // cmp eax, 0xb\n 7C ?? // jl 0x4fbf7f\n }\n\n condition:\n 1 of ($go_binary_*) and #simple_transformation_swap_and_op > 15\n}\n", "rule_count": 1, "rule_names": [ "garble_6994b63f5389" ], "rule_creation_date": "2025-03-17", "rule_modified_date": "2025-03-25", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Generic.Garble" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-garble_e1fc4152a5e2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564853Z", "creation_date": "2026-03-23T11:46:25.564855Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564861Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1027/\nhttps://github.com/burrowers/garble\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/" ], "name": "garble_e1fc4152a5e2.yar", "content": "rule 
garble_e1fc4152a5e2 {\n meta:\n title = \"Garble Obfuscated Binary (e1fc4152a5e2)\"\n id = \"53c67821-8f20-4d0b-ba4b-e1fc4152a5e2\"\n description = \"Detects Go binaries compiled with the Garble obfuscator by detecting the stack operations leading to string seed transformations and the calls to the transformations themselves.\\nGarble obfuscates Go binaries by replacing identifiers, stripping debug information, and removing build metadata, making reverse engineering difficult.\\nThis is commonly used by malware for creating obfuscated payloads.\\nIt is recommended to perform a detailed dynamic analysis of the binary an use common tools like the one in the references to deobfuscate and identify hidden functionalities and determine maliciousness.\"\n references = \"https://attack.mitre.org/techniques/T1027/\\nhttps://github.com/burrowers/garble\\nhttps://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/\"\n date = \"2025-03-13\"\n modified = \"2025-03-24\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Generic.Garble\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these sample:\n // f4c602e6b962915ff27c09138b8c123187d8463f97e587637e04ea91ed06a2d8\n // c92b21bdb91fe4c0590212e650212528a1f608a2ea086ce5eb5ac6d05edc41f7\n // be5d276314f9a108d0d44ba6e2c876e1ffac33ce2f549f2c530a31d210816800\n // 91e4448d68474262e1f52ba687ded3fce3344514b0eb043245e9c9e2433b8932\n\n // Try to check if it is a Go binary without using too many resources\n $go_binary_1 = \"Go buildinf:\" ascii\n $go_binary_2 = \"fatal error: cgo callback before cgo call\" ascii\n $go_binary_3 = \".gopclntab\" ascii\n\n $common_obfstring_stack_setup = {\n C7 44 24 [5] // mov dword [esp+0x1e {var_a}], 0x4bd48f1b\n C7 44 24 [5] // mov dword [esp+0x20 {var_a+0x2}], 
0x768a4bd4\n C7 44 24 [5] // mov dword [esp+0x24 {var_4}], 0xbcb23b8a {0xbcb23b8a}\n C7 44 24 [5] // mov dword [esp+0x14 {var_14}], 0xaa38fb6a {0xaa38fb6a}\n C7 44 24 [5] // mov dword [esp+0x16 {var_14+0x2}], 0xdbdaaa38 {0xdbdaaa38}\n C7 44 24 [5] // mov dword [esp+0x1a {var_e}], 0x1f1ba8fc\n 31 C0 // xor eax, eax {0x0}\n EB ?? // jmp 0x4926d8\n }\n\n $seed_transformation_reg_call = {\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? // mov byte [esp {var_20}], 0x9d\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? // mov byte [esp {var_20}], 0x2f\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? // mov byte [esp {var_20}], 0x66\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? // mov byte [esp {var_20}], 0xc3\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? // mov byte [esp {var_20}], 0x6f\n FF D0 // call eax\n 8B 54 24 ?? // mov edx, dword [esp+0x4 {var_1c}]\n 8B 02 // mov eax, dword [edx]\n C6 04 24 ?? 
// mov byte [esp {var_20}], 0xe2\n }\n\n condition:\n 1 of ($go_binary_*) and #common_obfstring_stack_setup > 10 and #seed_transformation_reg_call > 30\n}\n", "rule_count": 1, "rule_names": [ "garble_e1fc4152a5e2" ], "rule_creation_date": "2025-03-13", "rule_modified_date": "2025-03-24", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Generic.Garble" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gazer_comm_module_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583694Z", "creation_date": "2026-03-23T11:46:25.583696Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583702Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0168/\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], "name": "gazer_comm_module.yar", "content": "rule gazer_comm_module {\n meta:\n title = \"Gazer Communication Module\"\n id = \"0cfdfc81-2417-4d3a-b811-c737cfecafee\"\n description = \"Detects 
the Gazer communication module, a Turla malware also known as WhiteBear used by the group since at least 2016.\\nGazer is a backdoor written in C++ which is based on three components: a loader, an orchestrator, and a communication module. It uses custom 3DES and RSA encryption libraries to encrypt the data sent to the C&C server.\\nThe tasks received from the C&C server can be executed either by the infected machine or by another machine on the network.\\nIt is recommended to investigate network connections for potential C2 activity, as well as to quarantine detected files.\"\n references = \"https://attack.mitre.org/software/S0168/\\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\"\n date = \"2023-01-20\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1573.001;attack.t1573.002;attack.defense_evasion;attack.t1055.003;attack.t1027;attack.t1553.002;attack.discovery;attack.t1033;attack.s0168\"\n classification = \"Windows.Malware.Gazer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c\n // 6f3cca3ec5110b8cd761697967067a93d2c1546b2c18f75437c5f36bca45da86\n // f16e2fc2e467580a7cac3f09757b048419b73c7687401c9266fbb146c8e449bb\n // ca9e3ea2e21483612ec2d9ff4a91693e97ab24175ac00ccb52da89e4b89230c9\n\n $s1 = \"InternetRelations::ReceiveMessageFromCentre\" fullword ascii\n $s2 = \"InternetRelations::SendMessageToCentre\" fullword ascii\n $s3 = \"hash\" fullword ascii\n $s4 = \"session\" fullword ascii\n $s5 = \"photo\" fullword ascii\n $s6 = \"Mozilla/4.0 (compatible; MSIE 6.0)\" fullword wide\n $s7 = \"InternetRelations::GetUserAgent\" fullword wide\n $s8 = \"INTERNET_OPEN_TYPE_PRECONFIG\" fullword wide\n $s9 = \"windowsupdate.microsoft.com\" fullword wide\n $s10 = 
\"InternetRelations::GetInetConnectToGazer\" fullword wide\n $s11 = \"_GETSID_METHOD_1_\" fullword wide\n $s12 = \"\\\\\\\\.\\\\pipe\\\\Winsock2\\\\CatalogChangeListener-FFFF-F\" fullword wide\n\n condition:\n 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "gazer_comm_module" ], "rule_creation_date": "2023-01-20", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Gazer" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1027", "attack.t1553.002", "attack.t1573.002", "attack.t1055.003", "attack.t1573.001", "attack.t1033" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gazer_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583727Z", "creation_date": "2026-03-23T11:46:25.583729Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583734Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0168/\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], 
"name": "gazer_loader.yar", "content": "import \"pe\"\n\nrule gazer_loader {\n meta:\n title = \"Gazer Loader\"\n id = \"806bc6c6-ef6c-4b88-bc1e-9024a1b9d002\"\n description = \"Detects the Gazer loader, a Turla malware also known as WhiteBear used by the group since at least 2016.\\nGazer is a backdoor written in C++ which is based on three components: a loader, an orchestrator, and a communication module. It uses custom 3DES and RSA encryption libraries to encrypt the data sent to the C&C server.\\nThe tasks received from the C&C server can be executed either by the infected machine or by another machine on the network.\\nIt is recommended to investigate network connections for potential C2 activity, as well as to quarantine detected files.\"\n references = \"https://attack.mitre.org/software/S0168/\\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\"\n date = \"2023-01-19\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.003;attack.t1027;attack.t1553.002;attack.discovery;attack.t1033;attack.s0168\"\n classification = \"Windows.Malware.Gazer\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a65bc4adbd61c098acf40ef81dc8b6b10269af0d9ebbdc18b48439df76c18cb3\n // 473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0\n // d0b169d2e753191a5c366a863d216bc5a9eb5e173f0bd5a61f126c4fd16484ac\n // 4013d3c221c6924e8c525aac7ed0402bd5349a28dcbc20bc1ff6bd09079faacf\n\n $s1 = \"KernelInjector::KernelInjector\" fullword ascii\n $s2 = \"KernelInjector::MapLibrary\" fullword ascii\n $s3 = \"KernelInjector::KernelInjector\" fullword wide\n $s4 = \"KernelInjector::LoadDllToProcess\" fullword wide\n $s5 = \"{531511FA-190D-5D85-8A4A-279F2F592CC7}\" fullword wide\n $s6 = \"\\\\\\\\.\\\\pipe\\\\Winsock2\\\\CatalogChangeListener-%02x%02x-%01x\" fullword wide\n\n $resource_201 = 
{00000000220000006500780070006C006F007200650072002E00650078006500} // explorer.exe\n $resource_202 = {4D5A}\n\n condition:\n 3 of ($s*) or (\n pe.number_of_resources == 3 and\n pe.resources[0].length == 128 and\n $resource_201 at pe.resources[0].offset and\n $resource_202 at pe.resources[1].offset\n )\n}\n", "rule_count": 1, "rule_names": [ "gazer_loader" ], "rule_creation_date": "2023-01-19", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Gazer" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1553.002", "attack.t1055.003", "attack.t1027", "attack.t1033" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gazer_orchestrator_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569336Z", "creation_date": "2026-03-23T11:46:25.569338Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569344Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0168/\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], "name": 
"gazer_orchestrator.yar", "content": "import \"pe\"\n\nrule gazer_orchestrator {\n meta:\n title = \"Gazer Orchestrator\"\n id = \"d656a9fd-d46f-4e95-82a3-5979267b7940\"\n description = \"Detects the Gazer orchestrator, a Turla malware also known as WhiteBear used by the group since at least 2016.\\nGazer is a backdoor written in C++ which is based on three components: a loader, an orchestrator, and a communication module. It uses custom 3DES and RSA encryption libraries to encrypt the data sent to the C&C server.\\nThe tasks received from the C&C server can be executed either by the infected machine or by another machine on the network.\\nIt is recommended to investigate network connections for potential C2 activity, as well as to quarantine detected files.\"\n references = \"https://attack.mitre.org/software/S0168/\\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\"\n date = \"2023-01-19\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.003;attack.t1027;attack.t1553.002;attack.discovery;attack.t1033;attack.s0168\"\n classification = \"Windows.Malware.Gazer\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9747f2d56b108d80cc4ae05ca6c4809a956c08b40e35c0e7dbf611aca80be9dd\n // 09da9e80e4554be5c2734ced0e70a6a08eb9ddacb8c1d9155c44ad8f0cbad8d2\n // bc8869b55c5d6c9afc487ceb0e815577043875f4f8a3e0d84b8b8ed33d0b56e1\n\n $s1 = \"Crypto::EncryptRSA\" fullword wide\n $s2 = \"Crypto::CompressBuffer\" fullword wide\n $s3 = \"CMC_GIVE_SETTINGS\" fullword wide\n $s4 = \"CMC_TAKE_TASK\" fullword wide\n $s5 = \"LTNamedPipe::Receive\" fullword wide\n $s6 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\ScreenSaver\" fullword wide\n $s7 = \"DLL_PROCESS_ATTACH\" fullword wide\n $s8 = \"EncryptDES Error\" fullword wide\n\n $l1 = \"KernelInjector::KernelInjector\" fullword 
ascii\n $l2 = \"KernelInjector::KernelInjector\" fullword wide\n\n condition:\n 4 of ($s*) and (\n pe.number_of_resources > 10 or\n not 1 of ($l*)\n )\n}\n", "rule_count": 1, "rule_names": [ "gazer_orchestrator" ], "rule_creation_date": "2023-01-19", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Gazer" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1553.002", "attack.t1055.003", "attack.t1027", "attack.t1033" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gc2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586908Z", "creation_date": "2026-03-23T11:46:25.586910Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586916Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/looCiprian/GC2-sheet/" ], "name": "gc2.yar", "content": "rule gc2_strings {\n meta:\n title = \"GC2 Generic Strings\"\n id = \"6cdcb8ae-dba6-44a2-827a-6d64a4caf077\"\n description = \"Detects the GC2 C2 framework which uses Google Sheets/Drive and Microsoft SharePoint/List for command 
execution and file exfiltration.\\nGC2 is a Go-based framework that enables attackers to execute commands on compromised machines and transfer files using legitimate cloud services.\\nIt typically communicates through specific configuration strings related to Google and Microsoft services.\"\n references = \"https://github.com/looCiprian/GC2-sheet/\"\n date = \"2024-10-11\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1071.001;attack.t1102.002;attack.command_and_control;attack.exfiltration;attack.t1567.002\"\n classification = \"Framework.GC2\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $static_str_1 = \"GC2-sheet/internal/C2\" ascii\n $static_str_2 = \"GC2-sheet/cmd\" ascii\n $static_str_3 = \"CommandService:\" ascii\n $static_str_4 = \"FileSystemService:\" ascii\n\n $google_cfg_str_1 = \"GoogleServiceAccountKey:\" ascii\n $google_cfg_str_2 = \"GoogleSheetID:\" ascii\n $google_cfg_str_3 = \"GoogleDriveID:\" ascii\n\n $ms_cfg_str_1 = \"MicrosoftTenantID:\" ascii\n $ms_cfg_str_2 = \"MicrosoftClientID:\" ascii\n $ms_cfg_str_3 = \"MicrosoftClientSecret:\" ascii\n $ms_cfg_str_4 = \"MicrosoftSiteID:\" ascii\n\n condition:\n all of ($static_str_*) and (all of ($google_cfg_str_*) or all of ($ms_cfg_str_*))\n}\n", "rule_count": 1, "rule_names": [ "gc2_strings" ], "rule_creation_date": "2024-10-11", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Framework.GC2" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567.002", "attack.t1102.002", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_api_hashing_02c89791ecf7_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585691Z", "creation_date": "2026-03-23T11:46:25.585693Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585699Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "generic_api_hashing_02c89791ecf7.yar", "content": "rule generic_api_hashing_02c89791ecf7 {\n meta:\n title = \"Generic API Hashing (02c89791ecf7)\"\n id = \"5308c9e6-d9b3-45b6-8acc-02c89791ecf7\"\n description = \"Detects API hashing functions seen in Pikabot malware.\\nPikabot is a known malware family that employs API hashing to dynamically resolve functions, allowing it to avoid detection and analysis. 
This technique involves hashing API function names at runtime, which helps the malware avoid static detection mechanisms and makes it harder to analyze its behavior.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2024-02-23\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1545a44e666ca8f1a3a77012677665287a44898a9b2240838c40474988b0fc29\n // ff7c3ebcd8cc98132ea7e06e72c73e0e5e60fc9b05c235b3ac105c9d83c64c97\n // fb13f1443013b5a4108b79253487506b9fbf572cf9c7fb1dc8c098da71545edc\n\n $hashing = {\n 8B 45 08 // mov eax, [ebp+arg_0]\n 0F BE 08 // movsx ecx, byte ptr [eax]\n 85 C9 // test ecx, ecx\n 74 22 // jz short loc_51A466\n 8B 55 08 // mov edx, [ebp+arg_0]\n 0F B6 02 // movzx eax, byte ptr [edx]\n 83 C8 60 // or eax, 60h\n 03 45 FC // add eax, [ebp+var_4]\n 89 45 FC // mov [ebp+var_4], eax\n 8B 4D 08 // mov ecx, [ebp+arg_0]\n 83 C1 01 // add ecx, 1\n 89 4D 08 // mov [ebp+arg_0], ecx\n 8B 55 FC // mov edx, [ebp+var_4]\n D1 E2 // shl edx, 1\n 89 55 FC // mov [ebp+var_4], edx\n EB D4 // jmp short loc_51A43A\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_api_hashing_02c89791ecf7" ], "rule_creation_date": "2024-02-23", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { 
"id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_api_hashing_41fb0034c288_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585649Z", "creation_date": "2026-03-23T11:46:25.585652Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585661Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "generic_api_hashing_41fb0034c288.yar", "content": "rule generic_api_hashing_41fb0034c288 {\n meta:\n title = \"Generic API Hashing (41fb0034c288)\"\n id = \"9be73ed3-6cf7-4983-b6c6-41fb0034c288\"\n description = \"Detects API hashing functions seen in SmokeLoader malware.\\nSmokeLoader is a type of malware that employs API hashing to dynamically resolve function calls. 
This technique allows the malware to avoid static analysis by using hashes to locate API functions, making it harder to identify and analyze its malicious behavior.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2023-10-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $push_hash_1 = {\n 68 86 57 0D 00 // push 0D5786h\n 68 88 4E 0D 00 // push 0D4E88h ; kernel32.dll hash\n E8 ?? ?? ?? ?? // call near ptr unk_7CF1F0\n }\n\n $push_hash_2 = {\n 68 FA 8B 34 00 // push 348BFAh\n 68 88 4E 0D 00 // push 0D4E88h\n E8 ?? ?? ?? ?? // call near ptr unk_A58E3B\n }\n\n $hash_api_fn = {\n 8A 10 // mov dl, [eax]\n 80 CA 60 // or dl, 60h\n 03 DA // add ebx, edx\n D1 E3 // shl ebx, 1\n 03 45 10 // add eax, [ebp+arg_8]\n 8A 08 // mov cl, [eax]\n 84 C9 // test cl, cl\n }\n\n $qihoo_360_0 = \"C:\\\\Program Files (x86)\\\\360\\\\Total Security\\\\safemon\\\\QHActiveDefense.exe\" ascii\n $qihoo_360_1 = \"X-360-Cloud-Security-Desc\" ascii\n $qihoo_360_2 = \"AVC360UtilExportFuncs\" ascii\n\n condition:\n (1 of ($push_hash_*) and $hash_api_fn) and not 1 of ($qihoo_360_*)\n}\n", "rule_count": 1, "rule_names": [ "generic_api_hashing_41fb0034c288" ], "rule_creation_date": "2023-10-10", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_api_hashing_923bc731ca99_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585866Z", "creation_date": "2026-03-23T11:46:25.585882Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585889Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "generic_api_hashing_923bc731ca99.yar", "content": "rule generic_api_hashing_923bc731ca99 {\n meta:\n title = \"Generic API Hashing (923bc731ca99)\"\n id = \"4d3b6d49-4aee-4255-a4b0-923bc731ca99\"\n description = \"Detects API hashing functions seen in the Koi Loader malware.\\nAPI hashing is a technique used to dynamically resolve functions called by the malware, allowing it to hide malicious activities and evade defensive analysis. 
This technique helps the malware avoid static detection by using dynamic function resolution.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2024-05-23\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ebff8e5324010b0572b971205707faa234154416533f68a4091d4b5b7cf0f4b7\n // 2fc9bd91753ff3334ef7f9861dc1ae79cf5915d79fa50f7104cbb3262b7037da\n\n $getprocaddress = {\n 89 4D E0 // mov [ebp+var_20], ecx\n 8B 55 F8 // mov edx, [ebp+var_8]\n 8B 45 08 // mov eax, [ebp+arg_0]\n 03 42 24 // add eax, [edx+24h]\n 89 45 E4 // mov [ebp+var_1C], eax\n C7 45 FC 00 00 00 00 // mov [ebp+var_4], 0\n EB 09 // jmp short loc_4010C3\n\n // loc_4010BA:\n 8B 4D FC // mov ecx, [ebp+var_4]\n 83 C1 01 // add ecx, 1\n 89 4D FC // mov [ebp+var_4], ecx\n\n // loc_4010C3:\n 8B 55 F8 // mov edx, [ebp+var_8]\n 8B 45 FC // mov eax, [ebp+var_4]\n 3B 42 18 // cmp eax, [edx+18h]\n 73 ?? 
// jnb short loc_401105\n 8B 4D FC // mov ecx, [ebp+var_4]\n 8B 55 EC // mov edx, [ebp+var_14]\n 8B 45 08 // mov eax, [ebp+arg_0]\n 03 04 8A // add eax, [edx+ecx*4]\n 89 45 E8 // mov [ebp+var_18], eax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_api_hashing_923bc731ca99" ], "rule_creation_date": "2024-05-23", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_api_hashing_a4eaf6faea91_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585528Z", "creation_date": "2026-03-23T11:46:25.585530Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585536Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "generic_api_hashing_a4eaf6faea91.yar", "content": "rule 
generic_api_hashing_a4eaf6faea91 {\n meta:\n title = \"Generic API Hashing (a4eaf6faea91)\"\n id = \"184cb4b1-142f-45f5-ae59-a4eaf6faea91\"\n description = \"Detects API hashing/encryption functions seen in FIN7 packer.\\nAPI hashing is a technique used by malware to dynamically resolve API function addresses at runtime, which helps in evading static analysis and anti-virus detection. This behavior is commonly associated with the FIN7 malware group, which uses such techniques to enhance the obfuscation of its malicious activities.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2024-08-06\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $hashing = {\n 0F B? [1-2] // movzx eax, [rsp+128h+size_string]\n 39 [1-3] // cmp [rsp+128h+var_124], eax\n 73 ?? // jnb short loc_140001CC9\n 8B [1-3] // mov eax, [rsp+128h+var_124]\n 83 ?? 05 // add eax, 5\n 8B ?? // mov eax, eax\n 4? 8B [1-6] // mov rcx, [rsp+128h+arg_0]\n 0F B? [1-2] // movsx eax, byte ptr [rcx+rax]\n 85 ?? // test eax, eax\n 74 ?? // jz short loc_140001CB0\n 0f B? [1-3] // movzx eax, [rsp+128h+key]\n 8B [1-3] // mov ecx, [rsp+128h+var_124]\n 83 ?? 05 // add ecx, 5\n 8B ?? // mov ecx, ecx\n 4? 8B [1-6] // mov rdx, [rsp+128h+arg_0]\n 0F B? [1-2] // movsx ecx, byte ptr [rdx+rcx]\n 33 ?? // xor eax, ecx\n 2B [1-3] // sub eax, [rsp+128h+var_124]\n FF ?? 
// dec eax\n 8B [1-3] // mov ecx, [rsp+128h+var_124]\n 88 [1-3] // mov [rsp+rcx+128h+decrypted_string], al\n EB // jmp short loc_140001CC7\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_api_hashing_a4eaf6faea91" ], "rule_creation_date": "2024-08-06", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_dotnet_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586738Z", "creation_date": "2026-03-23T11:46:25.586740Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586746Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://stackoverflow.com/questions/24903575/how-to-return-byte-when-decrypt-using-cryptostream-descryptoserviceprovider" ], "name": "generic_dotnet_loader.yar", "content": "import \"dotnet\"\n\nrule generic_dotnet_loader {\n meta:\n title = \"Generic Dotnet Loader\"\n id = 
\"3ab51ce4-d234-453c-8570-46ecb9548639\"\n description = \"Detects a generic .NET loader that loads an embedded encrypted payload.\\nThis loader is designed to decrypt and execute its payload in memory. Such loaders are often used by malware to avoid writing malicious files to disk, making them harder to detect. The rule identifies activities indicative of such a loader, including the use of functions like ResumeThread, CreateProcess, ReadProcessMemory, and WriteProcessMemory, which are commonly used to manipulate processes and memory spaces. Additionally, the presence of cryptographic functions such as CreateDecryptor and PerformCryptography further suggests the loader's intent to decrypt and execute malicious code.\\nIt is recommended to verify if the usage of this binary is legitimate.\"\n references = \"https://stackoverflow.com/questions/24903575/how-to-return-byte-when-decrypt-using-cryptostream-descryptoserviceprovider\"\n date = \"2024-01-24\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1055.012\"\n classification = \"Windows.Loader.UnknownDotnet\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n $s1 = \"ResumeThread\" ascii fullword\n $s2 = \"CreateProcess\" ascii fullword\n $s3 = \"ReadProcessMemory\" ascii fullword\n $s4 = \"WriteProcessMemory\" ascii fullword\n $s5 = \"CreateDecryptor\" ascii fullword\n // Custom function\n $s6 = \"PerformCryptography\" ascii fullword\n\n condition:\n dotnet.is_dotnet and all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_dotnet_loader" ], "rule_creation_date": "2024-01-24", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.UnknownDotnet" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1055.012" ], "rule_score": 70, "rule_context": [ "file.pe", 
"process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_dynamic_load_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571661Z", "creation_date": "2026-03-23T11:46:25.571663Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571668Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "generic_dynamic_load.yar", "content": "rule generic_dynamic_load {\n meta:\n title = \"Generic Dynamic API Resolution\"\n id = \"6ce8c2d2-1dcc-4eca-ab88-faf0e36f0c46\"\n description = \"Detects general Dynamic API Loading of the kernel32.dll library followed by the VirtualProtect function.\\nThis technique is often used by malware authors to avoid the actual API calls being displayed in the IAT, as a way to defeat static analysis.\\nThis technique has been often seen in SmokeLoader samples.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = 
\"https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2023-10-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.DynamicApiLoading\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $load_library_strings = {\n C6 05 ?? ?? ?? 00 33 // mov byte_42490E, 33h ; '3'\n C6 05 ?? ?? ?? 00 32 // mov byte_42490F, 32h ; '2'\n C6 05 ?? ?? ?? 00 6C // mov byte_424913, 6Ch ; 'l'\n C6 05 ?? ?? ?? 00 6C // mov byte_424912, 6Ch ; 'l'\n C6 05 ?? ?? ?? 00 6E // mov byte_42490B, 6Eh ; 'n'\n C6 05 ?? ?? ?? 00 6C // mov byte_42490D, 6Ch ; 'l'\n C6 05 ?? ?? ?? 00 6B // mov ProcName, 6Bh ; 'k'\n C6 05 ?? ?? ?? 00 65 // mov byte_42490C, 65h ; 'e'\n C6 05 ?? ?? ?? 00 72 // mov byte_42490A, 72h ; 'r'\n C6 05 ?? ?? ?? 00 2E // mov byte_424910, 2Eh ; '.'\n C6 05 ?? ?? ?? 00 64 // mov byte_424911, 64h ; 'd'\n C6 05 ?? ?? ?? 00 65 // mov byte_424909, 65h ; 'e'\n C6 05 ?? ?? ?? 00 00 // mov byte_424914, 0\n FF [6-12] // call ds:LoadLibraryA\n // push esi ; lpProcName\n // push eax ; hModule\n // mov dword_454A80, eax\n C6 05 ?? ?? ?? 00 65 // mov byte_424913, 65h ; 'e'\n C6 05 ?? ?? ?? 00 69 // mov byte_424909, 69h ; 'i'\n C6 05 ?? ?? ?? 00 75 // mov byte_42490C, 75h ; 'u'\n C6 05 ?? ?? ?? 00 6C // mov byte_42490E, 6Ch ; 'l'\n C6 05 ?? ?? ?? 00 61 // mov byte_42490D, 61h ; 'a'\n C6 05 ?? ?? ?? 00 6F // mov byte_424911, 6Fh ; 'o'\n C6 05 ?? ?? ?? 00 74 // mov byte_424915, 74h ; 't'\n C6 05 ?? ?? ?? 00 56 // mov ProcName, 56h ; 'V'\n C6 05 ?? ?? ?? 00 63 // mov byte_424914, 63h ; 'c'\n C6 05 ?? ?? ?? 00 50 // mov byte_42490F, 50h ; 'P'\n C6 05 ?? ?? ?? 00 00 // mov byte_424916, 0\n C6 05 ?? ?? ?? 00 74 // mov byte_42490B, 74h ; 't'\n C6 05 ?? ?? ?? 00 74 // mov byte_424912, 74h ; 't'\n C6 05 ?? ?? ?? 
00 72 // mov byte_42490A, 72h ; 'r'\n C6 05 ?? ?? ?? 00 72 // mov byte_424910, 72h ; 'r'\n FF ?? ?? ?? ?? ?? // call ds:GetProcAddress\n }\n\n condition:\n $load_library_strings\n}\n", "rule_count": 1, "rule_names": [ "generic_dynamic_load" ], "rule_creation_date": "2023-10-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.DynamicApiLoading" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic-gmer-exploit_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590328Z", "creation_date": "2026-03-23T11:46:25.590330Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590335Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "generic-gmer-exploit.yar", "content": "rule generic_gmer_exploit {\n meta:\n title = \"Generic-GMER-Exploit HackTool\"\n id = \"400f6c4e-b235-4ad5-8a93-b019c50efa95\"\n 
description = \"Detects payloads exploiting the gmer64.sys vulnerable driver to terminate protected processes.\\nSuch payloads load the gmer64.sys driver and use its functionality to stop specified processes, likely to bypass protection mechanisms or disrupt legitimate system operations.\"\n references = \"\\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2026-02-11\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.GenericGMERExploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 32051f61c8d6d1d9bb19fd225ff3a3a2f6c06673f92398cf7178f235ecf3abf2\n\n $s_device = \"\\\\\\\\.\\\\\" wide ascii\n $s_winapi_01 = \"CreateFile\" wide ascii\n $s_winapi_02 = \"DeviceIoControl\" wide ascii\n $s_winapi_03 = \"CreateService\" wide ascii\n $s_winapi_04 = \"OpenSCManager\" wide ascii\n $s_winapi_05 = \"OpenService\" wide ascii\n $s_winapi_06 = \"StartService\" wide ascii\n $s_IOCTL_init = { (98 76 C0 04|04 C0 76 98) }\n $s_IOCTL_kill = { (98 76 C0 94|94 C0 76 98) }\n\n // Call stub to deviceioctl with the KILL IOCTL\n $s_call_stub = {\n 41 B9 04 00 00 00 // mov r9d, 4 ; nInBufferSize\n [0-12] // padding\n BA 94 C0 76 98 // mov edx, 9876C094h ; dwIoControlCode\n [0-12] // padding\n FF // call DeviceIoControl\n }\n\n // This is handled by the rule 43437884-fa45-43fc-8920-5a6d827fbdb7\n $filter_superman = \"superman\" wide ascii nocase\n // This is handled by the rule 22ff49d7-43a4-4641-82c3-012936d91882\n $filter_blackout = \"blackout\" wide ascii nocase\n\n condition:\n all of ($s_*)\n and not (1 of ($filter_*))\n}\n", "rule_count": 1, "rule_names": [ "generic_gmer_exploit" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2026-02-11", "rule_os": [ 
"windows" ], "rule_classifications": [ "Windows.HackTool.GenericGMERExploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_loader_586c0a5814c0_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572781Z", "creation_date": "2026-03-23T11:46:25.572783Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572788Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.zerodetection.net/blog/minimal-shellcode-loader-in-c-a-step-by-step-guide\nhttps://redsiege.com/blog/2023/07/obfuscating-shellcode-using-jargon/\nhttps://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1055/" ], "name": "generic_loader_586c0a5814c0.yar", "content": "rule generic_loader_586c0a5814c0 {\n meta:\n title = \"Generic Loader (586c0a5814c0)\"\n id = \"1ffdc7c7-3f8d-4a27-a077-586c0a5814c0\"\n description = \"Detects generic code patterns used by loaders.\\nThis binary likely loads and executes another payload or module in memory.\\nIt is recommended to investigate 
the source of the loaded module and check for signs of unauthorized execution.\"\n references = \"https://www.zerodetection.net/blog/minimal-shellcode-loader-in-c-a-step-by-step-guide\\nhttps://redsiege.com/blog/2023/07/obfuscating-shellcode-using-jargon/\\nhttps://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1055/\"\n date = \"2025-03-07\"\n modified = \"2025-03-14\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1562;attack.t1055\"\n classification = \"Windows.Generic.Loader\"\n context= \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0bdfbbd811c57bf008283df10c42fb6d94872983bb827758e05d8fb6c0e55def\n // 1e6dceab2287bd6f5e7286a7a5f4ed46bf8e39151f70e4faa0699715d1b72772\n // 1ec9675c5d09c4a74e13c542238f9387b0d0f58223be1d696dc9c9e7cc8f6cce\n // 6a5f3777f6ec459dc2c773c569fa5730ddb284be99069265f0e74464a3ca2252\n // caada6c08b2a185a48b66a0b7e28397e6a5a0f04a88bc57366323da9df40f5bb\n // fb7598c53948b86b4716b1089c44f78a05cbb9791e1156f9a381ec17ee2e4304\n\n $hash_string = {\n 75 07 // jnz short loc_40182A\n 48 83 45 F0 01 // add [rbp+var_10], 1\n EB 25 // jmp short loc_40184F\n\n // loc_40182A:\n 80 7D EF ?? // cmp [rbp+var_11], 60h\n 76 04 // jbe short loc_401834\n 80 6D EF ?? // sub [rbp+var_11], 20h\n\n // loc_401834:\n 8B 45 FC // mov eax, [rbp+var_4]\n C1 E0 ?? // shl eax, 5\n 89 C2 // mov edx, eax\n 8B 45 FC // mov eax, [rbp+var_4]\n 01 C2 // add edx, eax\n 0F B6 45 EF // movzx eax, [rbp+var_11]\n 01 D0 // add eax, edx\n 89 45 FC // mov [rbp+var_4], eax\n 48 83 45 F0 01 // add [rbp+var_10], 1\n }\n\n $uuid_1 = {\n // loc_1C2381439:\n 48 8B 55 F8 // mov rdx, [rbp+Uuid]\n 8B 45 F4 // mov eax, [rbp+var_C]\n 48 98 // cdqe\n 48 8D 0C C5 00 00 00 00 // lea rcx, ds:0[rax*8]\n 48 8D 05 ?? ?? ?? ?? 
// lea rax, off_1C23D9BC0 ; \"0171c084-fce8-8348-e000-48c7c3000000\"\n 48 8B 04 01 // mov rax, [rcx+rax]\n 48 89 C1 // mov rcx, rax ; StringUuid\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:__imp_UuidFromStringA\n FF D0 // call rax ; __imp_UuidFromStringA\n 89 45 E4 // mov [rbp+var_1C], eax\n 83 7D E4 00 // cmp [rbp+var_1C], 0\n 75 24 // jnz short loc_1C238148E\n 48 83 45 F8 10 // add [rbp+Uuid], 10h\n 83 45 F4 01 // add [rbp+var_C], 1\n }\n $uuid_2 = {\n 30 31 37 31 63 30 38 34 2D 66 63 65 38 2D // db '0171c084-fce8-3148-c048-31db4831c948'\n }\n\n // https://redsiege.com/blog/2023/07/obfuscating-shellcode-using-jargon/\n $jargon_x86 = {\n C7 45 E8 ?? ?? ?? ?? // mov [ebp+var_18], 68Fh\n C7 45 F4 00 00 00 00 // mov [ebp+var_C], 0\n EB 41 // jmp short loc_69041545\n\n // loc_69041504:\n C7 45 F0 00 00 00 00 // mov [ebp+var_10], 0\n EB 2B // jmp short loc_69041538\n\n // loc_6904150D:\n 8B 45 F0 // mov eax, [ebp+var_10]\n 8B 14 85 ?? ?? ?? ?? // mov edx, _translation_table[eax*4]\n 8B 45 F4 // mov eax, [ebp+var_C]\n 8B 04 85 ?? ?? ?? ?? // mov eax, _translated_shellcode[eax*4]\n 39 C2 // cmp edx, eax\n 75 0F // jnz short loc_69041534\n 8B 55 F4 // mov edx, [ebp+var_C]\n 8B 45 EC // mov eax, [ebp+var_14]\n 01 D0 // add eax, edx\n 8B 55 F0 // mov edx, [ebp+var_10]\n 88 10 // mov [eax], dl\n EB 0D // jmp short loc_69041541\n\n // loc_69041534:\n 83 45 F0 01 // add [ebp+var_10], 1\n\n // loc_69041538:\n 81 7D F0 FF 00 00 00 // cmp [ebp+var_10], 0FFh\n 7E CC // jle short loc_6904150D\n }\n $jargon_x64 = {\n // loc_1C238142D:\n C7 45 F8 00 00 00 00 // mov [rbp+var_8], 0\n EB 4D // jmp short loc_1C2381483\n\n // loc_1C2381436:\n 8B 45 F8 // mov eax, [rbp+var_8]\n 48 98 // cdqe\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8D 05 ?? ?? ?? ?? // lea rax, off_1C2383020 ; \"ought\"\n 48 8B 14 02 // mov rdx, [rdx+rax]\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 8D 0C C5 00 00 00 00 // lea rcx, ds:0[rax*8]\n 48 8D 05 ?? ?? ?? ?? 
// lea rax, off_1C2383820 ; \"warning\"\n 48 8B 04 01 // mov rax, [rcx+rax]\n 48 39 C2 // cmp rdx, rax\n 75 14 // jnz short loc_1C238147F\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 63 D0 // movsxd rdx, eax\n 48 8B 45 F0 // mov rax, [rbp+var_10]\n 48 01 D0 // add rax, rdx\n 8B 55 F8 // mov edx, [rbp+var_8]\n 88 10 // mov [rax], dl\n EB 0D // jmp short loc_1C238148C\n }\n\n // patchEtw()\n $patchetw_x86 = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 83 EC 48 // sub esp, 48h\n C7 45 E8 48 33 C0 C3 // mov [ebp+var_18], 0C3C03348h\n C7 45 DE 6E 74 64 6C // mov dword ptr [ebp+ModuleName], 6C64746Eh\n C7 45 E2 6C 2E 64 6C // mov [ebp+var_1E], 6C642E6Ch\n 66 C7 45 E6 6C 00 // mov [ebp+var_1A], 6Ch ; 'l'\n 8D 45 DE // lea eax, [ebp+ModuleName]\n 89 04 24 // mov [esp], eax ; lpModuleName\n A1 ?? ?? ?? ?? // mov eax, ds:__imp__GetModuleHandleA@4 ; GetModuleHandleA(x)\n FF D0 // call eax ; GetModuleHandleA(x) ; GetModuleHandleA(x)\n 83 EC 04 // sub esp, 4\n 89 45 F4 // mov [ebp+hModule], eax\n C7 45 D1 4E 74 54 72 // mov dword ptr [ebp+ProcName], 7254744Eh\n C7 45 D5 61 63 65 45 // mov [ebp+var_2B], 45656361h\n C7 45 D9 76 65 6E 74 // mov [ebp+var_27], 746E6576h\n C6 45 DD 00 // mov [ebp+var_23], 0\n }\n $patchetw_x64_v1 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 60 // sub rsp, 60h\n C7 45 E4 48 33 C0 C3 // mov [rbp+var_1C], 0C3C03348h\n 48 B8 6E 74 64 6C 6C 2E 64 6C // mov rax, 6C642E6C6C64746Eh\n 48 89 45 DA // mov qword ptr [rbp+ModuleName], rax\n 66 C7 45 E2 6C 00 // mov [rbp+var_1E], 6Ch ; 'l'\n 48 8D 45 DA // lea rax, [rbp+ModuleName]\n 48 89 C1 // mov rcx, rax ; lpModuleName\n 48 8B 05 ?? ?? ?? ?? 
// mov rax, cs:__imp_GetModuleHandleA\n FF D0 // call rax ; __imp_GetModuleHandleA\n 48 89 45 F8 // mov [rbp+hModule], rax\n 48 B8 4E 74 54 72 61 63 65 45 // mov rax, 456563617254744Eh\n 48 89 45 CD // mov qword ptr [rbp+ProcName], rax\n C7 45 D5 76 65 6E 74 // mov [rbp+var_2B], 746E6576h\n C6 45 D9 00 // mov [rbp+var_27], 0\n }\n $patchetw_x64_v2 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 50 // sub rsp, 50h\n 48 B8 6E 74 64 6C 6C 2E 64 6C // mov rax, 6C642E6C6C64746Eh\n 48 89 45 E6 // mov qword ptr [rbp+ModuleName], rax\n 66 C7 45 EE 6C 00 // mov [rbp+var_12], 6Ch ; 'l'\n 48 8D 45 E6 // lea rax, [rbp+ModuleName]\n 48 89 C1 // mov rcx, rax ; lpModuleName\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:__imp_GetModuleHandleA\n FF D0 // call rax ; __imp_GetModuleHandleA\n 48 89 45 F8 // mov [rbp+hModule], rax\n 48 B8 4E 74 54 72 61 63 65 45 // mov rax, 456563617254744Eh\n 48 89 45 D9 // mov qword ptr [rbp+ProcName], rax\n 48 B8 63 65 45 76 65 6E 74 00 // mov rax, 746E6576456563h\n 48 89 45 DE // mov qword ptr [rbp+ProcName+5], rax\n }\n\n // UNHOOKING_GetJmpInstructionLength()\n $unhooking_get_x86 = {\n 0F B6 45 FB // movzx eax, [ebp+var_5]\n 0F B6 C0 // movzx eax, al\n 3D FF 00 00 00 // cmp eax, 0FFh\n 74 4F // jz short loc_69041693\n 3D FF 00 00 00 // cmp eax, 0FFh\n 7F 75 // jg short loc_690416C0\n 3D EB 00 00 00 // cmp eax, 0EBh\n 74 17 // jz short loc_69041669\n 3D EB 00 00 00 // cmp eax, 0EBh\n 7F 67 // jg short loc_690416C0\n 3D E9 00 00 00 // cmp eax, 0E9h\n 74 17 // jz short loc_69041677\n 3D EA 00 00 00 // cmp eax, 0EAh\n 74 1E // jz short loc_69041685\n EB 57 // jmp short loc_690416C0\n }\n $unhooking_get_x64 = {\n 0F B6 45 FB // movzx eax, [rbp+var_5]\n 0F B6 C0 // movzx eax, al\n 3D FF 00 00 00 // cmp eax, 0FFh\n 74 ?? 
// jz short loc_14000171F\n 3D FF 00 00 00 // cmp eax, 0FFh\n 0F 8F 81 00 00 00 // jg loc_140001752\n 3D EB 00 00 00 // cmp eax, 0EBh\n 74 17 // jz short loc_1400016EF\n 3D EB 00 00 00 // cmp eax, 0EBh\n 7F 73 // jg short loc_140001752\n 3D E9 00 00 00 // cmp eax, 0E9h\n 74 19 // jz short loc_1400016FF\n 3D EA 00 00 00 // cmp eax, 0EAh\n 74 22 // jz short loc_14000170F\n EB 63 // jmp short loc_140001752\n }\n\n // UNHOOKING_IsInstructionJmp\n $unhooking_is_x86 = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 83 EC 04 // sub esp, 4\n 8B 45 08 // mov eax, [ebp+arg_0]\n 88 45 FC // mov [ebp+var_4], al\n 0F B6 45 FC // movzx eax, [ebp+var_4]\n 3D EB 00 00 00 // cmp eax, 0EBh\n 7F 09 // jg short loc_690415F3\n 3D E9 00 00 00 // cmp eax, 0E9h\n 7D 09 // jge short loc_690415FA\n EB 0E // jmp short loc_69041601\n\n // loc_690415F3:\n 3D FF 00 00 00 // cmp eax, 0FFh\n 75 07 // jnz short loc_69041601\n\n // loc_690415FA:\n B8 01 00 00 00 // mov eax, 1\n EB 05 // jmp short locret_69041606\n\n // loc_69041601:\n B8 00 00 00 00 // mov eax, 0\n\n // locret_69041606:\n C9 // leave\n C3 // retn\n }\n $unhooking_is_x64 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 89 C8 // mov eax, ecx\n 88 45 10 // mov [rbp+arg_0], al\n 0F B6 45 10 // movzx eax, [rbp+arg_0]\n 3D EB 00 00 00 // cmp eax, 0EBh\n 7F 09 // jg short loc_14000166E\n 3D E9 00 00 00 // cmp eax, 0E9h\n 7D 09 // jge short loc_140001675\n EB 0E // jmp short loc_14000167C\n\n // loc_14000166E:\n 3D FF 00 00 00 // cmp eax, 0FFh\n 75 07 // jnz short loc_14000167C\n\n // loc_140001675:\n B8 01 00 00 00 // mov eax, 1\n EB 05 // jmp short loc_140001681\n\n // loc_14000167C:\n B8 00 00 00 00 // mov eax, 0\n\n // loc_140001681:\n 5D // pop rbp\n C3 // retn\n }\n\n $start_code_v1 = {\n FC // cld\n (\n 48 29 C0 | // sub rax, rax\n 48 31 C0 | // xor rax, rax\n 48 83 E0 00 | // and rax, 0\n 48 C7 C0 00 00 00 00 // mov rax, 0\n )\n (\n 48 29 DB | // sub rbx, rbx\n 48 31 DB | // xor rbx, rbx\n 48 83 E3 00 | // and rbx, 0\n 48 C7 C3 00 00 
00 00 // mov rbx, 0\n )\n 48 31 C9 // xor rcx, rcx\n (\n 48 29 FF | // sub rdi, rdi\n 48 31 FF | // xor rdi, rdi\n 48 83 E7 00 | // and rdi, 0\n 48 C7 C7 00 00 00 00 // mov rdi, 0\n )\n EB ?? // jmp short loc_14000D079\n\n // sub_14000D02F\n 5A // pop rdx\n 04 FE // add al, 0FEh\n 48 89 C6 // mov rsi, rax\n }\n $start_code_v2 = {\n 84 C0 // test al, al\n 71 01 // jno short near ptr loc_140012024+1\n\n // loc_140012024:\n E8 ?? ?? ?? ?? // call near ptr 1002A6925h\n [0-4]\n (\n 48 29 DB | // sub rbx, rbx\n 48 31 DB | // xor rbx, rbx\n 48 83 E3 00 | // and rbx, 0\n 48 C7 C3 00 00 00 00 // mov rbx, 0\n )\n (\n 48 29 C9 | // sub rcx, rcx\n 48 31 C9 | // xor rcx, rcx\n 48 83 E1 00 | // and rcx, 0\n 48 C7 C1 00 00 00 00 // mov rcx, 0\n )\n (\n 48 29 FF | // sub rdi, rdi\n 48 31 FF | // xor rdi, rdi\n 48 83 E7 00 | // and rdi, 0\n 48 C7 C7 00 00 00 00 // mov rdi, 0\n )\n EB ?? // jmp short loc_140012091\n }\n\n $next_code_v1 = {\n 75 ?? // jnz short loc_14000D040\n 48 31 CA // xor rdx, rcx\n 48 31 C9 // xor rcx, rcx\n 48 FF C8 // dec rax\n 88 02 // mov [rdx], al\n 48 31 FA // xor rdx, rdi\n 48 FF C3 // inc rbx\n 48 39 F3 // cmp rbx, rsi\n 75 ?? // jnz short loc_14000D040\n 48 29 F3 // sub rbx, rsi\n 48 01 DA // add rdx, rbx\n 48 31 FA // xor rdx, rdi\n FF E2 // jmp rdx\n }\n\n $next_code_v2 = {\n 88 02 // mov [rdx], al\n 48 31 FA // xor rdx, rdi\n (\n 48 8D 5B 01 | // lea rbx, [rbx+1]\n 48 83 C3 01 | // add rbx, 1\n 48 FF C3 // inc rbx\n )\n 48 39 F3 // cmp rbx, rsi\n 75 ?? 
// jnz short loc_14001204C\n 48 29 F3 // sub rbx, rsi\n 48 01 DA // add rdx, rbx\n 48 31 FA // xor rdx, rdi\n FF E2 // jmp rdx\n }\n\n condition:\n $hash_string or\n all of ($uuid*) or\n 1 of ($jargon_*) or\n 1 of ($patchetw_*) or\n 2 of ($unhooking_*) or\n (1 of ($start_code_*) and 1 of ($next_code_*))\n}\n", "rule_count": 1, "rule_names": [ "generic_loader_586c0a5814c0" ], "rule_creation_date": "2025-03-07", "rule_modified_date": "2025-03-14", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.Loader" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1562", "attack.t1055" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_mal_trash_calls_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563715Z", "creation_date": "2026-03-23T11:46:25.563718Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563723Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.researchgate.net/publication/252930440_Obfuscated_malware_detection_using_API_call_dependency" ], "name": "generic_mal_trash_calls.yar", "content": "import 
\"pe\"\n\nrule generic_pe_trash_calls {\n meta:\n title = \"Generic Malware Trash Calls\"\n id = \"c75e0ea9-0b6d-480c-8c7b-19e06ce45e3d\"\n description = \"Detects the use of trash calls in malware.\\nTrash calls are a technique used to make API calls that don't serve a legitimate purpose. This method is employed by malware to make malicious binaries appear more benign to heuristic-based detection mechanisms. The detection focuses on identifying patterns where APIs are called with arbitrary or meaningless parameters, a common tactic in malware such as SmokeLoader to mimic legitimate software behavior.\\nIt is recommended to check for additional signs of malicious activity.\"\n references = \"https://www.researchgate.net/publication/252930440_Obfuscated_malware_detection_using_API_call_dependency\" // Section 4.1\n date = \"2023-10-11\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.TrashCalls\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // af2edb431e026575bf1b73f79bb4145af87586a594635075a470636a7e78b1dd\n // 6dbd206ef6296fe378dc4367b5ec9c07e65a9863a2fefb55716a39c48e144d21\n // 36adb28694fa3c7195d9914afee88dc148627f218c3713cc5bee2d713c418f55\n // 059d615ce6dee655959d7feae7b70f3b7c806f3986deb1826d01a07aec5a39cf\n\n // Detection is based on having \"trash calls\". 
This is used by SmokeLoader to call APIs with random trash values to look like a real binary.\n // There are too many variants of this to sig all of them so we chose a few common ones.\n // (50 | 52 | 53 | 6A 00 | 56 )\n // (push eax | push edx | push ebx | push 0 | push esi )\n\n\n // 53 // push ebx ; lpSecurityAttributes\n // 53 // push ebx ; nDefaultTimeOut\n // 53 // push ebx ; nInBufferSize\n // 53 // push ebx ; nOutBufferSize\n // 53 // push ebx ; nMaxInstances\n // 53 // push ebx ; dwPipeMode\n // 53 // push ebx ; dwOpenMode\n // 53 // push ebx ; lpName\n // FF ?? ?? ?? ?? ?? // call ds:CreateNamedPipeW ; Indirect Call Near Procedure\n // 53 // push ebx ; lpdwNumberOfBytesRead\n // 53 // push ebx ; dwNumberOfBytesToRead\n // 53 // push ebx ; lpBuffer\n // 53 // push ebx ; hRequest\n // FF ?? ?? ?? ?? ?? // call ds:WinHttpReadData ; Indirect Call Near Procedure\n $thrash_call_1 = {\n (\n 53 53 53 53 53 53 53 (FF ?? | FF ?? ?? ?? ?? ??) 53 53 53 FF |\n 52 52 52 52 52 52 52 (FF ?? | FF ?? ?? ?? ?? ??) 52 52 52 FF |\n 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 6A 00 (FF ?? | FF ?? ?? ?? ?? ??) 6A 00 6A 00 6A 00 FF|\n 56 56 56 56 56 56 56 (FF ?? | FF ?? ?? ?? ?? ??) 56 56 56 FF\n )\n }\n\n // FF ?? ?? ?? ?? ?? // call ds:AddConsoleAliasW ; Indirect Call Near Procedure\n // 56 // push esi ; Result\n // 56 // push esi ; JobHandle\n // 56 // push esi ; ProcessHandle\n // FF ?? ?? ?? ?? ?? // call ds:IsProcessInJob ; Indirect Call Near Procedure\n // 56 // push esi ; bDisablePriorityBoost\n // 56 // push esi ; hProcess\n // FF ?? ?? ?? ?? ?? // call ds:SetProcessPriorityBoost ; Indirect Call Near Procedure\n // 56 // push esi ; CalType\n // 56 // push esi ; Calendar\n // 56 // push esi ; Locale\n // 56 // push esi ; lpCalInfoEnumProcEx\n // FF // call ds:EnumCalendarInfoExA ; Indirect Call Near Procedure\n $thrash_call_2 = {\n (\n ((FF ?? | FF ?? ?? ?? ?? ??) 53 53 53 (FF ?? | FF ?? ?? ?? ?? ??) 53 53 (FF ?? | FF ?? ?? ?? ?? ??) 53 53 53 53 FF) |\n ((FF ?? | FF ?? ?? ?? ?? 
??) 52 52 52 (FF ?? | FF ?? ?? ?? ?? ??) 52 52 (FF ?? | FF ?? ?? ?? ?? ??) 52 52 52 52 FF) |\n ((FF ?? | FF ?? ?? ?? ?? ??) 6A 00 6A 00 6A 00 (FF ?? | FF ?? ?? ?? ?? ??) 6A 00 6A 00 (FF ?? | FF ?? ?? ?? ?? ??) 6A 00 6A 00 6A 00 6A 00 FF) |\n ((FF ?? | FF ?? ?? ?? ?? ??) 56 56 56 (FF ?? | FF ?? ?? ?? ?? ??) 56 56 (FF ?? | FF ?? ?? ?? ?? ??) 56 56 56 56 FF)\n )\n }\n\n // 83 ?? ?? ?? ?? ?? ?? // cmp dwBytes, 10h\n // 75 ?? // jnz short loc_4055E6\n // 53 // push ebx ; lpAddend\n // FF ?? ?? ?? ?? ?? // call ds:InterlockedDecrement\n // 53 // push ebx ; lpBuffer\n // 53 // push ebx ; iLast\n // 53 // push ebx ; iFirst\n // 53 // push ebx ; hdc\n // FF // call ds:GetCharWidthA\n $thrash_call_3 = {\n 83 ?? ?? ?? ?? ?? ??\n 75 ??\n (\n (53 (FF ?? | FF ?? ?? ?? ?? ??) 53 53 53 53 FF) |\n (52 (FF ?? | FF ?? ?? ?? ?? ??) 52 52 52 52 FF) |\n (6A 00 (FF ?? | FF ?? ?? ?? ?? ??) 6A 00 6A 00 6A 00 6A 00 FF) |\n (56 (FF ?? | FF ?? ?? ?? ?? ??) 56 56 56 56 FF)\n )\n }\n\n condition:\n (uint16(0) == 0x4d5a) and\n (#thrash_call_1 + #thrash_call_2 + #thrash_call_3) > 2 and\n pe.number_of_signatures == 0\n}\n", "rule_count": 1, "rule_names": [ "generic_pe_trash_calls" ], "rule_creation_date": "2023-10-11", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.TrashCalls" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_packer_2b012dd5dd3c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589281Z", "creation_date": "2026-03-23T11:46:25.589283Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589288Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "generic_packer_2b012dd5dd3c.yar", "content": "rule generic_packer_2b012dd5dd3c {\n meta:\n title = \"Generic Packer (2b012dd5dd3c)\"\n id = \"306b1a51-c72f-4bea-aad3-2b012dd5dd3c\"\n description = \"Detects generic packers via known decryption stub patterns.\\nPackers are tools used to compress, encrypt, or obfuscate executable files to reduce their size or evade detection mechanisms.\\nThe decryption stubs typically contain distinctive instruction sequences for data decryption that this rule detects.\\nIt is recommended to investigate the detected processes for malicious behavior, perform memory dumps for detailed analysis of the unpacked payload, and examine the process tree for suspicious parent-child relationships, and correlate with any other potentially malicious activity.\"\n references = \"Internal Research\"\n date = \"2024-11-13\"\n modified = \"2026-01-27\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Generic.Packer\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n confidence = \"strong\"\n score = 100\n\n strings:\n // Detection for this sample:\n // 078d6a4bb8fcf8d907e0470601755eed2e396ae6d0e50cfc0874831c0d742063\n\n $s_stub00 = {\n 48 8B 03 // mov rax, [rbx]\n 83 78 28 00 // cmp dword ptr [rax+28h], 0\n 74 25 // jz short loc_1400138C3\n 48 8B 4B 08 // mov rcx, 
[rbx+8]\n 8B 40 28 // mov eax, [rax+28h]\n 45 33 C0 // xor r8d, r8d\n 41 8D 50 01 // lea edx, [r8+1]\n 48 03 C1 // add rax, rcx\n FF D0 // call rax\n 85 C0 // test eax, eax\n 75 07 // jnz short loc_1400138BC\n B9 5A 04 00 00 // mov ecx, 45Ah\n EB 1B // jmp short loc_1400138D7\n C7 43 1C 01 00 00 00 // mov dword ptr [rbx+1Ch], 1\n 48 8B C3 // mov rax, rbx\n EB 46 // jmp short loc_14001390E\n B9 0D 00 00 00 // mov ecx, 0Dh\n E9 [1] FE FF FF // jmp loc_1400136DB\n B9 C1 00 00 00 // mov ecx, 0C1h\n FF 15 // call cs:qword_1412C78B0\n }\n\n condition:\n all of ($s_stub*)\n}", "rule_count": 1, "rule_names": [ "generic_packer_2b012dd5dd3c" ], "rule_creation_date": "2024-11-13", "rule_modified_date": "2026-01-27", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.Packer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_packer_b963042c0ece_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577946Z", "creation_date": "2026-03-23T11:46:25.577949Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577954Z", "rule_level": "critical", "rule_level_override": null, 
"rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "generic_packer_b963042c0ece.yar", "content": "rule generic_packer_b963042c0ece {\n meta:\n title = \"Generic Packer (b963042c0ece)\"\n id = \"6a221b13-ab9e-46bb-be4b-b963042c0ece\"\n description = \"Detects a generic packer with known decryption stub patterns.\\nThis packer is identified through its decryption routines, which exhibit characteristics commonly found in packing tools.\\nIt is recommended to investigate detected processes and consider memory analysis for further insights.\"\n references = \"Internal Research\"\n date = \"2024-10-23\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Generic.Packer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n\n strings:\n // Detection for these samples:\n // 047cb407472a0a5609bb546f8212ea20dfd1b3d3feac34b1796e633d4e027207\n // 524f9523586c25af068c2252b1f5f346ac87170a5751bcfcb7e8b2768e175ac1\n\n $s_decryption_stub00 = {\n 0F B6 44 24 [1] // movzx eax, [rsp+48h+var_44]\n 48 63 4C 24 [1] // movsxd rcx, [rsp+48h+var_2C]\n 48 8B 54 24 [1] // mov rdx, [rsp+48h+var_38]\n 8B 0C 8A // mov ecx, [rdx+rcx*4]\n 03 4C 24 [1] // add ecx, [rsp+48h+var_14]\n 48 8B 54 24 [1] // mov rdx, [rsp+48h+var_38]\n 8B 04 82 // mov eax, [rdx+rax*4]\n 33 C1 // xor eax, ecx\n 0F B6 4C 24 [1] // movzx ecx, [rsp+48h+var_44]\n 48 8B 54 24 [1] // mov rdx, [rsp+48h+var_38]\n 89 04 8A // mov [rdx+rcx*4], eax\n }\n $s_decryption_stub01 = {\n 0F B6 C9 // movzx ecx, cl\n 48 8B [1] 24 [1-4] // mov rdx, [rsp+48h+arg_8]\n 0F B6 04 02 // movzx eax, byte ptr [rdx+rax]\n 48 8B 54 24 [1] // mov rdx, [rsp+48h+var_38]\n 33 04 8A // xor eax, [rdx+rcx*4]\n 48 63 4C 24 [1] // movsxd rcx, [rsp+48h+var_20]\n 48 8B [1] 24 [1-4] // mov rdx, [rsp+48h+arg_8]\n 88 04 0A // mov [rdx+rcx], al\n 0F B6 [1] 24 [1-4] // movzx 
eax, [rsp+48h+var_24]\n 8B 4C 24 [1] // mov ecx, [rsp+48h+var_28]\n 8B 54 24 [1] // mov edx, [rsp+48h+var_30]\n 03 D1 // add edx, ecx\n }\n $s_decryption_stub02 = {\n 89 95 CC [1] FF FF // mov [ebp+var_2F34], edx\n DB 85 CC [1] FF FF // fild [ebp+var_2F34]\n D9 9D EC [1] FF FF // fstp [ebp+var_2F14]\n E8 [4] // call _rand\n 99 // cdq\n B9 [1] 00 00 00 // mov ecx, 32h ; '2'\n F7 F9 // idiv ecx\n 83 C2 01 // add edx, 1\n 89 95 C8 [1] FF FF // mov [ebp+var_2F38], edx\n DB 85 C8 [1] FF FF // fild [ebp+var_2F38]\n D9 9D F0 [1] FF FF // fstp [ebp+var_2F10]\n 51 // push ecx\n D9 85 F0 [1] FF FF // fld [ebp+var_2F10]\n D9 1C 24 // fstp [esp+2F40h+var_2F40] ; floa\n }\n $s_decryption_stub03 = {\n 8D 8D [1][1] FF FF // lea ecx, [ebp+var_2F30]\n E8 [4] // call sub_10002F00\n 8B 95 F4 [1] FF FF // mov edx, [ebp+var_2F0C]\n C1 E2 04 // shl edx, 4\n 8D 8C 15 08 [1] FF FF // lea ecx, [ebp+edx+var_2E[1]]\n 8B 10 // mov edx, [eax]\n 89 11 // mov [ecx], edx\n 8B 50 04 // mov edx, [eax+4]\n 89 51 04 // mov [ecx+4], edx\n 8B 50 08 // mov edx, [eax+8]\n 89 51 08 // mov [ecx+8], edx\n 8B 40 0C // mov eax, [eax+0Ch]\n 89 41 0C // mov [ecx+0Ch], eax\n E9 53 FF FF FF // jmp loc_10001B0C\n }\n $s_decryption_stub_04 = {\n 0F 94 C0 // setz al\n 45 33 C0 // xor r8d, r8d\n 46 89 5C [2] // mov [rbp+r12*4+4], r11d\n 42 89 7C [2] // mov [rbp+r13*4+4], edi\n 42 0F B6 54 [2] // movzx edx, byte ptr [rbp+r12*4+4]\n 03 44 95 [1] // add eax, [rbp+rdx*4+4]\n 84 D2 // test dl, dl\n 42 89 44 [2] // mov [rbp+r12*4+4], eax\n 8B 44 8D [1] // mov eax, [rbp+rcx*4+4]\n 41 0F 94 C0 // setz r8b\n 41 8D 0C 00 // lea ecx, [r8+rax]\n 43 8D [2-3] // lea eax, [r12+r13]\n 49 FF [1] // inc r14\n 42 89 4C [2] // mov [rbp+r13*4+4], ecx\n 0F B6 C8 // movzx ecx, al\n 44 02 D9 // add r11b, cl\n 44 02 DF // add r11b, dil\n 41 0F B6 CB // movzx ecx, r11b\n 0F B6 44 8D [1] // movzx eax, byte ptr [rbp+rcx*4+4]\n 41 30 [1-2] // xor [r14-1], al\n 8B 44 8D [1] // mov eax, [rbp+rcx*4+4]\n 31 44 95 [1] // xor [rbp+rdx*4+4], eax\n 42 
8B 44 // mov eax, [rbp+r12*4+4]\n }\n $s_decryption_stub_05 = {\n 0F 94 C0 // setz al\n 03 44 95 [1] // add eax, [rbp+rdx*4+8]\n 42 89 44 A5 [1] // mov [rbp+r12*4+8], eax\n 44 8B D1 // mov r10d, ecx\n 45 33 C0 // xor r8d, r8d\n 84 D2 // test dl, dl\n 41 0F 94 C0 // setz r8b\n 8B 44 8D [1] // mov eax, [rbp+rcx*4+8]\n 41 8D 0C 00 // lea ecx, [r8+rax]\n 42 89 4C B5 [1] // mov [rbp+r14*4+8], ecx\n 43 8D 04 34 // lea eax, [r12+r14]\n 0F B6 C8 // movzx ecx, al\n 44 02 D9 // add r11b, cl\n 44 02 DF // add r11b, dil\n 41 0F B6 CB // movzx ecx, r11b\n 0F B6 44 8D [1] // movzx eax, byte ptr [rbp+rcx*4+4]\n 41 30 [1-2] // xor [r14-1], al\n 8B 44 8D [1] // mov eax, [rbp+rcx*4+4]\n 31 44 95 [1] // xor [rbp+rdx*4+4], eax\n 42 8B 44 // mov eax, [rbp+r12*4+4]\n }\n $s_decryption_stub_06 = {\n 0F B6 C8 // movzx ecx, al\n 44 02 D9 // add r11b, cl\n 44 02 DF // add r11b, dil\n 41 0F B6 CB // movzx ecx, r11b\n 0F B6 44 8D [1] // movzx eax, byte ptr [rbp+rcx*4+4]\n 41 30 [1-2] // xor [r14-1], al\n 8B 44 8D [1] // mov eax, [rbp+rcx*4+4]\n 31 44 95 [1] // xor [rbp+rdx*4+4], eax\n 42 8B 44 // mov eax, [rbp+r12*4+4]\n }\n $s_decryption_stub_07 = {\n 02 55 F8 // add dl, byte ptr [ebp+var_8]\n 0F B6 D2 // movzx edx, dl\n 0F B6 5C 90 [1] // movzx ebx, byte ptr [eax+edx*4+4]\n 8D 54 90 [1] // lea edx, [eax+edx*4+4]\n 89 55 08 // mov [ebp+arg_0], edx\n 8B 55 0C // mov edx, [ebp+arg_4]\n 30 5C 16 FF // xor [esi+edx-1], bl\n 8B 55 08 // mov edx, [ebp+arg_0]\n 8B 12 // mov edx, [edx]\n 31 17 // xor [edi], edx\n 8B 7C 88 [1] // mov edi, [eax+ecx*4+4]\n 03 7D EC // add edi, [ebp+var_14]\n 8B 55 F4 // mov edx, [ebp+var_C]\n 31 3A // xor [edx], edi\n 3B 75 10 // cmp esi, [ebp+arg_8]\n }\n $s_decryption_stub08 = {\n 0F B6 C8 // movzx ecx, al\n 40 02 F1 // add sil, cl\n 40 02 F5 // add sil, bpl\n 40 0F B6 CE // movzx ecx, sil\n (41 0F B6 44 [2] // movzx eax, byte ptr [r15+rcx*4+8]\n 41 30 45 [0-1] // xor [r13+0], al\n 41 8B 44 [2] // mov eax, [r15+rcx*4+8]\n 41 31 44 [2] // xor [r15+rdx*4+8], eax\n 43 
8B 44 // mov eax, [r15+r12*4+8]\n |\n 41 8A 44 8D [1] // mov al, [r13+rcx*4+8]\n 41 30 02) // xor [r10], al\n }\n $s_decryption_stub09 = {\n 41 0F 94 C0 // setz r8b\n 41 8D 0C 00 // lea ecx, [r8+rax]\n 8D 04 3A // lea eax, [rdx+rdi]\n 41 89 4C BE [1] // mov [r14+rdi*4+8], ecx\n 0F B6 C8 // movzx ecx, al\n 44 02 D1 // add r10b, cl\n 44 02 D3 // add r10b, bl\n [0-8] // lea rbx, aText ; \".text\"\n 41 0F B6 CA // movzx ecx, r10b\n 4C 8B [1-3] // mov r10, [rsp+200h+Time]\n 41 8A 44 8E [1] // mov al, [r14+rcx*4+8]\n 41 30 04 1A // xor [r10+rbx], al\n 41 8B 44 8E [1] // mov eax, [r14+rcx*4+8]\n 4D 03 D5 // add r10, r13\n 43 31 // xor [r14+r11*4+8], eax\n }\n $s_decryption_stub10 = {\n 84 D2\n 42 89 44 [1-3]\n 8B 44 [1-3]\n 41 0F 94 C0\n 41 8D 0C 00\n 43 8D 04 2C\n 42 89 4C [1-3]\n 0F B6 C8\n 44 02 D9\n 44 02 DF\n 41 0F B6 CB\n 8A 44 [1-3]\n 41 30 06\n 8B 44 [1-3]\n 49 FF C6\n 31 44 [1-3]\n 42 8B 44\n }\n $s_decryption_stub11 = {\n 0F B6 C8 // movzx ecx, al\n 44 02 D9 // add r11b, cl\n 44 02 DF // add r11b, dil\n 41 0F B6 CB // movzx ecx, r11b\n 41 0F B6 44 8D 08 // movzx eax, byte ptr [r13+rcx*4+8]\n 41 30 46 [1] // xor [r14+1], al\n 41 8B 44 8D 08 // mov eax, [r13+rcx*4+8]\n 41 31 44 95 08 // xor [r13+rdx*4+8], eax\n 41 8B 44 AD 08 // mov eax, [r13+rbp*4+8]\n }\n condition:\n 1 of ($s_decryption_stub*)\n}\n", "rule_count": 1, "rule_names": [ "generic_packer_b963042c0ece" ], "rule_creation_date": "2024-10-23", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.Packer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_process_injection_bf1d184a1bda_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": 
"alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585442Z", "creation_date": "2026-03-23T11:46:25.585444Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585450Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\nhttps://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages" ], "name": "generic_process_injection_bf1d184a1bda.yar", "content": "rule generic_process_injection_bf1d184a1bda {\n meta:\n title = \"Generic Process Injection (bf1d184a1bda)\"\n id = \"5a6184b1-00ed-4e13-a5b2-bf1d184a1bda\"\n description = \"Detects a generic process injection technique used by adversaries to inject malicious code into legitimate processes, a common tactic to evade process-based defenses and execute malicious activities on the system.\\nProcess injection involves creating a new thread in an existing process or opening a handle to it, then injecting shellcode or malicious code into its address space. 
This technique allows adversaries to execute malicious code under the guise of a trusted process, making detection more challenging.\\nIt is recommended to investigate actions performed by the related process and consider isolating the affected system for thorough analysis.\"\n references = \"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/behind-the-captcha-a-clever-gateway-of-malware/\\nhttps://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages\"\n date = \"2024-12-06\"\n modified = \"2025-03-31\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.001;attack.t1055.002\"\n classification = \"Windows.Generic.ProcessInjection\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"[+] Got handle %p on remote process.\" ascii fullword\n $s2 = \"[+] Allocated memory at %p within remote process.\" ascii fullword\n $s3 = \"[+] Copied shellcode into allocated memory.\" ascii fullword\n $s4 = \"[+] Created remote thread with entry point %p.\" ascii fullword\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_process_injection_bf1d184a1bda" ], "rule_creation_date": "2024-12-06", "rule_modified_date": "2025-03-31", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ProcessInjection" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_shellcode_1a268d969f86_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565186Z", "creation_date": "2026-03-23T11:46:25.565188Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565193Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://infosecwriteups.com/craft-your-own-windows-x86-64-shellcode-31b321d1933c" ], "name": "generic_shellcode_1a268d969f86.yar", "content": "rule generic_shellcode_1a268d969f86 {\n meta:\n title = \"Generic Reverse Shell Shellcode (1a268d969f86)\"\n id = \"1ca3d529-134d-4b16-a956-1a268d969f86\"\n description = \"Detects generic patterns associated with reverse shell used by Windows shellcodes.\\nA shellcode is often used by malicious actors to execute code in memory, bypass certain security mechanisms, and evade detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://infosecwriteups.com/craft-your-own-windows-x86-64-shellcode-31b321d1933c\"\n date = \"2025-10-15\"\n modified = \"2025-10-22\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Shellcode.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 39fd6dd5d40a57c32ac8d98e05bb6b3bd338409d0d32e62ea7a1964fade9cd9e\n // 
e6b7d5c94411725f30023c9bd0a92325166e99f9155b88abbaa77d051db13277\n // 80d7092ea9789995e78aa85fe1cd22a9b514933941bb89d0d644d715c36c8c64\n // 756ad25157a9e0e4b7911c74fa7822752700634f9b44f0168d978417c9c109c5\n\n $x1 = {\n C7 [2-3] 33 32 2E 64 // mov [rbp+0D50h+var_CFC], 642E3233h\n 66 C7 [2-3] 6C 6C // mov [rbp+0D50h+var_CF8], 6C6Ch\n FF ?? // call rbx\n 48 8D [2-3] // lea rcx, [rbp+0D50h+var_CF0]\n C7 [2-3] (57|77) 73 32 5F // mov [rbp+0D50h+var_CF0], 5F327377h\n C7 [2-3] 33 32 2E 64 // mov [rbp+0D50h+var_CEC], 642E3233h\n 66 C7 [2-3] 6C 6C // mov [rbp+0D50h+var_CE8], 6C6Ch\n 40 88 [2-3] // mov [rbp+0D50h+var_CE6], dil\n FF ?? // call rbx\n }\n\n $x2 = {\n B9 29 80 6B 00 // mov ecx, 6B8029h\n E8 ?? ?? 00 00 // call sub_1F8\n B9 EA 0F DF E0 // mov ecx, 0E0DF0FEAh\n 48 [2-6] // mov rbx, rax\n E8 ?? ?? 00 00 // call sub_1F8\n B9 99 A5 74 61 // mov ecx, 6174A599h\n 48 8B ?? // mov rsi, rax\n E8 ?? ?? 00 00 // call sub_1F8\n B9 C2 EB 38 5F // mov ecx, 5F38EBC2h\n 4C 8B F0 // mov r14, rax\n E8 ?? ?? 
00 00 // call sub_1F8\n }\n\n $ror1 = {\n 0F BE 01 // movsx eax, byte ptr [rcx]\n C1 CA 0D // ror edx, 0Dh\n 80 39 61 // cmp byte ptr [rcx], 61h\n 7C 03 // jl short loc_27B\n 83 C2 E0 // add edx, 0FFFFFFE0h\n\n // loc_27B:\n 03 D0 // add edx, eax\n 48 FF C1 // inc rcx\n 49 83 EA 01 // sub r10, 1\n 75 E7 // jnz short loc_26D\n }\n\n $ror2 = {\n // loc_2A6:\n 0F BE 0E // movsx ecx, byte ptr [rsi]\n 48 FF C6 // inc rsi\n C1 CB 0D // ror ebx, 0Dh\n 03 D9 // add ebx, ecx\n 84 C9 // test cl, cl\n 75 F1 // jnz short loc_2A6\n 8D 04 13 // lea eax, [rbx+rdx]\n 3B C5 // cmp eax, ebp\n 74 0E // jz short loc_2CA\n 41 FF C3 // inc r11d\n 45 3B 5A 18 // cmp r11d, [r10+18h]\n 72 D5 // jb short loc_29A\n E9 5D FF FF FF // jmp loc_227\n }\n\n condition:\n all of ($x*) or\n (1 of ($x*) and 1 of ($ror*))\n}\n", "rule_count": 1, "rule_names": [ "generic_shellcode_1a268d969f86" ], "rule_creation_date": "2025-10-15", "rule_modified_date": "2025-10-22", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Shellcode.Generic" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071", "attack.t1055" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_shellcode_af75d8e6bea3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.586125Z", "creation_date": "2026-03-23T11:46:25.586128Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586137Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://infosecwriteups.com/craft-your-own-windows-x86-64-shellcode-31b321d1933c" ], "name": "generic_shellcode_af75d8e6bea3.yar", "content": "rule generic_shellcode_af75d8e6bea3 {\n meta:\n title = \"Generic Reverse Shell Shellcode (af75d8e6bea3)\"\n id = \"e6a5ae0b-f1a5-47f3-9ab2-af75d8e6bea3\"\n description = \"Detects generic patterns associated with reverse shell used by Windows shellcodes.\\nA shellcode is often used by malicious actors to execute code in memory, bypass certain security mechanisms, and evade detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://infosecwriteups.com/craft-your-own-windows-x86-64-shellcode-31b321d1933c\"\n date = \"2025-10-15\"\n modified = \"2025-10-22\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Shellcode.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6f3bfbdf5e7f1c4fe0cf8597effe3b124ad77c197cf896445e2f8ccc93615058\n // c5ae28fa8020680a42ed03c845a8a32462f62ba11d84bcbb29a3607ea25f6437\n // e9b1e0a897923bad694189e8e6ed7aeb87f86a372f957b80924ddfb347b3cdad\n // 672aee4fbe1766ae46a034069e94f7bf6a0311debb452e3224f1e3424e43ebbb\n\n $x1 = {\n C7 45 ?? 75 73 65 72 // mov [ebp+var_C], 72657375h (user32.dll)\n C7 45 ?? 33 32 2E 64 // mov [ebp+var_8], 642E3233h\n 66 C7 45 ?? 
6C 6C // mov [ebp+var_4], 6C6Ch\n C6 45 ?? 00 // mov [ebp+var_2], 0\n FF ?? // call esi\n B9 45 83 56 07 // mov ecx, 7568345h\n E8 ?? FE FF FF // call sub_10E\n 89 ?? 04 // mov [edi+4], eax\n 8D 45 E8 // lea eax, [ebp+var_18]\n 50 // push eax\n C7 45 ?? (57|77) 73 32 5F // mov [ebp+var_18], 5F327357h (ws2_32.dll)\n C7 45 ?? 33 32 2E 64 // mov [ebp+var_14], 642E3233h\n 66 C7 ?? F0 6C 6C // mov [ebp+var_10], 6C6Ch\n C6 45 ?? 00 // mov [ebp+var_E], 0\n FF ?? // call dword ptr [esi]\n }\n\n $x2 = {\n B9 29 80 6B 00 // mov ecx, 6B8029h (WSAStartup)\n E8 ?? FE FF FF // call sub_401369\n B9 EA 0F DF E0 // mov ecx, 0E0DF0FEAh (WSASocketA)\n 89 ?? ?? // mov [esi+8], eax\n E8 ?? FE FF FF // call sub_401369\n B9 99 A5 74 61 // mov ecx, 6174A599h (connect)\n 89 ?? ?? // mov [esi+0Ch], eax\n E8 ?? FE FF FF // call sub_401369\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "generic_shellcode_af75d8e6bea3" ], "rule_creation_date": "2025-10-15", "rule_modified_date": "2025-10-22", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Shellcode.Generic" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071", "attack.t1055" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_stager_shellcode_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": 
"b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563839Z", "creation_date": "2026-03-23T11:46:25.563841Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563846Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://lowery.tech/building-a-custom-shellcode-stager-with-process-injection-to-bypass-windows-defender/\nhttps://medium.com/@oblivionccyber/catching-local-stager-payload-dc7f095153d8" ], "name": "generic_stager_shellcode.yar", "content": "rule generic_stager_shellcode {\n meta:\n title = \"Generic Stager Shellcode\"\n id = \"023a434d-8d7e-469b-81cc-84cc6d3f0e54\"\n description = \"Detects a generic stager shellcode.\\nA stager shellcode is used to bootstrap another malicious payload inside an injected process. This type of shellcode is commonly used in attack chains to establish persistence, escalate privileges, or execute commands on a compromised system. 
The rule detects specific patterns and syscall sequences commonly associated with shellcode injection activities, which are often indicative of malicious code execution.\\nIt is recommended to dump the process for further analysis and to look for signs of process injection.\"\n references = \"https://lowery.tech/building-a-custom-shellcode-stager-with-process-injection-to-bypass-windows-defender/\\nhttps://medium.com/@oblivionccyber/catching-local-stager-payload-dc7f095153d8\"\n date = \"2024-08-30\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055.002;attack.execution;attack.t1106;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Generic.StagerShellcode\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 53b6159d9a270a2e546a4ac9d493d301eca9b50b34061a1ef211f0dc78564a42\n // b50447556a04b4afe3ffcc67210e21b259edb85eedf8e98e221839d1ba27c058\n // 6bd9ab563881d349ddce7907dce6720459451e5479460e57b15804759c3dedfb\n\n $x1 = {\n E9 ?? ?? 00 00 // jmp sub_4A93\n CC CC CC CC CC CC\n CC CC CC CC CC\n }\n\n $x2 = {\n 56 // push esi\n 48 // dec eax\n 8B F4 // mov esi, esp\n 48 // dec eax\n 83 E4 F0 // and esp, 0FFFFFFF0h\n 48 // dec eax\n 83 EC 20 // sub esp, 20h\n E8 ?? ?? 
FF FF // call sub_140\n 48 // dec eax\n 8B E6 // mov esp, esi\n 5E // pop esi\n C3 // retn\n }\n\n $x3 = {\n 41 // inc ecx\n 8B 12 // mov edx, [edx]\n 33 C0 // xor eax, eax\n 4D // dec ebp\n 8D 52 04 // lea edx, [edx+4]\n 49 // dec ecx\n 03 D3 // add edx, ebx\n 0F 1F 40 00 // nop dword ptr [eax+00h]\n\n C1 C8 0D // ror eax, 0Dh\n 0F BE 0A // movsx ecx, byte ptr [edx]\n 48 // dec eax\n 8D 52 01 // lea edx, [edx+1]\n 03 C1 // add eax, ecx\n 80 7A FF 00 // cmp byte ptr [edx-1], 0\n 75 EE // jnz short loc_D0\n }\n\n $syscall1 = {\n 48 // dec eax\n 33 C0 // xor eax, eax\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 ?? 00 00 00 // mov eax, 29h\n 0F 05 // syscall\n C3 // retn\n }\n\n $syscall2 = {\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 ?? 00 00 00 // mov eax, 27h\n 0F 05 // syscall\n C3 // retn\n }\n\n condition:\n all of ($x*) and for any of ($syscall*) : ( # > 1 )\n}\n", "rule_count": 1, "rule_names": [ "generic_stager_shellcode" ], "rule_creation_date": "2024-08-30", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.StagerShellcode" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1106", "attack.t1071.001", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_stealer_5e1c4bc2f8bf_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, 
"is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582424Z", "creation_date": "2026-03-23T11:46:25.582427Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582436Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\nhttps://attack.mitre.org/techniques/T1213/" ], "name": "generic_stealer_5e1c4bc2f8bf.yar", "content": "rule generic_stealer_5e1c4bc2f8bf {\n meta:\n title = \"Generic Stealer (5e1c4bc2f8bf)\"\n id = \"10344d71-0e98-4ecb-a026-5e1c4bc2f8bf\"\n description = \"Detects a generic stealer associated with fake captcha campaigns.\\nThis stealer is often used by attackers to trick users into executing malicious commands through fake verification pages. 
The malware is frequently delivered during these campaigns and is known to include Lumma Stealer, an information-stealing tool available through a Malware-as-a-Service (MaaS) model since August 2022.\\nIt is recommended to check for additional signs of malicious activity such as unauthorized processes or network connections.\"\n references = \"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha\\nhttps://attack.mitre.org/techniques/T1213/\"\n date = \"2024-11-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1213\"\n classification = \"Windows.Stealer.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 948b54455b514de73d7f3f0d12d3270cb9d6cca3f525ed88b3c63b4c32631bdb\n // ad249b7ea19c66b5d27285bd107526106f57c5ff14a836c4a963dcd5e8d3203f\n // c34e317d32e09e82f15ac4ca0da7b19bfcacef125d60dc24e706f883a8124f78\n\n $go = \" Go build ID: \\\"\" ascii\n\n $a1 = \"main.decryptAES\" ascii fullword\n $a2 = \"main.GetHWID\" ascii fullword\n $a3 = \"main.BLYYYAADGET\" ascii fullword\n $a4 = \"main.CheckConnection\" ascii fullword\n $a5 = \"main.findSeedPhrases\" ascii fullword\n $a6 = \"main.Tryhard\" ascii fullword\n $a7 = \"main.TESTGET\" ascii fullword\n $a8 = \"github.com/atotto/clipboard.init\" ascii fullword\n\n $b1 = \"^bc1[0-9a-zA-HJ-NP-Z]{25,39}\" ascii fullword\n $b2 = \"L[a-km-zA-HJ-NP-Z1-9]{33}\" ascii fullword\n $b3 = \"^[1-9A-HJ-NP-Za-km-z]{44}\" ascii fullword\n $b4 = \"^ronin:[a-fA-F0-9]{40}\" ascii fullword\n $b5 = \"^(bitcoincash:)?(q|p)[a-z0-9]{41}|^(BITCOINCASH:)?(Q|P)[A-Z0-9]{41}\" ascii fullword\n $b6 = \"steamcommunity.com:443\" ascii fullword\n\n condition:\n $go and\n (\n all of ($a*) or\n all of ($b*)\n )\n}\n", "rule_count": 1, "rule_names": [ "generic_stealer_5e1c4bc2f8bf" ], "rule_creation_date": "2024-11-18", 
"rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Generic" ], "rule_tactic_tags": [ "attack.collection" ], "rule_technique_tags": [ "attack.t1213" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_stealers_af1a47ade43e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577747Z", "creation_date": "2026-03-23T11:46:25.577749Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577755Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/\nhttps://resources.infosecinstitute.com/topics/malware-analysis/redline-stealer-malware-full-analysis/\nhttps://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\nhttps://attack.mitre.org/software/S0331/" ], "name": "generic_stealers_af1a47ade43e.yar", "content": "rule generic_stealer_strings {\n meta:\n title = \"Generic Stealer Strings\"\n id = \"ddf3fb3f-65f8-4b9c-8cda-af1a47ade43e\"\n description = \"Detects generic stealer strings used by various 
malware such as WinPEAS, Agent Tesla, and other credential access tools.\\nThese strings are associated with malicious activities including credential theft, persistence mechanisms, and data exfiltration. The malware is often delivered through phishing emails and exhibits capabilities such as keylogging, screen capture, form-grabbing, credential stealing, and the injection into other processes to establish persistence.\\nIt is recommended to investigate network traffic for potential command and control (C2) communication.\"\n references = \"https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/\\nhttps://resources.infosecinstitute.com/topics/malware-analysis/redline-stealer-malware-full-analysis/\\nhttps://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/\\nhttps://attack.mitre.org/software/S0331/\"\n date = \"2023-11-23\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.s0331;attack.credential_access;attack.t1555;attack.exfiltration;attack.t1048.003;attack.defense_evasion;attack.t1564.001\"\n classification = \"Windows.Stealer.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // Detection for this sample:\n // 08dee64a7678819af1f98d97c614dc08afd87d2964497cb6f9a5c917a075f534\n\n $windows_vault_guid1 = \"2F1A6504-0641-44CF-8BB5-3612D865F2E5\" wide ascii // Windows Secure Note\n $windows_vault_guid2 = \"3CCD5499-87A8-4B10-A215-608888DD3B55\" wide ascii // Windows Web Password Credential\n $windows_vault_guid3 = \"154E23D0-C644-4E6F-8CE6-5069272F999F\" wide ascii // Windows Credential Picker Protector\n $windows_vault_guid4 = \"4BF4C442-9B8A-41A0-B380-DD4A704DDB28\" wide ascii // Web Credentials\n $windows_vault_guid5 = \"77BC582B-F0A6-4E15-4E80-61736B6F3B29\" wide ascii // Windows Credentials\n $windows_vault_guid6 = \"E69D7838-91B5-4FC9-89D5-230D4D4CC2BC\" wide ascii // Windows 
Domain Certificate Credential\n $windows_vault_guid7 = \"3E0E35BE-1B77-43E7-B873-AED901B6275B\" wide ascii // Windows Domain Password Credential\n $windows_vault_guid8 = \"3C886FF3-2669-4AA2-A8FB-3F6759A77548\" wide ascii // Windows Extended Credential\n\n $mail_strings0 = \"PocoMail\\\\accounts.ini\" wide ascii\n $mail_strings1 = \"\\\\Mailbird\\\\Store\\\\Store.db\" wide ascii\n $mail_strings2 = \"\\\\Opera Mail\\\\Opera Mail\\\\wand.dat\" wide ascii\n $mail_strings3 = \"Software\\\\IncrediMail\\\\Identities\\\\\" wide ascii\n $mail_strings4 = \"HKEY_CURRENT_USER\\\\Software\\\\Aerofox\\\\Foxmail\" wide ascii\n $mail_strings5 = \"\\\\Mailbox.ini\" wide ascii\n $mail_strings6 = \"Software\\\\Qualcomm\\\\Eudora\\\\CommandLine\\\\\" wide ascii\n $mail_strings7 = \"ClawsMail\" wide ascii\n\n $ftp_strings0 = \"SOFTWARE\\\\FTPWare\\\\COREFTP\\\\Sites\" wide ascii\n $ftp_strings1 = \"FTP Navigator\" wide ascii\n $ftp_strings2 = \"SmartFTP\\\\Client 2.0\\\\Favorites\\\\Quick Connect\" wide ascii\n $ftp_strings3 = \"Ipswitch\\\\WS_FTP\\\\Sites\\\\ws_ftp.ini\" wide ascii\n $ftp_strings4 = \"FtpCommander\" wide ascii\n $ftp_strings5 = \"FTP Commander\" wide ascii\n $ftp_strings6 = \"Ftplist.txt\" wide ascii\n $ftp_strings7 = \"\\\\FTPGetter\\\\servers.xml\" wide ascii\n\n $vnc0 = \"RealVNC 4.x\" wide ascii\n $vnc1 = \"SOFTWARE\\\\RealVNC\\\\WinVNC4\" wide ascii\n $vnc2 = \"RealVNC 3.x\" wide ascii\n $vnc3 = \"SOFTWARE\\\\RealVNC\\\\vncserver\" wide ascii\n $vnc4 = \"SOFTWARE\\\\Wow6432Node\\\\RealVNC\\\\WinVNC4\" wide ascii\n $vnc5 = \"Software\\\\TigerVNC\\\\Server\" wide ascii\n $vnc6 = \"Software\\\\TightVNC\\\\Server\" wide ascii\n $vnc7 = \"TightVNC ControlPassword\" wide ascii\n $vnc8 = \"Software\\\\ORL\\\\WinVNC3\" wide ascii\n $vnc9 = \"\\\\UltraVNC\\\\ultravnc.ini\" wide ascii\n\n $user_data = \"User Data\" wide ascii\n\n $browser2 = \"7Star\" wide ascii\n $browser3 = \"Chedot\" wide ascii\n $browser4 = \"Orbitum\" wide ascii\n $browser5 = \"CentBrowser\" wide 
ascii\n $browser6 = \"Torch Browser\" wide ascii\n $browser7 = \"Yandex Browser\" wide ascii\n $browser8 = \"SeaMonkey\" wide ascii\n $browser9 = \"PaleMoon\" wide ascii\n $browser10 = \"\\\\Mozilla\\\\icecat\\\\\" wide ascii\n $browser12 = \"Citrio\" wide ascii\n $browser13 = \"Edge Chromium\" wide ascii\n $browser14 = \"Opera Browser\" wide ascii\n $browser15 = \"Liebao Browser\" wide ascii\n $browser16 = \"Coowon\" wide ascii\n $browser17 = \"Iridium Browser\" wide ascii\n $browser18 = \"Sputnik\" wide ascii\n $browser19 = \"Thunderbird\" wide ascii\n $browser20 = \"Amigo\" wide ascii\n $browser21 = \"Cool Novo\" wide ascii\n $browser22 = \"Coccoc\" wide ascii\n $browser23 = \"Comodo Dragon\" wide ascii\n $browser24 = \"CyberFox\" wide ascii\n $browser25 = \"360 Browser\" wide ascii\n $browser26 = \"WaterFox\" wide ascii\n $browser27 = \"Elements Browser\" wide ascii\n $browser28 = \"K-Meleon\" wide ascii\n $browser29 = \"QIP Surf\" wide ascii\n $browser31 = \"Brave\" wide ascii\n $browser32 = \"Chromium\" wide ascii\n $browser33 = \"\\\\Mozilla\\\\Firefox\\\\\" wide ascii\n $browser34 = \"\\\\Comodo\\\\IceDragon\\\\\" wide ascii\n $browser35 = \"Vivaldi\" wide ascii\n $browser36 = \"Kometa\" wide ascii\n $browser37 = \"Chrome\" wide ascii\n $browser38 = \"Epic Privacy\" wide ascii\n\n $crypto0 = \"MyMonero\" wide ascii\n $crypto1 = \"Exodus\" wide ascii\n $crypto2 = \"Binance\" wide ascii\n $crypto3 = \"Raven\" wide ascii\n $crypto4 = \"Armory\" wide ascii\n $crypto5 = \"Dogecoin\" wide ascii\n $crypto6 = \"MultiBit\" wide ascii\n $crypto7 = \"Bitcoin\" wide ascii\n $crypto8 = \"DashCore\" wide ascii\n $crypto9 = \"Electrum\" wide ascii\n $crypto10 = \"Litecoin\" wide ascii\n $crypto11 = \"BitcoinGold\" wide ascii\n $crypto12 = \"WalletWasabi\" wide ascii\n $crypto13 = \"Atomic\" wide ascii\n $crypto14 = \"Guarda\" wide ascii\n $crypto15 = \"Electrum-LTC\" wide ascii\n $crypto16 = \"MyCrypto\" wide ascii\n $crypto17 = \"Bisq\" wide ascii\n $crypto18 = \"DeFi 
Blockchain\" wide ascii\n $crypto19 = \"Coinomi\" wide ascii\n $crypto20 = \"TokenPocket\" wide ascii\n\n $wallet1 = \"Coin98 Wallet\" wide ascii\n $wallet2 = \"Cyano Wallet\" wide ascii\n $wallet3 = \"Byone\" wide ascii\n $wallet4 = \"Nash Extension\" wide ascii\n $wallet5 = \"Leaf Wallet\" wide ascii\n $wallet6 = \"Authy 2FA\" wide ascii\n $wallet7 = \"EVER Wallet\" wide ascii\n $wallet8 = \"KardiaChain Wallet\" wide ascii\n $wallet9 = \"Rabby Wallet\" wide ascii\n $wallet10 = \"Phantom\" wide ascii\n $wallet11 = \"Atomic Crypto Wallet\" wide ascii\n $wallet12 = \"Pali Wallet\" wide ascii\n $wallet13 = \"XDEFI Wallet\" wide ascii\n $wallet14 = \"SteemKeychain\" wide ascii\n $wallet15 = \"Braavos Smart Wallet\" wide ascii\n $wallet16 = \"Enkrypt\" wide ascii\n $wallet17 = \"Hashpack\" wide ascii\n $wallet18 = \"Eternl\" wide ascii\n $wallet19 = \"Pontem Aptos Wallet\" wide ascii\n $wallet20 = \"Keeper Wallet\" wide ascii\n $wallet21 = \"Finnie\" wide ascii\n $wallet22 = \"Leap Terra Wallet\" wide ascii\n\n $pass_manager0 = \"DashLane\" wide ascii\n $pass_manager1 = \"NordPass\" wide ascii\n $pass_manager2 = \"RoboForm\" wide ascii\n $pass_manager3 = \"LastPass\" wide ascii\n $pass_manager4 = \"BrowserPass\" wide ascii\n $pass_manager5 = \"KeePass\" wide ascii\n $pass_manager6 = \"EOS Authenticator\" wide ascii\n $pass_manager7 = \"GAuth Authenticator\" wide ascii\n $pass_manager8 = \"Trezor Password Manager\" wide ascii\n\n // Cleaner or Browser Recovery Software for exclusion\n $cleaner1 = \"wisecleaner.net/wisecleaner\" wide // WiseCare 365\n $cleaner2 = \"AVAST Software\" ascii // AVG TuneUp\n $cleaner3 = \"Lavasoft Software\" ascii\n\n $av1 = \"Kaspersky Anti-Virus provides anti-virus services\" ascii\n $av2 = \"ninjarmm agent\" ascii // NinjaRMM CLI\n $av3 = \"corp_it@ninjarmm.com0\" ascii // NinjaRMM\n $av4 = \"endpoint@mcafee_com\" ascii // mfeatp - McAfee\n $av5 = \"SophosManagedEntityAdapter\" ascii // McsAgent - Sophos\n $av6 = 
\"AdguardSvc.ProjectInstaller.resources\" ascii // AdGuard for Windows\n $av7 = \"SSPService\" ascii // SSPService - Sophos\n $av8 = \"C:\\\\orbit\\\\bin\\\\NinjaOrbit.pdb\" ascii // NinjaOrbit.exe\n\n // HP\\Sure Click\\servers\\BrPrintHelper.exe\n // 52c74aa37accdd1fc1978ee802b57ce8622a6d3547be14ca35dbd6c7f129b7d2\n $exclusion1 = \"Printer DB version mismatch. This build supports version\" ascii\n // \\JetBrains\\PyCharm 2022.2.2\\bin\\pycharm64.exe\n // 8612d0c3811f7cca0663f3dee64ac7ecb5e3d56497d3a62cd25314a36f3bc6ff\n $exclusion2 = \"(c) by P.J. Plauger, licensed by Dinkumware\" ascii\n // \\JetBrains\\PyCharm Community Edition 2023.3.3\\bin\\pycharm64.exe\n // cd730b79e5e37366a8f410732f41c68ad9598d4b13a1dedd3a5fe5a037a15fba\n $exclusion3 = \"Copyright (C) 2010-2024 JetBrains s.r.o.\" wide\n // Google Chrome - chrome.exe\n // f2ed18345f7b58f1e73cdf932ae8b22612484a4c234973b02b0bc6a205030aa7\n $exclusion4 = \"CHROME_CRASHPAD_PIPE_NAME\" wide\n // IOBit Update - rmuin.exe\n // 87580b8b527e8324ab75923a48efd6dc90c23bab56b0e133a25ddea85d369e28\n $exclusion5 = \"IObit\\\\IObit Uninstaller\\\\SHCatch.ini\" wide\n // LogonUI.exe - MS\n // cf01e46c146699f6c0e3dd447043f59bc9438dbbcb9563af6c60ebc6d82727f2\n // $exclusion5 = \".text$lp00logonui.exe!20_pri7\" ascii fullword\n // C:\\Program Files\\HP\\Sure Click\\servers\\BemSvc.exe\n // 891089cd699f9a8106b3f5a3e6e0856c384c056649f2bb6265d651a19451d012\n $exclusion6 = \"Unable to Sync NEO UI exclusion list with BemSvc as remediation manager is unavailable.\" ascii\n $exclusion7 = \"BemSvc marked as started, but still setting up.\" ascii\n $exclusion8 = \"AppID for BemSvc is registered successfully\" ascii\n // C:\\Program Files (x86)\\Adguard\\Adguard.exe\n // 4240e40c24a043e11c913af7a89239381f8fe72297b8bc0e37d5593882afd1e8\n $exclusion9 = \"{0}/oauth/authorize?client_id=adguard-windows&response_type=token&state=OAuth&scope=trust&redirect_uri={1}&social_provider={2}\" wide\n $exclusion10 = \"\\\\Program 
Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\" wide\n\n $canary = \"fffff33160f45e5e576bf364c6d62a5a1c3cff46c320c82b3923b382457e74c42e5415c0d8cc367b24bea7e4de50f1a3acd31441ee8691e20a3597677a958971\"\n\n condition:\n (\n all of ($windows_vault_guid*) or\n all of ($mail_strings*) or\n all of ($ftp_strings*) or\n all of ($vnc*) or\n (16 of ($browser*) and not 1 of ($cleaner*) and $user_data) or\n 12 of ($crypto*) or\n 10 of ($wallet*) or\n 6 of ($pass_manager*)\n )\n and not 1 of ($av*)\n and not 1 of ($exclusion*)\n and not $canary\n}\n", "rule_count": 1, "rule_names": [ "generic_stealer_strings" ], "rule_creation_date": "2023-11-23", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Generic" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1555", "attack.t1048.003" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-generic_stealers_extension_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575806Z", "creation_date": "2026-03-23T11:46:25.575808Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.575814Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0331/" ], "name": "generic_stealers_extension.yar", "content": "rule generic_stealer_chrome {\n meta:\n title = \"Generic Malware Stealer Targeting Chrome\"\n id = \"519970d8-b0d1-4c8a-abf4-26e811f73787\"\n description = \"Detects a generic stealer targeting Chrome-based browsers.\\nThis rule identifies a potential stealer by detecting specific Chrome extensions' unique identifiers (UUIDs) that are known to be targeted by malicious actors. These extensions are often exploited to steal sensitive information such as browser credentials, payment details, and encrypted wallet information.\\nIt is recommended to isolate the affected system, investigate for any stolen credentials, and check the browser's data storage for signs of tampering.\"\n references = \"https://attack.mitre.org/software/S0331/\"\n date = \"2024-09-20\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555;attack.exfiltration\"\n classification = \"Windows.Stealer.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s_extension_Authenticator=\"bhghoamapcdpbohphigoooaddinpkbai\" wide ascii\n $s_extension_EOS_Authenticator=\"oeljdldpnmdbchonielidgobddffflal\" wide ascii\n $s_extension_BrowserPass=\"naepdomgkenhinolocfifgehidddafch\" wide ascii\n $s_extension_MYKI=\"bmikpgodpkclnkgmnpphehdgcimmided\" wide ascii\n $s_extension_Splikity=\"jhfjfclepacoldmjmkmdlmganfaalklb\" wide ascii\n $s_extension_CommonKey=\"chgfefjpcobfbnpmiokfjjaglahmnded\" wide ascii\n $s_extension_Zoho_Vault=\"igkpcodhieompeloncfnbekccinhapdb\" wide ascii\n $s_extension_Norton_Password_Manager=\"admmjipmmciaobhojoghlmleefbicajg\" wide ascii\n 
$s_extension_Avira_Password_Manager=\"caljgklbbfbcjjanaijlacgncafpegll\" wide ascii\n $s_extension_Trezor_Password_Manager=\"imloifkgjagghnncjkhggdhalmcnfklk\" wide ascii\n $s_extension_MetaMask=\"nkbihfbeogaeaoehlefnkodbefgpgknn\" wide ascii\n $s_extension_TronLink=\"ibnejdfjmmkpcnlpebklmnkoeoihofec\" wide ascii\n $s_extension_BinanceChain=\"fhbohimaelbohpjbbldcngcnapndodjp\" wide ascii\n $s_extension_Coin98=\"aeachknmefphepccionboohckonoeemg\" wide ascii\n $s_extension_iWallet=\"kncchdigobghenbbaddojjnnaogfppfj\" wide ascii\n $s_extension_Wombat=\"amkmjjmmflddogmhpjloimipbofnfjih\" wide ascii\n $s_extension_NeoLine=\"cphhlgmgameodnhkjdmkpanlelnlohao\" wide ascii\n $s_extension_Terra_Station=\"aiifbnbfobpmeekipheeijimdpnlpgpp\" wide ascii\n $s_extension_Keplr=\"dmkamcknogkgcdfhhbddcghachkejeap\" wide ascii\n $s_extension_Sollet=\"fhmfendgdocmcbmfikdcogofphimnkno\" wide ascii\n $s_extension_ICONex=\"flpiciilemghbmfalicajoolhkkenfel\" wide ascii\n $s_extension_KHC=\"hcflpincpppdclinealmandijcmnkbgn\" wide ascii\n $s_extension_TezBox=\"mnfifefkajgofkcjkemidiaecocnkjeh\" wide ascii\n $s_extension_Byone=\"nlgbhdfgdhgbiamfdfmbikcdghidoadd\" wide ascii\n $s_extension_OneKey=\"ilbbpajmiplgpehdikmejfemfklpkmke\" wide ascii\n $s_extension_Trust_Wallets=\"pknlccmneadmjbkollckpblgaaabameg\" wide ascii\n $s_extension_MetaWallet=\"pfknkoocfefiocadajpngdknmkjgakdg\" wide ascii\n $s_extension_Guarda_Wallet=\"fcglfhcjfpkgdppjbglknafgfffkelnm\" wide ascii\n $s_extension_Exodus=\"idkppnahnmmggbmfkjhiakkbkdpnmnon\" wide ascii\n $s_extension_JaxxxLiberty=\"mhonjhhcgphdphdjcdoeodfdliikapmj\" wide ascii\n $s_extension_Atomic_Wallet=\"bhmlbgebokamljgnceonbncdofmmkedg\" wide ascii\n $s_extension_Electrum=\"hieplnfojfccegoloniefimmbfjdgcgp\" wide ascii\n $s_extension_Mycelium=\"pidhddgciaponoajdngciiemcflpnnbg\" wide ascii\n $s_extension_Coinomi=\"blbpgcogcoohhngdjafgpoagcilicpjh\" wide ascii\n $s_extension_GreenAddress=\"gflpckpfdgcagnbdfafmibcmkadnlhpj\" wide ascii\n 
$s_extension_Edge=\"doljkehcfhidippihgakcihcmnknlphh\" wide ascii\n $s_extension_BRD=\"nbokbjkelpmlgflobbohapifnnenbjlh\" wide ascii\n $s_extension_Samourai_Wallet=\"apjdnokplgcjkejimjdfjnhmjlbpgkdi\" wide ascii\n $s_extension_Copay=\"ieedgmmkpkbiblijbbldefkomatsuahh\" wide ascii\n $s_extension_Bread=\"jifanbgejlbcmhbbdbnfbfnlmbomjedj\" wide ascii\n $s_extension_KeepKey=\"dojmlmceifkfgkgeejemfciibjehhdcl\" wide ascii\n $s_extension_Trezor=\"jpxupxjxheguvfyhfhahqvxvyqthiryh\" wide ascii\n $s_extension_Ledger_Live=\"pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln\" wide ascii\n $s_extension_Ledger_Wallet=\"hbpfjlflhnmkddbjdchbbifhllgmmhnm\" wide ascii\n $s_extension_Bitbox=\"ocmfilhakdbncmojmlbagpkjfbmeinbd\" wide ascii\n $s_extension_Digital_Bitbox=\"dbhklojmlkgmpihhdooibnmidfpeaing\" wide ascii\n $s_extension_YubiKey=\"mammpjaaoinfelloncbbpomjcihbkmmc\" wide ascii\n $s_extension_Google_Authenticator=\"khcodhlfkpmhibicdjjblnkgimdepgnd\" wide ascii\n $s_extension_Microsoft_Authenticator=\"bfbdnbpibgndpjfhonkflpkijfapmomn\" wide ascii\n $s_extension_Authy=\"gjffdbjndmcafeoehgdldobgjmlepcal\" wide ascii\n $s_extension_Duo_Mobile=\"eidlicjlkaiefdbgmdepmmicpbggmhoj\" wide ascii\n $s_extension_OTP_Auth=\"bobfejfdlhnabgglompioclndjejolch\" wide ascii\n $s_extension_FreeOTP=\"elokfmmmjbadpgdjmgglocapdckdcpkn\" wide ascii\n $s_extension_Aegis_Authenticator=\"ppdjlkfkedmidmclhakfncpfdmdgmjpm\" wide ascii\n $s_extension_LastPass_Authenticator=\"cfoajccjibkjhbdjnpkbananbejpkkjb\" wide ascii\n $s_extension_Dashlane=\"flikjlpgnpcjdienoojmgliechmmheek\" wide ascii\n $s_extension_Keeper=\"gofhklgdnbnpcdigdgkgfobhhghjmmkj\" wide ascii\n $s_extension_RoboForm=\"hppmchachflomkejbhofobganapojjol\" wide ascii\n $s_extension_KeePass=\"lbfeahdfdkibininjgejjgpdafeopflb\" wide ascii\n $s_extension_KeePassXC=\"kgeohlebpjgcfiidfhhdlnnkhefajmca\" wide ascii\n $s_extension_Bitwarden=\"inljaljiffkdgmlndjkdiepghpolcpki\" wide ascii\n $s_extension_NordPass=\"njgnlkhcjgmjfnfahdmfkalpjcneebpl\" wide ascii\n 
$s_extension_LastPass=\"gabedfkgnbglfbnplfpjddgfnbibkmbb\" wide ascii\n $s_extension_Nifty_Wallet=\"jbdaocneiiinmjbjlgalhcelgbejmnid\" wide ascii\n $s_extension_Math_Wallet=\"afbcbjpbpfadlkmhmclhkeeodmamcflc\" wide ascii\n $s_extension_Coinbase_Wallet=\"hnfanknocfeofbddgcijnmhnfnkdnaad\" wide ascii\n $s_extension_Equal_Wallet=\"blnieiiffboillknjnepogjhkgnoac\" wide ascii\n $s_extension_EVER_Wallet=\"cgeeodpfagjceefieflmdfphplkenlfk\" wide ascii\n $s_extension_Jaxx_Liberty=\"ocefimbphcgjaahbclemolcmkeanoagc\" wide ascii\n $s_extension_BitApp_Wallet=\"fihkakfobkmkjojpchpfgcmhfjnmnfpi\" wide ascii\n $s_extension_Mew_CX=\"nlbmnnijcnlegkjjpcfjclmcfggfefdm\" wide ascii\n $s_extension_GU_Wallet=\"nfinomegcaccbhchhgflladpfbajihdf\" wide ascii\n $s_extension_Guild_Wallet=\"nanjmdkhkinifnkgdeggcnhdaammmj\" wide ascii\n $s_extension_Saturn_Wallet=\"nkddgncdjgifcddamgcmfnlhccnimig\" wide ascii\n $s_extension_Harmony_Wallet=\"fnnegphlobjdpkhecapkijjdkgcjhkib\" wide ascii\n $s_extension_TON_Wallet=\"nphplpgoakhhjchkkhmiggakijnkhfnd\" wide ascii\n $s_extension_OpenMask_Wallet=\"penjlddjkjgpnkllboccdgccekpkcbin\" wide ascii\n $s_extension_MyTonWallet=\"fldfpgipfncgndfolcbkdeeknbbbnhcc\" wide ascii\n $s_extension_DeWallet=\"pnccjgokhbnggghddhahcnaopgeipafg\" wide ascii\n $s_extension_TrustWallet=\"egjidjbpglichdcondbcbdnbeeppgdph\" wide ascii\n $s_extension_NC_Wallet=\"imlcamfeniaidioeflifonfjeeppblda\" wide ascii\n $s_extension_Moso_Wallet=\"ajkifnllfhikkjbjopkhmjoieikeihjb\" wide ascii\n $s_extension_Enkrypt_Wallet=\"kkpllkodjeloidieedojogacfhpaihoh\" wide ascii\n $s_extension_CirusWeb3_Wallet=\"kgdijkcfiglijhaglibaidbipiejjfdp\" wide ascii\n $s_extension_Martian_and_Sui_Wallet=\"efbglgofoippbgcjepnhiblaibcnclgk\" wide ascii\n $s_extension_SubWallet=\"onhogfjeacnfoofkfgppdlbmlmnplgbn\" wide ascii\n $s_extension_Pontem_Wallet=\"phkbamefinggmakgklpkljjmgibohnba\" wide ascii\n $s_extension_Talisman_Wallet=\"fijngjgcjhjmmpcmkeiomlglpeiijkld\" wide ascii\n 
$s_extension_Kardiachain_Wallet=\"pdadjkfkgcafgbceimcpbkalnfnepbnk\" wide ascii\n $s_extension_Phantom_Wallet=\"bfnaelmomeimhIpmgjnjophhpkkoljpa\" wide ascii\n $s_extension_Oxygen_Wallet=\"fhilaheimglignddjgofkcbgekhenbh\" wide ascii\n $s_extension_PaliWallet=\"mgfffbidihjpoaomajlbgchddlicgpn\" wide ascii\n $s_extension_BoltX_Wallet=\"aodkkagnadcbobfpggnjeongemjbjca\" wide ascii\n $s_extension_Liquality_Wallet=\"kpopkelmapcoipemfendmdghnegimn\" wide ascii\n $s_extension_xDefi_Wallet=\"hmeobnffcmdkdcmlb1gagmfpfboieaf\" wide ascii\n $s_extension_Nami_Wallet=\"Ipfcbjknijpeeillifnkikgncikgfhdo\" wide ascii\n $s_extension_MaiarDeFi_Wallet=\"dngmlblcodfobpdpecaadgfbeggfjfnm\" wide ascii\n $s_extension_MetaMask_Edge_Wallet=\"ejbalbakoplchlghecdalmeeeajnimhm\" wide ascii\n $s_extension_Goblin_Wallet=\"mlbafbjadjidk1bhgopoamemfibcpdfi\" wide ascii\n $s_extension_Braavos_Smart_Wallet=\"jnlgamecbpmbajjfhmmmlhejkemejdma\" wide ascii\n $s_extension_UniSat_Wallet=\"ppbibelpcjmhbdihakflkdcoccbgbkpo\" wide ascii\n $s_extension_OKX_Wallet=\"mcohilncbfahbmgdjkbpemcciiolgcge\" wide ascii\n $s_extension_Manta_Wallet=\"enabgbdfcbaehmbigakijjabdpdnimlg\" wide ascii\n $s_extension_Suku_Wallet=\"fopmedgnkfpebgllppeddmmochcookhc\" wide ascii\n $s_extension_Suiet_Wallet=\"khpkpbbcccdmmclmpigdgddabeilkdpd\" wide ascii\n $s_extension_Koala_Wallet=\"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\" wide ascii\n $s_extension_ExodusWeb3_Wallet=\"aholpfdialjgjfhomihkjbmgjidlcdno\" wide ascii\n $s_extension_Aurox_Wallet=\"kilnpioakcdndlodeeceffgjdpojajlo\" wide ascii\n $s_extension_Fewcha_Move_Wallet=\"ebfidpplhabeedpnhjnobghokpiioolj\" wide ascii\n $s_extension_Carax_Demon_Wallet=\"mdjmfdffdcmnoblignmgpommbefadffd\" wide ascii\n $s_extension_Leap_Terra_Wallet=\"aijcbedoijmgnlmjeegjaglmepbmpkpi\" wide ascii\n\n $s_edge00 = \"msedge.dll\" fullword\n $s_edge01 = \"msedge.dll.pdb\" fullword\n\n $s_filter_avg=\"AVG Technologies USA, LLC\"\n $s_filter_avast=\"Avast Software s.r.o.\"\n 
$s_filter_bitdefender=\"Bitdefender SRL\"\n $s_filter_eset=\"ESET, spol. s r.o.\"\n $s_filter_norton=\"NortonLifeLock Inc.\"\n\n condition:\n 20 of ($s_extension*)\n and not all of ($s_edge*)\n and not 1 of ($s_filter*)\n}\n", "rule_count": 1, "rule_names": [ "generic_stealer_chrome" ], "rule_creation_date": "2024-09-20", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Generic" ], "rule_tactic_tags": [ "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1555" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-geoshell_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573975Z", "creation_date": "2026-03-23T11:46:25.573979Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573988Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/groups/G1002/\nhttps://x.com/ginkgo_g/status/1900079709444333812" ], "name": "geoshell.yar", "content": "import \"pe\"\n\nrule geoshell {\n meta:\n title = \"GEOShell RAT\"\n id = \"4d852295-d339-4974-80b7-3012b3fd5b36\"\n description = 
\"Detects the GEOShell remote access tool.\\nGEOShell is a .NET-based remote access tool reportedly used by the MysteriousElephant APT group (also known as Bitter) to infiltrate and control compromised systems. The tool is part of the group's evolving toolkit targeting entities in South Asia, leveraging spear-phishing and malicious payloads for initial access.\\nIt is recommended to investigate the context around this alert to look for signs of malicious activity.\"\n references = \"https://attack.mitre.org/groups/G1002/\\nhttps://x.com/ginkgo_g/status/1900079709444333812\"\n date = \"2025-03-13\"\n modified = \"2025-06-20\"\n author = \"HarfangLab\"\n tags = \"attack.g1002;attack.command_and_control;attack.t1573\"\n classification = \"Windows.Trojan.GEOShell\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1fb0ede8086c6487be2b2a01458f6b58687085140227491895ea6f0f6634b4ba\n // 303bc4bce9555b02d9b1c0b96eb5736561d70fca3b994b353db2cc1b2eca66ca\n // 416a747cc56bf0704173934117be424d0919c8770891018766b37562e598493c\n // 511cc667d3793848ec162286310a60137a87e5ac7f08770536435f7c4bd89eae\n // ac44b8ecb06055744c9478e2ae2ba66fd52cf0c8ecb8411cc4d0ddd73d0a537c\n\n $s1 = \"k__BackingField\" ascii fullword\n $s2 = \"k__BackingField\" ascii fullword\n $s3 = \"get_IV\" ascii fullword\n $s4 = \"get_RequestId\" ascii fullword\n $s5 = \"get_MachineName\" ascii fullword\n $s6 = \"get_Isp\" ascii fullword\n $s7 = \"get_Client\" ascii fullword\n\n condition:\n pe.imports (\"mscoree.dll\",\"_CorExeMain\") and all of them\n}\n", "rule_count": 1, "rule_names": [ "geoshell" ], "rule_creation_date": "2025-03-13", "rule_modified_date": "2025-06-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.GEOShell" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1573" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gh0strat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573928Z", "creation_date": "2026-03-23T11:46:25.573931Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573937Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\nhttps://attack.mitre.org/software/S0032/" ], "name": "gh0strat.yar", "content": "rule gh0strat {\n meta:\n title = \"Gh0stRAT\"\n id = \"e4ccabcb-cb5a-4016-bcda-df0443b86232\"\n description = \"Detects Gh0stRAT, also named Farfli, a remote access tool used by various threat actors.\\nGh0stRAT is a remote access tool (RAT) that allows attackers to remotely control infected systems. The malware is known for its modular architecture and ability to perform various malicious activities, including keylogging, screen capturing, file theft, and process injection. 
The public availability of its source code has led to multiple variants and widespread use in cyberattacks.\\nIt is recommended to isolate the affected system and investigate for additional malicious actions on the host.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\\nhttps://attack.mitre.org/software/S0032/\"\n date = \"2024-05-28\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.s0032;attack.discovery;attack.t1082;attack.defense_evasion;attack.t1140;attack.collection;attack.t1113;attack.t1056.001;attack.command_and_control;attack.t1132.001;attack.t1573\"\n classification = \"Windows.Trojan.Gh0stRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6c1bac5c2984d8554148521de72d6bfa40a619d8afa8c3b9d964456177745bb4\n // ffd1cd414eda06cbc6b747d3d300cf3feb15fccbc08c4149cede59eac8494b4d\n // f03dfe846ec60fdfef47c03ac679c741b0a4cca600b3893879ed3ce81e6feaaf\n // fff92d7556148a1c8b3f2a88ad3a3de368c8eaeb6bd19faf0ac6252f2ad66277\n\n $s1 = \"\\\\\\\\.\\\\PHYSICALDRIVE0\" ascii fullword\n $s2 = \"[%s]\" ascii fullword\n $s3 = \"WinSta0\\\\Default\" ascii fullword\n $s4 = \"%-24s %-15s 0x%x(%d)\" ascii fullword\n $s5 = \"ICSeqCompressFrameStart\" ascii fullword\n $s6 = \"HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\0\" ascii fullword\n\n // unsigned char scode[] =\n $x_code = {\n B8 12 00 CD 10 BD 18 7C B9 18 00 B8 01 13 BB 0C\n 00 BA 1D 0E CD 10 E2 FE\n }\n\n // bool CClientSocket::Connect(LPCTSTR lpszHost, UINT nPort)\n $x_connect1 = {\n 8D ?? ?? ?? // lea edx, [esp+40h+vInBuffer]\n 6A 0C // push 0Ch ; cbInBuffer\n 5? // push edx ; lpvInBuffer\n 68 04 00 00 98 // push 98000004h ; dwIoControlCode\n 5? // push eax ; s\n [4-8] // mov [esp+50h+vInBuffer], 1\n C7 ?? ?? ?? 20 BF 02 00 // mov [esp+50h+var_18], 2BF20h\n C7 ?? ?? ?? 
88 13 00 00 // mov [esp+50h+var_14], 1388h\n FF // call ds:WSAIoctl\n }\n $x_connect2 = {\n 6A 0C // push 0Ch\n 50 // push eax\n 68 04 00 00 98 // push 98000004h\n FF B6 A8 00 00 00 // push dword ptr [esi+0A8h]\n 89 ?? ?? // mov [ebp+var_4C], edi\n C7 ?? ?? 30 75 00 00 // mov [ebp+var_48], 7530h\n C7 ?? ?? 88 13 00 00 // mov [ebp+var_44], 1388h\n FF // call [ebp+var_24]\n }\n\n // DWORD WINAPI CScreenManager::ControlThread(LPVOID lparam)\n $x_control_thread1 = {\n A0 ?? ?? ?? 10 // mov al, byte_101306AC\n 84 C0 // test al, al\n 74 24 // jz short loc_1000BCB0\n 6A 00 // push 0 ; fWinIni\n 6A 00 // push 0 ; pvParam\n 6A 00 // push 0 ; uiParam\n 6A 56 // push 56h ; 'V' ; uiAction\n FF ?? // call esi ; SystemParametersInfoA\n 6A FF // push 0FFFFFFFFh ; lParam\n 68 70 F1 00 00 // push 0F170h ; wParam\n 68 12 01 00 00 // push 112h ; Msg\n 68 FF FF 00 00 // push 0FFFFh ; hWnd\n FF ?? // call edi ; SendMessageA\n C6 05 ?? ?? ?? ?? 00 // mov byte_101306AC, 0\n }\n $x_control_thread2 = {\n BB 70 F1 00 00 // mov ebx, 0F170h\n BF 12 01 00 00 // mov edi, 112h\n BE FF FF 00 00 // mov esi, 0FFFFh\n\n // loc_406DDE:\n 83 65 FC 00 // and [ebp+var_4], 0\n\n // loc_406DE2:\n 8B 4D 08 // mov ecx, [ebp+arg_0]\n E8 // call sub_406343\n }\n\n $x_service_main = {\n 57 // push edi\n FF 15 ?? ?? ?? ?? // call ds:FreeConsole\n 6A 01 // push 1\n 6A 00 // push 0\n 6A 02 // push 2\n E8 ?? ?? 00 00 // call sub_10008E60\n 6A 00 // push 0\n 6A 00 // push 0\n 6A 04 // push 4\n E8 ?? ?? 00 00 // call sub_10008E60\n 6A 00 // push 0 ; char\n 6A 00 // push 0 ; ThrdAddr\n 6A 00 // push 0 ; InitFlag\n 68 ?? ?? ?? ?? // push offset ServiceName ; int\n 68 ?? ?? ?? ?? // push offset sub_10008FA0 ; int\n 6A 00 // push 0 ; StackSize\n 6A 00 // push 0 ; Security\n C7 05 ?? ?? ?? ?? 
20 01 00 00 // mov dword_100176AC, 120h\n E8 // call sub_1000A1B0\n }\n\n condition:\n (1 of ($s*) and $x_code) or\n (2 of ($x*)) or\n (2 of ($s*) and 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "gh0strat" ], "rule_creation_date": "2024-05-28", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Gh0stRAT" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1140", "attack.t1113", "attack.t1056.001", "attack.t1132.001", "attack.t1082", "attack.t1573" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ghostfart_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563808Z", "creation_date": "2026-03-23T11:46:25.563811Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563816Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mansk1es/GhostFart" ], "name": "ghostfart.yar", "content": "rule ghostfart {\n meta:\n title = \"GhostFart\"\n id = \"095c7310-0bac-41f8-b4ab-a660282c5c8a\"\n description = 
\"Detects GhostFart, an open-source project performing unhooking via indirect syscalls.\\nGhostFart is a tool designed to bypass anti-debugging mechanisms by hooking system functions. It operates by creating a reflective PE loader from a resource section, allowing it to execute malicious payloads directly in memory without writing to disk. This technique makes it particularly stealthy and effective at evading traditional detection methods.\\nIt is recommended to investigate the process' memory for potential malicious payloads or injected code.\"\n references = \"https://github.com/mansk1es/GhostFart\"\n date = \"2024-03-25\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.GhostFart\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 08246e26ecc49817a6124c240ab96483cebaf88f169985b9e900eaaf4c60500b\n // 0d9016c5c9d9ad0f6004bbe3353aab39a9c05baa8af6203e06bbf69992f8f938\n\n $s1 = \"\\\\??\\\\C:\\\\Windows\\\\System32\\\\WEB.rs\" wide\n\n $clear_ntdll = {\n B9 05 00 00 00 // mov ecx, 5\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 48 89 05 ?? ?? ?? 00 // mov cs:qword_14001CAE8, rax\n B9 B3 74 AF 06 // mov ecx, 6AF74B3h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 48 89 05 ?? ?? ?? 00 // mov cs:qword_14001CAF8, rax\n 48 C7 84 24 ?? 00 00 00 00 00 00 00 // mov [rsp+0F8h+var_48], 0\n }\n\n $generic_my_nt = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 ?? ?? ?? ?? // mov ecx, 805225Dh\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 ?? ?? ?? ?? // mov ecx, 805225Dh\n E8 ?? ?? 
FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtCreateSection\n $my_ntcreate_section = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 5D 22 05 08 // mov ecx, 805225Dh\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 5D 22 05 08 // mov ecx, 805225Dh\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtCreateProcessEx\n $my_ntcreate_processex = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 87 99 D5 07 // mov ecx, 7D59987h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 87 99 D5 07 // mov ecx, 7D59987h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtCreateFile\n $my_ntcreate_file = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 55 62 BC 05 // mov ecx, 5BC6255h\n E8 ?? ?? 
FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 55 62 BC 05 // mov ecx, 5BC6255h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtReadVirtualMemory\n $my_ntread_virtual_memory = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 05 82 BC 06 // mov ecx, 6BC8205h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 05 82 BC 06 // mov ecx, 6BC8205h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtAllocateVirtualMemory\n $my_ntallocate_virtual_memory = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 49 11 1F 05 // mov ecx, 51F1149h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 49 11 1F 05 // mov ecx, 51F1149h\n E8 ?? ?? 
FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtFreeVirtualMemory\n $my_ntfree_virtual_memory = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 49 11 1F 05 // mov ecx, 51F1149h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 49 11 1F 05 // mov ecx, 51F1149h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtTerminateProcess\n $my_ntterminate_process = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 E3 4E 0E 07 // mov ecx, 70E4EE3h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 E3 4E 0E 07 // mov ecx, 70E4EE3h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtProtectVirtualMemory\n $my_ntprotect_virtual_memory = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 49 BF 4C 09 // mov ecx, 94CBF49h\n E8 ?? ?? 
FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 49 BF 4C 09 // mov ecx, 94CBF49h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n // MyNtMapViewOfSection\n $my_ntmap_view_of_section = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 99 89 BD 05 // mov ecx, 5BD8999h\n E8 ?? ?? FF FF // call GetNTDLLFunc\n 4C 8B F8 // mov r15, rax\n B9 99 89 BD 05 // mov ecx, 5BD8999h\n E8 ?? ?? FF FF // call SyscallNum\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 41 FF E7 // jmp r15\n }\n\n condition:\n (all of ($s*) and $clear_ntdll) or\n (#generic_my_nt > 5) or\n (4 of ($my_nt*))\n}\n", "rule_count": 1, "rule_names": [ "ghostfart" ], "rule_creation_date": "2024-03-25", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.GhostFart" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ghostsocks_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567599Z", "creation_date": "2026-03-23T11:46:25.567601Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567607Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks\nhttps://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\nhttps://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/" ], "name": "ghostsocks.yar", "content": "rule ghostsocks {\n meta:\n title = \"GhostSocks HackTool\"\n id = \"b15d8be3-afad-4642-a069-4fd7545fcf86\"\n description = \"Detects GhostSocks, a Golang-based SOCKS5 proxy malware first offered as Malware-as-a-Service on Russian underground forums in October 2023.\\nThis proxy tool has been linked to LockBit ransomware campaigns and allows threat actors to route traffic through compromised systems for internal network access.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks\\nhttps://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\\nhttps://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-campaign-refreshes-payloads/\"\n date = \"2025-01-29\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1090;attack.t1573.001;attack.t1571\"\n classification = \"Windows.HackTool.GhostSocks\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n context = \"process,memory,thread,file.pe\"\n\n strings:\n // 
Detection for this sample:\n // ced4ee8a9814c243f0c157cda900def172b95bb4bc8535e480fe432ab84b9175\n\n $go = \" Go build\" ascii\n\n $s2 = \").ConnectForSocks\" ascii\n $s3 = \").GetAvailableRelayServer\" ascii\n $s4 = \"updateHiddenkilleduserIdconfig\" ascii\n $s5 = \"path%s %q%s=%sHTTP/socksFound\" ascii\n\n $m1 = \"F<>proxyUsername\" ascii fullword\n $m2 = \"buildVersion=\" ascii fullword\n $m3 = \"/api/helper-first-register\" ascii\n\n condition:\n (\n $go and\n all of ($s*)\n )\n or\n (\n 2 of ($s*) and\n all of ($m*)\n )\n}\n", "rule_count": 1, "rule_names": [ "ghostsocks" ], "rule_creation_date": "2025-01-29", "rule_modified_date": "2025-05-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.GhostSocks" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1090", "attack.t1573.001", "attack.t1571" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gitl_463502002ddc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585068Z", "creation_date": "2026-03-23T11:46:25.585070Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585076Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": 
"strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/Ghost-In-The-Logs" ], "name": "gitl_463502002ddc.yar", "content": "import \"pe\"\n\nrule gitl_463502002ddc {\n meta:\n title = \"GITL Tool (463502002ddc)\"\n id = \"faf5e786-95ea-4105-93a7-463502002ddc\"\n description = \"Detects the use of Ghost In The Logs (GITL) tool through its clear strings markers.\\nThese strings are related to error messages and logs generated by GITL during its setup or operation, such as driver loading, hooking attempts, and communication with the kernel driver.\\nThe tool is primarily used for kernel hooking and debugging purposes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/bats3c/Ghost-In-The-Logs\"\n date = \"2021-04-09\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562\"\n classification = \"Windows.Tool.GITL\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $shellcode = {\n C7 00 E8 00 00 00 // mov dword ptr [rax], 0E8h ; 'è'\n [0-3] // mov rcx, rdi\n C7 40 04 00 41 58 49 // mov dword ptr [rax+4], 49584100h\n C7 40 08 83 E8 05 EB // mov dword ptr [rax+8], 0EB05E883h\n C6 40 0C 03 // mov byte ptr [rax+0Ch], 3\n }\n\n condition:\n $shellcode\n}\n", "rule_count": 1, "rule_names": [ "gitl_463502002ddc" ], "rule_creation_date": "2021-04-09", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.GITL" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gitl_c96470795d0e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576605Z", "creation_date": "2026-03-23T11:46:25.576607Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576612Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/Ghost-In-The-Logs" ], "name": "gitl_c96470795d0e.yar", "content": "import \"pe\"\n\nrule gitl_c96470795d0e {\n meta:\n title = \"GITL Tool (c96470795d0e)\"\n id = \"a7f12b03-2527-43bc-9958-c96470795d0e\"\n description = \"Detects the use of Ghost In The Logs (GITL) tool through its clear strings markers.\\nThese strings are related to error messages and logs generated by GITL during its setup or operation, such as driver loading, hooking attempts, and communication with the kernel driver.\\nThe tool is primarily used for kernel hooking and debugging purposes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/bats3c/Ghost-In-The-Logs\"\n date = \"2021-04-09\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562\"\n classification = \"Windows.Tool.GITL\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n\n $shellcode = {\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 00 // imul rax, 0\n 48 8B 0D 
?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 E8 // mov byte ptr [rcx+rax], 0E8h ; 'è'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 01 // imul rax, 1\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 00 // mov byte ptr [rcx+rax], 0\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 02 // imul rax, 2\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 00 // mov byte ptr [rcx+rax], 0\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 03 // imul rax, 3\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 00 // mov byte ptr [rcx+rax], 0\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 04 // imul rax, 4\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 00 // mov byte ptr [rcx+rax], 0\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 05 // imul rax, 5\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 41 // mov byte ptr [rcx+rax], 41h ; 'A'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 06 // imul rax, 6\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 58 // mov byte ptr [rcx+rax], 58h ; 'X'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 07 // imul rax, 7\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 49 // mov byte ptr [rcx+rax], 49h ; 'I'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 08 // imul rax, 8\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 83 // mov byte ptr [rcx+rax], 83h ; 'ƒ'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 09 // imul rax, 9\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 E8 // mov byte ptr [rcx+rax], 0E8h ; 'è'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 0A // imul rax, 0Ah\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 05 // mov byte ptr [rcx+rax], 5\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 0B // imul rax, 0Bh\n 48 8B 0D ?? ?? ?? ?? // mov rcx, cs:qword_1400393E0\n C6 04 01 EB // mov byte ptr [rcx+rax], 0EBh ; 'ë'\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 0C // imul rax, 0Ch\n 48 8B 0D ?? ?? ?? ?? 
// mov rcx, cs:qword_1400393E0\n C6 04 01 03 // mov byte ptr [rcx+rax], 3\n }\n\n condition:\n $shellcode\n}\n", "rule_count": 1, "rule_names": [ "gitl_c96470795d0e" ], "rule_creation_date": "2021-04-09", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.GITL" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gitl_e95c368869e2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572284Z", "creation_date": "2026-03-23T11:46:25.572286Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572292Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/Ghost-In-The-Logs" ], "name": "gitl_e95c368869e2.yar", "content": "import \"pe\"\n\nrule gitl_e95c368869e2 {\n meta:\n title = \"GITL Tool (e95c368869e2)\"\n id = \"966a94b4-3116-49ba-9c7f-e95c368869e2\"\n description = \"Detects the use of Ghost In The Logs (GITL) tool through its clear strings markers.\\nThese strings are related to error messages and logs generated by GITL during 
its setup or operation, such as driver loading, hooking attempts, and communication with the kernel driver.\\nThe tool loads a vulnerable driver through KDU and installs a kernel hook that stops ETW events from being logged (see the usage strings below), so a match indicates an attempt to blind event-log based detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/bats3c/Ghost-In-The-Logs\"\n date = \"2021-04-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562\"\n classification = \"Windows.Tool.GITL\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $log_01 = \"[!] Could not extract victim driver, NTSTATUS(0x%lX) abort\" ascii\n $log_02 = \"[!] Error data checksum mismatch!\" ascii\n $log_03 = \"[!] Error decompressing resource, GetLastError %lu\" ascii\n $log_04 = \"[!] Error while loading input driver file, NTSTATUS (0x%lX)\" ascii\n $log_05 = \"[!] Error, invalid NT header\" ascii\n $log_06 = \"[!] Error, %s address not found\" ascii\n $log_07 = \"[!] Cannot query ntoskrnl loaded base, abort\" ascii\n $log_08 = \"[!] Error while loading ntoskrnl.exe, NTSTATUS (0x%lX)\" ascii\n $log_09 = \"[!] Cannot write payload to the registry, abort\" ascii\n $log_10 = \"[!] Bootstrap code size exceeds limit, abort\" ascii\n $log_11 = \"[!] Could not load victim driver, GetLastError %lu\" ascii\n $log_12 = \"[!] Could not read FILE_OBJECT at 0x%llX\" ascii\n $log_13 = \"[!] Could not read DEVICE_OBJECT at 0x%p\" ascii\n $log_14 = \"[!] Could not read DRIVER_OBJECT at 0x%p\" ascii\n $log_15 = \"[!] Physical address is not within same/next page, reload victim driver\" ascii\n $log_16 = \"[!] Too many reloads, abort\" ascii\n $log_17 = \"[!] Error writing shellcode to the target driver, abort\" ascii\n $log_18 = \"[+] Successfully loaded hook\" ascii\n $log_19 = \"[!] Error while building shellcode, abort\" ascii\n $log_20 = \"[!] Error preloading victim driver, abort\" ascii\n $log_21 = \"[!] 
Error unloading victim driver\" ascii\n $log_22 = \"[!] Error: Unable to communicate with the driver, have you loaded it?\" ascii\n $log_23 = \"[!] Unhandled exception 0x%lx\" ascii\n $log_24 = \"[+] CleanUp successful\" ascii\n $log_25 = \"[!] Kernel hook driver not found\" ascii\n $log_26 = \"[+] Enabled Hook (events will be dropped)\" ascii\n $log_27 = \"[+] Disabled Hook (events will be reported)\" ascii\n $log_28 = \"[!] Vulnerable driver already loaded\" ascii\n $log_29 = \"[!] Driver resource id not found %lu\" ascii\n $log_30 = \"[!] Unable to extract vulnerable driver, NTSTATUS (0x%lX)\" ascii\n $log_31 = \"[!] Unable to load vulnerable driver, NTSTATUS (0x%lX)\" ascii\n $log_32 = \"[!] Unable to open vulnerable driver, NTSTATUS (0x%lX)\" ascii\n $log_33 = \"[!] Unable to unload vulnerable driver, NTSTATUS (0x%lX)\" ascii\n $log_34 = \"[!] Abort: selected provider does not support HVCI\" ascii\n $log_35 = \"[!] Abort: selected provider does not support this Windows NT build\" ascii\n $log_36 = \"[!] Abort: selected provider does not support arbitrary kernel read/write or\" ascii\n $log_37 = \"\tKDU interface is not implemented for these methods.\" ascii\n $log_38 = \"[!] Abort: SeDebugPrivilege is not assigned! NTSTATUS (0x%lX)\" ascii\n $log_39 = \"[!] Abort: SeLoadDriverPrivilege is not assigned! NTSTATUS (0x%lX)\" ascii\n $log_40 = \"[!] Coult not register driver, GetLastError %lu\" ascii\n $log_41 = \"[!] Victim driver already loaded, force reload\" ascii\n $log_42 = \"[!] Attempt to unload %ws\" ascii\n $log_43 = \"[!] 
Could not force unload victim, NTSTATUS(0x%lX) abort\" ascii\n $log_44 = \"[+] Previous instance of victim driver unloaded\" ascii\n $log_45 = \"ERROR: Drive returned unknown value\" ascii\n $log_46 = \"Enabled (events not being logged)\" ascii\n $log_47 = \"Disabled (all events are being logged)\" ascii\n $log_48 = \"ERROR: During cleanup, %d\" ascii\n\n $usage_1 = \"Usage: gitl.exe \" ascii\n $usage_2 = \"Arguments:\" ascii\n $usage_3 = \"enable\t-\tEnable the kernel hook, this will disable etw\" ascii\n $usage_4 = \"disable\t-\tDisable the kernel hook, this will enable etw\" ascii\n $usage_5 = \"load\t-\tUse KDU to load the kernel driver\" ascii\n $usage_6 = \"clean\t-\tClean up any left over files\" ascii\n\n $critical_1 = \"Ghost In The Logs by @_batsec_\" ascii\n $critical_2 = \"Mad probs to @hfiref0x and @everdox\" ascii\n $critical_3 = \"C:\\\\Users\\\\thejoker\\\\Desktop\\\\ghostinthelogs\\\\Source\\\\x64\\\\Release\\\\kinfinityhook.pdb\" ascii\n $critical_4 = \"ghostinthelogs\" ascii wide\n $critical_5 = \"gitlkernelhook.sys\" ascii wide\n\n condition:\n uint16(0) == 0x5A4D and (\n (1 of ($critical_*)) // Any of these strings is a yikes\n or (4 of ($usage_*)) // 2/3 of 6\n or (32 of ($log_*)) // 2/3 of 48\n )\n}\n", "rule_count": 1, "rule_names": [ "gitl_e95c368869e2" ], "rule_creation_date": "2021-04-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.GITL" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gmailc2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581793Z", "creation_date": "2026-03-23T11:46:25.581795Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581801Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/reveng007/SharpGmailC2/" ], "name": "gmailc2.yar", "content": "rule sharpgmailc2_hacktool {\n meta:\n title = \"SharpGmailC2 HackTool\"\n id = \"e30d933f-bfd0-463a-962c-8e2dea0023ed\"\n description = \"Detects the SharpGmailC2 HackTool.\\nSharpGmailC2 is a server-side implant and client-side tool designed to exfiltrate data over SMTP and receive commands via Gmail's IMAP protocol.\\nIt enables communications between a server and a compromised system, allowing data transfer and command execution.\"\n references = \"https://github.com/reveng007/SharpGmailC2/\"\n date = \"2023-08-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.003;attack.exfiltration;attack.t1567\"\n classification = \"Windows.HackTool.SharpGmailC2\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9b0ec57b0edf6d231a85486be29b19fbadde14a57ecd38a48ef05f663df02d34\n\n $s1 = \"[*] Waiting for {0} seconds for the Operator to send Command\" wide fullword\n $s2 = \"Subject of Mail Sent by Operator:\" wide fullword\n $s3 = \"[GmailC2] Command Sent> {0}\" wide fullword\n $s4 = 
\"GmailC2Prompt\" ascii fullword\n $s5 = \"GmailC2_ProcessedByFody\" ascii fullword\n $s6 = \"\\\\source\\\\repos\\\\SharpGmailC2\\\\obj\\\\Release\\\\GmailC2.pdb\" ascii\n\n $canary = \"3ef6bf78621e4ebcdce50050a9c49427b5c4cee8343b72ab1318d3e3f2806886ccd9c1fb0039f5d6700864a5480c1c7b97855426b9c7fb8e15dc6050560e8369\"\n\n condition:\n 2 of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "sharpgmailc2_hacktool" ], "rule_creation_date": "2023-08-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SharpGmailC2" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.003", "attack.t1567" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gobitloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582624Z", "creation_date": "2026-03-23T11:46:25.582626Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582631Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/\nhttps://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys" ], "name": "gobitloader.yar", "content": "rule gobitloader {\n meta:\n title = \"GoBitLoader\"\n id = \"f2d574bc-5abc-4a77-a9b6-0fb0b6d836b6\"\n description = \"Detects RunPE functions and strings related to GoBitLoader, a loader written in Go often used to inject stealers like Rhadamanthys or ACR Stealer into legitimate system processes.\\nThe RunPE technique consists of starting a legitimate process in a suspended state, then rewriting its memory with a malicious payload before resuming execution, effectively hijacking the new process. In the samples covered here the hollowed target is C:\\\\Windows\\\\SysWOW64\\\\explorer.exe, launched through syscall.CreateProcess in a suspended state (creation flags 4, CREATE_SUSPENDED), as captured by $x3.\\nIt is recommended to investigate the context around this alert to hunt for malicious actions and to dump any spawned processes to determine the payload.\"\n references = \"https://cyble.com/blog/double-trouble-latrodectus-and-acr-stealer-observed-spreading-via-google-authenticator-phishing-site/\\nhttps://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys\"\n date = \"2025-06-18\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.012;attack.t1140\"\n classification = \"Windows.Loader.GoBitLoader\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c163175cad308e8d96e5629b107bb8a30b6552f117ff8589db18f09991d9f3c9\n // ecaa86e10d633a595be37d68acd217939b770f1f0d4709192b461b0b2df9f5d5\n // d76391b6dca2b5057a0adfb446cf6f80e9be5ec4241cfeddff6e1ca03b331a72\n // a62a2d2bf6bce86b9a0bf8a43ae74004f94e5e712400a68d2cc062ec72e1fc78\n\n $go_binary_1 = \"Go buildinf:\" ascii\n $go_binary_2 = \"fatal error: cgo callback before cgo call\" ascii\n\n $s1 = \"main.main.func1\" ascii\n $s2 = \", size = , tail = ./Data.db: status=\" ascii\n $s3 = 
\"[%x:]slice bounds out of range [:%x] (types from different packages)C:\\\\Windows\\\\SysWOW64\\\\explorer.exeCertAddCertificateContextToStoreCertVerify\" ascii\n\n // main_LoadPEModule\n $x1_v1 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n (76 ?? | 0F 86 ?? ?? ?? ??) // jbe short loc_47DFE5\n 48 83 EC 50 // sub rsp, 50h\n 48 89 6C 24 48 // mov [rsp+50h+var_8], rbp\n 48 8D 6C 24 48 // lea rbp, [rsp+50h+var_8]\n 88 4C 24 27 // mov [rsp+50h+var_29], cl\n 88 5C 24 26 // mov [rsp+50h+var_2A], bl\n 48 89 44 24 40 // mov [rsp+50h+var_10], rax\n 48 C7 44 24 28 00 00 00 00 // mov [rsp+50h+var_28], 0\n 48 8D 44 24 28 // lea rax, [rsp+50h+var_28]\n E8 ?? ?? ?? ?? // call main_LoadFile\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_47DFA5\n 31 C0 // xor eax, eax\n 48 8B 6C 24 48 // mov rbp, [rsp+50h+var_8]\n 48 83 C4 50 // add rsp, 50h\n C3 // retn\n }\n $x1_v2 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n (76 ?? | 0F 86 ?? ?? ?? ??) // jbe loc_14026A875\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 48 // sub rsp, 48h\n 48 89 44 24 58 // mov [rsp+48h+arg_0], rax\n 44 88 44 24 27 // mov [rsp+48h+var_21], r8b\n 40 88 74 24 26 // mov [rsp+48h+var_22], sil\n 48 89 7C 24 40 // mov [rsp+48h+var_8], rdi\n 48 C7 44 24 28 00 00 00 00 // mov [rsp+48h+var_20], 0\n 48 8D 7C 24 28 // lea rdi, [rsp+48h+var_20]\n E8 ?? ?? ?? ?? // call main_LoadFile\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_14026A826\n 31 C0 // xor eax, eax\n 48 83 C4 48 // add rsp, 48h\n 5D // pop rbp\n C3 // retn\n }\n $x1_v3 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n (76 ?? | 0F 86 ?? ?? ?? ??) // jbe loc_1404123F5\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 38 // sub rsp, 38h\n 48 89 44 24 48 // mov [rsp+38h+arg_0], rax\n 48 89 7C 24 60 // mov [rsp+38h+arg_18], rdi\n 40 88 74 24 68 // mov [rsp+38h+arg_20], sil\n 44 88 44 24 69 // mov [rsp+38h+arg_21], r8b\n 48 C7 44 24 20 00 00 00 00 // mov [rsp+38h+var_18], 0\n 48 8D 7C 24 20 // lea rdi, [rsp+38h+var_18]\n E8 ?? ?? ?? ?? 
// call main_LoadFile\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_1404123A6\n 31 C0 // xor eax, eax\n 48 83 C4 38 // add rsp, 38h\n 5D // pop rbp\n C3 // retn\n }\n\n // main__LoadPEModule\n $x2_v1 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n 0F 86 ?? ?? ?? ?? // jbe loc_4845E1\n 48 83 EC 50 // sub rsp, 50h\n 48 89 6C 24 48 // mov [rsp+50h+var_8], rbp\n 48 8D 6C 24 48 // lea rbp, [rsp+50h+var_8]\n 40 88 74 24 71 // mov [rsp+50h+arg_19], sil\n 48 89 4C 24 68 // mov [rsp+50h+arg_10], rcx\n 40 84 F6 // test sil, sil\n 74 ?? // jz short loc_484558\n 48 89 44 24 40 // mov [rsp+50h+var_10], rax\n 48 89 5C 24 38 // mov [rsp+50h+var_18], rbx\n 40 88 7C 24 2F // mov [rsp+50h+var_21], dil\n E8 ?? ?? ?? ?? // call main_GetDirectoryEntry\n 84 C0 // test al, al\n 74 ?? // jz short loc_48455C\n 48 8B 44 24 40 // mov rax, [rsp+50h+var_10]\n 48 8B 4C 24 68 // mov rcx, [rsp+50h+arg_10]\n 48 8B 5C 24 38 // mov rbx, [rsp+50h+var_18]\n 0F B6 74 24 71 // movzx esi, [rsp+50h+arg_19]\n 0F B6 7C 24 2F // movzx edi, [rsp+50h+var_21]\n\n // loc_484558:\n 31 D2 // xor edx, edx\n EB ?? // jmp short loc_48457D\n\n // loc_48455C:\n 48 8B 44 24 40 // mov rax, [rsp+50h+var_10]\n E8 ?? ?? ?? ?? // call main_GetImageBase\n 48 8B 4C 24 68 // mov rcx, [rsp+50h+arg_10]\n 48 8B 5C 24 38 // mov rbx, [rsp+50h+var_18]\n 0F B6 7C 24 2F // movzx edi, [rsp+50h+var_21]\n 48 89 C2 // mov rdx, rax\n 48 8B 44 24 40 // mov rax, [rsp+50h+var_10]\n }\n $x2_v2 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n 0F 86 ?? ?? ?? ?? // jbe loc_14026BC35\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 48 // sub rsp, 48h\n 40 88 74 24 71 // mov [rsp+48h+arg_19], sil\n 48 89 4C 24 68 // mov [rsp+48h+arg_10], rcx\n 0F 1F 40 00 // nop dword ptr [rax+00h]\n 40 84 F6 // test sil, sil\n 75 ?? // jnz short loc_14026BB89\n 31 D2 // xor edx, edx\n EB ?? 
// jmp short loc_14026BBE3\n\n // loc_14026BB89:\n 48 89 5C 24 40 // mov [rsp+48h+var_8], rbx\n 48 89 44 24 38 // mov [rsp+48h+var_10], rax\n 40 88 7C 24 2F // mov [rsp+48h+var_19], dil\n BB 05 00 00 00 // mov ebx, 5\n 31 C9 // xor ecx, ecx\n 90 // nop\n E8 ?? ?? ?? ?? // call main_GetDirectoryEntry\n 48 85 C0 // test rax, rax\n 74 ?? // jz short loc_14026BBC2\n 48 8B 44 24 38 // mov rax, [rsp+48h+var_10]\n 48 8B 4C 24 68 // mov rcx, [rsp+48h+arg_10]\n 48 8B 5C 24 40 // mov rbx, [rsp+48h+var_8]\n 0F B6 7C 24 2F // movzx edi, [rsp+48h+var_19]\n 31 D2 // xor edx, edx\n EB ?? // jmp short loc_14026BBE3\n }\n $x2_v3 = {\n 49 3B 66 10 // cmp rsp, [r14+10h]\n 0F 86 ?? ?? ?? ?? // jbe loc_1404137D5\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 30 // sub rsp, 30h\n 48 89 4C 24 50 // mov [rsp+30h+arg_10], rcx\n 40 88 74 24 59 // mov [rsp+30h+arg_19], sil\n 0F 1F 40 00 // nop dword ptr [rax+00h]\n 40 84 F6 // test sil, sil\n 75 04 // jnz short loc_140413729\n 31 D2 // xor edx, edx\n EB ?? // jmp short loc_140413783\n\n // loc_140413729:\n 48 89 44 24 40 // mov [rsp+30h+arg_0], rax\n 48 89 5C 24 48 // mov [rsp+30h+arg_8], rbx\n 40 88 7C 24 58 // mov [rsp+30h+arg_18], dil\n BB 05 00 00 00 // mov ebx, 5\n 31 C9 // xor ecx, ecx\n 90 // nop\n E8 ?? ?? ?? ?? // call main_GetDirectoryEntry\n 48 85 C0 // test rax, rax\n 74 ?? // jz short loc_140413762\n 48 8B 44 24 40 // mov rax, [rsp+30h+arg_0]\n 48 8B 4C 24 50 // mov rcx, [rsp+30h+arg_10]\n 48 8B 5C 24 48 // mov rbx, [rsp+30h+arg_8]\n 0F B6 7C 24 58 // movzx edi, [rsp+30h+arg_18]\n 31 D2 // xor edx, edx\n EB ?? // jmp short loc_140413783\n }\n\n // main.main.func2\n $x3 = {\n 48 8B 6D 00 // mov rbp, [rbp+0]\n 31 DB // xor ebx, ebx\n B9 68 00 00 00 // mov ecx, 68h\n 48 8D 44 24 50 // lea rax, [rsp+0C0h+var_70]\n 90 // nop\n E8 ?? ?? ?? ?? 
// call main_sailintact\n C7 44 24 50 68 00 00 00 // mov dword ptr [rsp+0C0h+var_70], 68h\n 48 8B 44 24 48 // mov rax, [rsp+0C0h+var_78]\n 31 DB // xor ebx, ebx\n B9 18 00 00 00 // mov ecx, 18h\n E8 ?? ?? ?? ?? // call main_sailintact\n 48 8D 05 ?? ?? ?? 00 // lea rax, aCWindowsSyswow ; \"C:\\\\Windows\\\\SysWOW64\\\\explorer.exe\"\n BB 20 00 00 00 // mov ebx, 20h\n E8 ?? ?? ?? ?? // call syscall_StringToUTF16Ptr\n 48 8B 54 24 48 // mov rdx, [rsp+0C0h+var_78]\n 48 89 14 24 // mov [rsp+0C0h+var_C0], rdx\n 48 89 C3 // mov rbx, rax\n 31 C9 // xor ecx, ecx\n 48 89 CF // mov rdi, rcx\n 31 F6 // xor esi, esi\n 41 B8 04 00 00 00 // mov r8d, 4\n 45 31 C9 // xor r9d, r9d\n 4D 89 CA // mov r10, r9\n 4C 8D 5C 24 50 // lea r11, [rsp+0C0h+var_70]\n 4C 89 C8 // mov rax, r9\n E8 ?? ?? ?? ?? // call syscall_CreateProcess\n }\n\n // https://github.com/SaturnsVoid/Project-Whis/blob/8c9fa2862086ef5755e26c27a99caa47f62c8868/Clients/HTTPS/Windows/core/ExternalRunPE.go#L791\n // Memcpy\n $x4 = {\n 48 89 CA // mov rdx, rcx\n 48 C1 F9 03 // sar rcx, 3\n 31 F6 // xor esi, esi\n EB 0B // jmp short loc_4812B6\n\n // loc_4812AB:\n 48 8B 3C F3 // mov rdi, [rbx+rsi*8]\n 48 89 3C F0 // mov [rax+rsi*8], rdi\n 48 FF C6 // inc rsi\n\n // loc_4812B6:\n 48 39 CE // cmp rsi, rcx\n 7C F0 // jl short loc_4812AB\n (\n 48 83 E2 07 | // and rdx, 7\n 83 E2 07 // and edx, 7\n )\n 31 F6 // xor esi, esi\n EB 10 // jmp short loc_4812D3\n\n // loc_4812C3:\n 48 8D 3C CE // lea rdi, [rsi+rcx*8]\n 44 0F B6 04 3B // movzx r8d, byte ptr [rbx+rdi]\n 44 88 04 38 // mov [rax+rdi], r8b\n 48 FF C6 // inc rsi\n\n // loc_4812D3:\n 48 39 D6 // cmp rsi, rdx\n 7C EB // jl short loc_4812C3\n C3 // retn\n }\n $x4_v2 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 18 // sub rsp, 18h\n 48 89 CA // mov rdx, rcx\n 48 C1 F9 03 // sar rcx, 3\n 31 F6 // xor esi, esi\n EB 0B // jmp short loc_140524728\n\n // loc_14052471D:\n 48 8B 3C F3 // mov rdi, [rbx+rsi*8]\n 48 89 3C F0 // mov [rax+rsi*8], rdi\n 48 FF C6 // inc rsi\n\n // 
loc_140524728:\n 48 39 CE // cmp rsi, rcx\n 7C F0 // jl short loc_14052471D\n 48 89 44 24 28 // mov [rsp+28h], rax\n 48 89 5C 24 30 // mov [rsp+30h], rbx\n 48 89 54 24 10 // mov [rsp+10h], rdx\n 48 89 4C 24 08 // mov [rsp+8], rcx\n E8 ?? ?? ?? ?? // call main_RDF\n }\n $x4_v3 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 40 // sub rsp, 40h\n 48 89 CA // mov rdx, rcx\n 48 C1 F9 03 // sar rcx, 3\n 31 F6 // xor esi, esi\n EB 0B // jmp short loc_14077F268\n\n // loc_14077F25D:\n 48 8B 3C F3 // mov rdi, [rbx+rsi*8]\n 48 89 3C F0 // mov [rax+rsi*8], rdi\n 48 FF C6 // inc rsi\n\n // loc_14077F268:\n 48 39 CE // cmp rsi, rcx\n 7C F0 // jl short loc_14077F25D\n 48 89 44 24 50 // mov [rsp+40h+arg_0], rax\n 48 89 5C 24 58 // mov [rsp+40h+arg_8], rbx\n 48 89 54 24 38 // mov [rsp+40h+var_8], rdx\n 48 89 4C 24 30 // mov [rsp+40h+var_10], rcx\n 31 F6 // xor esi, esi\n EB ?? // jmp short loc_14077F2C6\n }\n\n // https://github.com/SaturnsVoid/Project-Whis/blob/8c9fa2862086ef5755e26c27a99caa47f62c8868/Clients/HTTPS/Windows/core/ExternalRunPE.go#L810\n // Memset\n $x5_v1 = {\n // loc_47DBB0:\n 48 8D 34 D9 // lea rsi, [rcx+rbx*8]\n 48 8B 38 // mov rdi, [rax]\n 48 89 3C 30 // mov [rax+rsi], rdi\n 48 FF C3 // inc rbx\n\n // loc_47DBBE:\n 48 8D 72 FF // lea rsi, [rdx-1]\n 48 39 F3 // cmp rbx, rsi\n 7C E9 // jl short loc_47DBB0\n C3 // retn\n }\n $x5_v2 = {\n // loc_482742:\n 48 8B 2C 24 // mov rbp, [rsp+8+var_8]\n 48 83 C4 08 // add rsp, 8\n C3 // retn\n // loc_48274B:\n 48 8D 34 D9 // lea rsi, [rcx+rbx*8]\n 48 8B 38 // mov rdi, [rax]\n 48 89 3C 30 // mov [rax+rsi], rdi\n 48 FF C3 // inc rbx\n }\n $x5_v3 = {\n // loc_140524842:\n 48 8D 34 DA // lea rsi, [rdx+rbx*8]\n 48 8B 39 // mov rdi, [rcx]\n 48 89 3C 31 // mov [rcx+rsi], rdi\n 48 FF C3 // inc rbx\n\n // loc_140524850:\n 48 8D 70 FF // lea rsi, [rax-1]\n 48 39 F3 // cmp rbx, rsi\n 7C ?? 
// jl short loc_140524842\n 48 89 C8 // mov rax, rcx\n 48 83 C4 18 // add rsp, 18h\n 5D // pop rbp\n C3 // retn\n }\n $x5_v4 = {\n // loc_14077F661:\n 48 8D 34 D9 // lea rsi, [rcx+rbx*8]\n 48 8B 38 // mov rdi, [rax]\n 48 89 3C 30 // mov [rax+rsi], rdi\n 48 FF C3 // inc rbx\n\n // loc_14077F66F:\n 48 8D 72 FF // lea rsi, [rdx-1]\n 48 39 F3 // cmp rbx, rsi\n 7C ?? // jl short loc_14077F661\n 48 83 C4 18 // add rsp, 18h\n 5D // pop rbp\n C3 // retn\n }\n\n condition:\n 1 of ($go_binary_*) and (all of ($s*) or 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "gobitloader" ], "rule_creation_date": "2025-06-18", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.GoBitLoader" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-godpotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571533Z", "creation_date": "2026-03-23T11:46:25.571535Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571540Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://github.com/BeichenDream/GodPotato\nhttps://twitter.com/SophosXOps/status/1712900190343152010" ], "name": "godpotato.yar", "content": "rule godpotato {\n meta:\n title = \"GodPotato HackTool\"\n id = \"01a4da46-05ec-4ba5-ad50-b46cd3ac2ce8\"\n description = \"Detects the GodPotato HackTool.\\nGodPotato escalates privileges to SYSTEM by abusing DCOM: it hooks the local RPC runtime (combase) so that a privileged DCOM activation authenticates to a named pipe under the attacker's control (see the epmapper pipe and ncacn_np strings below), then impersonates the resulting security context token. It requires the calling account to already hold the \\\"SeImpersonatePrivilege\\\" privilege.\"\n references = \"https://github.com/BeichenDream/GodPotato\\nhttps://twitter.com/SophosXOps/status/1712900190343152010\"\n date = \"2023-10-16\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.GodPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858\n // 56acdd67faeb3b1dd15632102f4cb068acdbdc24e0f78f856824610a8be9ab91\n // 9a8e9d587b570d4074f1c8317b163aa8d0c566efd88f294d9d85bc7776352a28\n\n $s1 = \"Cannot find IDL structure\" wide fullword\n $s2 = \"delegateFun\" wide fullword\n $s3 = \"D:(A;OICI;GA;;;WD)\" wide fullword\n $s4 = \"\\\\pipe\\\\epmapper\" wide fullword\n $s5 = \"IsHook == false\" wide fullword\n $s6 = \"ncacn_np:localhost/pipe/\" wide fullword\n\n $s7 = \"[*] CombaseModule: 0x{0:x}\" wide fullword\n $s8 = \"[*] HookRPC\" wide fullword\n $s9 = \"[!] 
Failed to impersonate security context token\" wide fullword\n $s10 = \"ncacn_ip_tcp:fuck you !\" wide fullword\n $s11 = \"[*] DCOM obj PublicRefs: 0x{0:x}\" wide fullword\n $s12 = \"[*] PID : {0} Token:0x{1:x} User: {2} ImpersonationLevel: {3}\" wide fullword\n\n $fun = {\n 18 // ldc.i4.2\n 8D[4] // newarr [mscorlib]System.String\n 25 // dup\n 16 // ldc.i4.0\n 72[4] // ldstr \"ncacn_np:localhost/pipe/\"\n 02 // ldarg.0\n 7B[4] // ldfld class GodPotato.NativeAPI.GodPotatoContext GodPotato.NativeAPI.NewOrcbRPC::godPotatoContext\n 6F[4] // callvirt instance string GodPotato.NativeAPI.GodPotatoContext::get_PipeName()\n 72[4] // ldstr \"[\\\\pipe\\\\epmapper]\"\n 28[4] // call string [mscorlib]System.String::Concat(string, string, string)\n A2 // stelem.ref\n 25 // dup\n 17 // ldc.i4.1\n 72[4] // ldstr \"ncacn_ip_tcp:fuck you !\"\n A2 // stelem.ref\n 0A // stloc.0\n 19 // ldc.i4.3\n 0B // stloc.1\n 16 // ldc.i4.0\n 1305 // stloc.s\n 2B16 // br.s\n\n // loop start (head: IL_0049)\n 07 // ldloc.1\n 06 // ldloc.0\n 1105 // ldloc.s\n 9A // ldelem.ref\n 6F??0000?? 
// callvirt instance int32 [mscorlib]System.String::get_Length()\n 58 // add\n 0B // stloc.1\n 07 // ldloc.1\n 17 // ldc.i4.1\n 58 // add\n 0B // stloc.1\n 1105 // ldloc.s\n 17 // ldc.i4.1\n 58 // add\n 1305 // stloc.s\n\n 1105 // ldloc.s\n 06 // ldloc.0\n 8E // ldlen\n 69 // conv.i4\n 32E3 // blt.s\n // end loop\n }\n\n condition:\n 5 of ($s*) or $fun\n}\n", "rule_count": 1, "rule_names": [ "godpotato" ], "rule_creation_date": "2023-10-16", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.GodPotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gopuram_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583946Z", "creation_date": "2026-03-23T11:46:25.583948Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583954Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "name": "gopuram_loader.yar", "content": "rule 
gopuram_loader {\n meta:\n title = \"Gopuram Backdoor Loader\"\n id = \"f675846e-ec26-4a2d-800b-7369de5da496\"\n description = \"Detects the Gopuram Backdoor Loader, an advanced backdoor developed by Lazarus Group to infiltrate and spy on sensitive organizations.\\nThis backdoor is designed to establish persistence and evade detection by leveraging compromised drivers and system processes. It is modular, enabling it to perform various malicious activities such as data exfiltration and system manipulation.\\nThe loader is often delivered through supply chain attacks and is known for its sophisticated techniques to maintain persistence and avoid detection.\\nIt is recommended to isolate the affected system and conduct a thorough investigation of network communications to identify any potential command and control activities.\"\n references = \"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/\"\n date = \"2023-04-05\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.privilege_escalation;attack.t1055.001;attack.t1055.002;attack.defense_evasion;attack.t1014\"\n classification = \"Windows.Loader.Gopuram\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf\n // bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9\n // dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9\n\n $s1 = \"Windows %d(%d)-%s\" fullword ascii\n $s2 = \"auth_timestamp: \" fullword ascii\n $s3 = \"auth_signature: \" fullword ascii\n $s4 = \"rlz=\" fullword ascii\n $s5 = \"&ei=\" fullword ascii\n $s6 = \"&act=check\" fullword ascii\n\n // AES decrypt and virtual alloc\n $op1 = {\n 48 83 FB 10 // cmp rbx, 10h\n 48 0F 43 D7 // cmovnb rdx, rdi\n 48 ?? ?? ?? ?? 
// lea rax, [rsp+470h+var_428]\n 48 ?? ?? ?? ?? // mov [rsp+470h+lpOptional], rax\n 45 8B C7 // mov r8d, r15d\n E8 ?? ?? ?? ?? // call aes_thing\n 41 83 C7 80 // add r15d, 0FFFFFF80h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 41 8B D7 // mov edx, r15d ; dwSize\n 33 C9 // xor ecx, ecx ; lpAddress\n FF // call cs:VirtualAlloc\n }\n\n $op2 = {\n B9 60 EA 00 00 // mov ecx, 0EA60h ; dwMilliseconds\n FF // call cs:Sleep\n }\n\n condition:\n 4 of ($s*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "gopuram_loader" ], "rule_creation_date": "2023-04-05", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Gopuram" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1014", "attack.t1055.002", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gopuram_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569428Z", "creation_date": "2026-03-23T11:46:25.569430Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.569436Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/" ], "name": "gopuram.yar", "content": "rule gopuram {\n meta:\n title = \"Gopuram Backdoor\"\n id = \"19de3609-56a1-49cb-9e45-3713c8a0a318\"\n description = \"Detects the Gopuram Backdoor, an advanced backdoor developed by the Lazarus APT to spy on sensitive organizations.\\nThis backdoor is designed to establish persistence and evade detection by leveraging compromised drivers and system processes. It is modular, enabling it to perform various malicious activities such as data exfiltration and system manipulation.\\nThe loader is often delivered through supply chain attacks and is known for its sophisticated techniques to maintain persistence and avoid detection.\\nIt is recommended to isolate the affected system and conduct a thorough investigation of network communications to identify any potential command and control activities.\"\n references = \"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/\"\n date = \"2023-04-05\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.privilege_escalation;attack.t1055.001;attack.t1055.002;attack.defense_evasion;attack.t1014\"\n classification = \"Windows.Malware.Gopuram\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7\n // beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c\n\n $payload_path = \"%s\\\\config\\\\TxR\\\\%s.TxR.0.regtrans-ms\" fullword ascii\n\n $custom_hash = {\n D1 E8 // shr eax, 1\n 33 C3 // xor eax, ebx\n D1 EB // shr ebx, 1\n A8 01 // test al, 1\n 74 
?? // jz short loc_180022DE6\n 81 F3 25 A3 87 DE // xor ebx, 0DE87A325h\n }\n\n $decrypt_shellcode_jmp = {\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_1800230E1\n 48 8B 4C 24 58 // mov rcx, [rsp+320h+var_2D0.pbData] ; lpAddress\n 4C 8D 4C 24 44 // lea r9, [rsp+320h+flOldProtect] ; lpflOldProtect\n 44 8D 43 40 // lea r8d, [rbx+40h] ; flNewProtect\n BA 00 10 00 00 // mov edx, 1000h ; dwSize\n 89 5C 24 44 // mov [rsp+320h+flOldProtect], ebx\n FF ?? ?? ?? ?? ?? // call cs:VirtualProtect\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_1800230C4\n FF ?? ?? ?? // call [rsp+320h+var_2D0.pbData]\n 44 8B 44 24 44 // mov r8d, [rsp+320h+flOldProtect] ; flNewProtect\n 48 8B 4C 24 58 // mov rcx, [rsp+320h+var_2D0.pbData] ; lpAddress\n 4C 8D 4C 24 44 // lea r9, [rsp+320h+flOldProtect] ; lpflOldProtect\n BA 00 10 00 00 // mov edx, 1000h ; dwSize\n FF ?? ?? ?? ?? ?? // call cs:VirtualProtect\n }\n\n condition:\n $payload_path and #custom_hash > 4 and #decrypt_shellcode_jmp\n}\n", "rule_count": 1, "rule_names": [ "gopuram" ], "rule_creation_date": "2023-04-05", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Gopuram" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1014", "attack.t1055.002", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-go_reverse_ssh_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { 
"id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572839Z", "creation_date": "2026-03-23T11:46:25.572842Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572847Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/NHAS/reverse_ssh\nhttps://research.aurainfosec.io/pentest/rssh/" ], "name": "go_reverse_ssh.yar", "content": "rule reverse_ssh_go {\n meta:\n title = \"Golang Reverse SSH\"\n id = \"c3cf686c-f1c6-4e95-8e2c-4b18d2056f55\"\n description = \"Detects the NHAS reverse SSH written in Go.\\nThis tool uses reverse SSH connections to manage controlled machines.\\nAttackers can bypass common network level restrictions by initiating a connection back to an attacker controlled host.\\nIt is recommended to verify if the usage of this tool is legitimate.\"\n references = \"https://github.com/NHAS/reverse_ssh\\nhttps://research.aurainfosec.io/pentest/rssh/\"\n date = \"2024-09-25\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1573.001\"\n classification = \"HackTool.GolangReverseSSH\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 84114aec0d38f79dd7657168766292ab957c4cbe4b69cfe5afc62ba88ebac34b\n // d611e8ac73e1010b3446ea22b2fdd8e184ca31671f4da5d308e183e742cfd61a\n // 262591fad9cad6b2adec59110fa396b2eebdc8aa6caa47b1ed45f7e3468b3216\n // ebb5e96b4c084d874b7baac383380cb841b6de4dda4d9390a838d87df7eae4be\n\n $s_strings = \"perunanxtrsshhelptruefilereadopenpipelinkStat\"\n $s_repo = 
\"github.com/NHAS/reverse_ssh\" wide ascii\n $s_gobuild = \"Go buildinf:\" wide ascii fullword\n\n condition:\n $s_gobuild and ($s_repo or $s_strings)\n}\n", "rule_count": 1, "rule_names": [ "reverse_ssh_go" ], "rule_creation_date": "2024-09-25", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.GolangReverseSSH" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gotohttp_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573832Z", "creation_date": "2026-03-23T11:46:25.573834Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573840Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\nhttps://www.elastic.co/security-labs/tollbooth\nhttps://asec.ahnlab.com/en/83283/" ], "name": "gotohttp.yar", "content": "rule gotohttp {\n meta:\n title = \"GotoHTTP Tool\"\n id = \"d3e89a26-1f94-4eb8-8df1-f7135dabe3ce\"\n description 
= \"Detects GotoHTTP, a remote monitoring and management (RMM) tool.\\nGotoHTTP is a component often utilized for remote execution and lateral movement within a system.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate in your infrastructure.\"\n references = \"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\\nhttps://www.elastic.co/security-labs/tollbooth\\nhttps://asec.ahnlab.com/en/83283/\"\n date = \"2025-10-24\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.lateral_movement;attack.t1021;attack.execution;attack.command_and_control;attack.t1071.001\"\n classification = \"Tool.GotoHTTP\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n // Detection for these samples:\n // 230b84398e873938bbcc7e4a1a358bde4345385d58eb45c1726cee22028026e9\n // ff6dc53044f7d0c71292b23ac2718b16f1d6fd34b465d1db1febe64e46362c5f\n // e9211412ea7f4713a256d6f480367c43073e521d7a938e8d2ec8d104e56f1e1f\n\n $str_01 = \"gotohttp.ck\"\n $str_02 = \"gotohttp.ini\"\n $str_03 = \"gotohttp.tmp\"\n $str_04 = \".\\\\GotoHttp.cpp\"\n $str_05 = \"GOTOHTTP_PROXY\"\n $str_06 = \"GotoHTTP_%s.%s\"\n $str_07 = \"\\\\\\\\.\\\\pipe\\\\gotohttp%u\"\n $str_08 = \"SM_GotoHTTP_x64\" wide\n $str_09 = \"GotoHTTP Message\" wide\n $str_10 = \"Global\\\\GotoHTTP_%u\" wide\n $str_11 = \"TTXN GotoHTTP Agent\" wide\n $str_12 = \"\\\\gotohttp\\\\TProcess.h\"\n $str_13 = \"\\\\gotohttp\\\\TShareApe.h\"\n $str_14 = \"Created by GotoHTTP\"\n $str_15 = \"TTXN GotoHTTP agent client.\" wide\n $str_16 = \"Applications/GotoHTTP.app/Contents/MacOS/GotoHTTP\"\n $str_17 = \"GotoHTTP_Mac\"\n $str_18 = \"_gotohttp_config_changed\"\n $str_19 = \"_gotohttp_debug_config\"\n $str_20 = \"GotoHTTP/gotoapp.h\"\n $str_21 = \"GotoHTTP.build/Objects-normal\"\n $str_22 = \"Resources/com.pingbo.gotohttp.plist\"\n $str_23 = 
\"../GotoHTTP/TConference.cpp\"\n $str_24 = \"../GotoHTTP/TShareApe.cpp\"\n $str_25 = \"../GotoHTTP/TShareCapture.cpp\"\n $str_26 = \"../GotoHTTP/TShareApePng.cpp\"\n $str_27 = \"../GotoHTTP/TInput.cpp\"\n $str_28 = \"../GotoHTTP/TLinuxUtil.cpp\"\n $str_29 = \"../GotoHTTP/TDataSync.cpp\"\n $str_30 = \"gotohttp0\"\n $str_31 = \"gotohttp0Y0\"\n $str_32 = \"gotohttp_ft_temp.zip\"\n $str_33 = \"/etc/systemd/system/gotohttp.service\"\n $str_34 = \"/usr/lib/systemd/system/gotohttp.service\"\n $str_35 = \"Usage: gotohttp [-p access code] [-f 0|1] [-?]\"\n\n condition:\n 10 of ($str*)\n}", "rule_count": 1, "rule_names": [ "gotohttp" ], "rule_creation_date": "2025-10-24", "rule_modified_date": "2025-11-20", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Tool.GotoHTTP" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1021" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-grb_net_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581448Z", "creation_date": "2026-03-23T11:46:25.581450Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.581456Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\nhttps://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/" ], "name": "grb_net.yar", "content": "import \"pe\"\n\nrule grb_net {\n meta:\n title = \"GRB_NET Hacktool\"\n id = \"09d8a5d7-f94a-4cf1-b834-2d88ba3aec8d\"\n description = \"Detects GRB_NET, also named Grixba, a network-scanning tool used by ransomware groups.\\nThis tool can enumerate software and services on remote hosts via WMI, WinRM, remote registry and remote services. It can also clear event logs.\"\n references = \"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\\nhttps://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/\"\n date = \"2023-10-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1070.001;attack.discovery;attack.t1046\"\n classification = \"Windows.HackTool.GRB_NET\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb\n\n // some encrypted strings\n $s1 = {\n AE E8 B0 E3 B2 F1 B4 EA B6 F9 B8 FC BA EF BC 9D\n BE E9 C0 A4 C2 B1 C4 B6 C6 AE C8 A6 CA A5 CC F7\n CE EF D0 85 D2 B6 D4 A6 D6 A3 D8 F7 DA FB DC EA\n }\n\n $s2 = {\n AE FB B0 C8 B2 C3 B4 D0 B6 97 B8 CD BA C2 BC CD\n BE DA C0 E1 C2 EE C4 AD C6 E7 C8 AF CA A4 CC BF\n CE EF D0 B9 D2 B6 D4 B9 D6 A7\n }\n\n $s3 = {\n AE F4 B0 9A B2 EE B4 95 B6 E5 B8 D8 BA D5 BC DA\n BE DA C0 E1 C2 A0 C4 AA C6 B2 C8 A7 CA BF CC F7\n CE EF\n }\n\n $decrypt_string = {\n 02 // ldarg.0\n 6F[4] // callvirt instance char[] [mscorlib]System.String::ToCharArray()\n 0A // stloc.0\n 20E343022B // ldc.i4\n 
03 // ldarg.1\n 58 // add\n 2057000000 // ldc.i4\n D3 // conv.i\n 58 // add\n 2063000000 // ldc.i4\n D3 // conv.i\n 58 // add\n 0B // stloc.1\n 16 // ldc.i4.0\n 25 // dup\n 17 // ldc.i4.1\n 3233 // blt.s\n\n 25 // dup\n 0C // stloc.2\n 06 // ldloc.0\n 08 // ldloc.2\n 06 // ldloc.0\n 08 // ldloc.2\n 92 // ldelem.i2\n 25 // dup\n 20FF000000 // ldc.i4\n 5F // and\n 07 // ldloc.1\n 25 // dup\n 17 // ldc.i4.1\n 58 // add\n 0B // stloc.1\n 61 // xor\n D2 // conv.u1\n 0D // stloc.3\n 25 // dup\n 1E // ldc.i4.8\n 63 // shr\n 07 // ldloc.1\n 25 // dup\n 17 // ldc.i4.1\n 58 // add\n 0B // stloc.1\n 61 // xor\n D2 // conv.u1\n 1304 // stloc.s\n 26 // pop\n 1104 // ldloc.s\n 09 // ldloc.3\n 1304 // stloc.s\n 0D // stloc.3\n 1104 // ldloc.s\n 1E // ldc.i4.8\n 62 // shl\n 09 // ldloc.3\n 60 // or\n D1 // conv.u2\n 9D // stelem.i2\n 17 // ldc.i4.1\n 58 // add\n 25 // dup\n 06 // ldloc.0\n 8E // ldlen\n 69 // conv.i4\n 32C7 // blt.s\n }\n\n condition:\n 2 of ($s*) or\n $decrypt_string or\n pe.version_info[\"OriginalFilename\"] contains \"GRB_NET.exe\"\n}\n", "rule_count": 1, "rule_names": [ "grb_net" ], "rule_creation_date": "2023-10-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.GRB_NET" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1046", "attack.t1070.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-gsecdump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": 
null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584508Z", "creation_date": "2026-03-23T11:46:25.584510Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584516Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/\nhttps://attack.mitre.org/software/S0008/\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\nhttps://dmcxblue.gitbook.io/red-team-notes/untitled-1/credential-dumping" ], "name": "gsecdump.yar", "content": "rule gsecdump {\n meta:\n title = \"Gsecdump Tool\"\n id = \"b1b9aa05-a687-452f-86ab-098100dc4fce\"\n description = \"Detects the gsecdump tool, a credential dumper used to extract password hashes and LSA secrets from Windows systems.\\nGsecdump is a tool specifically designed to gather sensitive credentials from compromised Windows operating systems. 
It targets the Security Accounts Manager (SAM) and Local Security Authority (LSA) to extract plaintext credentials and hashes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://attack.mitre.org/techniques/T1003/\\nhttps://attack.mitre.org/software/S0008/\\nhttps://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use\\nhttps://dmcxblue.gitbook.io/red-team-notes/untitled-1/credential-dumping\"\n date = \"2022-06-17\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003;attack.s0008\"\n classification = \"Windows.HackTool.gsecdump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $s1 = \"SamIFree_SAMPR_ENUMERATION_BUFFER\" fullword ascii\n $s2 = \"SystemFunction025\" fullword ascii\n $s3 = \"%.*s\\\\%.*s::%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x:::\" fullword wide\n $s4 = \"SOFTWARE\\\\Microsoft\\\\WZCSVC\\\\Parameters\\\\Interfaces\" fullword wide\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 1MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "gsecdump" ], "rule_creation_date": "2022-06-17", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.gsecdump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-guloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582971Z", "creation_date": "2026-03-23T11:46:25.582972Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582978Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader\nhttps://attack.mitre.org/software/S0561/" ], "name": "guloader.yar", "content": "rule guloader {\n meta:\n title = \"GuLoader Trojan\"\n id = \"bfbaa4ca-765c-4d80-aa84-f0a1132f8555\"\n description = \"Detects GuLoader, a file downloader that has been used since at least December 2019 to distribute a variety of malware, such as Agent Tesla.\\nGuLoader is a Windows-based trojan primarily designed to download and execute malicious payloads.\\nIt is recommended to perform a thorough investigation of recent file downloads and network activity and to investigate further malicious actions on the host.\"\n references = \"https://www.elastic.co/security-labs/getting-gooey-with-guloader-downloader\\nhttps://attack.mitre.org/software/S0561/\"\n date = \"2024-03-15\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.s0561;attack.defense_evasion;attack.t1055;attack.command_and_control;attack.t1071.001;attack.t1105;attack.t1102\"\n classification = \"Windows.Trojan.GuLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
5c00609cc1f96a521c3df16a9aa4d35f23f4520c1dedcac30f2935f3b198de05\n // 9a5923c9696f6ba4bb5092af6f4b29b5760c21ea0a60b37e2b6afa726660da32\n\n $x1 = {\n 31 10 // xor [eax], edx\n 83 C0 04 // add eax, 4\n 39 D8 // cmp eax, ebx\n 75 F7 // jnz short loc_4109E6\n [4-400]\n FF D0 // call eax\n [10-500]\n 83 EA 04 // sub edx, 4\n 31 0A // xor [edx], ecx\n 39 DA // cmp edx, ebx\n 75 F7 // jnz short loc_410A15\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "guloader" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.GuLoader" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1105", "attack.t1102", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hackbrowserdata_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587737Z", "creation_date": "2026-03-23T11:46:25.587740Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587747Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1555/003/\nhttps://attack.mitre.org/techniques/T1539/\nhttps://github.com/moonD4rk/HackBrowserData" ], "name": "hackbrowserdata.yar", "content": "rule hack_browser_data {\n meta:\n title = \"HackBrowserData Tool\"\n id = \"736816d2-1987-4298-8940-990492734ae4\"\n description = \"Detects HackBrowserData, an open-source tool designed to extract and decrypt browser data.\\nHackBrowserData is used to gather sensitive information such as credentials, cookies, and form data from various browsers including Chrome, Firefox, and Edge.\\nThe tool can decrypt sensitive information stored in the browser's databases and is often used by attackers to gather credentials for lateral movement or financial gain.\\nIt is recommended to investigate related accounts and systems for potential credential exposure and perform credential validation to ensure no unauthorized access has occurred.\"\n references = \"https://attack.mitre.org/techniques/T1555/003/\\nhttps://attack.mitre.org/techniques/T1539/\\nhttps://github.com/moonD4rk/HackBrowserData\"\n date = \"2022-10-28\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003;attack.t1539\"\n classification = \"HackTool.HackBrowserData\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ef9281e777f8083738653683137fffd0d06f2f8f63b19e1424957a9148e7c463\n // b16672f3fa38fbdde1207883fbc7774746141ff824f11ef22fb563da846bdef8\n // 35dcf6a2ef444708fbc21764be7498eb37b2abc3a44e973585123460b8f1c5cd\n // ef9281e777f8083738653683137fffd0d06f2f8f63b19e1424957a9148e7c463\n // 49e62206353bb7f248734f2aad56c31b87a2f4f8e705e2c5730af743dc1515a4\n // 089791d205039a61089efb21ce82d8546107bd2a66b8901bceedd72de46a9835\n // 9ae7cd82ce55a9059368c404e376eb4110a6b0c30ac9e670bdd045470daba59e\n\n $sql_query_1 = \"(SELECT * FROM moz_bookmarks 
INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id)\" ascii\n $sql_query_2 = \"SELECT guid, name_on_card, expiration_month, expiration_year, card_number_encrypted\" ascii\n $sql_query_3 = \"SELECT name, encrypted_value, host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires, is_persistent FROM \" ascii\n\n // \"Browingdata\" typo is intentional.\n $browing_structs = \"browingdata.\" ascii\n\n $paths_1 = \"hack-browser-data/internal/\" ascii\n $paths_2 = \"source/internal/browingdata/\" ascii\n\n condition:\n 2 of ($sql_query_*)\n or #browing_structs > 2\n or #paths_1 > 5\n or #paths_2 > 5\n}\n", "rule_count": 1, "rule_names": [ "hack_browser_data" ], "rule_creation_date": "2022-10-28", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.HackBrowserData" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003", "attack.t1539" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hackedteam_dynamicall_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572592Z", "creation_date": "2026-03-23T11:46:25.572594Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:46:25.572600Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/hackedteam/core-win32/blob/master/DynamiCall/dynamic_import.cpp\nhttps://bromiumlabs.wordpress.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/\nhttps://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" ], "name": "hackedteam_dynamicall.yar", "content": "rule hackedteam_dynamicall {\n meta:\n title = \"DynamiCall Usage\"\n id = \"bbceb721-8d29-4e4c-b22f-942089c3ca22\"\n description = \"Detects obfuscated dynamic API calls from DynamiCall.\\nDynamiCall is a component from an old HackedTeam RAT leak, known for its dynamic API call generation. It has been observed in Kimsuky's KLogExe and FPSpy malware.\\nIt is recommended to analyze the affected process to determine the nature of its activity.\"\n references = \"https://github.com/hackedteam/core-win32/blob/master/DynamiCall/dynamic_import.cpp\\nhttps://bromiumlabs.wordpress.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/\\nhttps://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/\"\n date = \"2024-10-15\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.DynamiCall\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 990b7eec4e0d9a22ec0b5c82df535cf1666d9021f2e417b49dc5110a67228e27\n // a173a425d17b6f2362eca3c8ea4de9860b52faba414bbb22162895641dda0dc2\n // faf666019333f4515f241c1d3fcfc25c67532463245e358b90f9e498fe4f6801\n // c69cd6a9a09405ae5a60acba2f9770c722afde952bd5a227a72393501b4f5343\n // 2e768cee1c89ad5fc89be9df5061110d2a4953b336309014e0593eb65c75e715\n\n // Some strings that are present in obfuscated_call.h\n $str_obf_call_1 = 
\"OFUBQJ43/EMM\" ascii fullword // NetApi32.dll\n $str_obf_call_2 = \"OfuVtfsHfuJogp\" ascii fullword // NetUserGetInfo\n $str_obf_call_3 = \"OfuBqjCvggfsGsff\" ascii fullword // NetApiBufferFree\n $str_obf_call_4 = \"XJOIUUQ/EMM\" ascii fullword // WinHttp.dll\n $str_obf_call_5 = \"XjoIuuqHfuJFQspyzDpogjhGpsDvssfouVtfs\" ascii fullword // WinHttpGetIEProxyConfigForCurrentUser\n $str_obf_call_6 = \"XjoIuuqSfbeEbub\" ascii fullword // WinHttpReadData\n $str_obf_call_7 = \"XjoIuuqSfdfjwfSftqpotf\" ascii fullword // WinHttpReceiveResponse\n $str_obf_call_8 = \"XjoIuuqTfoeSfrvftu\" ascii fullword // WinHttpSendRequest\n $str_obf_call_9 = \"XjoIuuqRvfszPqujpo\" ascii fullword // WinHttpQueryOption\n $str_obf_call_10 = \"XjoIuuqXsjufEbub\" ascii fullword // WinHttpWriteData\n\n // https://github.com/hackedteam/core-win32/blob/8eb1326959fcb5c727513b59b86386dae7463683/DynamiCall/dynamic_import.cpp#L383\n $func_load_library_loop_32 = {\n 52 // push edx\n FF 15 ?? ?? ?? ?? // call dword [LoadLibraryA]\n 8B F8 // mov edi, eax\n 85 FF // test edi, edi\n 75 ?? // jne inc_esi\n 6A 64 // push 0x64\n FF 15 ?? ?? ?? ?? // call dword [Sleep]\n 46 // inc esi\n 85 FF // test edi, edi\n 75 ?? // jne get_process_address_loop_start\n 8B 55 F8 // mov edx, dword [ebp-0x8]\n 83 FE 04 // cmp esi, 0x4\n 7C ?? // jl loop_start\n }\n\n // https://github.com/hackedteam/core-win32/blob/8eb1326959fcb5c727513b59b86386dae7463683/DynamiCall/dynamic_import.cpp#L393\n $func_get_process_address_loop_32 = {\n 33 F6 // xor esi, esi\n 53 // push ebx\n 57 // push edi\n FF 15 ?? ?? ?? ?? // call dword [GetProcAddress]\n 8B D8 // mov ebx, eax\n 85 DB // test ebx, ebx\n 75 ?? // jne inc_esi\n 6A 64 // push 0x64\n FF 15 ?? ?? ?? ?? // call dword [Sleep]\n 46 // inc esi\n 85 DB // test ebx, ebx\n 75 ?? // jne loop_success\n 8B 5D FC // mov ebx, dword [ebp-0x4]\n 83 FE 04 // cmp esi, 0x4\n 7C ?? 
// jl loop_start\n }\n\n // https://github.com/hackedteam/core-win32/blob/8eb1326959fcb5c727513b59b86386dae7463683/DynamiCall/dynamic_import.cpp#L383\n $func_load_library_loop_64 = {\n 49 8B CE // mov rcx, r14\n FF 15 ?? ?? ?? ?? // call qword [rel LoadLibraryA]\n 48 8B E8 // mov rbp, rax\n 48 85 C0 // test rax, rax\n 75 ?? // jne inc_esi\n 8D 48 64 // lea ecx, [rax+0x64]\n FF 15 ?? ?? ?? ?? // call qword [rel Sleep]\n FF C6 // inc esi\n 48 85 ED // test rbp, rbp\n 75 ?? // jne get_process_address_loop_start\n 83 FE 04 // cmp esi, 0x4\n 7C ?? // jl loop_start\n }\n\n // https://github.com/hackedteam/core-win32/blob/8eb1326959fcb5c727513b59b86386dae7463683/DynamiCall/dynamic_import.cpp#L393\n $func_get_process_address_loop_64 = {\n 49 8B D7 // mov rdx, r15\n 48 8B CD // mov rcx, rbp\n FF 15 ?? ?? ?? ?? // call qword [rel GetProcAddress]\n 48 8B F0 // mov rsi, rax\n 48 85 C0 // test rax, rax\n 75 ?? // jne inc_edi\n 8D 48 64 // lea ecx, [rax+0x64]\n FF 15 ?? ?? ?? ?? // call qword [rel Sleep]\n FF C7 // inc edi\n 48 85 F6 // test rsi, rsi\n 75 ?? // jne loop_success\n 83 FF 04 // cmp edi, 0x4\n 7C ?? // jl loop_start\n }\n\n // https://github.com/hackedteam/core-win32/blob/8eb1326959fcb5c727513b59b86386dae7463683/DynamiCall/dynamic_import.cpp#L356\n $func_shift_by_1 = {\n FE ?? // dec byte [???]\n 80 7? 01 00 // cmp byte [???+0x1], 0x0\n [0-1] 8D 4? 01 // lea ???, [???+0x1]\n 75 ?? 
// jne shift_start\n }\n\n condition:\n uint16(0) == 0x5a4d and ((3 of ($func_*)) or (6 of ($str_obf_call_*)))\n}\n", "rule_count": 1, "rule_names": [ "hackedteam_dynamicall" ], "rule_creation_date": "2024-10-15", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.DynamiCall" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hacktool_adget_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581938Z", "creation_date": "2026-03-23T11:46:25.581940Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581946Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/" ], "name": "hacktool_adget.yar", "content": "rule hacktool_adget {\n meta:\n title = \"ADGet HackTool\"\n id = \"3d1eb446-8943-4926-9865-b6bc70088de3\"\n description = \"Detects the ADGet HackTool.\\nADGet is a tool used for collecting information from Active Directory. 
Attackers may misuse it during reconnaissance to gather data.\\nIt is recommended to verify the tool's legitimate use and review the parent process for execution context.\"\n references = \"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\"\n date = \"2023-04-06\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087.002;attack.t1482;attack.t1069.002;attack.t1018;attack.t1016\"\n classification = \"Windows.HackTool.ADGet\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fc4da07183de876a2b8ed1b35ec1e2657400da9d99a313452162399c519dbfc6\n\n $s1 = \" is not specified\" fullword ascii\n $s2 = \"AdGet [OPTIONS]\" ascii\n $s3 = \"{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\" fullword ascii\n $s4 = \"Error: ldap_get_option(LDAP_OPT_HOST_NAME) failed with code:\" fullword ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "hacktool_adget" ], "rule_creation_date": "2023-04-06", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.ADGet" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1016", "attack.t1087.002", "attack.t1018", "attack.t1482", "attack.t1069.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hacktool_gost_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { 
"id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576976Z", "creation_date": "2026-03-23T11:46:25.576978Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576984Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/go-gost\nhttps://github.com/ginuerzh/gost\nhttps://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/\nhttps://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/" ], "name": "hacktool_gost.yar", "content": "rule hacktool_gost {\n meta:\n title = \"GOST HackTool\"\n id = \"73015caa-a681-4c00-9ff4-645fadce86f1\"\n description = \"Detects the execution of GOST (GO Simple Tunnel), a Go-based tunneling tool designed to establish network tunnels.\\nGOST can be used by adversaries to create reverse network tunnels to a command-and-control (C2) server, enabling communication between the infected system and the attacker.\\nIt is recommended to investigate the process and its network connections to determine its legitimacy.\"\n references = \"https://github.com/go-gost\\nhttps://github.com/ginuerzh/gost\\nhttps://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/\\nhttps://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\"\n date = \"2024-09-19\"\n modified = \"2025-06-25\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087.002;attack.t1482;attack.t1069.002;attack.t1018;attack.t1016\"\n classification = \"HackTool.GOST\"\n context = 
\"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 772b257f1b08e86512180dc79d6d8f349137255b38c8825c0bd202bd40f0780b\n // 448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c\n // aa2b80e886c4f93400f919ea0e15392cd2cb3d44320b1440cfbace17b3d2c673\n // 08647765735ed01360a42d314b5e322ce38be7ae93f3c6031d26349f1f764856\n // ff675dc2bdf3c8db01cbf657d3b1b4ac64b1a0cbe178ca334f5e65700341c969\n\n // https://github.com/ginuerzh/gost\n $ginuerzh_1 = \"[socks5] mbind %s <- %s : %s\" ascii\n $ginuerzh_2 = \"[socks5-udp] read %d UNEXPECTED TCP data from client\" ascii\n $ginuerzh_3 = \"[socks5-udp] %s >>> %s length: %d\" ascii\n $ginuerzh_4 = \"[dns] %s - %s request unpack: %v\" ascii\n $ginuerzh_5 = \"[dns] %s - %s exchange: %v\" ascii\n $ginuerzh_6 = \"gost %s (%s %s/%s)\" ascii\n $ginuerzh_7 = \"github.com/ginuerzh/gost.(*tcpRemoteForwardHandler).Init\" ascii\n $ginuerzh_8 = \"github.com/ginuerzh/gost.tlsConfigQUICALPN\" ascii\n $ginuerzh_9 = \"github.com/ginuerzh/gost.(*socks5Handler).handleMuxBind\" ascii\n\n // https://github.com/go-gost\n $gost_1 = \"bind on %s/%s OK\" ascii\n $gost_2 = \"connection pool: size=%d, idle=%d\" ascii\n $gost_3 = \"%s >-< %s\" ascii\n $gost_4 = \"_GOST_ID=%d\" ascii\n $gost_5 = \"gost %s (%s %s/%s)\" ascii\n $gost_6 = \"github.com/go-gost/core/metadata/util.GetStrings\" ascii\n $gost_7 = \"github.com/go-gost/x/config.(*Config).Load\" ascii\n $gost_8 = \"github.com/go-gost/x/internal/loader.HTTPLoader\" ascii\n\n condition:\n 5 of ($ginuerzh_*) or 5 of ($gost_*)\n}\n", "rule_count": 1, "rule_names": [ "hacktool_gost" ], "rule_creation_date": "2024-09-19", "rule_modified_date": "2025-06-25", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.GOST" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1016", "attack.t1087.002", "attack.t1018", "attack.t1482", 
"attack.t1069.002" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hadesldr_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582063Z", "creation_date": "2026-03-23T11:46:25.582065Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582070Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://labs.cognisys.group/posts/Combining-Indirect-Dynamic-Syscalls-and-API-Hashing/\nhttps://github.com/CognisysGroup/HadesLdr" ], "name": "hadesldr.yar", "content": "rule hadesldr {\n meta:\n title = \"HadesLdr HackTool\"\n id = \"6b60f433-1e9f-4fd7-9852-7feb3d90d13b\"\n description = \"Detects the HadesLdr HackTool, a shellcode loader implementing indirect syscalls and API hashing.\\nHadesLdr is a sophisticated shellcode loader designed to execute malicious payloads on Windows systems. 
It uses indirect syscalls and API hashing to bypass traditional EDR detection mechanisms, making it difficult to identify and block.\"\n references = \"https://labs.cognisys.group/posts/Combining-Indirect-Dynamic-Syscalls-and-API-Hashing/\\nhttps://github.com/CognisysGroup/HadesLdr\"\n date = \"2023-07-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.HackTool.HadesLdr\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 08abeb5a9b78f61a3f43b6ed09792e048c81f31fa4d4e9da62ebdd14ffbf4137\n\n $string1 = \"Missing argument for -k/--key\" fullword ascii\n $string2 = \"-c / --cipher for cipher\" ascii\n $string3 = \"[-] Failed in retrieving shellcode (%u)\" fullword ascii\n $string4 = \"[-] Failed in sysNtProtectVirtualMemory (%u)\" fullword ascii\n $string5 = \"[+] Finished !!!\" fullword ascii\n\n $syscall = {\n // sub_140002500 proc near\n 66 89 0D ?? ?? ?? 00 // mov cs:word_140006000, cx\n C3 // retn\n // sub_140002500 endp\n\n // sub_140002508 proc near\n 48 89 0D ?? ?? ?? 00 // mov cs:qword_140006002, rcx\n C3 // retn\n // sub_140002508 endp\n\n // sub_140002510 proc near\n 4C 8B D1 // mov r10, rcx\n 66 8B 05 ?? ?? ?? 00 // mov ax, cs:word_140006000\n FF 25 ?? ?? ?? 00 // jmp cs:qword_140006002\n C3 // retn\n // sub_140002510 endp\n\n // sub_140002521 proc near\n 4C 8B D1 // mov r10, rcx\n 66 8B 05 ?? ?? ?? 00 // mov ax, cs:word_140006000\n FF 25 ?? ?? ?? 00 // jmp cs:qword_140006002\n C3 // retn\n // sub_140002521 endp\n\n // sub_140002532 proc near\n 4C 8B D1 // mov r10, rcx\n 66 8B 05 ?? ?? ?? 00 // mov ax, cs:word_140006000\n FF 25 ?? ?? ?? 00 // jmp cs:qword_140006002\n C3 // retn\n // sub_140002532 endp\n\n // sub_140002543 proc near\n 4C 8B D1 // mov r10, rcx\n 66 8B 05 ?? ?? ?? 00 // mov ax, cs:word_140006000\n FF 25 ?? ?? ?? 
00 // jmp cs:qword_140006002\n C3 // retn\n // sub_140002543 endp\n }\n\n condition:\n all of ($string*) or $syscall\n}\n", "rule_count": 1, "rule_names": [ "hadesldr" ], "rule_creation_date": "2023-07-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.HadesLdr" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-handlekatz_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568099Z", "creation_date": "2026-03-23T11:46:25.568101Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568108Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/codewhitesec/HandleKatz/" ], "name": "handlekatz.yar", "content": "rule handlekatz_hacktool {\n meta:\n title = \"HandleKatz HackTool\"\n id = \"71105a8b-5f6b-4023-a021-c8fe7166067c\"\n description = \"Detects HandleKatz, a Position Independent Code (PIC) tool similar to Mimikatz, designed to extract NTLM hashes from memory.\\nIt is often used by attackers to compromise 
credentials and maintain persistence on a compromised system.\"\n references = \"https://github.com/codewhitesec/HandleKatz/\"\n date = \"2023-08-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.Handlekatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b4d86911f9f86bbf968a55ab552ad88bc1d97da6d856ef45a9411244a828a050\n // bd269ebf41afadfbf4753aed259d20e86c58befaa567ef28219e6127df0983af\n // 65d7870b8422608ce8b9ac04e4f8b4592811de0a92a06e7a5953102938fb0c1d\n // b5e3b38ee7b3096fdc5872ac43dcbe300bbc9178c7219fef486e32fb69372d80\n // 6797c4662bb655383e8e9f9c5d0cfca54d3fcf7ec5c68a19448b56e9957b4547\n\n $canary = \"d83fbc58e09de3a715f50f1c69b2721fab20b8b99e822dd88aad2b925453f3ab\"\n\n $string_loader_1 = \"[*] HandleKatz return value: %d\" ascii fullword\n $string_loader_2 = \"[*] HandleKatz output:\" ascii fullword\n $string_loader_3 = \"[*] Recon only: %d\" ascii fullword\n $string_loader_4 = \"[*] Path dmp: %s\" ascii fullword\n $string_loader_5 = \"[*] Pid to clone from: %d\" ascii fullword\n\n $args = {\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 45 30 // mov rax, [rbp+arg_20]\n 48 01 D0 // add rax, rdx\n 48 8B 00 // mov rax, [rax]\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aOutfile\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? 00 00 // call strstr\n 48 85 C0 // test rax, rax\n 74 ?? // jz short loc_40188D\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 45 30 // mov rax, [rbp+arg_20]\n 48 01 D0 // add rax, rdx\n 48 8B 00 // mov rax, [rax]\n BA 3A 00 00 00 // mov edx, 3Ah\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? 
00 00 // call strchr\n }\n\n condition:\n (3 of ($string_loader_*) or $args) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "handlekatz_hacktool" ], "rule_creation_date": "2023-08-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Handlekatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-havoc_demon_4da5d0d28050_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581270Z", "creation_date": "2026-03-23T11:46:25.581272Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581277Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/HavocFramework/Havoc" ], "name": "havoc_demon_4da5d0d28050.yar", "content": "rule havoc_demon_4da5d0d28050 {\n meta:\n title = \"Havoc Demon Implant (4da5d0d28050)\"\n id = \"afe1a39b-e438-4338-aa4d-4da5d0d28050\"\n description = \"Detects the Havoc demon implant for x64.\\nHavoc Demon is a component of the Havoc framework used for post-exploitation activities.\\nIt 
establishes command and control communication and is often used in persistence mechanisms.\\nThis implant is part of a modular framework that allows attackers to maintain persistence and execute arbitrary commands on compromised systems.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/HavocFramework/Havoc\"\n date = \"2022-10-21\"\n modified = \"2025-06-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Windows.Framework.Havoc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9aab17c41552d3739f5a7f51462eeea1633fe73ea485f38a0cc762b51bf4ffd5\n // 0774865bd15bc87d73fa119dd92d4bfb3cc9256d999bc243aa33be5614450631\n // a08a994b0febbf5b8f7914e769e81b79ad1b7aff166b49c413131a5ecf2a595e\n // d25a754f5c1c783ff7eee78686497f1ecfc9746780b56a936463f99adabcce9d\n\n // HashStringA\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/core/MiniStd.c#L100\n $x_hash_string_v1 = {\n B8 05 15 00 00 // mov eax, 1505h\n // loc_140009815:\n 0F BE 11 // movsx edx, byte ptr [rcx]\n 48 FF C1 // inc rcx\n 84 D2 // test dl, dl\n (\n 74 07 // jz short locret_140009826\n 6B C0 21 // imul eax, 21h ; '!'\n 01 D0 // add eax, edx\n EB EF // jmp short loc_140009815\n |\n 74 0E // jz short locret_140009C2D\n 41 89 C0 // mov r8d, eax\n 41 C1 E0 05 // shl r8d, 5\n 44 01 C2 // add edx, r8d\n 01 D0 // add eax, edx\n EB E8 // jmp short loc_140009C15\n )\n // locret_140009826:\n C3 // retn\n }\n\n // GetPeArch\n // 
https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/inject/InjectUtil.c#L72\n $x_get_arch = {\n 31 C0 // xor eax, eax\n 48 85 C9 // test rcx, rcx\n 74 20 // jz short locret_14000B0B7\n 48 63 41 3C // movsxd rax, dword ptr [rcx+3Ch]\n 8B 54 01 18 // mov edx, [rcx+rax+18h]\n B8 01 00 00 00 // mov eax, 1\n 66 81 FA 0B 01 // cmp dx, 10Bh\n 74 0C // jz short locret_14000B0B7\n 31 C0 // xor eax, eax\n 66 81 FA 0B 02 // cmp dx, 20Bh\n 0F 94 C0 // setz al\n 01 C0 // add eax, eax\n\n // locret_14000B0B7:\n C3 // retn\n }\n\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/asm/Spoof.x64.asm\n $x_spoof = {\n 41 5B // pop r11\n 48 83 C4 08 // add rsp, 8\n 48 8B 44 24 18 // mov rax, [rsp-10h+arg_20]\n 4C 8B 10 // mov r10, [rax]\n 4C 89 14 24 // mov [rsp-10h+arg_8], r10\n 4C 8B 50 08 // mov r10, [rax+8]\n 4C 89 58 08 // mov [rax+8], r11\n 48 89 58 10 // mov [rax+10h], rbx\n 48 8D 1D 09 00 00 00 // lea rbx, sub_A2D\n 48 89 18 // mov [rax], rbx\n 48 89 C3 // mov rbx, rax\n 41 FF E2 // jmp r10\n }\n\n // GetReflectiveLoaderOffset\n // if ( HashStringA( FunctionName ) == 0xa6caa1c5 || HashStringA( FunctionName ) == 0xffe885ef )\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/inject/InjectUtil.c#L56\n $get_reflective_offset1 = { C5 A1 CA A6 } // ReflectiveLoader\n $get_reflective_offset2 = { EF 85 E8 FF } // KaynLoader\n\n $string1 = \"amsi.dllATVSH\" ascii fullword\n $string2 = \"X-Havoc: true\" ascii fullword\n $string3 = \"X-Havoc-Agent: Demon\" ascii fullword\n $string4 = \"/text.gif\" ascii fullword\n $string5 = \"POST\" wide fullword\n $string6 = \"\\\\??\\\\C:\\\\Windows\\\\System32\\\\ntdll.dll\" wide fullword\n\n condition:\n 5 of ($string*) or\n 2 of ($x_*) or\n (\n all of ($get_reflective_offset*) and\n 1 of ($x_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "havoc_demon_4da5d0d28050" ], "rule_creation_date": "2022-10-21", "rule_modified_date": "2025-06-05", "rule_os": [ "windows" ], "rule_classifications": 
[ "Windows.Framework.Havoc" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-havoc_demon_cec16602e311_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581240Z", "creation_date": "2026-03-23T11:46:25.581242Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581248Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/HavocFramework/Havoc" ], "name": "havoc_demon_cec16602e311.yar", "content": "rule havoc_demon_cec16602e311 {\n meta:\n title = \"Havoc Demon Implant (cec16602e311)\"\n id = \"32ccc95c-2387-45a1-8e4d-cec16602e311\"\n description = \"Detects the Havoc demon implant for x86.\\nHavoc Demon is a component of the Havoc framework used for post-exploitation activities.\\nIt establishes command and control communication and is often used in persistence mechanisms.\\nThis implant is part of a modular framework that allows 
attackers to maintain persistence and execute arbitrary commands on compromised systems.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/HavocFramework/Havoc\"\n date = \"2025-05-22\"\n modified = \"2025-06-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Windows.Framework.Havoc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a64aaa7c96a1a73f521c2d3ade1a3a492840eb7fccc4d3623a26467b40356c3e\n\n // HashStringA\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/core/MiniStd.c#L100\n $x_hash_string = {\n B8 05 15 00 00 // mov eax, 1505h\n 89 E5 // mov ebp, esp\n 8B 4D 08 // mov ecx, [ebp+arg_0]\n // loc_AE56:\n 0F BE 11 // movsx edx, byte ptr [ecx]\n 41 // inc ecx\n 84 D2 // test dl, dl\n 74 07 // jz short loc_AE65\n 6B C0 21 // imul eax, 21h ; '!'\n 01 D0 // add eax, edx\n EB F1 // jmp short loc_AE56\n // loc_AE65:\n 5D // pop ebp\n C3 // retn\n }\n\n // GetPeArch\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/inject/InjectUtil.c#L72\n $x_get_arch = {\n 55 // push ebp\n 31 C0 // xor eax, eax\n 89 E5 // mov ebp, esp\n 8B 55 08 // mov edx, [ebp+arg_0]\n 85 D2 // test edx, edx\n 74 1F // jz short loc_A706\n 8B 42 3C // mov eax, [edx+3Ch]\n 8B 54 02 18 // mov edx, [edx+eax+18h]\n B8 01 00 00 00 // mov eax, 1\n 66 81 FA 0B 01 // cmp dx, 10Bh\n 74 0C // jz short loc_A706\n 31 C0 // xor eax, eax\n 66 81 FA 0B 02 // cmp dx, 20Bh\n 0F 94 C0 // setz al\n 01 C0 // add 
eax, eax\n\n // loc_A706:\n 5D // pop ebp\n C3 // retn\n }\n\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/asm/Syscall.x86.asm\n $x_syscall = {\n // sub_7FF\n 8B 54 24 04 // mov edx, [esp+arg_0]\n C3 // retn\n\n // sub_804\n 8B 1A // mov ebx, [edx]\n 8B 42 04 // mov eax, [edx+4]\n 89 E2 // mov edx, esp\n 83 EA 04 // sub edx, 4\n FF D3 // call ebx\n C3 // retn\n\n // sub_811\n 64 A1 C0 00 00 00 // mov eax, fs:dword_C0\n 85 C0 // test eax, eax\n 75 06 // jnz short loc_821\n B8 00 00 00 00 // mov eax, 0\n C3 // retn\n // loc_821:\n B8 01 00 00 00 // mov eax, 1\n C3 // retn\n }\n\n // GetReflectiveLoaderOffset\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Demon/src/inject/InjectUtil.c#L56\n // if ( HashStringA( FunctionName ) == 0xa6caa1c5 || HashStringA( FunctionName ) == 0xffe885ef )\n $get_reflective_offset1 = { C5 A1 CA A6 } // ReflectiveLoader\n $get_reflective_offset2 = { EF 85 E8 FF } // KaynLoader\n\n condition:\n 2 of ($x_*) or\n (\n all of ($get_reflective_offset*) and\n 1 of ($x_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "havoc_demon_cec16602e311" ], "rule_creation_date": "2025-05-22", "rule_modified_date": "2025-06-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Havoc" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-havoc_shellcode_812d26fe9030_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575989Z", "creation_date": "2026-03-23T11:46:25.575991Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575997Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/HavocFramework/Havoc" ], "name": "havoc_shellcode_812d26fe9030.yar", "content": "rule havoc_shellcode_812d26fe9030 {\n meta:\n title = \"Havoc Shellcode Implant (812d26fe9030)\"\n id = \"965e6a1e-c5c8-479f-bb92-812d26fe9030\"\n description = \"Detects the Havoc shellcode implant for x64.\\nHavoc Demon is a component of the Havoc framework used for post-exploitation activities.\\nIt establishes command and control communication and is often used in persistence mechanisms.\\nThis implant is part of a modular framework that allows attackers to maintain persistence and execute arbitrary commands on compromised systems.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/HavocFramework/Havoc\"\n date = \"2022-10-21\"\n modified = \"2025-06-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Windows.Framework.Havoc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5e2f5d13f7eaf0d1f651b3836f405f7fd230eb42491ff741071daf84583acb16\n\n $start = {\n 56 // push rsi\n 48 89 E6 // mov rsi, rsp\n 48 83 E4 F0 // and rsp, 0FFFFFFFFFFFFFFF0h\n 48 83 EC 20 // sub rsp, 20h\n E8 0F 00 00 00 // call Entry\n 48 89 F4 // mov rsp, rsi\n 5E // pop rsi\n C3 // retn\n }\n\n // KaynCaller\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Shellcode/Source/Asm/x64/Asm.s\n $kayn_caller = {\n E8 00 00 00 00 // call $+5\n // loc_345:\n 59 // pop rcx\n // loc_346:\n 48 31 DB // xor rbx, rbx\n BB 4D 5A 00 00 // mov ebx, 5A4Dh\n 48 FF C1 // inc rcx\n (66 3B 19 | 3E 66 3B 19) // cmp bx, [rcx]\n (75 F0 | 75 EF) // jnz short loc_346\n 48 31 C0 // xor rax, rax\n 66 8B 41 3C // mov ax, [rcx+3Ch]\n 48 01 C8 // add rax, rcx\n 48 31 DB // xor rbx, rbx\n 66 81 C3 50 45 // add bx, 4550h\n (66 3B 18 | 3E 66 3B 18) // cmp bx, [rax]\n (75 D9 | 75 D7) // jnz short loc_346\n 48 89 C8 // mov rax, rcx\n C3 // retn\n }\n\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Shellcode/Include/Core.h\n $s1 = {53 17 E6 70} // NTDLL_HASH\n $s2 = {43 6A 45 9E} // SYS_LDRLOADDLL\n $s3 = {EC B8 83 F7} // SYS_NTALLOCATEVIRTUALMEMORY\n $s4 = {88 28 E9 50} // SYS_NTPROTECTEDVIRTUALMEMORY\n\n condition:\n $start and $kayn_caller and all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "havoc_shellcode_812d26fe9030" ], 
"rule_creation_date": "2022-10-21", "rule_modified_date": "2025-06-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Havoc" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-havoc_shellcode_dbb1510674d0_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567539Z", "creation_date": "2026-03-23T11:46:25.567541Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567547Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/HavocFramework/Havoc" ], "name": "havoc_shellcode_dbb1510674d0.yar", "content": "rule havoc_shellcode_dbb1510674d0 {\n meta:\n title = \"Havoc Shellcode Implant (dbb1510674d0)\"\n id = \"dc5e4119-2611-4564-9ef6-dbb1510674d0\"\n description = \"Detects the Havoc shellcode implant for x86.\\nHavoc Demon is a component of the Havoc framework used for post-exploitation activities.\\nIt establishes 
command and control communication and is often used in persistence mechanisms.\\nThis implant is part of a modular framework that allows attackers to maintain persistence and execute arbitrary commands on compromised systems.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/HavocFramework/Havoc\"\n date = \"2025-05-22\"\n modified = \"2025-06-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Windows.Framework.Havoc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a64aaa7c96a1a73f521c2d3ade1a3a492840eb7fccc4d3623a26467b40356c3e\n\n $start = {\n 56 // push esi\n 89 E6 // mov esi, esp\n 83 E4 F0 // and esp, 0FFFFFFF0h\n 83 EC 20 // sub esp, 20h\n E8 06 00 00 00 // call Entry\n 89 F4 // mov esp, esi\n 5E // pop esi\n C3 // retn\n }\n\n // KaynCaller\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Shellcode/Source/Asm/x86/Asm.s\n $kayn_caller = {\n E8 00 00 00 00 // call $+5\n // loc_375:\n 59 // pop ecx\n // loc_376:\n 31 DB // xor ebx, ebx\n BB 4D 5A 00 00 // mov ebx, 5A4Dh\n 41 // inc ecx\n 66 3B 19 // cmp bx, [ecx]\n 75 F3 // jnz short loc_376\n 31 C0 // xor eax, eax\n 66 8B 41 3C // mov ax, [ecx+3Ch]\n 01 C8 // add eax, ecx\n 31 DB // xor ebx, ebx\n 66 81 C3 50 45 // add bx, 4550h\n 66 3B 18 // cmp bx, [eax]\n 75 DF // jnz short loc_376\n 89 C8 // mov eax, ecx\n C3 // retn\n }\n\n // https://github.com/HavocFramework/Havoc/blob/main/payloads/Shellcode/Include/Core.h\n $s1 = {53 17 E6 70} // 
NTDLL_HASH\n $s2 = {43 6A 45 9E} // SYS_LDRLOADDLL\n $s3 = {EC B8 83 F7} // SYS_NTALLOCATEVIRTUALMEMORY\n $s4 = {88 28 E9 50} // SYS_NTPROTECTEDVIRTUALMEMORY\n\n condition:\n $start and $kayn_caller and all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "havoc_shellcode_dbb1510674d0" ], "rule_creation_date": "2025-05-22", "rule_modified_date": "2025-06-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Havoc" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hellsgate_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563870Z", "creation_date": "2026-03-23T11:46:25.563887Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563892Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf\nhttps://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/" ], "name": "hellsgate.yar", "content": "rule hellsgate {\n meta:\n title = \"Hell's Gate Technique\"\n id = \"548ea86e-c89c-43b5-b73d-1aa748959fc4\"\n description = \"Detects the Hell's Gate Technique used to bypass user-mode hooking in EDRs.\\nHell's Gate is a technique designed to bypass user-mode hooking mechanisms employed by security tools like EDRs. It achieves this by utilizing direct syscalls to avoid detection by user-mode hooks. This technique allows malicious actors to execute code and communicate with command-and-control servers without being intercepted by traditional hooking mechanisms.\\nIt is recommended to analyze the process for potential malicious content, either within the binary itself or within the process' memory space.\"\n references = \"https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf\\nhttps://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/\"\n date = \"2023-06-30\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.HellsGate\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0b39e3f681917ea74ea212ee263f03e80636d053e6024da4785238eb6edcc540\n // 6fb8c0ceb16c7dc09a8a842cb07360c1619e8f787f69ab035c948c2d674bf1f2\n // 2172ea7a87830a82d1608e0f795122900e094f9eab9291299c64cb24f6dfcc05\n // 8c961f2e751ba13ae357f7a78e44d1e4ebd8965b7e97a61c150dc22ed29e5fc9\n // 4ece1fdacc7a45007fd1b41686caab90853a47f4b43d25170dbf86d946943dff\n // b2ec0322936623af316fe1c2d00373cf2c87b20bb93d221f533e9500bba4b39c\n\n $ntdll1 = { 9B B8 A6 80 34 37 BD F5 } // NtAllocateVirtualMemory\n $ntdll2 = { 5F 01 C5 88 B2 7D DC 64 } // NtCreateThreadEx\n $ntdll3 = { 37 6A FB 46 10 CB 8B 85 } // 
NtProtectVirtualMemory\n $ntdll4 = { CB 1B 55 4E 17 FA A2 C6 } // NtWaitForSingleObject\n\n // djb2 Hashing\n $djb2 = { 77 34 77 34 77 34 77 }\n\n // https://github.com/am0nsec/HellsGate\n $syscall1 = {\n // sub_1400020B0 proc near\n C7 05 ?? ?? ?? 00 00 00 00 00 // mov cs:dword_140005000, 0\n 89 0D ?? ?? ?? 00 // mov cs:dword_140005000, ecx\n C3 // retn\n // sub_1400020B0 endp\n\n // sub_1400020C1 proc near\n 4C 8B D1 // mov r10, rcx\n 8B 05 ?? ?? ?? 00 // mov eax, cs:dword_140005000\n 0F 05 // syscall\n C3 // retn\n // sub_1400020C1 endp\n }\n\n // https://github.com/trickster0/TartarusGate\n $syscall2 = {\n // sub_140002AD0 proc near\n 90 // nop\n C7 05 ?? ?? ?? 00 00 00 00 00 // mov cs:dword_140004010, 0\n 90 // nop\n 89 0D ?? ?? ?? 00 // mov cs:dword_140004010, ecx\n 90 // nop\n C3 // retn\n // sub_140002AD0 endp\n\n // sub_140002AE4 proc near\n 90 // nop\n 48 8B C1 // mov rax, rcx\n 90 // nop\n 4C 8B D0 // mov r10, rax\n 90 // nop\n 8B 05 ?? ?? ?? 00 // mov eax, cs:dword_140004010\n 90 // nop\n 0F 05 // syscall ; Low latency system call\n C3 // retn\n // sub_140002AE4 endp\n }\n\n // https://github.com/Y3A/someredthings/tree/main/charons_ferry\n $syscall3 = {\n // sub_140001970 proc near\n C7 05 ?? ?? ?? 00 00 00 00 00 // mov cs:dword_140005000, 0\n 89 0D ?? ?? ?? 00 // mov cs:dword_140005000, ecx\n C3 // retn\n //sub_140001970 endp\n\n // sub_140001981 proc near\n 48 C7 ?? ?? ?? 00 00 00 00 00 00 // mov cs:qword_140005004, 0\n 48 89 ?? ?? ?? 00 00 // mov cs:qword_140005004, rcx\n C3 // retn\n // sub_140001981 endp\n\n // sub_140001994 proc near\n 4C 8B D1 // mov r10, rcx\n 8B 05 ?? ?? ?? 00 // mov eax, cs:dword_140005000\n FF 35 ?? ?? ?? 00 // push cs:qword_140005004\n C3 // retn\n // sub_140001994 endp\n }\n\n // https://github.com/emredavut/RAVEN/\n $syscall4 = {\n // sub_140002AD0 proc near\n 48 33 D2 // xor rdx, rdx\n 8B D1 // mov edx, ecx\n 83 E8 04 // sub eax, 4\n C7 05 ?? ?? ?? 
00 00 00 00 00 // mov cs:dword_140004010, 0\n 83 C0 04 // add eax, 4\n 89 15 ?? ?? ?? 00 // mov cs:dword_140004010, edx\n 33 C0 // xor eax, eax\n C3 // retn\n // sub_140002AD0 endp\n\n // sub_140002AEE proc near\n 48 83 C2 52 // add rdx, 52h\n 4C 8B D1 // mov r10, rcx\n 49 83 C1 1F // add r9, 1Fh\n 8B 05 ?? ?? ?? 00 // mov eax, cs:dword_140004010\n 48 83 EA 52 // sub rdx, 52h\n 49 83 E9 1F // sub r9, 1Fh\n 0F 05 // syscall\n 49 83 C2 03 // add r10, 3\n 49 83 EA 03 // sub r10, 3\n C3 // retn\n // sub_140002AEE endp\n }\n\n // https://github.com/MalwareApiLib/MalwareApiLibrary\n $syscall5 = {\n // sub_140002AD0 proc near\n C7 05 ?? ?? ?? 00 00 00 00 00 // mov cs:dword_140004010, 0\n 89 0D ?? ?? ?? 00 // mov cs:dword_140004010, ecx\n C3 // retn\n // sub_140002AD0 endp\n\n // sub_140002AE1 proc near\n 48 8B C1 // mov rax, rcx\n 4C 8B D0 // mov r10, rax\n 8B 05 ?? ?? ?? 00 // mov eax, cs:dword_140004010\n 0F 05 // syscall\n C3 // retn\n // sub_140002AE1 endp\n }\n\n $syscall_finder_1 = {\n 3C C3 // cmp al, 0C3h\n 74 ?? // jz short loc_140003448\n 3C 4C // cmp al, 4Ch ; 'L'\n 75 ?? // jnz short loc_1400033B0\n 80 7A 01 8B // cmp byte ptr [rdx+1], 8Bh\n 75 ?? // jnz short loc_1400033B0\n 80 7A 02 D1 // cmp byte ptr [rdx+2], 0D1h\n 75 ?? // jnz short loc_1400033B0\n 80 7A 03 B8 // cmp byte ptr [rdx+3], 0B8h\n 75 ?? // jnz short loc_1400033B0\n 80 7A 06 00 // cmp byte ptr [rdx+6], 0\n 75 ?? // jnz short loc_1400033B0\n 80 7A 07 00 // cmp byte ptr [rdx+7], 0\n 75 ?? // jnz short loc_1400033B0\n }\n\n $syscall_finder_2 = {\n (80 F9 4C | 83 F8 4C | 3D 4C 00 00 00) // cmp eax, 4Ch ; 'L' | cmp cl, 0x4c\n (0F 85 ?? ?? ?? ?? | 75 ??) // jnz loc_140011F2C | jne\n [0-21] // Move around variables\n (3D 8B 00 00 00 | 42 80 7C ?? ?? 8B) // cmp eax, 8Bh | cmp byte [rax+r8+0x1], 0x8b\n (0F 85 ?? ?? ?? ?? | 75 ??) // jnz loc_140011F2C | jne\n [0-21] // Move around variables\n (3D D1 00 00 00 | 42 80 7C ?? ?? D1) // cmp eax, 0D1h | cmp byte [rax+r8+0x2], 0xd1\n (0F 85 ?? ?? ?? ?? | 75 ??) 
// jnz loc_140011F2C | jne\n [0-21] // Move around variables\n (3D B8 00 00 00 | 42 80 7C ?? ?? B8) // cmp eax, 0B8h | cmp byte [rax+r8+0x3], 0xb8\n (0F 85 ?? ?? ?? ?? | 75 ??) // jnz loc_140011F2C | jne\n }\n\n // NEP2.dll Game Engine Protector\n // 9716148baf2a1bdf3ec32a139edd26507ff1a8bd714fa4a70ff3f8bce4611762\n $exclusion_nep2_1 = \"NEP_StartScan\" ascii fullword\n $exclusion_nep2_2 = \"NEP2.dll\" ascii fullword\n $exclusion_nep2_3 = \"\\\\\\\\.\\\\NEPKernel\" wide fullword\n $exclusion_nep2_4 = \"StartEngineProtect\" wide fullword\n $exclusion_nep2_5 = \"nepgameengineprotector\" wide\n\n condition:\n ((all of ($ntdll*) and $djb2) or 1 of ($syscall*) or 1 of ($syscall_finder_*)) and not all of ($exclusion_nep2_*)\n}\n", "rule_count": 1, "rule_names": [ "hellsgate" ], "rule_creation_date": "2023-06-30", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.HellsGate" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hermetic_wizard_smb_spreader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574674Z", "creation_date": "2026-03-23T11:46:25.574676Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574681Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" ], "name": "hermetic_wizard_smb_spreader.yar", "content": "rule hermetic_wizard_smb_spreader {\n meta:\n title = \"HermeticWizard Worm romance.dll\"\n id = \"b1ae6529-fbc6-470c-a6e9-86f181cf28a5\"\n description = \"Detects the HermeticWizard worm malware involved in Ukraine cyberattacks in February 2022.\\nHermeticWizard is a destructive malware known for its data wiping and system sabotage capabilities. It is primarily targeted at Ukrainian systems and operates by leveraging obfuscated code and specific propagation techniques.\\nIt is recommended to isolate the affected system and conduct a thorough investigation to prevent further damage.\"\n references = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\"\n date = \"2022-03-14\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002;attack.lateral_movement;attack.t1570;attack.t1021.002\"\n classification = \"Windows.Worm.HermeticWizard\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48\n\n $s1 = \"romance.dll\" ascii\n $s2 = \"Hermetica Digital Ltd\" ascii\n $s3 = \"cmd /c start regsvr32 /s /i ..\\\\\" ascii\n $s4 = \"c%02X%02X%02X%02X%02X%02X\" wide\n $s5 = \" & start cmd /c \\\"ping localhost -n 7 & wevtutil cl System\\\"\" ascii\n $s6 = \"Qaz123\" wide\n $s7 = \"Qwerty123\" wide\n $s8 = \".dat\" ascii\n $s9 = \"{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}\" wide\n $s10 = \"IPC$\" ascii\n\n 
$smb_propagate_function = {\n 68 ?? ?? ?? ?? // push offset \"IPC$\"\n FF 76 04 // push dword ptr [esi + 4] // hostname\n 68 ?? ?? ?? ?? // push offset \"\\\\\\\\%s\\\\%s\"\n 57 // push edi // buffer\n E8 ?? ?? ?? ?? // call sprintf // sprintf(buffer, \"\\\\\\\\%s\\\\%s\", hostname, \"IPC$\");\n A1 60 F0 04 10 // mov eax, dword ptr [0x1004f060]\n 8B CE // mov ecx, esi\n 89 45 E0 // mov dword ptr [ebp - 0x20], eax\n 66 A1 64 F0 04 10 // mov ax, word ptr [0x1004f064]\n 66 89 45 E4 // mov word ptr [ebp - 0x1c], ax\n 8D 45 E0 // lea eax, [ebp - 0x20]\n 89 46 30 // mov dword ptr [esi + 0x30], eax\n 89 7E 2C // mov dword ptr [esi + 0x2c], edi\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 6A 12 // push 0x12\n 59 // pop ecx\n 3B C1 // cmp eax, ecx\n B8 34 02 00 00 // mov eax, 0x234\n 57 // push edi\n 0F 44 C1 // cmove eax, ecx\n 89 45 E8 // mov dword ptr [ebp - 0x18], eax\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 83 C4 14 // add esp, 0x14\n 33 C0 // xor eax, eax\n 89 46 2C // mov dword ptr [esi + 0x2c], eax\n 89 46 30 // mov dword ptr [esi + 0x30], eax\n 6A 12 // push 0x12\n 5F // pop edi\n 39 7D E8 // cmp dword ptr [ebp - 0x18], edi\n 0F 85 ?? ?? ?? ?? // jne 0xXXXXXX\n B2 01 // mov dl, 1\n 8B CE // mov ecx, esi\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 3B C7 // cmp eax, edi\n 0F 85 ?? ?? ?? ?? // jne 0xXXXXXX\n 8B CE // mov ecx, esi\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 8B CE // mov ecx, esi\n 8B F8 // mov edi, eax\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 33 C0 // xor eax, eax\n 6A 12 // push 0x12\n 66 89 46 10 // mov word ptr [esi + 0x10], ax\n 58 // pop eax\n 3B F8 // cmp edi, eax\n 0F 85 ?? ?? ?? ?? // jne 0xXXXXXX\n 8D 45 FC // lea eax, [ebp - 4]\n 50 // push eax\n FF 75 F0 // push dword ptr [ebp - 0x10]\n FF 75 F4 // push dword ptr [ebp - 0xc]\n 53 // push ebx\n 51 // push ecx\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX\n 83 C4 14 // add esp, 0x14\n 6A 12 // push 0x12\n 59 // pop ecx\n 3B C1 // cmp eax, ecx\n 0F 85 ?? ?? ?? ?? 
// jne 0xXXXXXX\n 8B 45 EC // mov eax, dword ptr [ebp - 0x14]\n 83 C0 5A // add eax, 0x5a\n 50 // push eax\n 6A 40 // push 0x40\n FF 15 ?? ?? ?? ?? // call LocalAlloc\n 8B F0 // mov esi, eax\n 85 F6 // test esi, esi\n 74 ?? // je 0xXX\n B9 20 EF 04 10 // mov ecx, 0x1004ef20\n 8B D6 // mov edx, esi\n 2B D1 // sub edx, ecx\n\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 500KB and all of ($s*) and $smb_propagate_function\n}\n", "rule_count": 1, "rule_names": [ "hermetic_wizard_smb_spreader" ], "rule_creation_date": "2022-03-14", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Worm.HermeticWizard" ], "rule_tactic_tags": [ "attack.impact", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1021.002", "attack.t1485", "attack.t1570", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hermetic_wizard_wmi_spreader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574705Z", "creation_date": "2026-03-23T11:46:25.574707Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574712Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" ], "name": "hermetic_wizard_wmi_spreader.yar", "content": "rule hermetic_wizard_wmi_spreader {\n meta:\n title = \"HermeticWizard Worm exec_x32.dll\"\n id = \"ec3e846d-9d19-4c4f-b290-cd0e9051e8ce\"\n description = \"Detects the HermeticWizard worm malware involved in Ukraine cyberattacks in February 2022.\\nHermeticWizard is a destructive malware known for its data wiping and system sabotage capabilities. It is primarily targeted at Ukrainian systems and operates by leveraging obfuscated code and specific propagation techniques.\\nIt is recommended to isolate the affected system and conduct a thorough investigation to prevent further damage.\"\n references = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\"\n date = \"2022-03-16\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002;attack.lateral_movement;attack.t1570;attack.t1021.006\"\n classification = \"Windows.Worm.HermeticWizard\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b\n\n $s1 = \"exec_x32.dll\" ascii\n $s2 = \"Hermetica Digital Ltd\" ascii\n\n $inlined_string_win32_process = {\n 6A 57 // push 0x57\n 58 // pop eax\n 6A 69 // push 0x69\n 66 89 85 6C FF FF FF // mov word ptr [ebp - 0x94], ax\n 58 // pop eax\n 6A 6E // push 0x6e\n 66 89 85 6E FF FF FF // mov word ptr [ebp - 0x92], ax\n 58 // pop eax\n 6A 33 // push 0x33\n 66 89 85 70 FF FF FF // mov word ptr [ebp - 0x90], ax\n 58 // pop eax\n 6A 32 // push 0x32\n 66 89 85 72 FF FF FF // mov word ptr [ebp - 0x8e], ax\n 58 // pop eax\n 6A 5F // push 0x5f\n 66 89 85 74 FF FF FF // mov word ptr [ebp - 0x8c], ax\n 58 // pop eax\n 6A 50 // push 0x50\n 66 89 85 76 FF 
FF FF // mov word ptr [ebp - 0x8a], ax\n 58 // pop eax\n 6A 72 // push 0x72\n 5A // pop edx\n 6A 6F // push 0x6f\n 59 // pop ecx\n 6A 63 // push 0x63\n 66 89 85 78 FF FF FF // mov word ptr [ebp - 0x88], ax\n 58 // pop eax\n 6A 65 // push 0x65\n 66 89 85 7E FF FF FF // mov word ptr [ebp - 0x82], ax\n 58 // pop eax\n 66 89 45 80 // mov word ptr [ebp - 0x80], ax\n 6A 73 // push 0x73\n 58 // pop eax\n 66 89 45 82 // mov word ptr [ebp - 0x7e], ax\n 66 89 45 84 // mov word ptr [ebp - 0x7c], ax\n 33 C0 // xor eax, eax\n 66 89 45 86 // mov word ptr [ebp - 0x7a], ax\n 8D 85 6C FF FF FF // lea eax, [ebp - 0x94]\n 50 // push eax\n 66 89 95 7A FF FF FF // mov word ptr [ebp - 0x86], dx\n 66 89 8D 7C FF FF FF // mov word ptr [ebp - 0x84], cx\n FF 15 ?? ?? ?? ?? // call SysAllocString // SysAllocString(\"Win32_Process\")\n }\n\n $inlined_string_create = {\n 6A 43 // push 0x43\n 58 // pop eax\n 6A 72 // push 0x72\n 66 89 45 B8 // mov word ptr [ebp - 0x48], ax\n 58 // pop eax\n 6A 65 // push 0x65\n 66 89 45 BA // mov word ptr [ebp - 0x46], ax\n 58 // pop eax\n 6A 61 // push 0x61\n 59 // pop ecx\n 66 89 45 BC // mov word ptr [ebp - 0x44], ax\n 66 89 45 C2 // mov word ptr [ebp - 0x3e], ax\n 33 C0 // xor eax, eax\n 6A 74 // push 0x74\n 66 89 4D BE // mov word ptr [ebp - 0x42], cx\n 59 // pop ecx\n 66 89 45 C4 // mov word ptr [ebp - 0x3c], ax\n 8D 45 B8 // lea eax, [ebp - 0x48]\n 50 // push eax\n 66 89 4D C0 // mov word ptr [ebp - 0x40], cx\n FF 15 ?? ?? ?? ?? 
// call SysAllocString // SysAllocString(\"Create\")\n }\n\n // \"C:\\\\Windows\\\\system32\\\\cmd.exe /c start C:\\\\Windows\\\\system32\\\\regsvr32.exe /s /i C:\\\\Windows\\\\%s.dll\"\n $inlined_string_propagation = {\n 59 // pop ecx\n 6A 6D // push 0x6d\n 58 // pop eax\n 6A 33 // push 0x33\n 66 89 85 F2 FE FF FF // mov word ptr [ebp - 0x10e], ax\n 58 // pop eax\n 6A 32 // push 0x32\n 66 89 85 F4 FE FF FF // mov word ptr [ebp - 0x10c], ax\n 58 // pop eax\n 6A 72 // push 0x72\n 66 89 95 D6 FE FF FF // mov word ptr [ebp - 0x12a], dx\n 66 89 95 E6 FE FF FF // mov word ptr [ebp - 0x11a], dx\n 66 89 95 F8 FE FF FF // mov word ptr [ebp - 0x108], dx\n 5A // pop edx\n 6A 67 // push 0x67\n 66 89 85 F6 FE FF FF // mov word ptr [ebp - 0x10a], ax\n 58 // pop eax\n 6A 73 // push 0x73\n 66 89 85 FE FE FF FF // mov word ptr [ebp - 0x102], ax\n 58 // pop eax\n 6A 76 // push 0x76\n 66 89 85 00 FF FF FF // mov word ptr [ebp - 0x100], ax\n 58 // pop eax\n 66 89 8D F0 FE FF FF // mov word ptr [ebp - 0x110], cx\n 66 89 95 FA FE FF FF // mov word ptr [ebp - 0x106], dx\n 66 89 8D FC FE FF FF // mov word ptr [ebp - 0x104], cx\n 66 89 85 02 FF FF FF // mov word ptr [ebp - 0xfe], ax\n 6A 33 // push 0x33\n 58 // pop eax\n 6A 32 // push 0x32\n 66 89 85 06 FF FF FF // mov word ptr [ebp - 0xfa], ax\n 58 // pop eax\n 6A 2E // push 0x2e\n 66 89 85 08 FF FF FF // mov word ptr [ebp - 0xf8], ax\n 58 // pop eax\n 6A 78 // push 0x78\n 66 89 85 0A FF FF FF // mov word ptr [ebp - 0xf6], ax\n 66 89 8D 0C FF FF FF // mov word ptr [ebp - 0xf4], cx\n 59 // pop ecx\n 6A 65 // push 0x65\n 58 // pop eax\n 6A 20 // push 0x20\n 66 89 85 10 FF FF FF // mov word ptr [ebp - 0xf0], ax\n 58 // pop eax\n 6A 2F // push 0x2f\n 66 89 95 04 FF FF FF // mov word ptr [ebp - 0xfc], dx\n 5A // pop edx\n 6A 73 // push 0x73\n 66 89 85 12 FF FF FF // mov word ptr [ebp - 0xee], ax\n 66 89 85 18 FF FF FF // mov word ptr [ebp - 0xe8], ax\n 66 89 85 1E FF FF FF // mov word ptr [ebp - 0xe2], ax\n 66 89 8D 0E FF FF FF // mov word 
ptr [ebp - 0xf2], cx\n 59 // pop ecx\n 6A 69 // push 0x69\n 66 89 95 14 FF FF FF // mov word ptr [ebp - 0xec], dx\n 66 89 95 1A FF FF FF // mov word ptr [ebp - 0xe6], dx\n 5A // pop edx\n 6A 43 // push 0x43\n 58 // pop eax\n 6A 3A // push 0x3a\n 66 89 85 20 FF FF FF // mov word ptr [ebp - 0xe0], ax\n 58 // pop eax\n 6A 5C // push 0x5c\n 66 89 85 22 FF FF FF // mov word ptr [ebp - 0xde], ax\n 66 89 95 1C FF FF FF // mov word ptr [ebp - 0xe4], dx\n 5A // pop edx\n 6A 57 // push 0x57\n 58 // pop eax\n 6A 69 // push 0x69\n 66 89 85 26 FF FF FF // mov word ptr [ebp - 0xda], ax\n 58 // pop eax\n 6A 6E // push 0x6e\n 66 89 85 28 FF FF FF // mov word ptr [ebp - 0xd8], ax\n 58 // pop eax\n 6A 64 // push 0x64\n 66 89 85 2A FF FF FF // mov word ptr [ebp - 0xd6], ax\n 58 // pop eax\n 6A 6F // push 0x6f\n 66 89 85 2C FF FF FF // mov word ptr [ebp - 0xd4], ax\n 58 // pop eax\n 6A 77 // push 0x77\n 66 89 85 2E FF FF FF // mov word ptr [ebp - 0xd2], ax\n 58 // pop eax\n 6A 25 // push 0x25\n 66 89 85 30 FF FF FF // mov word ptr [ebp - 0xd0], ax\n 58 // pop eax\n 6A 2E // push 0x2e\n 66 89 85 36 FF FF FF // mov word ptr [ebp - 0xca], ax\n 58 // pop eax\n 6A 64 // push 0x64\n 66 89 85 3A FF FF FF // mov word ptr [ebp - 0xc6], ax\n 58 // pop eax\n 66 89 85 3C FF FF FF // mov word ptr [ebp - 0xc4], ax\n 6A 6C // push 0x6c\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 200KB and all of ($s*) and 2 of ($inlined_string_*)\n}\n", "rule_count": 1, "rule_names": [ "hermetic_wizard_wmi_spreader" ], "rule_creation_date": "2022-03-16", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Worm.HermeticWizard" ], "rule_tactic_tags": [ "attack.impact", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1021.006", "attack.t1485", "attack.t1570", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-hermetic_wizard_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569153Z", "creation_date": "2026-03-23T11:46:25.569155Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569160Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" ], "name": "hermetic_wizard.yar", "content": "rule hermetic_wizard {\n meta:\n title = \"HermeticWizard Worm\"\n id = \"1d1e9c25-c5b0-4ab3-8750-6913a210ee5c\"\n description = \"Detects the HermeticWizard worm malware involved in Ukraine cyberattacks in February 2022.\\nHermeticWizard is a destructive malware known for its data wiping and system sabotage capabilities. 
It is primarily targeted at Ukrainian systems and operates by leveraging obfuscated code and specific propagation techniques.\\nIt is recommended to isolate the affected system and conduct a thorough investigation to prevent further damage.\"\n references = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\"\n date = \"2022-03-10\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002;attack.lateral_movement;attack.t1570;attack.t1021.002\"\n classification = \"Windows.Worm.HermeticWizard\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec\n\n $s1 = \"Wizard.dll\" ascii\n $s2 = \"Hermetica Digital Ltd\" ascii\n $s3 = \"\\\\rundll32.exe\" wide\n $s4 = \"\\\" #1\" wide\n $s5 = \".ocx\" wide\n\n // payload decryption loop (inplace)\n $payload_inplace_decryption_loop = {\n 53 // push ebx\n 8B D9 // mov ebx, ecx\n 56 // push esi\n 57 // push edi\n 8B 13 // mov edx, dword ptr [ebx]\n 8B 43 04 // mov eax, dword ptr [ebx + 4]\n 2B C2 // sub eax, edx\n C1 E8 02 // shr eax, 2\n 8D 72 FC // lea esi, [edx - 4]\n 8D 78 FF // lea edi, [eax - 1]\n 8D 34 86 // lea esi, [esi + eax*4]\n 85 FF // test edi, edi\n 7E 16 // jle function_epilogue\n 8B 16 // mov edx, dword ptr [esi]\n // decryption_loop:\n 8D 4E FC // lea ecx, [esi - 4]\n 8B 01 // mov eax, dword ptr [ecx]\n 33 C2 // xor eax, edx // decrypted_block[i] = encrypted_block[i] ^ encrypted_block[i - 1]\n 8B 11 // mov edx, dword ptr [ecx]\n 4F // dec edi\n 89 06 // mov dword ptr [esi], eax\n 8D 31 // lea esi, [ecx]\n 85 FF // test edi, edi\n 7F EE // jg decryption_loop\n 8B 13 // mov edx, dword ptr [ebx]\n // function_epilogue:\n 81 32 A3 B1 29 4A // xor dword ptr [edx], 0x4a29b1a3 // decrypted_block[0] = encrypted_block[0] ^ 0x4A29B1A3\n 5F // pop edi\n 5E 
// pop esi\n 5B // pop ebx\n C3 // ret\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 1MB and all of ($s*) and $payload_inplace_decryption_loop\n}\n", "rule_count": 1, "rule_names": [ "hermetic_wizard" ], "rule_creation_date": "2022-03-10", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Worm.HermeticWizard" ], "rule_tactic_tags": [ "attack.impact", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1021.002", "attack.t1485", "attack.t1570", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-herpaderping_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585471Z", "creation_date": "2026-03-23T11:46:25.585473Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585479Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/jxy-s/herpaderping\nhttps://attack.mitre.org/techniques/T1055/" ], "name": "herpaderping.yar", "content": "rule generic_process_herpaderping {\n meta:\n title = \"Generic Process Herpaderping Injection\"\n id = \"328c6813-3b63-4064-a03a-76827050f2c6\"\n description = \"Detects 
the stubs of function calls associated with the process herpaderping injection technique used to bypass security products.\\nHerpaderping is a process injection technique that creates malicious processes by manipulating legitimate system calls. This rule identifies specific patterns in function calls such as CreateFile, NtCreateSection, NtCreateProcessEx, and NtCreateThreadEx, which are commonly exploited by this technique. The detection focuses on the way these system calls are made and how they are used to inject malicious code into legitimate processes.\\nIt is recommended to review the process' creation details for any signs of unauthorized injection activity.\"\n references = \"https://github.com/jxy-s/herpaderping\\nhttps://attack.mitre.org/techniques/T1055/\"\n date = \"2024-02-27\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.ProcessHerpaderping\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n strings:\n // Detection for this sample:\n // edc4dbb4d5d448bac55ddc2631d975551659b28dc82546644c220f81de03e43a\n\n $stub_createfile_00 = {\n (C7 ?? ?? ?? 80 00 00 00) // mov [rsp+0AC0h+dwFlagsAndAttributes], 80h ; dwFlagsAndAttributes\n (C7 ?? ?? ?? 03 00 00 00) // mov [rsp+0AC0h+dwCreationDisposition], 2 ; dwCreationDisposition\n (?? 33 ??) // xor r9d, r9d ; lpSecurityAttributes\n [0-16] // place holder\n (BA 00 00 00 80) // mov edx, 80000000h ; dwDesiredAccess\n [0-16] // place holder\n (E8|FF|9A) // call cs:CreateFileWgi\n }\n\n $stub_createfile_01 = {\n (C7 ?? ?? ?? 80 00 00 00) // mov [rsp+0AC0h+dwFlagsAndAttributes], 80h ; dwFlagsAndAttributes\n [0-16] // place holder\n (?? 33 ??) // xor r9d, r9d ; lpSecurityAttributes\n [0-16] // place holder\n (BA 00 00 00 C0) // mov edx, 0C0000000h ; dwDesiredAccess\n (E8|FF|9A) // call cs:CreateFileW\n }\n\n $stub_ntcreatesection = {\n (C7 ?? ?? ?? 
00 00 00 01) // mov [rsp+0AC0h+dwFlagsAndAttributes], 1000000h ; AllocationAttributes\n [0-16] // place holder\n (?? 33 ??) // xor r9d, r9d ; MaximumSize\n (?? 33 ??) // xor r8d, r8d ; ObjectAttributes\n (BA 1F 00 0F 00) // mov edx, 0F001Fh ; DesiredAccess\n [0-16] // place holder\n (E8|FF|9A) // call cs:NtCreateSection\n }\n\n $stub_ntcreateprocessex = {\n (C7 ?? ?? ?? 04 00 00 00) // mov [rsp+0AC0h+dwCreationDisposition], 4 ; Flags\n [0-16] // place holder\n (?? 33 ??) // xor r8d, r8d ; ObjectAttributes\n (BA FF FF 1F 00) // mov edx, 1FFFFFh ; DesiredAccess\n [0-16] // place holder\n (E8|FF|9A) // call cs:NtCreateProcessEx\n }\n\n $stub_ntcreatethreadex = {\n (BA FF FF 1F 00) // mov edx, 1FFFFFh\n [0-16] // place holder\n (E8|FF|9A) // call cs:NtCreateThreadEx\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "generic_process_herpaderping" ], "rule_creation_date": "2024-02-27", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ProcessHerpaderping" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hiddengh0st_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573391Z", "creation_date": 
"2026-03-23T11:46:25.573393Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573399Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://asec.ahnlab.com/en/57185/\nhttps://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\nhttps://attack.mitre.org/software/S0032/" ], "name": "hiddengh0st.yar", "content": "rule hiddengh0st {\n meta:\n title = \"HiddenGh0st RAT\"\n id = \"6bc13282-278f-4e28-a8f8-896f45f857c4\"\n description = \"Detects HiddenGh0st, a variant of Gh0stRAT.\\nHiddenGh0st is a remote access tool (RAT) used by threat actors to gain unauthorized access to systems.\\nIt is recommended to perform a thorough investigation for any signs of unauthorized access or persistence mechanisms.\"\n references = \"https://asec.ahnlab.com/en/57185/\\nhttps://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\\nhttps://attack.mitre.org/software/S0032/\"\n date = \"2024-05-29\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.s0032;attack.discovery;attack.t1082;attack.defense_evasion;attack.t1140;attack.collection;attack.t1113;attack.t1056.001;attack.command_and_control;attack.t1132.001;attack.t1573\"\n classification = \"Windows.Trojan.HiddenGh0st\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fd3821dd52bd332caa567bb09a2188de3284c035d57e9bf2f3626c1622b330e4\n // 8fe8de4b1ffe1aab3103aefc0c694c5fb7b786c963a011ce66f9b5062dc5b2a9\n // 356698b6b89f7ab04f2ca347f191d262dc0797e143a02acbfe2c35d4831973e2\n\n $s1 = \" /c ping -n 2 
127.0.0.1 > nul && del\" ascii fullword\n $s2 = \"GetMP privilege::debug sekurlsa::logonpasswords exit\" ascii fullword\n $s3 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\%s\" ascii fullword\n $s4 = \"HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\0\" ascii fullword\n $s5 = \"set cdaudio door closed wait\" ascii fullword\n $s6 = \"cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255\" ascii fullword\n $s7 = \"

403 Forbidden

\" ascii fullword\n $s8 = \":]%d-%d-%d %d:%d:%d\" ascii fullword\n\n $a1 = \"avcenter.exe\" ascii fullword\n $a2 = \"K7TSecurity.exe\" ascii fullword\n $a3 = \"TMBMSRV.exe\" ascii fullword\n $a4 = \"AYAgent.aye\" ascii fullword\n $a5 = \"QUHLPSVC.EXE\" ascii fullword\n $a6 = \"KvMonXP.exe\" ascii fullword\n $a7 = \"BaiduSd.exe\" ascii fullword\n $a8 = \"ZhuDongFangYu.exe\" ascii fullword\n\n $x1 = {\n 8B 41 02 // mov eax, [ecx+2]\n 83 C1 04 // add ecx, 4\n 8D B0 FF FE FE 7E // lea esi, [eax+7EFEFEFFh]\n F7 D0 // not eax\n 33 F0 // xor esi, eax\n F7 C6 00 01 01 81 // test esi, 81010100h\n 74 E8 // jz short loc_4044EC\n 8A 59 FE // mov bl, [ecx-2]\n 8D 41 FE // lea eax, [ecx-2]\n 84 DB // test bl, bl\n 74 15 // jz short loc_404523\n 8A 59 FF // mov bl, [ecx-1]\n 84 DB // test bl, bl\n 74 15 // jz short loc_40452A\n 80 39 00 // cmp byte ptr [ecx], 0\n 74 18 // jz short loc_404532\n 8A 59 01 // mov bl, [ecx+1]\n 84 DB // test bl, bl\n 74 1B // jz short loc_40453C\n EB C9 // jmp short loc_4044EC\n }\n\n $x2 = {\n B8 BD 16 9C 06 // mov eax, 69C16BDh\n F7 E1 // mul ecx\n 2B CA // sub ecx, edx\n D1 E9 // shr ecx, 1\n 03 CA // add ecx, edx\n C1 E9 10 // shr ecx, 10h\n 8D 04 C9 // lea eax, [ecx+ecx*8]\n C1 E0 03 // shl eax, 3\n 2B C1 // sub eax, ecx\n 8D 14 80 // lea edx, [eax+eax*4]\n D1 E2 // shl edx, 1\n 2B D1 // sub edx, ecx\n C1 E2 02 // shl edx, 2\n }\n\n $x_keylogger1 = {\n 66 85 C0 // test ax, ax\n 74 ?? // jz short loc_1000D49A\n 83 FF FF // cmp edi, 0FFFFFFFFh\n 7E ?? // jle short loc_1000D49A\n 83 FE 40 // cmp esi, 40h ; '@'\n 7E ?? // jle short loc_1000D49A\n 83 FE 5D // cmp esi, 5Dh ; ']'\n 7D ?? 
// jge short loc_1000D49A\n }\n\n $x_keylogger2 = {\n // loc_1000D255:\n 8A 14 01 // mov dl, [ecx+eax]\n 80 F2 62 // xor dl, 62h\n 88 10 // mov [eax], dl\n 40 // inc eax\n 4E // dec esi\n 75 F4 // jnz short loc_1000D255\n }\n\n $x_cnc_communication = {\n 8A 14 01 // mov dl, [ecx+eax]\n 80 EA 7A // sub dl, 7Ah ; 'z'\n 80 F2 19 // xor dl, 19h\n 88 14 01 // mov [ecx+eax], dl\n 41 // inc ecx\n 3B ?? // cmp ecx, esi\n }\n\n condition:\n (3 of ($s*) and 3 of ($a*)) or\n (2 of ($x*)) or\n (1 of ($s*) and 1 of ($a*) and 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "hiddengh0st" ], "rule_creation_date": "2024-05-29", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.HiddenGh0st" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1140", "attack.t1113", "attack.t1056.001", "attack.t1132.001", "attack.t1082", "attack.t1573" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hidden_malware_builder_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573654Z", "creation_date": "2026-03-23T11:46:25.573656Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.573662Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://poison.tools/product/poison-fud-crypter/\nhttps://harfanglab.io/insidethelab/unpacking-packxor/\nhttps://attack.mitre.org/techniques/T1027/" ], "name": "hidden_malware_builder.yar", "content": "rule hidden_malware_builder {\n meta:\n title = \"Detection for the commercial Hidden Malware Packer.\\nHidden Malware Builder is a commercial packer sold on the web.\\nThe purpose of a packer is to obfuscate malicious code in order to bypass detection from security products.\"\n id = \"444592e2-1049-4597-8df4-60bd919d6ee5\"\n description = \"Detects the Hidden Malware Builder packer.\\nHidden Malware Builder is a commercial packer used to obfuscate malicious code, making it harder for security products to detect.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://poison.tools/product/poison-fud-crypter/\\nhttps://harfanglab.io/insidethelab/unpacking-packxor/\\nhttps://attack.mitre.org/techniques/T1027/\"\n date = \"2024-08-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Tool.HiddenMalwareBuilder\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 67f032d2d15952305a137782de36ac6a77aab7b25e50e1c7d66a8730792b9c06\n // d7d2bc547eeab16c077fa8e7edce63c43beb45b62ed77016198f7dc9a1dcd14b\n // 46631f196a2547cd4f9bfa6c279601ddb4b0ec307f8a0709a621b81cab682ef2\n // 53f7ec230dc8b9e09e595617ab20589de36cf86bbb423288ffc86a9084adc828\n // c1d6380fceff98531d4?508a3761ce82f16121db369cbf81265efd940b5b30ba\n // 08e13ae59c37bf688661c6aaa9a5027b674f43277724?6e26ddd5500a5bd5712\n\n $s_stub00 = {\n 0A ?? // or dl, cl\n 4? 
88 [1-6] // mov [r9-7], dl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-0Bh]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-0Ah]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A ?? // or cl, al\n 4? 88 [1-6] // mov [r9-6], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-9]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-8]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A ?? // or cl, al\n 4? 88 [1-6] // mov [r9-5], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-7]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-6]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A ?? // or cl, al\n 4? 88 [1-6] // mov [r9-4], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-5]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-4]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A ?? // or cl, al\n 4? 88 [1-6] // mov [r9-3], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-3]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-2]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n }\n\n $s_stub01 = {\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 0F B6 [1-6] // movzx eax, byte ptr [edx-0Ah]\n 88 [1-6] // mov [esi-8], cl\n 0F B6 [1-6] // movzx ecx, byte ptr [edx-0Bh]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 0F B6 [1-6] // movzx eax, byte ptr [edx-8]\n 88 [1-6] // mov [esi-7], cl\n 0F B6 [1-6] // movzx ecx, byte ptr [edx-9]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 0F B6 [1-6] // movzx eax, byte ptr [edx-6]\n 88 [1-6] // mov [esi-6], cl\n 0F B6 [1-6] // movzx ecx, byte ptr [edx-7]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 0F B6 [1-6] // movzx eax, byte ptr [edx-4]\n 88 [1-6] // mov [esi-5], cl\n 0F B6 [1-6] // movzx ecx, byte ptr [edx-5]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 0F B6 [1-6] // movzx eax, byte ptr [edx-2]\n 88 [1-6] // mov [esi-4], cl\n 0F B6 [1-6] // movzx ecx, byte ptr [edx-3]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 
04 // shl al, 4\n }\n\n $s_stub02 = {\n C0 ?? 04 // shl cl, 4\n 0A [1-6] // or dl, cl\n C0 ?? 04 // shl al, 4\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-0Bh]\n 80 ?? 0F // and cl, 0Fh\n 4? 88 [1-6] // mov [r9-8], dl\n 0A [1-6] // or cl, al\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-8]\n 4? 88 [1-6] // mov [r9-7], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-9]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-6]\n 4? 88 [1-6] // mov [r9-6], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-7]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-4]\n 4? 88 [1-6] // mov [r9-5], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-5]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-2]\n 4? 88 [1-6] // mov [r9-4], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-3]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n }\n\n $s_stub03 = {\n 4? 83 [1-6] // add r9, 4\n C0 ?? 04 // shl cl, 4\n 80 [1-6] // and dl, 0Fh\n 4? 83 [1-6] // add r8, 8\n 0A [1-6] // or dl, cl\n 4? 88 [1-6] // mov [r9-5], dl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-7]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-6]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 4? 88 [1-6] // mov [r9-4], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-5]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-4]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 04 // shl al, 4\n 0A [1-6] // or cl, al\n 4? 88 [1-6] // mov [r9-3], cl\n 4? 0F B6 [1-6] // movzx ecx, byte ptr [r8-3]\n 4? 0F B6 [1-6] // movzx eax, byte ptr [r8-2]\n 80 ?? 0F // and cl, 0Fh\n C0 ?? 
04 // shl al, 4\n }\n\n $s_pdb00 = \"\\\\sistam.\" ascii nocase\n $s_pdb01 = \".CEEMPCL17\\\\\" ascii nocase\n $s_pdb02 = \"\\\\HIDDEN MALWARE\\\\\" ascii nocase\n $s_pdb03 = \"By PoisonTools\\\\\" ascii nocase\n $s_pdb04 = \"\\\\Hidden Malware Builder\" ascii nocase\n $s_pdb05 = \"crypt64cui.pdb\" ascii nocase\n $s_pdb06 = \".VMI263768\\\\\" ascii nocase\n $s_pdb07 = \"\\\\VISUAL-C++-CRYPTER\\\\\" ascii nocase\n\n $s_exclusion00 = \"Dolphin.pdb\" ascii wide\n $s_exclusion01 = \"dolphin-emu\" ascii wide\n $s_exclusion02 = \"dtsoftbus01.sys\" ascii wide\n $s_exclusion03 = \"DTSoftBusCtl\" ascii wide\n $s_exclusion04 = \"GRAPH_MATH+_Simulator_Ver_USB.exe\" ascii wide\n $s_exclusion05 = \"GRAPH MATH+ Simulator Ver\" ascii wide\n\n condition:\n (1 of ($s_stub*) or 1 of ($s_pdb*))\n and not 1 of ($s_exclusion*)\n}\n", "rule_count": 1, "rule_names": [ "hidden_malware_builder" ], "rule_creation_date": "2024-08-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.HiddenMalwareBuilder" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hijackdrivermanager_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577976Z", "creation_date": 
"2026-03-23T11:46:25.577978Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577984Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\nhttps://asec.ahnlab.com/en/87804/\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks" ], "name": "hijackdrivermanager.yar", "content": "rule hijackdrivermanager_hacktool {\n meta:\n title = \"HijackDriverManager HackTool\"\n id = \"4aff399d-1c26-43ea-8b50-14a60caa67d3\"\n description = \"Detects HijackDriverManger, a chinese GUI tool used to manage a hidden rootkit.\\nHijackDriverManger is a Chinese-language file-hiding utility that controls a rootkit driver (Winkbj.sys) to block access to kernel objects—specific files, images and registry keys—thereby concealing a malicious IIS native module from security products.\\nIt is recommended to analyze the context around this alert and investigate further suspicious actions.\"\n references = \"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\\nhttps://asec.ahnlab.com/en/87804/\\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks\"\n date = \"2025-09-02\"\n modified = \"2025-10-23\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1564.001;attack.t1562\"\n classification = \"Windows.HackTool.HijackDriverManager\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 7260f09e95353781f2bebf722a2f83c500145c17cf145d7bda0e4f83aafd4d20\n\n $GUI_text00 = \"启用保护\" // Enable Protection\n $GUI_text01 = \"暂停保护\" // Protection Suspended\n $GUI_text02 = 
\"结束保护\" // Terminate Protection\n $GUI_text03 = \"保护已启用\" // Protection Enabled\n $GUI_text04 = \"保护已暂停\" // Protection has been suspended\n $GUI_text05 = \"保护已结束\" // Protection has ended\n $GUI_text06 = \"键部署\" // key deployment\n $GUI_text07 = \"卸载插件\" // Uninstall plugin\n $GUI_text08 = \"解锁全部\" // Unlock all\n\n condition:\n 3 of ($GUI_*)\n}\n", "rule_count": 1, "rule_names": [ "hijackdrivermanager_hacktool" ], "rule_creation_date": "2025-09-02", "rule_modified_date": "2025-10-23", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.HijackDriverManager" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1562" ], "rule_score": 70, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hijackloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572918Z", "creation_date": "2026-03-23T11:46:25.572921Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572929Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1055/012/\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader\nhttps://www.zscaler.com/blogs/security-research/hijackloader-updates\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/" ], "name": "hijackloader.yar", "content": "rule hijackloader {\n meta:\n title = \"HijackLoader\"\n id = \"651ed25e-4160-4a2e-9e25-490fc31cbbbe\"\n description = \"Detects the HijackLoader.\\nHijackLoader is a defense evasion oriented loader that usesDLL sideloading and a custom variant of process hollowing to evade detection. It is designed to drop various payloads, typically stealers, onto the infected system.\\nIt is recommended to analyze the process's memory for potential payloads.\"\n references = \"https://attack.mitre.org/techniques/T1055/012/\\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader\\nhttps://www.zscaler.com/blogs/security-research/hijackloader-updates\\nhttps://www.crowdstrike.com/blog/hijackloader-expands-techniques/\"\n date = \"2024-09-13\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.012\"\n classification = \"Windows.Loader.HijackLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b8582c06725263925cfc01a420eee9914a62d83605b2dc800ae5b7c46e03fb4d\n // fc9a6be2dd23a64f5b3201e43ff8c0edb4852ba1d716bda4c6c557286cb2e658\n\n $stub00_find_dll_base_addr = {\n // find base dll address\n 64 ?? 30 00 00 00 // mov eax, dword [fs:0x30]\n 56 // push esi {__saved_esi}\n 57 // push edi {__saved_edi}\n 8b ?? 0c // mov edi, dword [eax+0xc {_PEB::Ldr}]\n 83 ?? 0c // add edi, 0xc {_PEB_LDR_DATA::InLoadOrderModuleList}\n 8b ?? 
// mov esi, dword [edi {_PEB_LDR_DATA::InLoadOrderModuleList.Flink}]\n eb // jmp 0x10003076\n }\n\n $stub_01_multiply_dll_name = {\n // multiply by 3 the results of the computed letters of the dll name\n e8 [1-6] // call sub_100030b5\n (6b|69) ?? 03 // imul eax, eax, 0x3\n 59 // pop ecx {var_2c4_5}\n 39 [1-4] 0c // cmp dword [esp+0xc {var_2b4}], eax\n 74 // je 0x1000307f\n }\n\n $stub02_lower_case_dll_name = {\n // lower case the dll name\n 8b [1-3] 04 // mov eax, dword [esp+0x4 {arg1}]\n 6a 41 // push 0x41 {var_4}\n 5a // pop edx {var_4} {0x41}\n 0f b7 c8 // movzx ecx, ax\n 66 3b d0 // cmp dx, ax\n 77 0c // ja 0x100030b1\n 66 [1-3] 5a // cmp ax, 0x5a\n 77 ?? // ja 0x100030b1\n 83 ?? 20 // add eax, 0x20\n 0f b7 // movzx ecx, ax\n }\n\n $stub03_compute_dll_name = {\n // function that compute dll name letters\n 53 // push ebx {__saved_ebx}\n 8b [1-3] 08 // mov ebx, dword [esp+0x8 {dll_name}]\n 56 // push esi {__saved_esi}\n 33 f6 // xor esi, esi\n 57 // push edi {__saved_edi}\n 0f b7 ?? // movzx eax, word [ebx]\n 8b fe // mov edi, esi {0x0}\n eb ?? // jmp 0x100030d6\n 50 // push eax {var_10_1}\n e8 [1-6] // call lowercase_char\n 59 // pop ecx {var_10}\n 0f b7 ?? // movzx ecx, ax\n 03 f1 // add esi, ecx\n 47 // inc edi\n 0f b7 [1-3] // movzx eax, word [ebx+edi*2]\n 66 85 c0 // test ax, ax\n 75 ?? 
// jne 0x100030c5\n 5f // pop edi {__saved_edi}\n 8b c6 // mov eax, esi\n 5e // pop esi {__saved_esi}\n 5b // pop ebx {__saved_ebx}\n c3 // retn {__return_addr}\n }\n\n $stub04_api_hashing_variant = {\n 0f af ca // imul ecx, edx\n 0f b6 1e // movzx ebx, byte [esi]\n 01 d9 // add ecx, ebx\n 46 // inc esi\n 4d // dec ebp\n 75 // jne 0x10007790\n }\n\n $stub05_api_hashing_return_address = {\n 8b 0c 24 // mov ecx, dword [esp {var_20_1}]\n 0f b7 0c 79 // movzx ecx, word [ecx+edi*2]\n 8b 54 24 04 // mov edx, dword [esp+0x4 {var_1c_1}]\n 03 04 8a // add eax, dword [edx+ecx*4]\n }\n\n $stub_06_compute_name_dll = {\n 0f b7 c8 // movzx ecx, ax\n 03 f1 // add esi, ecx\n 47 // inc edi\n 0f b7 04 7b // movzx eax, word [ebx+edi*2]\n 66 85 c0 // test ax, ax\n 75 ?? // jne 0x20403ae4\n 5f // pop edi {__saved_edi}\n 8b c6 // mov eax, esi\n 5e // pop esi {__saved_esi}\n 5b // pop ebx {__saved_ebx}\n }\n\n $stub_07_compute_name_dll = {\n 66 83 f9 19 // cmp cx, 0x19\n 77 06 // ja 0x40647e\n 83 c0 20 // add eax, 0x20\n 0f b7 d0 // movzx edx, ax\n 46 // inc esi\n 0f b7 c2 // movzx eax, dx\n 03 f8 // add edi, eax\n 0f b7 04 73 // movzx eax, word [ebx+esi*2]\n 66 85 c0 // test ax, ax\n 75 // jne 0x40646a\n }\n\n condition:\n 2 of them\n}\n", "rule_count": 1, "rule_names": [ "hijackloader" ], "rule_creation_date": "2024-09-13", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.HijackLoader" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.012" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hivenightmare_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588406Z", "creation_date": "2026-03-23T11:46:25.588408Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588414Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GossiTheDog/HiveNightmare" ], "name": "hivenightmare.yar", "content": "rule hivenightmare {\n meta:\n title = \"HiveNightmare Hacktool\"\n id = \"055e4187-23a3-4f4b-9e77-9e1620a2e48e\"\n description = \"Detects HiveNightmare, a tool that exploits the CVE-2021-36934 vulnerability.\\nHiveNightmare is a tool designed to exploit a vulnerability in Windows, allowing attackers to dump sensitive registry hives without requiring administrative privileges. 
This tool enables unauthorized access to critical system information, specifically targeting the SAM, SECURITY, and SYSTEM registry hives, which contain sensitive user credentials and system information.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/GossiTheDog/HiveNightmare\"\n date = \"2021-07-26\"\n modified = \"2025-03-17\"\n tags = \"cve.2021-36934;attack.credential_access;attack.t1552.001\"\n author = \"HarfangLab\"\n classification = \"Windows.HackTool.HiveNightmare\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_marker_pdb = \"HiveNightmare.pdb\" ascii\n $clear_string_marker_usage = \"Usage: HiveNightmare.exe [max shadows to look at (default 15)]\" ascii\n $clear_string_marker_base_shadow_path = \"\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy\" wide\n $clear_string_marker_sam_path = \"Windows\\\\System32\\\\config\\\\SAM\" wide\n $clear_string_marker_security_path = \"Windows\\\\System32\\\\config\\\\SECURITY\" wide\n $clear_string_marker_system_path = \"Windows\\\\System32\\\\config\\\\SYSTEM\" wide\n $clear_string_marker_description_part1 = \"HiveNightmare v\" wide\n $clear_string_marker_description_part2 = \"dump registry hives as non-admin users\" wide\n $clear_string_marker_error_open_sam = \"Could not open SAM :( Is System Protection not enabled or vulnerability fixed?\" ascii\n $clear_string_marker_error_open_security = \"Could not open SECURITY :( Is System Protection not enabled or vulnerability fixed?\" ascii\n $clear_string_marker_error_open_system = \"Could not open SYSTEM :( Is System Protection not enabled or vulnerability fixed?\" ascii\n\n condition:\n filesize < 300KB and 5 of ($clear_string_marker_*)\n}\n", "rule_count": 1, "rule_names": [ "hivenightmare" ], "rule_creation_date": "2021-07-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], 
"rule_classifications": [ "Windows.HackTool.HiveNightmare" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1552.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hooksigntool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571410Z", "creation_date": "2026-03-23T11:46:25.571413Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571418Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.talosintelligence.com/old-certificate-new-signature/\nhttps://github.com/Jemmy1228/HookSigntool" ], "name": "hooksigntool.yar", "content": "import \"pe\"\n\nrule hooksigntool {\n meta:\n title = \"Binary Signed via HookSignTool\"\n id = \"1cc534e2-0303-4fa9-a9c5-f45fa7e45621\"\n description = \"Detects binaries signed via HookSignTool.\\nHookSignTool is a driver signature forging tool that manipulates the signing date of a driver by hooking Windows API calls and modifying the import table of a legitimate code signing tool. 
This technique requires the use of a non-revoked code signing certificate issued before July 29, 2015, along with its private key and password. Attackers can leverage this tool to sign malicious drivers using older, leaked certificates, potentially leading to privilege escalation.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://blog.talosintelligence.com/old-certificate-new-signature/\\nhttps://github.com/Jemmy1228/HookSigntool\"\n date = \"2023-07-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1553.002\"\n classification = \"Windows.HackTool.HookSignTool\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3b64b4e2ba27ca361752fa52df1e70a64e59e7fe40a34441d87e9fb61ea8c70e\n // 0db87b96b23af06f42e160a041e8e07fb56555585bbb93c15a8e59336bebca64\n\n // Fake TimeStamp Responder\n $certificate_fake_serial = {\n 02 10 1e b1 32 d5 7e 79 68 96 0d f2 6e 85 4e b0 // 1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6\n dd a6 30\n }\n // JemmyLoveJenny SHA1 TimeStamping Services CA\n $certificate_fake_issuer = {\n 0c 2c 4a 65 6d 6d 79 4c 6f 76 65 4a 65 6e 6e 79\n 20 53 48 41 31 20 54 69 6d 65 53 74 61 6d 70 69\n 6e 67 20 53 65 72 76 69 63 65 73 20 43 41 30\n }\n\n // JemmyLoveJenny EV Root CA\n $certificate_jemmy_serial = { 02 04 1e b1 32 d5 30 } // 1e:b1:32:d5\n // JemmyLoveJenny EV Root CA\n $certificate_jemmy_issuer = {\n 0c 19 4a 65 6d 6d 79 4c 6f 76 65 4a 65 6e 6e 79\n 20 45 56 20 52 6f 6f 74 20 43 41 30\n }\n\n condition:\n uint16(0) == 0x5a4d and\n (\n (\n uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+8) == 0x3082 or\n uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+8) == 0x3083\n )\n and\n (\n (\n $certificate_fake_serial in 
(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize) and\n $certificate_fake_issuer in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)\n )\n or\n (\n $certificate_jemmy_serial in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize) and\n $certificate_jemmy_issuer in (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address..filesize)\n )\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "hooksigntool" ], "rule_creation_date": "2023-07-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.HookSignTool" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1553.002" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hotpotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576184Z", "creation_date": "2026-03-23T11:46:25.576186Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576192Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://foxglovesecurity.com/2016/01/16/hot-potato/\nhttps://github.com/foxglovesec/Potato/\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "hotpotato.yar", "content": "rule hotpotato {\n meta:\n title = \"HotPotato HackTool\"\n id = \"231b5d58-098a-4947-a133-59c26cca8264\"\n description = \"Detects the HotPotato HackTool.\\nHotPotato is a privilege escalation tool that leverages wpad server spoofing and NTLM relay to achieve local privilege escalation. It creates a malicious wpad.dat file to intercept and manipulate DNS queries, and can also establish SMB relays for further attacks. The tool is known to use various techniques including DNS hijacking and UDP port exhaustion to bypass Windows security mechanisms.\"\n references = \"https://foxglovesecurity.com/2016/01/16/hot-potato/\\nhttps://github.com/foxglovesec/Potato/\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2024-02-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.HotPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 7e21c5b9cf9cb3cc0b3c6909fdf3a7820c6feaa45e86722ed4e7a43d39aee819\n\n $s1 = \"http://127.0.0.1/wpad.dat\" wide fullword\n $s2 = \"function FindProxyForURL(url,host){if (dnsDomainIs(host, \\\"localhost\\\")) return \\\"DIRECT\\\";\" wide fullword\n $s3 = \"Setting up SMB relay...\" wide fullword\n $s4 = \"Spoofing wpad...\" wide fullword\n $s5 = \"[\\\\pipe\\\\svcctl]\" wide fullword\n $s6 = \"Exhausting UDP source ports so DNS lookups will fail...\" wide fullword\n $s7 = \"/C schtasks.exe /Create /TN omg /TR \\\\\\\\127.0.0.1@\" wide fullword\n $s8 = \"DNS lookup succeeds - UDP Exhaustion failed!\" wide fullword\n $s9 = \"DNS lookup fails - UDP Exhaustion worked!\" wide fullword\n\n condition:\n 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "hotpotato" ], 
"rule_creation_date": "2024-02-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.HotPotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hrserv_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569646Z", "creation_date": "2026-03-23T11:46:25.569648Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569653Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/hrserv-apt-web-shell/111119/" ], "name": "hrserv.yar", "content": "rule hrserv {\n meta:\n title = \"HrServ Web Shell\"\n id = \"9b72a218-4910-4fbd-8421-6c3561963d73\"\n description = \"Detects the HrServ web shell.\\nHrServ is a DLL file identified in APT attacks, functioning as a web shell with advanced features. It uses custom encoding for client communication and executes in memory to avoid detection and persistence. 
This web shell allows attackers to maintain control over the infected system, making it a sophisticated tool for malicious activities.\\nIt is recommended to dump the affected process and investigate network traffic for potential command and control (C2) communication.\"\n references = \"https://securelist.com/hrserv-apt-web-shell/111119/\"\n date = \"2023-11-23\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1505.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.HrServ\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0\n\n $f1 = \"RegisterServiceCtrlHandlerW\" fullword ascii\n $f2 = \"SetServiceStatus\" fullword ascii\n $f3 = \"HttpInitialize\" fullword ascii\n $f4 = \"HttpCreateHttpHandle\" fullword ascii\n $f5 = \"HttpAddUrl\" fullword ascii\n\n $url1 = \"https://+:443/owa/MSExchangeService.svc\" fullword wide\n $url2 = \"http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/\" fullword wide\n\n $s1 = \"--> Set the Response to 404\" fullword wide\n $s2 = \"HttpSendHttpResponse failed with %lu\" fullword wide\n $s3 = \"[!] Try again please!\" fullword wide\n $s4 = \"The Moudule will be re-installed again.\" fullword wide\n $s5 = \"The Module will be re-installed again.\" fullword wide\n\n // FNV1A64 hashing algorithms\n $fnv1 = { 48 ?? 25 23 22 84 E4 9C F2 CB } // mov rdx, 0CBF29CE484222325h\n $fnv2 = { 49 ?? 
B3 01 00 00 00 01 00 00 } // mov r9, 100000001B3h\n\n condition:\n all of ($f*) and\n all of ($fnv*) and\n (\n (1 of ($url*) and 1 of ($s*)) or\n (2 of ($s*))\n )\n}\n", "rule_count": 1, "rule_names": [ "hrserv" ], "rule_creation_date": "2023-11-23", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.HrServ" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1505.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hrsword_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584854Z", "creation_date": "2026-03-23T11:46:25.584856Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584862Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/jxd_io/status/1429478992982204416\nhttps://www.52pojie.cn/thread-1358235-1-1.html\nhttps://github.com/szdyg/HRSword\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "hrsword.yar", "content": "rule hrsword {\n meta:\n title = \"HRSword Tool\"\n id = 
\"e977f17a-dcdc-45eb-8189-beadd7a10e26\"\n description = \"Detects the HRSword tool, a legitimate AV executable extracted from the original software.\\nHRSword is a legitimate diagnostic tool that, when paired with its driver, can be used to terminate protected processes such as AV/EDR agents. This functionality has been exploited by ransomware operators like Lockbit and Ragnarok, as well as APT groups such as Camaro Dragon, to bypass security measures.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://twitter.com/jxd_io/status/1429478992982204416\\nhttps://www.52pojie.cn/thread-1358235-1-1.html\\nhttps://github.com/szdyg/HRSword\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-11-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562\"\n classification = \"Windows.Tool.HRSword\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b44dd12179a15a7d89c18444d36e8d70b51d30c7989d3ab71330061401f731fe\n\n $str1 = \"Really KILL this process?_TID: %d\" wide\n $str2 = \"Hide Non-Commited Regions\u001bHide Non-Executable Regions\u0016Hide In-Module Regions\" wide\n $str3 = \"Dump Strings from Memory\" wide\n $str4 = \"Huorong System Diagnostics Toolkit\" wide\n $sig1 = \"HuoRongBoRui (Beijing) Technology\" ascii\n $sig2 = \"Beijing Huorong Network Technology\" ascii\n $sig3 = \"BaseTruck Security\" ascii\n\n condition:\n uint16(0) == 0x5a4d and all of ($str*) and 1 of ($sig*)\n}\n", "rule_count": 1, "rule_names": [ "hrsword" ], "rule_creation_date": "2023-11-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.HRSword" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-hyperbro_backdoor_stage3_november_2021_campaign_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574736Z", "creation_date": "2026-03-23T11:46:25.574738Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574744Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0398/\nhttps://www.intrinsec.com/apt27-analysis/" ], "name": "hyperbro_backdoor_stage3_november_2021_campaign.yar", "content": "rule hyperbro_backdoor_b45ff27fe87c {\n meta:\n title = \"APT27 HyperBro Backdoor (b45ff27fe87c)\"\n id = \"0bb79ee0-5b1f-4dd3-9317-b45ff27fe87c\"\n description = \"Detects HyperBro stage 3 related to the November 2021 campaign, a custom in-memory RAT backdoor used by APT27 and associated groups.\\nHyperBro is a sophisticated malware that enables remote command execution from a C2 server.\\nIt includes features such as screenshot capture, clipboard theft, Windows service modification, registry editing, and file manipulation.\\nIt is recommended to isolate the affected system and analyze network traffic for potential C2 communication.\"\n references = 
\"https://attack.mitre.org/software/S0398/\\nhttps://www.intrinsec.com/apt27-analysis/\"\n date = \"2022-10-24\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1574.002;attack.defense_evasion;attack.t1055;attack.t1027;attack.t1140;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.Hyperbro\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 083800e8eaaeb8a4bb413b685477d43a295907dc5f2ef5e35886519cc3f1ef92\n\n $token_impersonation = {\n FF 15 ?? ?? ?? ?? // call ds:SetTokenInformation ; Token Impersonation\n 85 C0 // test eax, eax\n 0F 84 ?? ?? ?? ?? // jz loc_10010925\n 8D 45 ?? // lea eax, [ebp+NewTokenHandle]\n C7 45 ?? 00 00 00 00 // mov [ebp+NewTokenHandle], 0\n 50 // push eax ; NewTokenHandle\n 6A 00 // push 0 ; SidsToRestrict\n 6A 00 // push 0 ; RestrictedSidCount\n 6A 00 // push 0 ; PrivilegesToDelete\n 6A 00 // push 0 ; DeletePrivilegeCount\n 6A 00 // push 0 ; SidsToDisable\n 6A 00 // push 0 ; DisableSidCount\n 6A 04 // push 4 ; Flags\n FF 75 ?? // push [ebp+phNewToken] ; ExistingTokenHandle\n FF 15 ?? ?? ?? ?? // call ds:CreateRestrictedToken\n 85 C0 // test eax, eax\n 0F 84 ?? ?? ?? ?? // jz loc_10010925\n 8D 45 ?? // lea eax, [ebp+phNewToken]\n 50 // push eax ; phNewToken\n 6A 02 // push 2 ; TokenType\n 6A 02 // push 2 ; ImpersonationLevel\n 6A 00 // push 0 ; lpTokenAttributes\n 6A 0C // push 0Ch ; dwDesiredAccess\n FF 75 ?? // push [ebp+NewTokenHandle] ; hExistingToken\n FF D6 // call esi ; DuplicateTokenEx\n 85 C0 // test eax, eax\n 0F 84 ?? ?? ?? ?? // jz loc_????????\n FF 75 ?? // push [ebp+phNewToken] ; hToken\n FF 15 ?? ?? ?? ?? 
// call ds:ImpersonateLoggedOnUser\n }\n\n // UAC bypass exploiting the ICMLuaUtil\n $uac_bypass_1 = \"{6EDD6D74-C007-4E75-B76A-E5740995E24C}\" wide // cmlua.dll\n $uac_bypass_2 = \"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-906\" wide // cmstplua.dll\n $uac_bypass_3 = \"3-A120244FBEC7}\" wide\n\n $masquerading_string_1 = \"wermgr.exe\" wide\n $masquerading_string_2 = \"-k networkservice\" wide\n\n $proc_masquerading = {\n 68 ?? ?? ?? ?? // push offset aWermgrExe ; \"wermgr.exe\"\n 8D 4D ?? // lea ecx, [ebp+TokenHandle]\n E8 ?? ?? ?? ?? // call sub_100057E0\n 68 ?? ?? ?? ?? // push offset aKNetworkservic ; \" -k networkservice\"\n 8D 4D ?? // lea ecx, [ebp+TokenHandle]\n E8 ?? ?? ?? ?? // call sub_100057E0\n 6A 00 // push 0 ; bInherit\n 56 // push esi ; hToken\n 8D ?? ?? // lea eax, [ebp+Environment]\n C7 ?? ?? 00 00 00 00 // mov [ebp+Environment], 0\n 50 // push eax ; lpEnvironment\n FF 15 ?? ?? ?? ?? // call ds:CreateEnvironmentBlock\n 8D ?? ?? // lea eax, [ebp+ProcessInformation]\n 50 // push eax ; lpProcessInformation\n 8D ?? ?? ?? ?? ?? // lea eax, [ebp+StartupInfo]\n 50 // push eax ; lpStartupInfo\n 6A 00 // push 0 ; lpCurrentDirectory\n FF ?? ?? // push [ebp+Environment] ; lpEnvironment\n 68 04 04 00 01 // push 1000404h ; dwCreationFlags\n 6A 00 // push 0 ; bInheritHandles\n 6A 00 // push 0 ; lpThreadAttributes\n 6A 00 // push 0 ; lpProcessAttributes\n FF ?? ?? // push [ebp+TokenHandle] ; lpCommandLine\n 6A 00 // push 0 ; lpApplicationName\n 56 // push esi ; hToken\n FF 15 ?? ?? ?? ?? 
// call ds:CreateProcessAsUserW\n }\n\n condition:\n $token_impersonation\n or (all of ($uac_bypass_*))\n or (all of ($masquerading_string_*) and $proc_masquerading)\n}\n", "rule_count": 1, "rule_names": [ "hyperbro_backdoor_b45ff27fe87c" ], "rule_creation_date": "2022-10-24", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Hyperbro" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1027", "attack.t1055", "attack.t1574.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-icedid_gzip_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584139Z", "creation_date": "2026-03-23T11:46:25.584142Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584150Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0483/\nhttps://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240" ], "name": 
"icedid_gzip_loader.yar", "content": "rule icedid_gzip_loader {\n meta:\n title = \"IcedID GZIP Loader\"\n id = \"f5ea711a-bb93-4cd2-9eef-b2e71be90d3c\"\n description = \"Detects the IcedID GZIP loader.\\nIcedID is a modular banking malware designed to steal financial information. It has been active since at least 2017 and is often delivered via phishing emails.\\nThis loader executes via rundll32.exe and performs initial reconnaissance, system fingerprinting, and communication with the C&C server.\\nIt is recommended to monitor for any suspicious network activity related to known C&C domains.\"\n references = \"https://attack.mitre.org/software/S0483/\\nhttps://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240\"\n date = \"2023-01-20\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218.011;attack.t1017.002;attack.initial_access;attack.t1566.001;attack.discovery;attack.t1082;attack.s0483\"\n classification = \"Windows.Trojan.IcedID\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // c2e3097e2de547d70f1d4543b51fdb0c016a066646e7d51b74ca4f29c69f5a85\n // 5086374cc908c1858031c0ed13de99e3916971bb1bf4dc6e5fd73393c8e3f9b8\n // a7cdd68a2203782035dcb4ce08b9d7719d81575cb29739415f3d3fce25c89fae\n // d2986a18991c306e9ad665b42df0fb39296b1cba644cdcef89fb35c2f95ebcca\n // d8d914d2a7e074e12b6087f16dbbb2bba6b78c676354c2fa48ae3eaf15129d76\n\n $s1 = \"loader_dll_64.dll\" fullword ascii\n $s2 = \"GetNativeSystemInfo\" fullword ascii\n $s3 = \"Cookie: _s=\" fullword wide\n $s4 = \"Cookie: __gads=\" fullword wide\n $s5 = \"GetComputerNameEWinHttpSetStatus0123456789ABCDEF\" fullword ascii\n $s6 = \"LookupAccountNamGetModuleFileNamOutputDebugStrinZwQuerySystemInfGetNativeSystemIWideCharToMultiBRegQueryValueExAc:\\\\ProgramData\\\\\" fullword ascii\n $s7 = 
\"WinHttpQueryDataWinHttpSetOptionGetAdaptersInfo\" fullword ascii\n\n condition:\n 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "icedid_gzip_loader" ], "rule_creation_date": "2023-01-20", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.IcedID" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1017.002", "attack.t1218.011", "attack.t1566.001", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-icedid_loader_745d28bf2539_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584215Z", "creation_date": "2026-03-23T11:46:25.584217Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584223Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0483/\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-11-27-IOCs-for-TA577-pushing-IcedID-variant.txt" ], "name": "icedid_loader_745d28bf2539.yar", "content": "rule icedid_loader_745d28bf2539 {\n meta:\n title = \"IcedID Loader 
(745d28bf2539)\"\n id = \"a9acfca3-2526-47b2-a1bd-745d28bf2539\"\n description = \"Detects malicious DLLs related to IcedID Loader.\\nIcedID is a modular banking malware designed to steal financial information. It has been active since at least 2017 and is commonly delivered via phishing emails.\\nThis specific loader variant is executed via rundll32.exe and is responsible for initial system reconnaissance, fingerprinting, and communication with the command-and-control (C&C) server.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://attack.mitre.org/software/S0483/\\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-11-27-IOCs-for-TA577-pushing-IcedID-variant.txt\"\n date = \"2023-11-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218.011;attack.t1017.002;attack.initial_access;attack.t1566.001;attack.discovery;attack.t1082;attack.s0483\"\n classification = \"Windows.Trojan.IcedID\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7\n\n $s1 = \"&systeminfo=\" fullword ascii\n $s2 = \"&domain_trusts_all=\" fullword ascii\n $s3 = \"&net_wmic_av=\" fullword ascii\n $s4 = \"\\\"subproc\\\": [\" fullword ascii\n $s5 = \"&desklinks=[\" fullword ascii\n $s6 = \"Update_%x\" fullword wide\n $s7 = \"Custom_update\" fullword wide\n\n // FNV1A32 hashing algorithms\n // https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240\n // https://www.group-ib.com/blog/icedid/\n $fnv1 = { C5 9D 1C 81 }\n $fnv2 = { 93 01 00 01 }\n\n condition:\n 5 of ($s*) and all of ($fnv*)\n}\n", "rule_count": 1, "rule_names": [ "icedid_loader_745d28bf2539" ], "rule_creation_date": "2023-11-29", "rule_modified_date": 
"2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.IcedID" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1017.002", "attack.t1218.011", "attack.t1566.001", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-icedid_loader_stage_1_march_2021_campaign_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584185Z", "creation_date": "2026-03-23T11:46:25.584188Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584193Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\nhttps://attack.mitre.org/software/S0483/" ], "name": "icedid_loader_stage_1_march_2021_campaign.yar", "content": "rule icedid_loader_stage_1_march_2021_campaign {\n meta:\n title = \"IcedID Loader Stage 1\"\n id = \"17dd3136-a212-4ef7-9455-83752fbda7be\"\n description = \"Detects the IcedID loader stage 1 in memory related to the March 2021 Campaign.\\nIcedID is a modular banking malware designed to steal financial information. 
It has been observed in the wild since at least 2017 and is often delivered via phishing emails.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\\nhttps://attack.mitre.org/software/S0483/\"\n date = \"2021-03-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218.011;attack.t1017.002;attack.initial_access;attack.t1566.001;attack.discovery;attack.t1082;attack.s0483\"\n classification = \"Windows.Trojan.IcedID\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $inline_array_1 = {\n C6 45 ?? 40 // mov [rbp+arg_8], 40h ; '@'\n C6 45 ?? 69 // mov [rbp+arg_8+1], 69h ; 'i'\n C6 45 ?? 13 // mov [rbp+arg_8+2], 13h\n C6 45 ?? 57 // mov [rbp+arg_8+3], 57h ; 'W'\n 8A 45 ?? // mov al, [rbp+arg_8]\n C6 45 ?? 00 // mov [rbp+arg_8+4], 0\n C6 45 ?? 0F // mov [rbp+str], 0Fh\n C6 45 ?? 7A // mov [rbp+str+1], 7Ah ; 'z'\n C6 45 ?? 66 // mov [rbp+str+2], 66h ; 'f'\n C6 45 ?? 52 // mov [rbp+str+3], 52h ; 'R'\n C6 45 ?? 3E // mov [rbp+str+4], 3Eh ; '>'\n C6 45 ?? 6A // mov [rbp+str+5], 6Ah ; 'j'\n 8A 45 ?? // mov al, [rbp+str]\n C6 45 ?? 00 // mov [rbp+str+6], 0\n }\n\n $inline_array_2 = {\n C6 45 ?? 24 //mov [rbp+str2], 24h ; '$'\n C6 45 ?? 4D //mov [rbp+str2+1], 4Dh ; 'M'\n C6 45 ?? 05 //mov [rbp+str2+2], 5\n C6 45 ?? 59 //mov [rbp+str2+3], 59h ; 'Y'\n 44 88 ?5 ?? //mov [rbp+str2+4], r12b\n C6 45 ?? 36 //mov [rbp+str2+5], 36h ; '6'\n 8A 45 ?? //mov al, [rbp+str2]\n C6 45 ?? 00 //mov [rbp+str2+6], 0\n }\n\n $inline_array_3 = {\n C6 45 ?? 0E // mov [rbp+arg_8], 0Eh\n C6 45 ?? 3C // mov [rbp+arg_9], 3Ch ; '<'\n C6 45 ?? 12 // mov [rbp+arg_A], 12h\n C6 45 ?? 47 // mov [rbp+arg_B], 47h ; 'G'\n C6 45 ?? 4A // mov [rbp+arg_B+1], 4Ah ; 'J'\n C6 45 ?? 55 // mov [rbp+arg_B+2], 55h ; 'U'\n C6 45 ?? 31 // mov [rbp+arg_B+3], 31h ; '1'\n 8A 45 ?? 
// mov al, [rbp+arg_8]\n C6 45 ?? 00 // mov [rbp+arg_B+4], 0\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "icedid_loader_stage_1_march_2021_campaign" ], "rule_creation_date": "2021-03-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.IcedID" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1017.002", "attack.t1218.011", "attack.t1566.001", "attack.t1082" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-icedid_loader_stage_2_march_2021_campaign_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584094Z", "creation_date": "2026-03-23T11:46:25.584096Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584102Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\nhttps://attack.mitre.org/software/S0483/" ], "name": "icedid_loader_stage_2_march_2021_campaign.yar", "content": "rule icedid_loader_stage_2_march_2021_campaign {\n meta:\n title = \"IcedID Loader Stage 2\"\n id = 
\"f2828561-e642-43cb-9de0-3adb2dfa5a5c\"\n description = \"Detects the IcedID loader stage 2 in memory related to the March 2021 Campaign.\\nIcedID is a modular banking malware designed to steal financial information. It has been observed in the wild since at least 2017 and is often delivered via phishing emails.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\\nhttps://attack.mitre.org/software/S0483/\"\n date = \"2021-03-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218.011;attack.t1017.002;attack.initial_access;attack.t1566.001;attack.discovery;attack.t1082;attack.s0483\"\n classification = \"Windows.Trojan.IcedID\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // This payload uses these APIs in \"icedid_loader_parse_command_line\"\n $api_used_s1 = \"GetCommandLineA\" ascii\n $api_used_s2 = \"StrStrIA\" ascii\n $api_used_s3 = \"SHGetFolderPathA\" ascii\n $api_used_s4 = \"lstrcatA\" ascii\n $api_used_s5 = \"lstrcpyA\" ascii\n $api_used_s6 = \"StrChrA\" ascii\n\n // This payload uses these APIs to load the decrypted payload\n $api_used_s7 = \"VirtualAlloc\" ascii\n $api_used_s8 = \"VirtualProtect\" ascii\n\n // Strings used by \"icedid_loader_parse_command_line\"\n $clear_string_s1 = \"c:\\\\ProgramData\\\\\" ascii\n\n // NOTE: Attackers may change this easily, so this string is too fragile to match on.\n // $clear_string_s2 = \"/i:\\\"\" ascii\n\n // The command line parser.\n $icedid_loader_parse_command_line = {\n 48 8B F2 // mov rsi, rdx\n 48 8B D9 // mov rbx, rcx\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // GetCommandLineA\n 48 85 C0 // test rax, rax\n 75 04 // jne get_command_line_success\n // error_out:\n 33 C0 // xor eax, eax\n EB ?? // jmp return\n // get_command_line_success:\n 48 8D 15 ?? ?? ?? ?? 
// lea rdx, [rip + 0xXX] // \"/i:\\\"\"\n 48 8B C8 //\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // StrStrIA\n 48 8B F8 // mov rdi, rax\n 48 85 C0 // test rax, rax\n 74 E4 // je error_out\n 45 33 C9 // xor r9d, r9d // dwFlags\n 48 89 5C 24 ?? // mov qword ptr [rsp + ??], rbx // pszPath\n 45 33 C0 // xor r8d, r8d // hToken\n 33 C9 // xor ecx, ecx // hwnd\n 41 8D 51 1A // lea edx, [r9 + 0x1a] // csidl = APPDATA\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // SHGetFolderPathA\n 48 8B CB // mov rcx, rbx\n 48 8D 15 ?? ?? ?? ?? // lea rdx, [rip + 0xXX] // \"c:\\\\ProgramData\\\\\"\n 85 C0 // test eax, eax\n 75 07 // jnz compute_path\n 48 8D 15 ?? ?? ?? ?? // lea rdx, [rip + 0xXX] // \"\\\\\"\n // compute_path:\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // lstrcatA\n 48 8D 57 04 // lea rdx, [rdi + 4] // 4 = strlen(\"/i:\\\"\")\n 48 8B CE // mov rcx, rsi\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // lstrcpyA\n BA 22 00 00 00 // mov edx, 0x22 // '\"'\n 48 8B CE // mov rcx, rsi\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // StrChrA\n 48 85 C0 // test rax, rax\n 74 03 // je success_out\n C6 00 00 // mov byte ptr [rax], 0\n // success_out:\n 48 8B D6 // mov rdx, rsi\n 48 8B CB // mov rcx, rbx\n FF 15 ?? ?? ?? ?? // call dword ptr [rip + 0xXX] // lstrcatA\n B8 01 00 00 00 // mov eax, 1\n }\n\n // The decryption algorithm used to decrypt IcedID.\n $icedid_loader_decrypt_next_payload = {\n // icedid_main_decrypt_payload_loop:\n 41 0F B6 D3 // movzx edx, r11b\n 44 8D 42 01 // lea r8d, [rdx + 1]\n 83 E2 03 // and edx, 3\n 41 83 E0 03 // and r8d, 3\n 42 8A 44 84 ?? // mov al, byte ptr [rsp + r8*4 + 0xXX]\n 02 44 94 ?? // add al, byte ptr [rsp + rdx*4 + 0xXX]\n 43 32 04 33 // xor al, byte ptr [r11 + r14]\n 42 8B 4C 84 ?? // mov ecx, dword ptr [rsp + r8*4 + 0xXX]\n 41 88 04 1B // mov byte ptr [r11 + rbx], al\n 83 E1 07 // and ecx, 7\n 8B 44 94 ?? 
// mov eax, dword ptr [rsp + rdx*4 + 0xXX]\n 49 FF C3 // inc r11\n D3 C8 // ror eax, cl\n FF C0 // inc eax\n 89 44 94 ?? // mov dword ptr [rsp + rdx*4 + 0xXX], eax\n 83 E0 07 // and eax, 7\n 8A C8 // mov cl, al\n 42 8B 44 84 ?? // mov eax, dword ptr [rsp + r8*4 + 0xXX]\n D3 C8 // ror eax, cl\n FF C0 // inc eax\n 42 89 44 84 ?? // mov dword ptr [rsp + r8*4 + 0xXX], eax\n 48 8B 5C 24 28 // mov rbx, qword ptr [rsp + 0x28]\n 4C 3B 5C 24 30 // cmp r11, qword ptr [rsp + 0x30]\n 73 07 // jae icedid_main_decrypt_payload_done\n 4C 8B 74 24 20 // mov r14, qword ptr [rsp + 0x20]\n EB A3 // jmp icedid_main_decrypt_payload_loop\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "icedid_loader_stage_2_march_2021_campaign" ], "rule_creation_date": "2021-03-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.IcedID" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1017.002", "attack.t1218.011", "attack.t1566.001", "attack.t1082" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-icedid_loader_stage_3_march_2021_campaign_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584064Z", "creation_date": "2026-03-23T11:46:25.584066Z", "enabled": true, "block_on_agent": 
false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584072Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\nhttps://attack.mitre.org/software/S0483/" ], "name": "icedid_loader_stage_3_march_2021_campaign.yar", "content": "rule icedid_loader_stage_3_march_2021_campaign {\n meta:\n title = \"IcedID Loader Stage 3\"\n id = \"fa8fc1d1-089e-45d8-a985-38382016e06c\"\n description = \"Detects the IcedID loader stage 3 in memory related to the March 2021 Campaign.\\nIcedID is a modular banking malware designed to steal financial information. It has been observed in the wild since at least 2017 and is often delivered via phishing emails.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid\\nhttps://attack.mitre.org/software/S0483/\"\n date = \"2021-03-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1218.011;attack.t1017.002;attack.initial_access;attack.t1566.001;attack.discovery;attack.t1082;attack.s0483\"\n classification = \"Windows.Trojan.IcedID\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // ea0f00b4b41bbdd9e49c5747454242dc0beddcd38a59fb819059456714c381f5\n // 5e41f538d053ad1a0defef561fde940d70f627d24a22d05f5cf104c62fd540ac\n // be10ef45a43a03cc0163a106bd36d39b05c58dd929e57a2f6078350a48f3c730\n\n $vm_detect = {\n FF 15 ?? ?? ?? ?? // call cs:kernel32__SwitchToThread\n 0F 31 // rdtsc\n 48 C1 E2 20 // shl rdx, 20h\n 48 0B C2 // or rax, rdx\n 4C 8B C0 // mov r8, rax\n 33 C9 // xor ecx, ecx\n B8 01 00 00 00 // mov eax, 1\n 0F A2 // cpuid\n 89 44 24 ?? 
// mov [rsp+38h+var_18], eax\n 89 5C 24 ?? // mov [rsp+38h+var_14], ebx\n 89 4C 24 ?? // mov [rsp+38h+var_10], ecx\n 89 54 24 ?? // mov [rsp+38h+var_C], edx\n 0F 31 // rdtsc\n 48 C1 E2 20 // shl rdx, 20h\n 48 0B C2 // or rax, rdx\n 49 2B C0 // sub rax, r8\n 48 03 F8 // add rdi, rax\n FF 15 ?? ?? ?? ?? // call cs:kernel32__SwitchToThread\n 0F 31 // rdtsc\n 48 C1 E2 20 // shl rdx, 20h\n 90 // nop\n 48 0B C2 // or rax, rdx\n 48 8B C8 // mov rcx, rax\n 0F 31 // rdtsc\n 48 C1 E2 20 // shl rdx, 20h\n 48 0B C2 // or rax, rdx\n 48 2B C1 // sub rax, rcx\n }\n\n // Interesting bits of strings found in the decrypted license.dat which\n // are unlikely to generate false-positives.\n $s1 = \"{0ccac395-7d1d-4641-913a-7558812ddea2}\" ascii nocase\n $s2 = \"{d65f4087-1de4-4175-bbc8-f27a1d070723}\" ascii nocase\n $s3 = \"abe2869f-9b47-4cd9-a358-c22904dba7f7\" ascii nocase\n $s4 = \"{e3f38493-f850-4c6e-a48e-1b5c1f4dd35f}\" ascii nocase\n $s5 = \"passff.tar\" ascii nocase\n $s6 = \"cookie.tar\" ascii nocase\n $s7 = \"1.2.840.113549.1.1.5\" ascii nocase\n $s8 = \"cmd.exe /c chcp >&2\" ascii\n $s9 = \"20847809\" ascii\n $s10 = \"55090927\" ascii\n\n condition:\n $vm_detect and (7 of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "icedid_loader_stage_3_march_2021_campaign" ], "rule_creation_date": "2021-03-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.IcedID" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.initial_access" ], "rule_technique_tags": [ "attack.t1017.002", "attack.t1218.011", "attack.t1566.001", "attack.t1082" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-iis_hijackserver_module_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569491Z", "creation_date": "2026-03-23T11:46:25.569493Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569498Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\nhttps://asec.ahnlab.com/en/87804/\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks" ], "name": "iis_hijackserver_module.yar", "content": "rule iis_hijackserver_module {\n meta:\n title = \"IIS HijackServer Module\"\n id = \"975a3e67-7622-43dc-a146-9a9774c6a733\"\n description = \"Detects a malicious DLL loaded as a native IIS module related to HijackServer.\\nThis malicious module is loaded into the w3wp.exe process and intercepts HTTP requests to perform actions according to the content of the requests.\\nIt is recommended to analyze the context around this alert and investigate further suspicious actions or network connections.\"\n references = \"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\\nhttps://asec.ahnlab.com/en/87804/\\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks\"\n date = \"2025-09-02\"\n modified = \"2025-10-23\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1505.004\"\n classification = 
\"Windows.Malware.HijackServerModule\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2\n // 82b7f077021df9dc2cf1db802ed48e0dec8f6fa39a34e3f2ade2f0b63a1b5788\n\n $str_affiliate00 = \"affLinkSeoRes\"\n $str_affiliate01 = \"affLinkSeoResArr\"\n $str_affiliate02 = \"affLinkCenter\"\n $str_affiliate03 = \"Aff Link SEO Result Array\"\n $str_affiliate04 = \"Aff Link SEO Result\"\n $str_affiliate05 = \"affLinkTemplateSeoRes\"\n $str_affiliate06 = \"seoSiteAffLinkNum\"\n $str_affiliate07 = \"SEO Site Affiliate Link Number\"\n\n $str_diskclean00 = \"diskCleanRatio\"\n $str_diskclean01 = \"diskCleanThreshold\"\n $str_diskclean02 = \"Disk Clean Threshold\"\n $str_diskclean03 = \"Disk Clean Ratio\"\n $str_diskclean04 = \"clean?type=tmp\"\n $str_diskclean05 = \"clean?type=conf\"\n $str_diskclean06 = \"clean?type=all\"\n\n $str_hijack00 = \"seoGroupHijackbotUaMatchRules\"\n $str_hijack01 = \"SEO Group Hijackbot UA Match Rules\"\n $str_hijack02 = \"Hijackbot\"\n\n $str_tryclean00 = \"TryCleanTmp:-------------------START----------------------\"\n $str_tryclean01 = \"TryCleanTmp:admin setting diskCleanThreshold\"\n $str_tryclean02 = \"TryCleanTmp:currentUsagePercentage\"\n $str_tryclean03 = \"TryCleanTmp:need to clean tmp\"\n $str_tryclean04 = \"TryCleanTmp:admin setting diskCleanRatio\"\n $str_tryclean05 = \"TryCleanTmp:clean after! 
currentUsagePercentage\"\n $str_tryclean06 = \"TryCleanTmp:no clean tmp\"\n $str_tryclean07 = \"TryCleanTmp:-------------------END----------------------\"\n\n $str_mode00 = \"/debug\"\n $str_mode01 = \"/conf\"\n $str_mode02 = \"/health\"\n $str_mode03 = \"/clean\"\n $str_mode04 = \"/delete_tmp\"\n\n $str_shell00 = \"hack123456!\"\n $str_shell01 = \"CMD:\"\n $str_shell02 = \"RESULT:\"\n\n condition:\n 4 of ($str_affiliate*)\n or 4 of ($str_diskclean*)\n or 2 of ($str_hijack*)\n or 3 of ($str_tryclean*)\n or all of ($str_mode*)\n or (all of ($str_shell*) and 1 of ($str_affiliate*))\n}\n", "rule_count": 1, "rule_names": [ "iis_hijackserver_module" ], "rule_creation_date": "2025-09-02", "rule_modified_date": "2025-10-23", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.HijackServerModule" ], "rule_tactic_tags": [ "attack.persistence" ], "rule_technique_tags": [ "attack.t1505.004" ], "rule_score": 70, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-infinityhook_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572342Z", "creation_date": "2026-03-23T11:46:25.572344Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572350Z", "rule_level": "critical", "rule_level_override": 
null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/everdox/InfinityHook\nhttps://attack.mitre.org/techniques/T1014/" ], "name": "infinityhook.yar", "content": "rule infinity_hook {\n meta:\n title = \"Infinity Hook Technique\"\n id = \"e3f3fd0f-2f4a-4b32-8412-e8ca08a67cb2\"\n description = \"Detects the Infinity Hook technique used to inject malicious code into legitimate processes.\\nInfinity Hook is a technique that hooks various system events such as system calls, context switches, page faults, and Deferred Procedure Calls (DPCs). This rule identifies activity characteristic of Infinity Hook, which is commonly used to hide malicious behavior by injecting into legitimate processes. The detection is based on specific patterns related to Infinity Hook's implementation and known indicators.\\nIt is recommended to investigate the associated process for signs of malicious code injection or unauthorized modifications.\"\n references = \"https://github.com/everdox/InfinityHook\\nhttps://attack.mitre.org/techniques/T1014/\"\n date = \"2024-02-08\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1014\"\n classification = \"Windows.Generic.InfinityHook\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9f4614684cba3d21cda7013c1982a09e5ef58e123783a0586ddf0ab0fb3fdf09\n // b8536bc844e04009f8d9890f63693eb707bfa7ae8dd6430f68d09cd082c8a56b\n\n // https://github.com/everdox/InfinityHook/blob/864a0eabc44e7cd8581be499bf88857e6fd28bfb/src/libinfinityhook/infinityhook.cpp#L51\n $etw_data_pattern = {\n 2c 08 04 38 0c\n }\n\n // https://github.com/everdox/InfinityHook/blob/864a0eabc44e7cd8581be499bf88857e6fd28bfb/src/libinfinityhook/hde/table64.h#L37\n $hde_table_64 = {\n 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\n }\n\n $EtwpDebuggerDataPattern = {2c 08 04 38 
0c}\n\n // Exhaustive match over cmp ??, INFINITYHOOK_MAGIC_1 (0x501802)/INFINITYHOOK_MAGIC_2 (0xf33) followed by je/jne based on https://www.felixcloutier.com/x86/cmp and https://www.felixcloutier.com/x86/jcc\n $magic = {\n 02 18 50 00 // cmp dword [??], 0x501802\n (74 ?? | 0F 84 ?? | 75 ?? | 0F 85 ??) // je/jne 0x?????????\n [10-60]\n 33 0f 00 00 // cmp ??, 0xf33\n (74 ?? | 0F 84 ?? | 75 ?? | 0F 85 ??) // je/jne 0x?????????\n }\n\n $s1 = \"KVASCODE\" ascii fullword\n\n // const GUID CkclSessionGuid = { 0x54dea73a, 0xed1f, 0x42a4, { 0xaf, 0x71, 0x3e, 0x63, 0xd0, 0x56, 0xf1, 0x74 } };\n $s2 = {3a a7 de 54 1f ed a4 42 af 71 3e 63 d0 56 f1 74}\n\n // PVOID SyscallEntry = (PVOID)__readmsr(IA32_LSTAR_MSR);\n $s3 = {\n b9 82 00 00 c0 // mov ecx, 0xC0000082 (IA32_LSTAR_MSR)\n 0F 32 // rdmsr\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "infinity_hook" ], "rule_creation_date": "2024-02-08", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.InfinityHook" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1014" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-invisibleferret_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563014Z", "creation_date": 
"2026-03-23T11:46:25.563016Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563021Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\nhttps://objective-see.org/blog/blog_0x7A.html\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\nhttps://attack.mitre.org/groups/G0032/" ], "name": "invisibleferret.yar", "content": "rule invisibleferret {\n meta:\n title = \"InvisibleFerret Backdoor\"\n id = \"d0bd18b8-ce81-407e-a4e5-1eb4257703c9\"\n description = \"Detects the InvisibleFerret backdoor, a cross-platform malware associated with the Lazarus Group (also known as APT38 or DPRK), a North Korean state-sponsored threat actor.\\nInvisibleFerret is designed to steal sensitive data from popular web browsers on Windows, Linux, and macOS by targeting login credentials and other stored information.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\\nhttps://objective-see.org/blog/blog_0x7A.html\\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\\nhttps://attack.mitre.org/groups/G0032/\"\n date = \"2024-10-25\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.credential_access;attack.t1056.001;attack.t1555.003;attack.command_and_control;attack.t1571;attack.exfiltration;attack.t1041\"\n classification = \"Backdoor.InvisibleFerret\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n // Initial script\n $init1 = \"download_payload\" ascii fullword\n $init2 = \"/pay\" ascii fullword\n $init3 = \"download_browse\" ascii fullword\n $init4 = \"/bow\" ascii fullword\n $init5 = \"download_mclip\" ascii fullword\n $init6 = 
\"/mlip\" ascii fullword\n $init7 = \"Darwin\" ascii fullword\n\n // pay component\n $pay_f1 = \"Geo.getGeo\" ascii fullword\n $pay_f2 = \"Information.get_info\" ascii fullword\n $pay_f3 = \"Comm.contact_server\" ascii fullword\n $pay_f4 = \"write_flist\" ascii fullword\n $pay_f5 = \"Shell.bro_down\" ascii fullword\n $pay_f6 = \"Client.make_connection\" ascii fullword\n\n $pay_s1 = \"start ses recv\" ascii fullword\n $pay_s2 = \"ses recv size:\" ascii fullword\n $pay_s3 = \"error_listen:\" ascii fullword\n $pay_s4 = \"start shell\" ascii fullword\n $pay_s5 = \" >> upload start:\" ascii fullword\n $pay_s6 = \" >> ufind start:\" ascii fullword\n $pay_s7 = \"--- uenv start\" ascii fullword\n $pay_s8 = \"Chrome & Browser are terminated\" ascii fullword\n\n // bow component\n $bow_f1 = \"ChromeBase.decrypt_windows_password\" ascii fullword\n $bow_f2 = \"ChromeBase.decrypt_unix_password\" ascii fullword\n $bow_f3 = \"Windows.brw_paths\" ascii fullword\n $bow_f4 = \"Windows.get_encryption_key\" ascii fullword\n $bow_f5 = \"Linux.brw_paths\" ascii fullword\n $bow_f6 = \"Linux.get_encryption_key\" ascii fullword\n $bow_f7 = \"Mac.brw_paths\" ascii fullword\n $bow_f8 = \"Mac.get_encryption_key\" ascii fullword\n\n $bow_s1 = \"LoginData.db\" ascii fullword\n $bow_s2 = \"select origin_url, action_url, username_value, password_value, date_created, date_last_used from logins order by date_created\" ascii fullword\n $bow_s3 = \"webdata.db\" ascii fullword\n $bow_s4 = \"SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, date_modified FROM credit_cards\" ascii fullword\n\n condition:\n all of ($init*) or\n (\n 4 of ($pay_f*) and\n 4 of ($pay_s*)\n ) or\n (\n 4 of ($bow_f*) and\n all of ($bow_s*)\n )\n}\n", "rule_count": 1, "rule_names": [ "invisibleferret" ], "rule_creation_date": "2024-10-25", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Backdoor.InvisibleFerret" ], "rule_tactic_tags": [ 
"attack.collection", "attack.command_and_control", "attack.credential_access", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1056.001", "attack.t1041", "attack.t1555.003", "attack.t1571" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-invisishell_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584800Z", "creation_date": "2026-03-23T11:46:25.584802Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584807Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/OmerYa/Invisi-Shell" ], "name": "invisishell_dll.yar", "content": "rule invisishell_dll {\n meta:\n title = \"Invisi-Shell Tool\"\n id = \"0729fb0a-e615-42d7-bca8-902c130638cf\"\n description = \"Detects Invisi-Shell tool.\\nInvisi-Shell is a tool that enables attackers to bypass PowerShell security features such as logging, ScriptBlock, and AMSI by using a COR Profiler and .NET assemblies hooking. 
It allows for undetected execution and persistence.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/OmerYa/Invisi-Shell\"\n date = \"2022-10-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1574.012\"\n classification = \"Windows.Tool.InvisiShell\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 833d68452ea956b5d23bcb243cd327bd05dfd79fb5a4a34064783749eafa1ddf\n\n $s1 = \"System.Management.Automation\" fullword wide\n $s2 = \"System.Management.Automation.AmsiUtils\" fullword wide\n $s3 = \"ScanContent\" fullword wide\n $s4 = \"System.Management.Automation.ScriptBlock\" fullword wide\n $s5 = \"WriteScriptBlockToLog\" fullword wide\n $s6 = \"LogScriptBlockStart\" fullword wide\n $s7 = \"LogScriptBlockEnd\" fullword wide\n\n $setup_hook = {\n 33 D2 // xor edx, edx ; Val\n 41 B8 00 01 00 00 // mov r8d, 100h ; Size\n 40 88 B5 ?? ?? ?? ?? // mov [rbp+5C90h+var_5028], sil\n C7 85 ?? ?? ?? ?? 
33 C0 C3 00 // mov [rbp+5C90h+var_5027], 0C3C033h\n E8 // call memset\n }\n\n condition:\n all of ($s*) and #setup_hook > 2\n}\n", "rule_count": 1, "rule_names": [ "invisishell_dll" ], "rule_creation_date": "2022-10-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.InvisiShell" ], "rule_tactic_tags": [ "attack.persistence" ], "rule_technique_tags": [ "attack.t1574.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-iobitunlocker_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566661Z", "creation_date": "2026-03-23T11:46:25.566663Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566669Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.reliaquest.com/blog/double-extortion-attack-analysis/\nhttps://www.iobit.com/fr/iobit-unlocker.php\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "iobitunlocker_driver.yar", "content": "rule driver_iobitunlocker {\n meta:\n title = \"IObit Unlocker Driver\"\n id = \"0cd252a3-ad03-4cb9-91e7-29996fad1ebd\"\n description = \"Detects the IObit Unlocker 
driver.\\nIObit Unlocker is a utility tool designed to remove locked system files.\\nAdversaries may use this tool to disable security tools and evade detection.\\nIt is recommended to investigate the process tree for suspicious activities.\"\n references = \"https://www.reliaquest.com/blog/double-extortion-attack-analysis/\\nhttps://www.iobit.com/fr/iobit-unlocker.php\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-09-19\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Driver.IObitUnlocker\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1845fe8545b6708e64250b8807f26d095f1875cc1f6159b24c2d0589feb74f0c\n // f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004\n // a6b6b37e5efaf4a9c7fde9efd53f93ce1b3d040e5c60ab960ef7d4fd7568cb50\n // c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66\n\n $s1 = \"ULKDeleteFile: 0x%08x, %wZ\" ascii fullword\n $s2 = \"ULKCopyFile: 0x%08x, %wZ, %wZ\" ascii fullword\n $s3 = \"\\\\Device\\\\HarddiskVolume1\\\\unlocker.log\" wide fullword\n\n $device1 = \"\\\\Device\\\\IObitUnlockerDevice\" wide fullword\n $device2 = \"\\\\DosDevices\\\\IObitUnlockerDevice\" wide fullword\n\n $pdb1 = \"\\\\i386\\\\IObitUnlocker.pdb\" ascii\n $pdb2 = \"\\\\amd64\\\\IObitUnlocker.pdb\" ascii\n\n // 317b772c7ed9c1ebb808746b02c0ccec4860894f4192fdd095ecaebb223d08f3\n // f601db241a7e5a6191a5b06c1e828af04fdf8a4b022de8dbba357563b03cceb5\n $installer = \"dll:uninstall:{app}\\\\IObitUnlocker.dll\" ascii fullword\n\n condition:\n uint16(0) == 0x5a4d and\n (\n all of ($s*) or\n (1 of ($device*) and 1 of ($s*)) or\n 1 of ($pdb*)\n )\n and not $installer\n}\n", "rule_count": 1, "rule_names": [ "driver_iobitunlocker" ], "rule_creation_date": "2023-09-19", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ 
"Windows.Driver.IObitUnlocker" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-iori_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582536Z", "creation_date": "2026-03-23T11:46:25.582538Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582543Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/D1rkMtr/IORI_Loader" ], "name": "iori_loader.yar", "content": "rule loader_iori {\n meta:\n title = \"IORI Loader\"\n id = \"6ff9d830-2f24-4a44-9793-24c4a9d7100e\"\n description = \"Detects the IORI Loader.\\nThe IORI Loader uses dynamic indirect syscalls to load shellcodes encoded into UUIDs. 
This loader also unhooks the syscalls it uses to avoid detection by security products.\"\n references = \"https://github.com/D1rkMtr/IORI_Loader\"\n date = \"2022-11-03\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106\"\n classification = \"Windows.Loader.IORI\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b1f882cd8d26d614f236ccc4d5f02a152e8d825d148f12ecfbccc5edc58f3fec\n\n $syscall_hash_1 = { 35 2B BE A6 } // ZwAllocateVirtualMemory\n $syscall_hash_2 = { 38 C3 EC F7 } // NtCreateThreadEx\n $syscall_hash_3 = { BC 93 C9 AF } // NtWaitForSingleObject\n\n $op_pe_header_parsing = {\n 8B F2 // mov esi, edx\n 48 8B D9 // mov rbx, rcx\n 44 8B 84 08 88 00 00 00 // mov r8d, [rax+rcx+136]\n 41 8B 7C 08 1C // mov edi, [r8+rcx+28]\n 45 8B 5C 08 20 // mov r11d, [r8+rcx+32]\n 45 8B 74 08 24 // mov r14d, [r8+rcx+36]\n 4C 03 D9 // add r11, rcx\n 4C 03 F1 // add r14, rcx\n 48 8D 2C 39 // lea rbp, [rcx+rdi]\n 85 FF // test edi, edi\n }\n\n $op_find_api_hash = {\n 47 8D 04 40 // lea r8d, [r8+r8*2]\n 41 FF C1 // inc r9d\n 48 8D 52 01 // lea rdx, [rdx+1]\n 44 03 C1 // add r8d, ecx\n 49 63 C9 // movsxd rcx, r9d\n 48 3B C8 // cmp rcx, rax\n 72 ?? 
// jb short loc_1400010F0\n }\n\n condition:\n all of ($syscall_hash_*) and 1 of ($op_*)\n}\n", "rule_count": 1, "rule_names": [ "loader_iori" ], "rule_creation_date": "2022-11-03", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.IORI" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1106" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-iox_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564993Z", "creation_date": "2026-03-23T11:46:25.564995Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565001Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/EddieIvan01/iox" ], "name": "iox.yar", "content": "rule iox {\n meta:\n title = \"iox Tunneling Tool\"\n id = \"2b5c320a-cf7f-4600-96da-61af57462eeb\"\n description = \"Detects the iox tunneling tool.\\nIox can be used by attackers to establish TCP/UDP tunnels for command and control or data exfiltration.\\nIox enables attackers to pivot into victim environments by creating encrypted or unencrypted tunnels, often bypassing network 
security measures.\\nIt is recommended to investigate the context around the execution of Iox to determine the legitimacy of its presence on the host.\"\n references = \"https://github.com/EddieIvan01/iox\"\n date = \"2024-01-31\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Tool.iox\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731\n // b9c40960259b9b14d80c8b1cb3438913f8550fe56dbdfe314b53c7ceae77ccb0\n // 4806fd64647e02a34dd49f9057c6bf95325dcc923764ff2ef61cbbab40ca8c48\n // 13c1cfb12017aa138e2f8d788dcd867806cc8fd6ae05c3ab7d886c18bcd4c48a\n // e92c85b36d0848171ada787862413e0edd8291c8ae6a43e13b075b9ccbd53434\n // 35d83137ea70e94187a9ad9b7fa2d7b6c6b9128eb9d104380f2ac525784b9a78\n\n $string_gobuild_1 = \"Go build ID: \\\"hXCPM6VGLAOVYcuOtkpk/zW_AWft3N-aavPfuefBC/_jZi_qx4N2RgvR76LfqD/-MhsqjIF67wPrZy8U5JH\\\"\" ascii fullword\n $string_gobuild_2 = \"Go build ID: \\\"l7ffIUJGE5-y6vGZJcCa/L1-Pwl9z21dvGvtlWQGS/1tDt28jpySbiGSJlZFkJ/ggMEGfUtUSpF3hMa5S74\\\"\" ascii fullword\n $string_gobuild_3 = \"Go build ID: \\\"2o6xVl_1exK2-tBeoPrw/yoCBbeFQOG-TFGp8jtej/NohGyDNgwkZPr3Tct-_N/i7CPR2XZvHSHKVFEOAql\\\"\" ascii fullword\n $string_gobuild_4 = \"Go build ID: \\\"TQpP3IgmGAtFZdKaROz6/kWHAbZ68Ak3-AR-JimWq/eNeLkDdKHqmzN8s-aB4M/7ex-T_UrCTjLX4eURpL5\\\"\" ascii fullword\n\n // object\n $string_object_1 = \"iox/crypto.\" ascii\n $string_object_2 = \"iox/socks5.\" ascii\n $string_object_3 = \"iox/operate.\" ascii\n $string_object_4 = \"iox/option.\" ascii\n $string_object_5 = \"iox/logger.\" ascii\n $string_object_6 = \"iox/netio.\" ascii\n\n // helper\n $string_helper_1 = \"Access intranet easily (https://github.com/eddieivan01/iox)\" ascii\n $string_helper_2 = \"Usage: iox fwd/proxy 
[-l [*][HOST:]PORT] [-r [*]HOST:PORT] [-k HEX] [-t TIMEOUT] [-u] [-h] [-v]\" ascii fullword\n $string_helper_3 = \"address to listen on. `*` means encrypted socket\" ascii fullword\n $string_helper_4 = \"remote host to connect, HOST can be IP or Domain. `*` means encrypted socket\" ascii fullword\n $string_helper_5 = \"hexadecimal format key, be used to generate Key and IV\" ascii fullword\n $string_helper_6 = \"udp forward mode\" ascii fullword\n $string_helper_7 = \"set connection timeout(millisecond), default is 5000\" ascii fullword\n $string_helper_8 = \"enable log output\" ascii fullword\n\n condition:\n 1 of ($string_gobuild_*)\n or 3 of ($string_object_*)\n or 3 of ($string_helper_*)\n}\n", "rule_count": 1, "rule_names": [ "iox" ], "rule_creation_date": "2024-01-31", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Tool.iox" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-jokerspy_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577197Z", "creation_date": "2026-03-23T11:46:25.577200Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577205Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html\nhttps://www.elastic.co/security-labs/inital-research-of-jokerspy" ], "name": "jokerspy.yar", "content": "rule jokerspy {\n meta:\n title = \"JokerSpy Backdoor\"\n id = \"2a44bea8-9e22-4dae-8a29-c3b30e02f662\"\n description = \"Detects JokerSpy (aka COVERTCATCH), a multi-platform Python backdoor designed to execute commands and deploy additional post-exploitation tools.\\nIt enables remote control over compromised systems, allowing attackers to perform various malicious activities, including data exfiltration and persistence.\\nIt is recommended to investigate the process activity to identify unauthorized actions and assess potential data exfiltration or system compromise.\"\n references = \"https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html\\nhttps://www.elastic.co/security-labs/inital-research-of-jokerspy\"\n date = \"2024-09-12\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.010;attack.collection;attack.t1005;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Backdoor.JokerSpy\"\n context = \"process,memory,thread\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 39bbc16028fd46bf4ddad49c21439504d3f6f42cccbd30945a2d2fdb4ce393a4\n // aa951c053baf011d08f3a60a10c1d09bbac32f332413db5b38b8737558a08dc1\n\n // shared.dat\n $dat1 = \"down_exec\" ascii\n $dat2 = \"check_os\" ascii\n $dat3 = \"distro_info\" ascii\n $dat4 = \"/Hfref/Funerq\" ascii\n $dat5 = \"drop_f\" ascii\n $dat6 = \"res_cmd\" ascii\n $dat7 = \"preexec_fn\" ascii\n $dat8 = \"VQ=qrovna\" 
ascii\n\n // sh.py\n $sh1 = \"get_basic_information\" ascii\n $sh2 = \"BasicInformation\" ascii\n $sh3 = \"get_volume_type\" ascii\n $sh4 = \"load_setting\" ascii\n $sh5 = \"SleepCycleMin\" ascii\n $sh6 = \"save_setting\" ascii\n $sh7 = \"process_command\" ascii\n $sh8 = \"ServerUrlString\" ascii\n $sh9 = \"GetVolumeInformationW\" ascii\n $sh10 = \"GetDriveTypeW\" ascii\n\n condition:\n all of ($dat*) or all of ($sh*)\n}\n", "rule_count": 1, "rule_names": [ "jokerspy" ], "rule_creation_date": "2024-09-12", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Backdoor.JokerSpy" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1027.010", "attack.t1005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-jynx_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572372Z", "creation_date": "2026-03-23T11:46:25.572374Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572379Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://github.com/chokepoint/jynxkit/\nhttps://github.com/chokepoint/Jynx2/" ], "name": "jynx.yar", "content": "rule linux_library_rootkit_jynx {\n meta:\n title = \"Jynx Rootkit\"\n id = \"493b8dfd-a08d-40ad-a804-daccc0491796\"\n description = \"Detects the Jynx/Jynx2 userland rootkit.\\nJynx/Jynx2 uses LD_PRELOAD to inject malicious shared libraries and hijack function calls.\\nIt is recommended to isolate the affected machine and perform a full system scan for any signs of compromise.\"\n references = \"https://github.com/chokepoint/jynxkit/\\nhttps://github.com/chokepoint/Jynx2/\"\n date = \"2023-12-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.004;attack.persistence;attack.t1574.006;attack.defense_evasion;attack.t1014;attack.t1070;attack.t1564;attack.command_and_control;attack.t1095\"\n classification = \"Linux.Rootkit.Jynx\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6cd339d568768fefb86f4a298c57807616157de929b9c5d7b26e98a2922cf1df\n // d561024595ac93853565f55a42fed4735812dd27ac82a865d8863f9448e68d1b\n // 147e0d7478e947f68c7951e592b095cbabcb6120371b9a65cea7f04a72b55ee1\n\n $a1 = \"xochi\" ascii fullword\n $a3 = \"ld_poison loaded\" ascii\n $a4 = \"XxJynx\" ascii fullword\n $a5 = \"reality.so\" ascii\n $a6 = \"Bump with shell\" ascii\n $a7 = \"forge_proc_net_tcp\" ascii fullword\n $a8 = \"drop_suid_shell_if_env_set\" ascii fullword\n $e1 = \"old_fxstat\" ascii fullword\n $e2 = \"old_fxstat64\" ascii fullword\n $e3 = \"old_lxstat\" ascii fullword\n $e4 = \"old_lxstat64\" ascii fullword\n $e5 = \"old_open\" ascii fullword\n $e6 = \"old_rmdir\" ascii fullword\n $e7 = \"old_unlink\" ascii fullword\n $e8 = \"old_unlinkat\" ascii fullword\n $e9 = \"old_xstat\" ascii fullword\n $e10 = \"old_xstat64\" ascii fullword\n $e11 = \"old_fdopendir\" 
ascii fullword\n $e12 = \"old_opendir\" ascii fullword\n $e13 = \"old_readdir\" ascii fullword\n $e14 = \"old_readdir64\" ascii fullword\n $e20 = \"old_accept\" ascii fullword\n $e21 = \"old_fopen\" ascii fullword\n $e22 = \"old_fopen64\" ascii fullword\n\n condition:\n (uint32be(0) == 0x7F454c46) // ELF\n and ((uint16be(0x10) == 0x03) or (uint16(0x10) == 0x03)) // ET_DYN\n and (3 of ($a*) or 10 of ($e*))\n}\n", "rule_count": 1, "rule_names": [ "linux_library_rootkit_jynx" ], "rule_creation_date": "2023-12-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Jynx" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1095", "attack.t1070", "attack.t1564", "attack.t1014", "attack.t1574.006", "attack.t1059.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-kamikakabot_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574858Z", "creation_date": "2026-03-23T11:46:25.574860Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574866Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://www.group-ib.com/blog/dark-pink-apt/\nhttps://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\nhttps://attack.mitre.org/techniques/T1102/002/" ], "name": "kamikakabot.yar", "content": "rule kamikakabot {\n meta:\n title = \"KamiKakaBot Malware\"\n id = \"2fb836a2-2245-42ff-b40d-468f91a9b996\"\n description = \"Detects KamiKakaBot, a malware used by the Dark Pink advanced persistent threat (APT) to run arbitrary commands and exfiltrate sensitive information.\\nKamiKakaBot steals browser data and sends it to the attackers' Telegram bot channel in a compressed ZIP format.\\nIt is commonly distributed through phishing campaigns.\\nIt is recommended to analyze network traffic for potential exfiltration channels.\"\n references = \"https://www.group-ib.com/blog/dark-pink-apt/\\nhttps://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\\nhttps://attack.mitre.org/techniques/T1102/002/\"\n date = \"2024-03-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.003;attack.credential_access;attack.t1555.003;attack.collection;attack.t1560;attack.command_and_control;attack.t1102.002\"\n classification = \"Windows.Malware.KamiKakaBot\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 4af3798c81a6eb2fc90b0c7f644e004cc2eadac29b308a1136102b5ea814bd69\n // b23d6ab48067fd01e954ecefa70a8469256e70cee815d4a1249196deb0760043\n // 06ecb4ae52acd132706830e3f1d4885dfb1a89b2925130d62a55b635e8ef36fd\n\n $f1 = \"getIndentifyName\" ascii fullword\n $f2 = \"getMessageAsync\" ascii fullword\n $f3 = \"run_command\" ascii fullword\n $f4 = \"sendFile\" ascii fullword\n $f5 = \"sendMessage\" ascii fullword\n $f6 = \"send_brw_data\" ascii fullword\n $f7 = \"updateMessageID\" ascii fullword\n $f8 = \"update_new_token\" ascii fullword\n $f9 = 
\"update_new_xml\" ascii fullword\n $f10 = \"ResultRequestMessage\" ascii fullword\n\n $s1 = \"_CHATID\" ascii fullword\n $s2 = \"DELAYTIME\" ascii fullword\n $s3 = \"IdentifyName\" ascii fullword\n $s4 = \"/file/{0}/{1}\" wide\n $s5 = \"{0}/getUpdates\" wide\n $s6 = \"%TMP%\\\\\" wide\n $s7 = \"Update new xml success!\" wide fullword\n\n // getMessageAsync()\n $x_get_message_async = {\n 1200 // ldloca.s V_0\n 28??00000A // call valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::Create()\n 7D????0004 // stfld valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__21'::'<>t__builder'\n 1200 // ldloca.s V_0\n 15 // ldc.i4.m1\n 7D????0004 // stfld int32 svchost.main/'d__21'::'<>1__state'\n 1200 // ldloca.s V_0\n 7C????0004 // ldflda valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__21'::'<>t__builder'\n 1200 // ldloca.s V_0\n 28??00002B // call instance void valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::Startd__21'>(!!0&)\n 1200 // ldloca.s V_0\n 7C????0004 // ldflda valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__21'::'<>t__builder'\n 28??00000A // call instance class [mscorlib]System.Threading.Tasks.Task`1 valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::get_Task()\n 2A // ret\n }\n\n // update_new_xml()\n $x_update_new_xml = {\n 1200 // ldloca.s V_0\n 28????000A // call valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::Create()\n 7D????0004 // stfld valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__25'::'<>t__builder'\n 1200 // ldloca.s V_0\n 02 // ldarg.0\n 7D????0004 // stfld string svchost.main/'d__25'::file_path\n 1200 // 
ldloca.s V_0\n 03 // ldarg.1\n 7D????0004 // stfld string svchost.main/'d__25'::old_xml_name\n 1200 // ldloca.s V_0\n 15 // ldc.i4.m1\n 7D????0004 // stfld int32 svchost.main/'d__25'::'<>1__state'\n 1200 // ldloca.s V_0\n 7C????0004 // ldflda valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__25'::'<>t__builder'\n 1200 // ldloca.s V_0\n 28????002B // call instance void valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::Startd__25'>(!!0&)\n 1200 // ldloca.s V_0\n 7C????0004 // ldflda valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1 svchost.main/'d__25'::'<>t__builder'\n 28??00000A // call instance class [mscorlib]System.Threading.Tasks.Task`1 valuetype [mscorlib]System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1::get_Task()\n 2A // ret\n }\n\n // requestMessageID()\n $x_request_message_id = {\n 06 // ldloc.0\n 28??00000A // call string [mscorlib]System.IO.File::ReadAllText(string)\n 0C // stloc.2\n 08 // ldloc.2\n 17 // ldc.i4.1\n 8D??000001 // newarr [mscorlib]System.Char\n 25 // dup\n 16 // ldc.i4.0\n 1F3A // ldc.i4.s 58\n 9D // stelem.i2\n 6F??00000A // callvirt instance string[] [mscorlib]System.String::Split(char[])\n 16 // ldc.i4.0\n A3??000001 // ldelem [mscorlib]System.String\n 07 // ldloc.1\n 28??00000A // call bool [mscorlib]System.String::op_Equality(string, string)\n [2-5] // brfalse.s\n\n 08 // ldloc.2\n 17 // ldc.i4.1\n 8D??000001 // newarr [mscorlib]System.Char\n 25 // dup\n 16 // ldc.i4.0\n 1F3A // ldc.i4.s 58\n 9D // stelem.i2\n 6F??00000A // callvirt instance string[] [mscorlib]System.String::Split(char[])\n 17 // ldc.i4.1\n A3??000001 // ldelem [mscorlib]System.String\n 28??00000A // call int32 [mscorlib]System.Int32::Parse(string)\n 2A // ret\n\n 06 // ldloc.0\n }\n\n condition:\n 5 of ($f*) and 4 of ($s*) and 1 of ($x_*)\n}\n", "rule_count": 1, "rule_names": [ "kamikakabot" ], "rule_creation_date": "2024-03-25", "rule_modified_date": 
"2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.KamiKakaBot" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.execution" ], "rule_technique_tags": [ "attack.t1059.003", "attack.t1560", "attack.t1555.003", "attack.t1102.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-kaynldr_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582595Z", "creation_date": "2026-03-23T11:46:25.582597Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582602Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Cracked5pider/KaynLd" ], "name": "kaynldr.yar", "content": "rule kaynldr {\n meta:\n title = \"KaynLdr Reflective Loader\"\n id = \"16802361-3d54-4cd2-9024-cfc3460d48f8\"\n description = \"Detects KaynLdr, a Reflective Loader.\\nKaynLdr is a Windows user-mode loader designed to execute position-independent shellcode or PE files in memory, while employing basic obfuscation techniques to evade detection.\\nA reflective loader is a technique that allows code, such as DLLs or 
shellcode, to load and execute itself directly from memory without using the standard Windows loader, helping to evade detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/Cracked5pider/KaynLd\"\n date = \"2025-05-22\"\n modified = \"2025-06-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620;attack.t1055.002;attack.execution;attack.t1129\"\n classification = \"Windows.Loader.KaynLdr\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5e2f5d13f7eaf0d1f651b3836f405f7fd230eb42491ff741071daf84583acb16\n\n // KaynCaller\n // https://github.com/Cracked5pider/KaynLdr/blob/main/KaynLdr/src/Util.s\n $kayn_caller = {\n E8 00 00 00 00 // call $+5\n // loc_345:\n 59 // pop rcx\n // loc_346:\n 48 31 DB // xor rbx, rbx\n BB 4D 5A 00 00 // mov ebx, 5A4Dh\n 48 FF C1 // inc rcx\n (66 3B 19 | 3E 66 3B 19) // cmp bx, [rcx]\n (75 F0 | 75 EF) // jnz short loc_346\n 48 31 C0 // xor rax, rax\n 66 8B 41 3C // mov ax, [rcx+3Ch]\n 48 01 C8 // add rax, rcx\n 48 31 DB // xor rbx, rbx\n 66 81 C3 50 45 // add bx, 4550h\n (66 3B 18 | 3E 66 3B 18) // cmp bx, [rax]\n (75 D9 | 75 D7) // jnz short loc_346\n 48 89 C8 // mov rax, rcx\n C3 // retn\n }\n\n // https://github.com/Cracked5pider/KaynLdr/blob/main/KaynLdr/include/Macros.h\n $s1 = {53 17 E6 70} // NTDLL_HASH\n $s2 = {43 6A 45 9E} // SYS_LDRLOADDLL\n $s3 = {EC B8 83 F7} // SYS_NTALLOCATEVIRTUALMEMORY\n $s4 = {88 28 E9 50} // SYS_NTPROTECTEDVIRTUALMEMORY\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "kaynldr" ], "rule_creation_date": "2025-05-22", "rule_modified_date": "2025-06-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.KaynLdr" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1129", "attack.t1620", 
"attack.t1055.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-kdu_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567658Z", "creation_date": "2026-03-23T11:46:25.567660Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567665Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/hfiref0x/KDU" ], "name": "kdu.yar", "content": "rule kernel_driver_utility {\n meta:\n title = \"Kernel Driver Utility HackTool\"\n id = \"ae3710a2-3040-41f0-850f-1045c36cefac\"\n description = \"Detects the Kernel Driver Utility (KDU) hacktool targeting the Windows Kernel.\\nKernel Driver Utility (KDU) is a tool designed to interact with vulnerable kernel drivers. 
It can disable Driver Signature Enforcement, launch processes with PPL (Protected Process Light) privileges, dump memory from any process at the kernel level, and execute shellcode in Kernel Mode.\"\n references = \"https://github.com/hfiref0x/KDU\"\n date = \"2024-04-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1014;attack.t1562.001\"\n classification = \"Windows.HackTool.KernelDriverUtility\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 356f102057cfcbe6f000398a1278f80acfabcb88bcf8fcef09d912977f3cd3b0\n\n // Match Page Walk function with hardcoded value\n $s_stub_page_walk = {\n 00 f0 ff ff ff ff 0f 00 // mov r12, 0xffffffffff000\n [2-6] // and rdx, r12\n 27 00 00 00 // mov edi, 0x27\n [80-100]\n 4? b? 00 00 e0 ff ff ff 0f 00 // mov rcx, 0xfffffffe00000\n 4? 2? ?? // and rdx, rcx\n ?? ?? ff ff 1f 00 // and ebx, 0x1fffff\n e? ?? // jmp 0x14000e38e\n 4? b? 00 00 00 c0 ff ff 0f 00 // mov rax, 0xfffffc0000000\n 4? 2? ?? // and rdx, rax\n ?? ?? ff ff ff 3f // and ebx, 0x3fffffff\n }\n\n // Match shellcode function with hardcoded value\n $s_stub_shellcode = {\n 4? b? 88 77 66 55 44 33 22 11 // mov rax, 0x1122334455667788\n 4? b? 11 22 33 44 55 66 77 88 // mov rdx, 0x8877665544332211\n 4? 33 ?? // xor rax, rdx {0x9955551111555599}\n 4? ?? ?? // mov rdi, rax {0x9955551111555599}\n 4? b? 88 77 66 55 44 33 22 11 // mov rsi, 0x1122334455667788\n 4? b? 11 22 33 44 55 66 77 88 // mov rdx, 0x8877665544332211\n 4? 33 ?? // xor rsi, rdx {0x9955551111555599}\n 4? 33 ?? // xor rcx, rcx {0x0}\n [10-16]\n 4? b? 88 77 66 55 44 33 22 11 // mov rax, 0x1122334455667788\n 4? b? 11 22 33 44 55 66 77 88 // mov rdx, 0x8877665544332211\n 4? 33 ?? // xor rax, rdx {0x9955551111555599}\n 4? b? 88 77 66 55 44 33 22 11 // mov rcx, 0x1122334455667788\n 4? b? 11 22 33 44 55 66 77 88 // mov rdx, 0x8877665544332211\n [6-12]\n 4? b? 
88 77 66 55 44 33 22 11 // mov rax, 0x1122334455667788\n 4? b? 11 22 33 44 55 66 77 88 // mov rcx, 0x8877665544332211\n }\n\n condition:\n 1 of ($s_stub_*)\n}\n", "rule_count": 1, "rule_names": [ "kernel_driver_utility" ], "rule_creation_date": "2024-04-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KernelDriverUtility" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1014" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-keepass_dumper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582264Z", "creation_date": "2026-03-23T11:46:25.582266Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582272Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/vdohney/keepass-password-dumper\nhttps://github.com/CTM1/CVE-2023-32784-keepass-linux\nhttps://github.com/Orange-Cyberdefense/KeePwn" ], "name": "keepass_dumper.yar", "content": "import \"pe\"\n\nrule keepass_dumper {\n meta:\n title = \"Keepass Password Dumper HackTool\"\n id = 
\"d475e2c1-ea8f-4ef2-9c0c-2c04ca5af590\"\n description = \"Detects vdohney's open-source application exploiting CVE-2023-32784.\\nThis application enables attackers to extract the master password from KeePass <2.53 by searching for residual characters in process memory.\\nIt is recommended to ensure that all instances of KeePass are updated to version 2.53 or later to mitigate this vulnerability.\"\n references = \"https://github.com/vdohney/keepass-password-dumper\\nhttps://github.com/CTM1/CVE-2023-32784-keepass-linux\\nhttps://github.com/Orange-Cyberdefense/KeePwn\"\n date = \"2023-09-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.005\"\n classification = \"Windows.HackTool.KeePassDump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 66c5017dcb9adb769e0c25f4dd3eda4ac2d7fcdce37d7cb895e52b2608264ffe\n // a45510b16627aa1ddb14b44466a62d854f3071f98dee375f97247e2876c35ef9\n\n $vdohney_1 = \"Password candidates (character positions):\" wide fullword\n $vdohney_2 = \"Unknown characters are displayed as \\\"\" wide fullword\n $vdohney_3 = \"possible passwords saved in\" wide\n $vdohney_4 = \". 
Unknown characters indicated as\"\n\n condition:\n (uint16(0) == 0x5a4d and all of ($vdohney*)) or\n pe.version_info[\"CompanyName\"] contains \"keepass_password_dumper\" or\n pe.version_info[\"FileDescription\"] contains \"keepass_password_dumper\" or\n pe.version_info[\"ProductName\"] contains \"keepass_password_dumper\"\n}\n", "rule_count": 1, "rule_names": [ "keepass_dumper" ], "rule_creation_date": "2023-09-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KeePassDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.005" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-kernelcactus_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571286Z", "creation_date": "2026-03-23T11:46:25.571288Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571294Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/SpikySabra/Kernel-Cactus" ], "name": "kernelcactus.yar", "content": "rule kernelcactus {\n meta:\n title = \"KernelCactus Tool\"\n id = 
\"b7a34f71-8f63-4381-8659-1a02e92dc940\"\n description = \"Detects KernelCactus, a tool designed to exploit CVE-2021-21551 (Dell vulnerable driver) to perform various Ring0 attacks.\\nKernelCactus is a tool used for kernel-level attacks that leverage the Dell vulnerable driver to gain high-level privileges. The tool is often associated with privilege escalation and attack techniques such as recredentialing and kernel code injection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/SpikySabra/Kernel-Cactus\"\n date = \"2022-10-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;attack.defense_evasion;attack.t1211\"\n classification = \"Windows.Tool.KernelCactus\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 04b2f45cd58f86bc771a28834824491ffcf947647dbc56e7ab952f193220c1ee\n\n $s1 = \"NtoskrnlCSV.csv\" fullword wide\n $s2 = \"\\\\\\\\.\\\\DBUtil_2_3\" fullword wide\n $s3 = \"[!] 
Offset CSV file connot be opened\" fullword wide\n $s4 = \"NtoskrnlCSV.csv\" fullword wide\n $s5 = \"[#]Stealing Token from: \" fullword ascii\n $s6 = \"[#]Hi Jack...How Are you?\" fullword ascii\n\n condition:\n all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "kernelcactus" ], "rule_creation_date": "2022-10-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.KernelCactus" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1211", "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-keyhole_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573424Z", "creation_date": "2026-03-23T11:46:25.573426Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573432Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole\nhttps://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\nhttps://www.trendmicro.com/fr_fr/research/25/b/black-basta-cactus-ransomware-backconnect.html" ], "name": "keyhole.yar", "content": "rule keyhole_vnc {\n meta:\n title = \"Keyhole VNC Module\"\n id = \"8c1de7f4-98d4-44e1-8da1-c851265cc149\"\n description = \"Detects the Keyhole VNC module, also known as BackConnect module.\\nKeyhole is a multi-functional backconnect component used to establish and maintain persistence over compromised systems.\\nThis module has been used in the past by ransomware groups and is related to trojans like IcedID, Qakbot, TrickBot and Latrodectus.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://medium.com/walmartglobaltech/keyhole-analysis-60302922aa03\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole\\nhttps://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/\\nhttps://www.trendmicro.com/fr_fr/research/25/b/black-basta-cactus-ransomware-backconnect.html\"\n date = \"2025-07-09\"\n modified = \"2025-08-05\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.t1018;attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1095;attack.lateral_movement;attack.t1021.005\"\n classification = \"Windows.Trojan.Keyhole\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f86ca3b45eb5d1d0e35d44879773d0d335e8ee1fc58737e3ee27a1335aaea984\n // c1bef81621e6d9188170cb1bb2c55930b00a8d946e03bdb788bb123f59ee8e97\n\n $s1 = \"hdesk\" ascii fullword\n $s2 = \"{%0.8X-%0.4X-%0.4X-%0.4X-%0.4X%0.8X}\" ascii fullword\n $s3 = \"__compat_layer\" ascii fullword\n $s4 = \"divice not readed\" ascii fullword\n $s5 
= \"MS Shell Dlg\" ascii fullword\n $s6 = \"Chrome_WidgetWin_\" ascii\n $s7 = \"-err-\" ascii fullword\n $s8 = \"AD not found\" ascii\n $s9 = \"Grayscale\" wide fullword\n $s10 = \"High Definition Audio\" wide fullword\n\n $loader = {\n 78 09 // js short loc_B\n 74 07 // jz short loc_B\n 73 05 // jnb short loc_B\n EB 03 // jmp short loc_B\n 39 41 61 // cmp [rcx+61h], eax\n\n // loc_B:\n 52 // push rdx\n 9C // pushfq\n }\n\n $x_decrypt_strings = {\n 0F B7 04 24 // movzx eax, [rsp+18h+var_18]\n 0F B7 4C 24 04 // movzx ecx, [rsp+18h+var_14]\n 3B C1 // cmp eax, ecx\n 7D 3C // jge short loc_175F9\n 8B 44 24 08 // mov eax, [rsp+18h+var_10]\n C1 E8 03 // shr eax, 3\n }\n\n $x_commands = {\n C1 C0 07 // rol eax, 7\n FF C0 // inc eax\n 30 45 E5 // xor byte ptr [rbp+var_1C+1], al\n C1 C0 07 // rol eax, 7\n 83 C0 02 // add eax, 2\n 30 45 E6 // xor byte ptr [rbp+var_1C+2], al\n C1 C0 07 // rol eax, 7\n 83 C0 03 // add eax, 3\n }\n\n $x_console_command = {\n 3C 63 // cmp al, 63h\n 75 09 // jnz short loc_4A22\n 48 8B ?? ?? ?? ?? 00 // mov rcx, cs:commad_cmd\n EB 0F // jmp short loc_4A31\n\n // loc_4A22:\n 3C 70 // cmp al, 70h\n 0F 85 ?? ?? 00 00 // jnz loc_4BBB\n 48 8B ?? ?? ?? ?? 00 // mov rcx, cs:commad_powershell\n\n // loc_4A31:\n 48 85 C9 // test rcx, rcx\n }\n\n $x_get_information = {\n FF 15 ?? ?? ?? 00 // call cs:GetNativeSystemInfo\n 66 83 ?? ?? ?? 09 // cmp word ptr [rsp+390h+var_350], 9\n B8 20 00 00 00 // mov eax, 20h\n B9 40 00 00 00 // mov ecx, 40h\n 0F 44 C1 // cmovz eax, ecx\n 88 05 ?? ?? 
01 00 // mov cs:SystemBitness, al\n }\n\n condition:\n all of ($s*) or $loader or 1 of ($x_*)\n}\n", "rule_count": 1, "rule_names": [ "keyhole_vnc" ], "rule_creation_date": "2025-07-09", "rule_modified_date": "2025-08-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Keyhole" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.discovery", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1018", "attack.t1095", "attack.t1027", "attack.t1021.005", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-killers-avast_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581765Z", "creation_date": "2026-03-23T11:46:25.581767Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581773Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/xalicex/Killers/tree/main/avast/\nhttps://www.loldrivers.io/drivers/57fc510a-e649-4599-b83e-8f3605e3d1d9/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "killers-avast.yar", "content": "rule killers_avast {\n meta:\n title = \"Killers-Avast 
HackTool\"\n id = \"bb2d61f4-4f05-40aa-bf59-9d760624f973\"\n description = \"Detects Killers-Avast, a tool that uses the aswArPot.sys vulnerable driver to terminate protected processes.\\nThis tool loads the aswArPot.sys driver, then leverages its functionalities to kill the specified processes.\"\n references = \"https://github.com/xalicex/Killers/tree/main/avast/\\nhttps://www.loldrivers.io/drivers/57fc510a-e649-4599-b83e-8f3605e3d1d9/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.KillersAvast\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 35c317b635dd448c4a07afc5b989a5fce9fc0d359737f949008f75828befd707\n\n $device_01 = \"\\\\\\\\.\\\\aswSP_Avar\" wide ascii\n $device_02 = \"\\\\\\\\.\\\\avgSP_Avar\" wide ascii\n $s_winapi_01 = \"CreateFile\" wide ascii\n $s_winapi_02 = \"DeviceIoControl\" wide ascii\n $s_IOCTL_kill = { (99 88 c0 94|94 c0 88 99) }\n\n condition:\n 1 of ($device_*)\n and all of ($s_*)\n}\n", "rule_count": 1, "rule_names": [ "killers_avast" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KillersAvast" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-killers-powertool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568148Z", "creation_date": "2026-03-23T11:46:25.568151Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568160Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/xalicex/Killers/tree/main/PowerTool/\nhttps://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "killers-powertool.yar", "content": "rule killers_powertool {\n meta:\n title = \"Killers-PowerTool HackTool\"\n id = \"749b27a8-d75f-4f5b-b834-73a19aedc979\"\n description = \"Detects Killers-PowerTool, a tool that uses the KevP64.sys vulnerable driver to terminate protected processes.\\nThe tool loads the KevP64.sys driver and uses it to kill specified processes, often to disrupt legitimate software or system components.\"\n references = \"https://github.com/xalicex/Killers/tree/main/PowerTool/\\nhttps://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.KillersPowerTool\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ff073d9bbb5e4fe3622ac1c10ad1f8475b97f7874825d42893db418cd99bc5ea\n\n $device = 
\"\\\\\\\\.\\\\KevP64\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $IOCTL_kill = { (22 20 34|34 20 22) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "killers_powertool" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KillersPowerTool" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-knotweed_obfuscated_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568451Z", "creation_date": "2026-03-23T11:46:25.568453Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568459Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\nhttps://attack.mitre.org/techniques/T1204/002/\nhttps://attack.mitre.org/techniques/T1027/009/" ], "name": 
"knotweed_obfuscated_loader.yar", "content": "rule knotweed_obfuscated_loader {\n meta:\n title = \"Knotweed Obfuscated Loader\"\n id = \"402eb440-983c-4dfa-9707-9bb2c77463e4\"\n description = \"Detects Knotweed (aka Denim Tsunami, DSIRF) obfuscated loader.\\nKnotweed is a threat actor known for providing malicious capabilities as a service. Their infection chain typically involves malicious documents and obfuscated shellcode loaders to achieve evasive execution on targeted systems.\\nThis rule focuses on detecting loaders such as CORELUMP and JUMPLUMP, which are generated by a custom obfuscation tool.\\nThese loaders leave unique, singular names in memory during execution, making them distinctive indicators of compromise.\"\n references = \"https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\\nhttps://attack.mitre.org/techniques/T1204/002/\\nhttps://attack.mitre.org/techniques/T1027/009/\"\n date = \"2023-12-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1204.002;attack.defense_evasion;attack.t1027.009\"\n classification = \"Windows.Loader.KnotweedObfuscated\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fa30be45c5c5a8f679b42ae85410f6099f66fe2b38eb7aa460bcc022babb41ca\n // e64bea4032cf2694e85ede1745811e7585d3580821a00ae1b9123bb3d2d442d6\n // c96ae21b4cf2e28eec222cfe6ca903c4767a068630a73eca58424f9a975c6b7d\n\n $o1 = \".?AVmodbuf@@\" ascii fullword\n $o2 = \".?AVrc4@@\" ascii fullword\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "knotweed_obfuscated_loader" ], "rule_creation_date": "2023-12-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.KnotweedObfuscated" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], 
"rule_technique_tags": [ "attack.t1027.009", "attack.t1204.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-koadic_mimishim_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580815Z", "creation_date": "2026-03-23T11:46:25.580817Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580822Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0250/\nhttps://github.com/offsecginger/koadic" ], "name": "koadic_mimishim.yar", "content": "rule koadic_mimishim {\n meta:\n title = \"Generic Koadic mimishim.dll\"\n id = \"37615992-45e0-465e-bf5e-8ce93755def2\"\n description = \"Detects Koadic, a Windows post-exploitation rootkit known as COM Command & Control.\\nKoadic is used for persistence and privilege escalation, functioning similarly to Meterpreter and Powershell Empire.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://attack.mitre.org/software/S0250/\\nhttps://github.com/offsecginger/koadic\"\n date = \"2020-03-04\"\n modified = \"2025-03-17\"\n author = 
\"HarfangLab\"\n tags = \"attack.s0250;attack.t1055\"\n classification = \"Windows.Framework.Koadic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"powershell_reflective_mimikatz\" ascii\n $s2 = \"Failed to load powerkatz.dll.\" ascii\n $s3 = \"Failed to get SeDebugPriv.\" ascii\n $s4 = \"Failed to fork to x64.\" ascii\n $s5 = \"Successfully forked to x64.\" ascii\n $s6 = \"privilege::debug\" wide\n $s7 = \"token::elevate\" wide\n $s8 = \"Catastrophic error occurred!\" ascii\n\n $libname_1 = \"mimishim.x64.dll\" ascii\n $libname_2 = \"mimishim.dll\" ascii\n\n condition:\n all of ($s*) and 1 of ($libname_*)\n}\n", "rule_count": 1, "rule_names": [ "koadic_mimishim" ], "rule_creation_date": "2020-03-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Koadic" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-kportscan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570696Z", "creation_date": "2026-03-23T11:46:25.570699Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.570705Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1046/" ], "name": "kportscan.yar", "content": "rule kportscan {\n meta:\n title = \"KPortScan Tool\"\n id = \"a427d57a-2213-41a0-8a41-c458f27399ad\"\n description = \"Detects KPortScan, a port scanner binary.\\nKPortScan is a tool used for enumerating services running on remote hosts and network devices. It is part of the KLazy loader family and is often used by adversaries for reconnaissance purposes. This rule detects instances of the KPortScan binary being executed, which may indicate active network scanning and service discovery activities.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://attack.mitre.org/techniques/T1046/\"\n date = \"2023-03-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.reconnaissance;attack.t1595.001;attack.discovery;attack.t1046\"\n classification = \"Windows.Tool.KPortScan\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 080c6108c3bd0f8a43d5647db36dc434032842339f0ba38ad1ff62f72999c4e5\n\n $s1 = \"1on_scanDiapFinished()\" fullword ascii\n $s2 = \"http://www.proxysecurity.com/ip-address-range.php?country=\" fullword ascii\n $s3 = \"Count of goods:\" fullword ascii\n $s4 = \"ScanWindow\" fullword ascii\n $s5 = \"(\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}-\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3})\" fullword ascii\n $s6 = \"IP ranges list is clear\" fullword ascii\n $s7 = \"results.txt\" fullword ascii\n $s8 = \"scanFinished()\" fullword ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "kportscan" ], 
"rule_creation_date": "2023-03-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.KPortScan" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1046", "attack.t1595.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-krampus_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568513Z", "creation_date": "2026-03-23T11:46:25.568515Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568521Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cybersecuritynews.com/beware-of-new-krampus-loader/" ], "name": "krampus_loader.yar", "content": "rule krampus_loader {\n meta:\n title = \"Krampus Loader\"\n id = \"798970ab-a9ee-42f5-8c75-a5faa049d847\"\n description = \"Detects Krampus Loader, a loader used by threat actors to deliver a wide range of information stealers such as Lumma Stealer.\\nIt is recommended to investigate the context around this alert and to investigate suspicious actions or network connections.\"\n references = 
\"https://cybersecuritynews.com/beware-of-new-krampus-loader/\"\n date = \"2024-12-13\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1140;attack.t1036;attack.t1055\"\n classification = \"Windows.Loader.Krampus\"\n context = \"process,memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 773d3cb5edef063fb5084efcd8d9d7ac7624b271f94706d4598df058a89f77fd\n\n $s1 = \"|mirror_url|-Wait|R_AD|DESKTOP-WG|&userdata=|\" ascii\n $s2 = \"|random|zip-lib|virtual|\" ascii\n $s3 = \"./preload.js\" ascii fullword\n $s4 = \"findstr /C:\\\"Detected boot environment\\\" \\\"%windir%\\\\Panther\\\\setupact.log\\\"\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "krampus_loader" ], "rule_creation_date": "2024-12-13", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Krampus" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1036", "attack.t1140", "attack.t1106", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-krbrelayup_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584479Z", "creation_date": 
"2026-03-23T11:46:25.584481Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584486Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Dec0ne/KrbRelayUp" ], "name": "krbrelayup.yar", "content": "rule krbrelayup {\n meta:\n title = \"KrbRelayUp HackTool\"\n id = \"c0a4f994-e2e6-4614-97b2-63fdedf937ca\"\n description = \"Detects the KrbRelayUp HackTool.\\nKrbRelayUp is a no-fix local privilege escalation tool targeting Windows domain environments where LDAP signing is not enforced. It exploits a vulnerability in the Kerberos protocol to intercept and manipulate service tickets, allowing attackers to escalate privileges and gain unauthorized access. The tool can relay these tickets to achieve persistence and lateral movement within the network.\\nThis rule detects the tool's activity by identifying specific process and network behavior indicative of its operations, including error messages and function calls related to Kerberos ticket handling.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/Dec0ne/KrbRelayUp\"\n date = \"2022-08-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1558.003;attack.lateral_movement;attack.t1550.003\"\n classification = \"Windows.HackTool.KrbRelayUp\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 00c5cbf50c23fceebe76e18e53699cadf94d345edfba1356f21c1e37205bdc58\n // 4fbf17e849e9036781093309d541adcacf1db740a209ea58291cf3cc88f6d3d6\n\n $s1 = \"KrbRelayUp.Kerberos.PAC\" fullword ascii\n $s2 = 
\"KrbRelayUp.Ndr.Marshal.INdrConformantStructure.GetConformantDimensions\" fullword ascii\n $s3 = \"/KrbRelayUp.Relay.Helpers\" ascii\n $s4 = \"[-] Unable to get domain controller address\" fullword wide\n $s5 = \"[*] Ticket written to {0}\" fullword wide\n $s6 = \"[+] InitializeSecurityContextHook called for target\" fullword wide\n $s7 = \"[+] Created process ID: {0}\" fullword wide\n $s8 = \"[+] Ticket successfully imported!\" fullword wide\n $s9 = \"[*] Using domain controller: {0}\" fullword wide\n $s10 = \"[X] Error binding to LDAP server: {0}\" fullword wide\n\n condition:\n 8 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "krbrelayup" ], "rule_creation_date": "2022-08-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KrbRelayUp" ], "rule_tactic_tags": [ "attack.credential_access", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1558.003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-krbrelay_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571349Z", "creation_date": "2026-03-23T11:46:25.571351Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.571356Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/cube0x0/KrbRelay/\nhttps://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/" ], "name": "krbrelay.yar", "content": "rule krbrelay {\n meta:\n title = \"KrbRelay HackTool\"\n id = \"34d6189f-92e8-4db0-9d84-8a2fd1ef1d04\"\n description = \"Detects the KrbRelay HackTool, which is a no-fix local privilege escalation in Windows domain environments.\\nKrbRelay is a tool that exploits Kerberos relay attacks to gain unauthorized access in Windows environments. It specifically targets scenarios where LDAP signing is not enforced, allowing attackers to relay authentication tickets and escalate privileges. This technique enables attackers to move laterally within a domain and access resources beyond their original permissions.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/cube0x0/KrbRelay/\\nhttps://www.microsoft.com/en-us/security/blog/2022/05/25/detecting-and-preventing-privilege-escalation-attacks-leveraging-kerberos-relaying-krbrelayup/\"\n date = \"2023-07-06\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1558.003;attack.lateral_movement;attack.t1550.003\"\n classification = \"Windows.HackTool.KrbRelay\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 03287199422762cf4bd3279610ac5cb48a49bbccf77cf7caa292ef1ecc70aaab\n\n $s1 = \"!Error parsing distinguished name.\" fullword ascii\n $s2 = \"(Unsupported secret encryption algorithm.\" fullword ascii\n $s3 = \"[{0}:{1}] New connection 
request rejected\" fullword wide\n $s4 = \"SMB1 message received: {0} requests, First request: {1}, Packet length: {2}\" fullword wide\n $s5 = \"{0} failed. Invalid TID (UID: {1}, TID: {2})\" fullword wide\n $s6 = \"KGS!@#$%\" fullword wide\n $s7 = \"[-] -rbcd requires an argument\" fullword wide\n $s8 = \"Missing /clsid: parameter\" fullword wide\n $s9 = \"windows\\\\temp\\\\sam.tmp\" fullword wide\n $s10 = \"{0} {1,22} {2, -5} {3}\" fullword wide\n\n condition:\n 8 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "krbrelay" ], "rule_creation_date": "2023-07-06", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.KrbRelay" ], "rule_tactic_tags": [ "attack.credential_access", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1558.003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ksapi64-killer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567729Z", "creation_date": "2026-03-23T11:46:25.567731Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567737Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": 
null, "references": [ "https://github.com/BlackSnufkin/BYOVD/tree/main/Ksapi64-Killer/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "ksapi64-killer.yar", "content": "rule ksapi64_killer {\n meta:\n title = \"Ksapi64-Killer HackTool\"\n id = \"76e4b887-c19f-46df-b79e-e0fa616c4263\"\n description = \"Detects Ksapi64-Killer, a tool that exploits the ksapi64.sys vulnerable driver to terminate protected processes.\\nKsapi64-Killer loads the malicious driver and uses it to terminate specific processes.\"\n references = \"https://github.com/BlackSnufkin/BYOVD/tree/main/Ksapi64-Killer/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.Ksapi64Killer\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2bc2614ed5356c2359858beb5ee1b0ab6218e76989f8d967292c55eb081556ce\n\n $device = \"\\\\\\\\.\\\\ksapi64_dev\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"CreateToolhelp32Snapshot\" wide ascii\n $winapi_04 = \"Process32First\" wide ascii\n $winapi_05 = \"Process32Next\" wide ascii\n $winapi_06 = \"OpenSCManager\" wide ascii\n $winapi_07 = \"OpenService\" wide ascii\n $winapi_08 = \"StartService\" wide ascii\n $winapi_09 = \"CreateService\" wide ascii\n $IOCTL_kill = { (22 37 50 40|40 50 37 22|02 23 75 04|04 75 23 02) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "ksapi64_killer" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Ksapi64Killer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ 
"thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-latrodectus_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573456Z", "creation_date": "2026-03-23T11:46:25.573459Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573464Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.bitsight.com/blog/latrodectus-are-you-coming-back\nhttps://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" ], "name": "latrodectus_loader.yar", "content": "rule latrodectus_loader {\n meta:\n title = \"Latrodectus Loader\"\n id = \"ce9e99ca-9730-4e89-83cb-b3e1d270d25d\"\n description = \"Detects Latrodectus, a sophisticated malware loader serving as a successor to IcedID with capabilities including payload delivery, reconnaissance, and evasion techniques.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.bitsight.com/blog/latrodectus-are-you-coming-back\\nhttps://www.elastic.co/security-labs/spring-cleaning-with-latrodectus\"\n date = \"2025-05-23\"\n modified = \"2025-07-23\"\n author = \"HarfangLab\"\n tags = 
\"attack.initial_access;attack.t1566.001;attack.defense_evasion;attack.t1218.011;attack.t1027;attack.discovery;attack.t1057;attack.t1082;attack.execution;attack.t1059.003;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Trojan.Latrodectus\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0407b7cb8cd1aa15df244917547935b340b79adfcb7b550fbf251ffed9bf967d\n // 1faa8e7a55214085f71663ed79e023a1df09819e3b92b5a61fbc2fc4ee92c6eb\n // 3c6a09869d0be8d3dd7136badce27a9de47db08f9e065b8a6ba8843e2a43a09b\n // 4d7b0b80d4877bbff8c227c29df72aefd0ec18c7204a7f05f85e2494e62c7f87\n // 59eed9c82f60210e2a58df96fe1ab54a7bb96d2c5e7d5d3cc3b16de433b9958b\n\n $s1 = \"counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s\" ascii\n $s2 = \"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)\" wide\n $s3 = \"runnung\" wide\n\n $x_api_resolution = {\n 48 81 EC 88 00 00 00 // sub rsp, 88h\n C7 44 24 30 1B 04 0A 7A // mov [rsp+88h+var_58], 7A0A041Bh\n 48 8D 05 ?? ?? 00 00 // lea rax, unk_180011A50\n 48 89 44 24 38 // mov [rsp+88h+var_50], rax\n 48 8D 05 ?? ?? 00 00 // lea rax, unk_1800119E0\n 48 89 44 24 40 // mov [rsp+88h+var_48], rax\n C7 44 24 48 CE 2B 52 0C // mov [rsp+88h+var_40], 0C522BCEh\n 48 8D 05 ?? ?? 00 00 // lea rax, unk_180011A50\n 48 89 44 24 50 // mov [rsp+88h+var_38], rax\n 48 8D 05 ?? ?? 00 00 // lea rax, unk_1800119D8\n 48 89 44 24 58 // mov [rsp+88h+var_30], rax\n C7 44 24 60 B5 44 DE 8B // mov [rsp+88h+var_28], 8BDE44B5h\n 48 8D 05 ?? ?? 00 00 // lea rax, unk_180011A50\n 48 89 44 24 68 // mov [rsp+88h+var_20], rax\n 48 8D 05 ?? ?? 
00 00 // lea rax, unk_1800119E8\n 48 89 44 24 70 // mov [rsp+88h+var_18], rax\n C7 44 24 20 00 00 00 00 // mov [rsp+88h+var_68], 0\n EB 0A // jmp short loc_18000BDA7\n }\n\n $x_resolve_dll = {\n 89 44 24 28 // mov [rsp+2E8h+var_2C0], eax\n 8B 84 24 F0 02 00 00 // mov eax, [rsp+2E8h+arg_0]\n 39 44 24 28 // cmp [rsp+2E8h+var_2C0], eax\n 75 15 // jnz short loc_18000B47B\n 48 8D 8C 24 BC 00 00 00 // lea rcx, [rsp+2E8h+var_22C]\n FF 15 ?? ?? 00 00 // call cs:LoadLibraryW\n 48 89 44 24 40 // mov [rsp+2E8h+var_2A8], rax\n EB 02 // jmp short loc_18000B47D\n\n // loc_18000B47B:\n EB 90 // jmp short loc_18000B40D\n\n\n // loc_18000B47D:\n 48 8B 4C 24 20 // mov rcx, [rsp+2E8h+var_2C8]\n E8 ?? ?? FF FF // call FreeUpMemoryViaSyscall\n 48 8B 44 24 40 // mov rax, [rsp+2E8h+var_2A8]\n\n // loc_18000B48C:\n 48 81 C4 E8 02 00 00 // add rsp, 2E8h\n C3 // retn\n }\n\n $x_campagn_id = {\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 48 39 44 24 08 // cmp [rsp+18h+var_10], rax\n 73 1E // jnb short loc_18000D7E7\n 48 8B 44 24 08 // mov rax, [rsp+18h+var_10]\n 0F BE 00 // movsx eax, byte ptr [rax]\n 8B 0C 24 // mov ecx, [rsp+18h+var_18]\n 33 C8 // xor ecx, eax\n 8B C1 // mov eax, ecx\n 89 04 24 // mov [rsp+18h+var_18], eax\n 69 04 24 93 01 00 01 // imul eax, [rsp+18h+var_18], 1000193h\n 89 04 24 // mov [rsp+18h+var_18], eax\n EB BE // jmp short loc_18000D7A5\n }\n\n $x_command_id = {\n 83 BC 24 ?? ?? 00 00 12 // cmp [rsp+268h+arg_8], 12h\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 0E // cmp [rsp+268h+arg_8], 0Eh\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 0C // cmp [rsp+268h+arg_8], 0Ch\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 0D // cmp [rsp+268h+arg_8], 0Dh\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 0F // cmp [rsp+268h+arg_8], 0Fh\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 04 // cmp [rsp+268h+arg_8], 4\n 74 ?? // jz short loc_180004828\n 83 BC 24 ?? ?? 00 00 15 // cmp [rsp+268h+arg_8], 15h\n 74 ?? 
// jz short loc_180004828\n }\n\n $x_download_and_execute_shellcode = {\n 48 8B 44 24 38 // mov rax, [rsp+278h+var_240]\n 0F BE 00 // movsx eax, byte ptr [rax]\n 85 C0 // test eax, eax\n 0F 84 AA 00 00 00 // jz loc_180008273\n 83 7C 24 40 00 // cmp [rsp+278h+var_238], 0\n 0F 84 9F 00 00 00 // jz loc_180008273\n 83 7C 24 30 00 // cmp [rsp+278h+var_248], 0\n 0F 84 94 00 00 00 // jz loc_180008273\n 8B 44 24 30 // mov eax, [rsp+278h+var_248]\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@'\n 41 B8 00 10 00 00 // mov r8d, 1000h\n 8B D0 // mov edx, eax\n 33 C9 // xor ecx, ecx\n }\n\n $x_bot_id = {\n B8 01 00 00 00 // mov eax, 1\n 48 6B C0 06 // imul rax, 6\n 48 8B 8C 24 A0 00 00 00 // mov rcx, [rsp+98h+arg_0]\n 0F B7 44 01 08 // movzx eax, word ptr [rcx+rax+8]\n 66 C1 C8 08 // ror ax, 8\n 0F B7 C0 // movzx eax, ax\n B9 01 00 00 00 // mov ecx, 1\n 48 6B C9 02 // imul rcx, 2\n 48 8B 94 24 A0 00 00 00 // mov rdx, [rsp+98h+arg_0]\n 8B 4C 0A 08 // mov ecx, [rdx+rcx+8]\n 0F C9 // bswap ecx\n BA 01 00 00 00 // mov edx, 1\n 48 6B D2 00 // imul rdx, 0\n 4C 8B 84 24 A0 00 00 00 // mov r8, [rsp+98h+arg_0]\n 41 0F B7 54 10 08 // movzx edx, word ptr [r8+rdx+8]\n 66 C1 CA 08 // ror dx, 8\n 0F B7 D2 // movzx edx, dx\n 4C 8B 84 24 A0 00 00 00 // mov r8, [rsp+98h+arg_0]\n 45 0F B7 40 06 // movzx r8d, word ptr [r8+6]\n 66 41 C1 C8 08 // ror r8w, 8\n 45 0F B7 C0 // movzx r8d, r8w\n 4C 8B 8C 24 A0 00 00 00 // mov r9, [rsp+98h+arg_0]\n 45 0F B7 49 04 // movzx r9d, word ptr [r9+4]\n 66 41 C1 C9 08 // ror r9w, 8\n 45 0F B7 C9 // movzx r9d, r9w\n 4C 8B 94 24 A0 00 00 00 // mov r10, [rsp+98h+arg_0]\n 45 0F B7 12 // movzx r10d, word ptr [r10]\n 66 41 C1 CA 08 // ror r10w, 8\n 45 0F B7 D2 // movzx r10d, r10w\n }\n\n $x_unpack_routine_first_stage = {\n 4D 21 E3 // and r11, r12\n 41 88 0C 08 // mov [r8+rcx], cl\n 48 FF C1 // inc rcx\n 90 // nop\n 90 // nop\n 48 83 F9 72 // cmp rcx, 72h ; 'r'\n 76 EE // jbe short loc_1800F3DEF\n }\n\n $x_decrypt_strings = {\n C6 44 24 28 D6 // mov [rsp+178h+key], 0D6h\n C6 
44 24 29 23 // mov [rsp+178h+var_14F], 23h ; '#'\n C6 44 24 2A B8 // mov [rsp+178h+var_14E], 0B8h\n C6 44 24 2B EF // mov [rsp+178h+var_14D], 0EFh\n C6 44 24 2C 62 // mov [rsp+178h+var_14C], 62h ; 'b'\n C6 44 24 2D 26 // mov [rsp+178h+var_14B], 26h ; '&'\n C6 44 24 2E CE // mov [rsp+178h+var_14A], 0CEh\n C6 44 24 2F C3 // mov [rsp+178h+var_149], 0C3h\n C6 44 24 30 E2 // mov [rsp+178h+var_148], 0E2h\n C6 44 24 31 4C // mov [rsp+178h+var_147], 4Ch ; 'L'\n C6 44 24 32 55 // mov [rsp+178h+var_146], 55h ; 'U'\n C6 44 24 33 12 // mov [rsp+178h+var_145], 12h\n C6 44 24 34 7D // mov [rsp+178h+var_144], 7Dh ; '}'\n C6 44 24 35 E8 // mov [rsp+178h+var_143], 0E8h\n C6 44 24 36 73 // mov [rsp+178h+var_142], 73h ; 's'\n C6 44 24 37 E7 // mov [rsp+178h+var_141], 0E7h\n C6 44 24 38 83 // mov [rsp+178h+var_140], 83h\n C6 44 24 39 9C // mov [rsp+178h+var_13F], 9Ch\n C6 44 24 3A 77 // mov [rsp+178h+var_13E], 77h ; 'w'\n C6 44 24 3B 6B // mov [rsp+178h+var_13D], 6Bh ; 'k'\n C6 44 24 3C B1 // mov [rsp+178h+var_13C], 0B1h\n C6 44 24 3D A9 // mov [rsp+178h+var_13B], 0A9h\n C6 44 24 3E 3B // mov [rsp+178h+var_13A], 3Bh ; ';'\n C6 44 24 3F 57 // mov [rsp+178h+var_139], 57h ; 'W'\n C6 44 24 40 B2 // mov [rsp+178h+var_138], 0B2h\n C6 44 24 41 5F // mov [rsp+178h+var_137], 5Fh ; '_'\n C6 44 24 42 DB // mov [rsp+178h+var_136], 0DBh\n C6 44 24 43 EA // mov [rsp+178h+var_135], 0EAh\n C6 44 24 44 0D // mov [rsp+178h+var_134], 0Dh\n C6 44 24 45 B6 // mov [rsp+178h+var_133], 0B6h\n C6 44 24 46 8E // mov [rsp+178h+var_132], 8Eh\n C6 44 24 47 A2 // mov [rsp+178h+var_131], 0A2h\n\n }\n\n condition:\n 2 of ($s*) or\n 1 of ($x*)\n}", "rule_count": 1, "rule_names": [ "latrodectus_loader" ], "rule_creation_date": "2025-05-23", "rule_modified_date": "2025-07-23", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Latrodectus" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.initial_access" ], 
"rule_technique_tags": [ "attack.t1059.003", "attack.t1071.001", "attack.t1218.011", "attack.t1027", "attack.t1057", "attack.t1566.001", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-letmeowin_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581738Z", "creation_date": "2026-03-23T11:46:25.581740Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581745Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/001/\nhttps://github.com/Meowmycks/LetMeowIn" ], "name": "letmeowin.yar", "content": "rule letmeowin {\n meta:\n title = \"LetMeowIn HackTool\"\n id = \"f8cf3f47-0811-4421-a7e7-b39c7f63d094\"\n description = \"Detects LetMeowIn HackTool.\\nLetMeowIn is a tool designed to dump LSASS memory using indirect system calls, handle duplication, and creation of offline LSASS copies. 
It is used for obtaining credentials and other sensitive information from memory.\\nIt is recommended to analyze the parent process to determine if the activity is part of authorized auditing or testing, or if it indicates malicious intent.\"\n references = \"https://attack.mitre.org/techniques/T1003/001/\\nhttps://github.com/Meowmycks/LetMeowIn\"\n date = \"2024-04-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.LetMeowIn\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // c56c26ed3159f91d1907f79fa7c239232ddc8c0f76f22f68beed99884a800741\n\n $syscall1 = {\n 48 89 0D ?? ?? ?? ?? // mov [jumpAddress], rcx ; Assume the new address is passed in RCX\n C3 // ret\n }\n\n $syscall2 = {\n 4C 8B 1D ?? ?? ?? ?? // mov r11, [jumpAddress] ; Load indirect syscall address into R11 register\n 48 8B 44 24 (30 | 28 | 40 | 38) // mov rax, [rsp+??h] ; Move syscall ID into RAX register\n 4C 8B D1 // mov r10, rcx\n 41 FF E3 // jmp r11 ; Indirect syscall via jump to address stored in R11\n }\n\n $syscall3 = {\n 4C 8B 1D ?? ?? ?? ?? // mov r11, [jumpAddress] ; Load indirect syscall address into R11 register\n 49 8B C1 // mov rax, r9 ; Move syscall ID into RAX register. Syscall ID is fourth parameter passed. Assume it's in R9.\n 4C 8B D1 // mov r10, rcx\n 41 FF E3 // jmp r11 ; Indirect syscall via jump to address stored in R11\n }\n\n $syscall4 = {\n 4C 8B 1D ?? ?? ?? ?? // mov r11, [jumpAddress] ; Load indirect syscall address into R11 register\n 48 8B C2 // mov rax, rdx ; Move syscall ID into RAX register. Syscall ID is second parameter passed. 
Assume it's in RDX.\n 4C 8B D1 // mov r10, rcx\n 41 FF E3 // jmp r11 ; Indirect syscall via jump to address stored in R11\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "letmeowin" ], "rule_creation_date": "2024-04-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.LetMeowIn" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-libprocesshider_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586235Z", "creation_date": "2026-03-23T11:46:25.586237Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586242Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/gianlucaborello/libprocesshider/\nhttps://securitylabs.datadoghq.com/articles/analysis-of-teamtnt-doppelganger/\nhttps://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool\nhttps://attack.mitre.org/techniques/T1574/006/" ], "name": "libprocesshider.yar", "content": "rule libprocesshider 
{\n meta:\n title = \"libprocesshider Hacktool\"\n id = \"c38d6f3d-b14e-4e85-a121-0a1b33f1f25d\"\n description = \"Detects the libprocesshider hack tool used for process hiding on Linux systems.\\nlibprocesshider is an open-source tool designed to hide processes by exploiting Linux's library preloading technique. It achieves this by overriding the readdir() function of libc with a malicious shared library, so that tools such as ps and top no longer display the hidden processes.\\nThis evasion technique allows malicious processes to remain undetected, making it difficult to monitor and identify them using standard system tools.\"\n references = \"https://github.com/gianlucaborello/libprocesshider/\\nhttps://securitylabs.datadoghq.com/articles/analysis-of-teamtnt-doppelganger/\\nhttps://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool\\nhttps://attack.mitre.org/techniques/T1574/006/\"\n date = \"2024-02-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.defense_evasion;attack.t1574.006\"\n classification = \"Linux.HackTool.libprocesshider\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 7797a3c8063fd805a568ce9cfc453b74cfcd9836e2f7c3ae61ec3ec4f66521be\n // f9a872a323bc787f19e70afd0148c9fa160375c462b30622b98e9e70c8da832a\n // bad0728fd007ea3b6cf3575f658ba2c3d518e06353338233f4dff3ac149410a3\n\n $s1 = \"/proc/self/fd/%d\" ascii fullword\n $s2 = \"0123456789\" ascii fullword\n $s3 = \"/proc/%s/stat\" ascii fullword\n $s4 = \"%d (%[^)]s\" ascii fullword\n $s5 = \"readdir64\" ascii fullword\n $s6 = \"Error in dlsym: %s\" ascii fullword\n $s7 = \"/proc\" ascii fullword\n $s8 = \"readdir\" ascii fullword\n\n // Canary\n $canary = \"4215198522a09bed73b44877eb7671180f62bae794bcccb857a3faa568ed7cee\" ascii\n\n condition:\n all of ($s*) and not $canary\n}\n", 
"rule_count": 1, "rule_names": [ "libprocesshider" ], "rule_creation_date": "2024-02-02", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.HackTool.libprocesshider" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1574.006" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lightneuron_companion_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584277Z", "creation_date": "2026-03-23T11:46:25.584279Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584284Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\nhttps://attack.mitre.org/software/S0154/" ], "name": "lightneuron_companion_dll.yar", "content": "import \"pe\"\n\nrule lightneuron_companion_dll {\n meta:\n title = \"Exchange TransportAgent Companion DLL related to LightNeuron\"\n id = \"671fd11c-c33f-4fe1-8c14-da584436f0da\"\n description = \"Detects the companion DLL loaded by the malicious Microsoft Exchange Transport Agent from the LightNeuron 
malware.\\nLightNeuron is a Turla-related malware family known for targeting Exchange servers.\\nThis rule identifies the companion DLL injected into the Exchange process, which is responsible for intercepting and modifying emails in transit.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2022-12-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0395;attack.persistence;attack.t1505.002;attack.collection;attack.t1005;attack.command_and_control;attack.t1071.003\"\n classification = \"Windows.Malware.LightNeuron\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 20fe600cba0ff61c16f5e3e06438e3c4db006f22bc9b3b9b51ef440462444252\n // 0a82b93cf19f6fcc9076ace561733014aa0b44c6611fe1909c2f1836a02f8e85\n // cffac1039659857f410f5069751c6cc1c8aa413daecb27d50d85e29c5636ef63\n // 88c90c2b123a357423ab3241624cba49d57122ee3b8ff4130504090c174bb09d\n // 64fdf023bd9389e8df8250cdc92470215d6dbb38643d2eada50d30ded41f3692\n // 7b15b5c30f2715723fdd96974e700c03cced5f49c0aff08ce2d24da60c549431\n // 22b71792c99630a331c2e3b4f4ce4326d3f189475ce8e08e79898b9c603c306a\n // b4d336a0c86841dd7ad8bac6fe1f0143cbc261d63230bba13ff5d6ed64e6aa58\n\n $s1 = \"c:\\\\windows\\\\serviceprofiles\\\\networkservice\\\\appdata\\\\local\\\\temp\\\\\" ascii\n $s2 = \"c:\\\\windows\\\\serviceprofiles\\\\networkservice\\\\appdata\\\\Roaming\\\\Microsoft\\\\Windows\\\\\" ascii\n\n $winmail = {\n 04 01 00 00 // mov r8d, 104h ; nSize\n C6 [2-3] 77 // mov [rsp+148h+String2], 77h ; 'w'\n C6 [2-3] 69 // mov [rsp+148h+var_127], 69h ; 'i'\n C6 [2-3] 6E // mov [rsp+148h+var_126], 6Eh ; 'n'\n C6 [2-3] 6D // mov [rsp+148h+var_125], 6Dh ; 'm'\n C6 [2-3] 61 // mov [rsp+148h+var_124], 61h ; 'a'\n C6 [2-3] 69 // mov 
[rsp+148h+var_123], 69h ; 'i'\n C6 [2-3] 6C // mov [rsp+148h+var_122], 6Ch ; 'l'\n C6 [2-3] 2E // mov [rsp+148h+var_121], 2Eh ; '.'\n C6 [2-3] 64 // mov [rsp+148h+var_120], 64h ; 'd'\n C6 [2-3] 61 // mov [rsp+148h+var_11F], 61h ; 'a'\n C6 [2-3] 74 // mov [rsp+148h+var_11E], 74h ; 't'\n C6 [2-3] 00 // mov [rsp+148h+var_11D], 0\n FF 15 ?? ?? 02 00 // call cs:GetModuleFileNameA\n }\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 500KB and\n (\n (1 of ($s*) and $winmail) or\n (\n (\n pe.exports(\"FL\") and\n pe.exports(\"BLE\") and\n pe.exports(\"SV\")\n )\n or\n (\n pe.exports(\"ForLoading\") and\n pe.exports(\"BinaryLogEx\") and\n pe.exports(\"SimpleValidate\")\n )\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "lightneuron_companion_dll" ], "rule_creation_date": "2022-12-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.LightNeuron" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071.003", "attack.t1005", "attack.t1505.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lightneuron_transport_agent_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576111Z", "creation_date": "2026-03-23T11:46:25.576114Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576128Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\nhttps://attack.mitre.org/software/S0154/" ], "name": "lightneuron_transport_agent.yar", "content": "rule lightneuron_transport_agent {\n meta:\n title = \"Malicious Transport Agent related to LightNeuron\"\n id = \"9c1de57b-c326-4031-9600-d31a4f8242ac\"\n description = \"Detects the malicious Microsoft Exchange Transport Agent related to LightNeuron malware.\\nLightNeuron, associated with the Turla group, uses this transport agent for persistence, allowing it to intercept and modify emails processed by the Exchange server. The malicious agent is registered by updating the \\\"\\\\TransportRoles\\\\Agents\\\\agents.config\\\" file in the Exchange installation directory, which is typically located in the service profiles directory.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf\\nhttps://attack.mitre.org/software/S0154/\"\n date = \"2022-12-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0395;attack.persistence;attack.t1505.002;attack.collection;attack.t1560;attack.t1119;attack.t1020;attack.t1074.001;attack.impact;attack.t1565.002;attack.command_and_control;attack.t1001.002\"\n classification = \"Windows.Malware.LightNeuron\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 14f530e16e8c6dbac02f1bde53594f01b7edab9c45c4c371a3093120276ffaf1\n // 25facbc4265ca90f0508e77e97e1e6fcc7e46f6cca316b251b06d41232f6360c\n\n $s1 = \"common_utl\" ascii fullword\n 
$s2 = \"RoutingAgent\" ascii fullword\n $s3 = \"SmtpReceiveAgent\" ascii fullword\n $s4 = \"CheckMessage\" ascii fullword\n $s5 = \"UpdateMessage\" ascii fullword\n $s6 = \"MessageToEml\" ascii fullword\n $s7 = \"EmlToMessage\" ascii fullword\n $s8 = \"MailToEml\" ascii fullword\n $s9 = \"EmlToMail\" ascii fullword\n $s10 = \"RejectMessage\" ascii fullword\n $s11 = \"c:\\\\windows\\\\serviceprofiles\\\\networkservice\\\\appdata\\\\local\\\\temp\\\\\" wide\n\n condition:\n (uint16(0) == 0x5a4d) and 9 of them\n}\n", "rule_count": 1, "rule_names": [ "lightneuron_transport_agent" ], "rule_creation_date": "2022-12-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.LightNeuron" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.impact", "attack.persistence" ], "rule_technique_tags": [ "attack.t1565.002", "attack.t1001.002", "attack.t1560", "attack.t1119", "attack.t1074.001", "attack.t1020", "attack.t1505.002" ], "rule_score": 100, "rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lightning_core_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564009Z", "creation_date": "2026-03-23T11:46:25.564018Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.564024Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/?s=09" ], "name": "lightning_core.yar", "content": "rule linux_lightning_core {\n meta:\n title = \"Lightning C2 Core\"\n id = \"c1f6ee92-28b1-44c0-a1a9-cd909bbbc000\"\n description = \"Detects Lightning Core samples, the component of the Linux Lightning malware framework that performs command and control operations.\\nLightning Core is part of a Linux-oriented malware framework designed to establish command and control (C2) communication and perform malicious activities on infected systems. The malware is known to load kernel modules for persistence, manipulate SSH services for remote access, and delete files to cover its tracks. It also attempts to hide its processes and network activity to avoid detection.\\nThese activities can indicate a compromised system with potential unauthorized access and data exfiltration.\\nIt is recommended to isolate the infected machine from the network and perform a full forensic analysis to ensure complete eradication of the malware.\"\n references = \"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/?s=09\"\n date = \"2022-08-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1095\"\n classification = \"Linux.Framework.Lightning\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e\n\n $critical_str_1 = \"/usr/lib64/seahorses/\" fullword ascii\n $critical_str_2 = \"Linux.Plugin.Kernel_%s\" fullword ascii\n $critical_str_3 = \"elastisearch.ko\" fullword ascii\n $critical_str_4 = \"RootkieHideVersion\" fullword ascii\n 
$critical_str_5 = \"KernelHideVersion\" fullword ascii\n $critical_str_6 = \"Linux.Plugin.RootkieHide\" fullword ascii\n $critical_str_7 = \"Linux.Plugin.Kernel_\" fullword ascii\n $critical_str_8 = \"InstallKernelHide\" fullword ascii\n $critical_str_9 = \"RemoveKernelHide\" fullword ascii\n $critical_str_10 = \"kernel module install Success!\" fullword ascii\n $critical_str_11 = \"remove kernel module install Success!\" fullword ascii\n $critical_str_12 = \"Enable Our SSHD Success,port:%d\" fullword ascii\n $critical_str_13 = \"Linux.Plugin.RootkieHide\" fullword ascii\n $critical_str_14 = \"insmod %s\" fullword ascii\n\n $specific_str_1 = \"[-] Remove File Faild\" fullword ascii\n $specific_str_2 = \"[-] Write To File Faild\" fullword ascii\n $specific_str_3 = \"[-] GetFile Attribute Faild!\" fullword ascii\n $specific_str_4 = \"[-] Get FileInfo(%s) Faild!\" fullword ascii\n $specific_str_5 = \"[-] Change File(%s) Faild!\" fullword ascii\n $specific_str_6 = \"[-] Socks5 are Running!\" fullword ascii\n $specific_str_7 = \"[-] Get FileSize Faild.\" fullword ascii\n $specific_str_8 = \"LocalPluginRequest\" fullword ascii\n $specific_str_9 = \"kernel module install Failed!\" fullword ascii\n $specific_str_10 = \"rm -rf %s\" fullword ascii\n $specific_str_11 = \"Not Find Listen Prot!\" fullword ascii\n $specific_str_12 = \"sshod\" fullword ascii\n $specific_str_13 = \"kill -9 %d\" fullword ascii\n $specific_str_14 = \"Executed Our sshd faild!\" fullword ascii\n $specific_str_15 = \"Hide Ports Success.\" fullword ascii\n $specific_str_16 = \"Hide Pids Success.\" fullword ascii\n $specific_str_17 = \"Start\" fullword ascii\n $specific_str_18 = \"/etc/rc.d/init.d/elastisearch\" fullword ascii\n $specific_str_19 = \"kill -9 %s\" fullword ascii\n $specific_str_21= \"Lightning.Downloader\" fullword ascii\n $specific_str_22 = \"PureShellCommand\" fullword ascii\n $specific_str_23 = \"RunShellPure\" fullword ascii\n $specific_str_24 = \"CloseShellPure\" fullword ascii\n 
$specific_str_25 = \"TryPassSSH\" fullword ascii\n\n $suspicious_str_1 = \"/etc/rc.local\" fullword ascii\n $suspicious_str_2 = \"/etc/rc.d/rc.local\" fullword ascii\n $suspicious_str_3 = \"/usr/bin/whoami\" fullword ascii\n $suspicious_str_4 = \"/usr/bin/find\" fullword ascii\n $suspicious_str_5 = \"/usr/bin/su\" fullword ascii\n $suspicious_str_6 = \"sleep 60 && ./%s &\" fullword ascii\n $suspicious_str_7 = \"/etc/ld.so.preload\" fullword ascii\n $suspicious_str_8 = \"/etc/ssh/sshd_config\" fullword ascii\n $suspicious_str_9 = \"/root/.ssh\" fullword ascii\n $suspicious_str_10 = \"/root/.ssh/authorized_keys\" fullword ascii\n $suspicious_str_11 = \"/etc/redhat-release\" fullword ascii\n $suspicious_str_12 = \"/etc/os-release\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and filesize < 200KB and 5 of ($critical_str_*) or (10 of ($specific_str_*)) or (10 of ($suspicious_str_*) and (2 of ($specific_str_*)))\n}\n", "rule_count": 1, "rule_names": [ "linux_lightning_core" ], "rule_creation_date": "2022-08-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Lightning" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1095" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lightning_downloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563978Z", "creation_date": "2026-03-23T11:46:25.563980Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563986Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/?s=09" ], "name": "lightning_downloader.yar", "content": "rule linux_lightning_downloader {\n meta:\n title = \"Lightning C2 Downloader\"\n id = \"e72b9525-cad8-43b5-95bc-66084a6bb133\"\n description = \"Detects the Lightning Downloader samples that are part of the Linux Lightning malware framework.\\nLightning Downloader enables the downloading and execution of malicious payloads on infected Linux systems. It is known to establish command and control (C2) communication via SSH and includes functionality for network monitoring and traffic analysis.\\nThe framework contains various plugins, including Sshd, iftop, iptraf, and others, which are used for different malicious activities.\\nAnalysis of the samples reveals the use of specific process attributes and sleep patterns, which are employed to avoid detection and maintain persistence on the compromised system.\\nIt is recommended to isolate the affected machine and perform a thorough system scan to remove any associated malicious artifacts. 
Additionally, monitor network traffic for any unusual SSH activities that may indicate C2 communication.\"\n references = \"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/?s=09\"\n date = \"2022-08-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1095\"\n classification = \"Linux.Framework.Lightning\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7\n\n $s1 = \"/usr/lib64/seahorses/\" fullword ascii\n $s2 = \"/proc/%d/status\" fullword ascii\n $s3 = \"/etc/rc.d/rc.local\" fullword ascii\n $s4 = \"/etc/rc.local\" fullword ascii\n $s5 = \"/usr/bin/whoami\" fullword ascii\n $s6 = \"/usr/bin/find\" fullword ascii\n $s7 = \"/usr/bin/su\" fullword ascii\n $s8 = \"kill -9 %s\" fullword ascii\n $s9 = \"cat /sys/class/net/%s/address\" fullword ascii\n $s10 = \"mv %s %s\" fullword ascii\n\n $custom_bin_str_1 = \"soss\" fullword ascii\n $custom_bin_str_2 = \"sshod\" fullword ascii\n $custom_bin_str_3 = \"nethoogs\" fullword ascii\n $custom_bin_str_4 = \"iftoop\" fullword ascii\n $custom_bin_str_5 = \"iptraof\" fullword ascii\n $custom_bin_str_6 = \"kkdmflush\" fullword ascii\n\n $lightning_str_1 = \"Linux.Plugin.Lightning.Sshd\" fullword ascii\n $lightning_str_2 = \"Linux.Plugin.Lightning.iftop\" fullword ascii\n $lightning_str_3 = \"Linux.Plugin.Lightning.iptraf\" fullword ascii\n $lightning_str_4 = \"Lightning.Core\" fullword ascii\n $lightning_str_5 = \"Linux.Plugin.Lightning.SsHijacker\" fullword ascii\n $lightning_str_6 = \"Linux.Plugin.Lightning.Nethogs\" fullword ascii\n\n $check_process_attributes = {\n 83 FD 09 // cmp ebp, 9\n 0F 8F ?? ?? ?? ?? // jg loc_402948\n 80 7A ?? 2E // cmp byte ptr [rdx+13h], 2Eh ; '.'\n 0F 84 ?? ?? ?? ?? // jz loc_402968\n 80 7A ?? 04 // cmp byte ptr [rdx+12h], 4\n 75 ?? 
// jnz short loc_402820\n 4C 89 F8 // mov rax, r15\n B9 20 00 00 00 // mov ecx, 20h ; ' '\n 4C 89 E7 // mov rdi, r12\n }\n\n $sleep_and_mkdir = {\n BF 08 07 00 00 // mov edi, 708h ; seconds\n E8 ?? ?? ?? ?? // call _sleep\n 31 FF // xor edi, edi ; mask\n E8 ?? ?? ?? ?? // call _umask\n BE FF 01 00 00 // mov esi, 1FFh ; mode\n 89 C5 // mov ebp, ea\n }\n\n condition:\n uint16(0) == 0x457f and filesize < 200KB and\n (1 of ($lightning_str_*) or (5 of ($s*) and 3 of ($custom_bin_str_*))) and\n ($check_process_attributes or $sleep_and_mkdir)\n}\n", "rule_count": 1, "rule_names": [ "linux_lightning_downloader" ], "rule_creation_date": "2022-08-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Lightning" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1095" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ligolo_agent_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587810Z", "creation_date": "2026-03-23T11:46:25.587812Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587817Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": 
null, "references": [ "https://github.com/Nicocha30/ligolo-ng" ], "name": "ligolo_agent.yar", "content": "rule ligolo_ng_agent {\n meta:\n title = \"Ligolo-ng Agent\"\n id = \"63b05e59-79ce-42df-ae60-6bb98095f1f8\"\n description = \"Detects the Ligolo-ng tunneling tool.\\nLigolo-ng is a lightweight tunneling tool designed to create tunnels using TUN interfaces.\\nIt allows for routing traffic through a specified target (domain:port) and supports SOCKS5 proxy configurations with username and password authentication.\\nThe tool is cross-platform and can be used to establish secure communication channels.\\nIt is recommended to investigate the context around the usage of this tool to determine whether its presence on the host is legitimate.\"\n references = \"https://github.com/Nicocha30/ligolo-ng\"\n date = \"2023-05-15\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1572\"\n classification = \"Framework.Ligolo-ng\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c67c7cb854e433828db08a8d089674806a991f8017d990b42bced062e85ae109\n // b12b1b9f26385546000a723223889265edd24da4574e8edb3b3345f7f444cb37\n\n $a1 = \"/ligolo-ng\" ascii\n $a2 = \"socks-pass\" ascii\n $a3 = \"ignore-cert\" ascii\n $a4 = \"socks-user\" ascii\n\n $b1 = \"the target (domain:port)unpacking\" ascii\n $b2 = \"socks5 passwordsocks5 username\" ascii\n $b3 = \"ignore-certlocal errormSpanManua\" ascii\n\n $d1 = \"https://github.com/nicocha30/ligolo-ng\"\n $d2 = \"Made in France with love by @Nicocha30!\"\n $d3 = \"Ligolo-ng %s / %s / %s\"\n\n $canary = \"8b79f0e6053345a831d6b06126455d075ed273c14fed80e3c4e3340d1cd3ae9c66a3fc616ff09a5846424998a120e8aa4f94491089cc140eb89fbe0d207d95b1\"\n\n condition:\n all of ($a*) or all of ($b*) or all of ($d*)\n and not $canary\n}\n", "rule_count": 1, "rule_names": [ 
"ligolo_ng_agent" ], "rule_creation_date": "2023-05-15", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Framework.Ligolo-ng" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linpeas_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564662Z", "creation_date": "2026-03-23T11:46:25.564664Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564670Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1589/\nhttps://attack.mitre.org/techniques/T1590/\nhttps://attack.mitre.org/techniques/T1592/\nhttps://github.com/carlospolop/PEASS-ng/tree/master/linPEAS" ], "name": "linpeas.yar", "content": "rule linpeas_binaries {\n meta:\n title = \"LinPEAS Binaries\"\n id = \"27fba6a3-b52b-4c4d-92d5-4f8886bcb8b9\"\n description = \"Detects the LinPEAS enumeration tool, commonly used for Linux privilege escalation.\\nLinPEAS is a popular open-source tool designed to enumerate 
system information, services, and misconfigurations that could be exploited for privilege escalation.\\nIt is often dropped or executed by attackers during initial access to gather detailed system information and identify potential attack vectors.\\nThe tool is part of the PEASS-ng project and is widely used in post-exploitation scenarios.\"\n references = \"https://attack.mitre.org/techniques/T1589/\\nhttps://attack.mitre.org/techniques/T1590/\\nhttps://attack.mitre.org/techniques/T1592/\\nhttps://github.com/carlospolop/PEASS-ng/tree/master/linPEAS\"\n date = \"2022-10-17\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1589;attack.t1590;attack.t1592\"\n classification = \"Linux.Tool.linPEAS\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n\n // Detection for these samples:\n // 9fa5802cf3402727101bb74ae9329a43279263ada5c248db25fd0748d12b09e5\n // f0268b956209d3dc976??91e53119bd48157effb6ceb4764fa515211d34417e1\n\n // Checks for 3 different types of shells.\n $amd64_shell_check = {\n 48 8D ?? ?? ?? 01 00 // lea rax, ???\n BB ?? 00 00 00 // mov ebx, ?\n 66 90 // xchg ax, ax\n E8 ?? ?? ?? FF // call main_Exists\n 84 C0 // test al, al\n 74 ?? // jz short loc_??????\n 48 8D ?? ?? ?? 01 00 // lea rax, unk_??????\n EB ?? // jmp short loc_??????\n }\n\n // Launches the script\n $amd64_script_launch = {\n BB 06 00 00 00 // mov ebx, 6\n BF 01 00 00 00 // mov edi, 1\n 48 89 FE // mov rsi, rdi\n 48 8D ?? ?? ?? 01 00 // lea rax, unk_??????\n 48 8D ?? ?? ?? 00 00 00 // lea rcx, [rsp+0??h+var_18]\n E8 ?? ?? FF FF // call os_exec_Command\n 48 89 ?? ?? ?? // mov [rsp+0??h+var_50], rax\n 48 8B ?? ?? ?? // mov rbx, [rsp+0??h+var_90]\n 31 C9 // xor ecx, ecx\n 31 FF // xor edi, edi\n 48 89 FE // mov rsi, rdi\n 48 8B ?? ?? ?? // mov rax, [rsp+0??h+var_??]\n E8 ?? ?? FF FF // call os_exec_Command\n 48 89 ?? ?? ?? // mov [rsp+0??h+var_??], rax\n 48 8B ?? ?? ?? 
1C 00 // mov rdx, cs:main_scriptB64\n 48 89 ?? ?? ?? // mov [rsp+0??h+var_??], rdx\n 4C 8B ?? ?? ?? 1C 00 // mov r8, cs:qword_6659B8\n 4C 89 ?? 24 ?? // mov [rsp+0??h+var_??], r8\n 48 8D ?? ?? ?? ?? 00 // lea rax, RTYPE_strings_Reader\n E8 ?? ?? F7 FF // call runtime_newobject\n 48 8B ?? 24 ?? // mov rdx, [rsp+0??h+var_??]\n 48 89 50 08 // mov [rax+8], rdx\n 83 3D ?? ?? ?? 00 00 // cmp cs:runtime_writeBarrier, 0\n 90 // nop\n }\n\n // Checks for 3 different types of shell\n $836_shell_check = {\n 8D 05 ?? ?? ?? 08 // lea eax, aBin?sh ; \"/bin/?sh\"\n 89 04 ?? // mov [esp+??h+name.str], eax ; name\n C7 ?? ?? ?? 08 00 00 00 // mov [esp+??h+name.len], 8\n E8 ?? ?? ?? FF // call main_Exists\n 0F B6 ?? ?? 08 // movzx eax, byte ptr [esp+??h+arg.array]\n 84 C0 // test al, al\n 74 08 // jz short loc_??????\n 8D 05 ?? ?? ?? 08 // lea eax, aBin?sh ; \"/bin/?sh\"\n EB ?? // jmp short loc_??????\n }\n\n // Launches the script\n $836_script_launch = {\n 89 ?? ?? 2C // mov [esp+??h+var_44], eax\n 89 4C ?? 38 // mov [esp+??h+var_38.str], ecx\n C7 ?? ?? ?? 00 00 00 00 // mov [esp+??h+a.cap], 0\n C7 ?? ?? ?? 00 00 00 00 // mov [esp+??h+var_4], 0\n 8D 15 ?? ?? ?? ?? // lea edx, unk_???????\n 89 ?? ?? ?? // mov [esp+??h+a.cap], edx\n C7 ?? ?? ?? 02 00 00 00 // mov [esp+??h+var_4], 2\n 8D ?? ?? ?? ?? 08 // lea edx, aBase64 ; \"base64\"\n 89 ?? ?? // mov [esp+??h+name.str], edx ; name\n C7 ?? ?? ?? 06 00 00 00 // mov [esp+??h+name.len], 6\n 8D 54 ?? ?? // lea edx, [esp+??h+a.cap]\n 89 54 ?? 08 // mov [esp+??h+arg.array], edx ; arg\n C7 ?? ?? ?? 01 00 00 00 // mov [esp+??h+arg.len], 1\n C7 ?? ?? ?? 01 00 00 00 // mov [esp+??h+arg.cap], 1\n E8 ?? ?? ?? 
FF // call os_exec_Command\n }\n\n condition:\n (uint16(0) == 0x457f) and ((#amd64_shell_check > 1 and $amd64_script_launch) or (#836_shell_check > 1 and $836_script_launch))\n}\n", "rule_count": 1, "rule_names": [ "linpeas_binaries" ], "rule_creation_date": "2022-10-17", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Tool.linPEAS" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1589", "attack.t1592", "attack.t1590" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_acidwipers_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572810Z", "creation_date": "2026-03-23T11:46:25.572813Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572818Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.youtube.com/watch?v=Y1lzm3sZ_ao\nhttps://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/\nhttps://twitter.com/juanandres_gs/status/1769731460674494716" ], "name": "linux_acidwipers.yar", "content": "rule acidwipers_strings {\n meta:\n title = \"AcidPour Wiper\"\n id = 
\"e03b4ea0-5a22-4f9a-bf23-3b76edd06e0e\"\n description = \"Detects the AcidWiper malware.\\nAcidWiper is a wiper targeting Linux platforms on Intel or MIPS architectures. It is commonly known as AcidRain, CosmicWiper, and AcidPour.\\nCosmicWiper is notably associated with the KA-SAT modems disruption in February 2022.\"\n references = \"https://www.youtube.com/watch?v=Y1lzm3sZ_ao\\nhttps://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/\\nhttps://twitter.com/juanandres_gs/status/1769731460674494716\"\n date = \"2024-03-21\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1083;attack.impact;attack.t1485\"\n classification = \"Linux.Wiper.AcidWiper\"\n os = \"Linux\"\n context = \"process,file.elf\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a\n // 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728\n\n $s1 = \"/dev/sdX\" ascii\n $s2 = \"/dev/mtd\" ascii\n $s3 = \"/dev/ubiXX\" ascii\n $s4 = /\\/usr\\/(s)?bin\\/reboot/ ascii\n $s5 = /\\/dev\\/(block\\/)?mtdblockXX/ ascii\n $s6 = /\\/dev\\/(block\\/)?mmcblk/ ascii\n $s7 = \"Look out!\" ascii fullword\n\n condition:\n uint32be(0) == 0x7F454C46\n and filesize > 5KB and filesize < 100KB\n and ( 5 of ($s*) )\n}\n", "rule_count": 1, "rule_names": [ "acidwipers_strings" ], "rule_creation_date": "2024-03-21", "rule_modified_date": "2025-03-12", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Wiper.AcidWiper" ], "rule_tactic_tags": [ "attack.discovery", "attack.impact" ], "rule_technique_tags": [ "attack.t1083", "attack.t1485" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_backdoor_bpfdoor_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", 
"effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564541Z", "creation_date": "2026-03-23T11:46:25.564543Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564548Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896" ], "name": "linux_backdoor_bpfdoor.yar", "content": "rule linux_bpfdoor {\n meta:\n title = \"BPFDoor Backdoor\"\n id = \"442ae216-db1d-4e20-8249-007bca87d41c\"\n description = \"Detects the passive network implant BPFDoor associated with Red Menshen.\\nBPFDoor is a backdoor that allows attackers to establish persistence on a compromised system by using a BPF (Berkeley Packet Filter) for communication.\\nIf a packet is observed that matches the BPF filters and contains the required data, it is passed to the backdoor for processing.\\nIt is recommended to investigate for additional malicious files related to the BPFDoor backdoor.\"\n references = \"https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896\"\n date = \"2022-05-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1573.001;attack.t1095\"\n classification = \"Linux.Backdoor.BPFDoor\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n 
strings:\n // Detection for this sample :\n // 591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78\n\n $string_v1_1 = \"export TERM=vt100\" ascii fullword\n $string_v1_2 = \"export MYSQL_HISTFILE=/dev/null\" ascii fullword\n $string_v1_3 = \"export HISTFILE=/dev/null\" ascii fullword\n $string_v1_4 = \"export PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin\" ascii fullword\n $string_v1_5 = \"unset PROMPT_COMMAND\" ascii fullword\n $string_v1_6 = \"export HISTSIZE=100\" ascii fullword\n $string_v1_7 = \"[+] Spawn shell ok.\" ascii fullword\n $string_v1_8 = \"3458\" ascii fullword\n $string_v1_9 = \"[+] crypt\" ascii fullword\n $string_v1_10 = \"[roo\" ascii fullword\n\n // Detection for these samples :\n // 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d\n // 144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3\n // 2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb\n // 3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155\n // 4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d\n // 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9\n // 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3\n // 74ef6cc38f5a1a80148752b63c117e6846984debd2af806c65887195a8eccc56\n // 8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95\n // 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc\n // a002f27f1abb599f24e727c811efa36d2d523e586a82134e9b3e8454dde6a089\n // ac06771774538f33b0e95a92ae1a3e8aaf27e188b51700a03c14ca097af09cac\n // bd353a28886815f43fe71c561a027fdeff5cd83e17e2055c0e52bea344ae51d3\n // c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276\n // c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c\n // db91fce6304a787a8602ced95eda81aa6a000fbb645c63f36da79e9663f3794b\n // dfdabe9013e783535a76407b61b63e97db283daab202218077cc0b846b3caa42\n // 
f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72\n // f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27\n // fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73\n // fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a\n // fe9f3b7451913f184e1f53b52a03a981dcea5564633cfcb70d01bd0aec8f30a7\n\n $string_v2_1 = \"/sbin/udevd -d\" ascii fullword\n $string_v2_2 = \"/sbin/mingetty /dev/tty\" ascii\n $string_v2_3 = \"/usr/sbin/console-kit-daemon --no-daemon\" ascii fullword\n $string_v2_4 = \"hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event\" ascii fullword\n $string_v2_5 = \"dbus-daemon --system\" ascii fullword\n $string_v2_6 = \"hald-runner\" ascii fullword\n $string_v2_7 = \"pickup -l -t fifo -u\" ascii fullword\n $string_v2_8 = \"avahi-daemon: chroot helper\" ascii fullword\n $string_v2_9 = \"/sbin/auditd -n\" ascii fullword\n $string_v2_10 = \"/usr/lib/systemd/systemd-journald\" ascii fullword\n\n // Detection for these samples :\n // 599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683\n // 96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9\n\n $string_v3_1 = \"%02x\" ascii fullword\n $string_v3_2 = \"/dev/ptm\" ascii\n $string_v3_3 = \"ptem\" ascii fullword\n $string_v3_4 = \"ldterm\" ascii fullword\n $string_v3_5 = \"ttcompat\" ascii fullword\n $string_v3_6 = \"3458\" ascii fullword\n $string_v3_7 = \"/usr/lib/systemd/systemd-machined\" ascii fullword\n $string_v3_8 = \"grantpt\" ascii fullword\n $string_v3_9 = \"ptsname\" ascii fullword\n $string_v3_10 = \"vhangup\" ascii fullword\n\n // Detection for this sample :\n // 54a4b3c2ac34f1913634ab9be5f85cde19445d01260bb15bcd1d52ebcc85af2c\n\n $string_v4_1 = 
\"\\\\x4a\\\\x8a\\\\xba\\\\xab\\\\xa8\\\\x80\\\\xf7\\\\xf0\\\\x24\\\\xc6\\\\xa5\\\\x4b\\\\x4a\\\\xb4\\\\x0d\\\\xdd\\\\xe4\\\\xc6\\\\xff\\\\x80\\\\x75\\\\x0e\\\\xb7\\\\x25\\\\x7c\\\\x95\\\\xb2\\\\x9a\\\\xe6\\\\x6c\\\\xa6\\\\x87\\\\xb2\\\\xcc\\\\x06\\\\xff\\\\x26\\\\xd2\\\\x3d\\\\xff\\\\x26\\\\x7e\\\\x37\\\\x1b\\\\x10\\\\xd3\\\\x1b\\\\x51\\\\xac\\\\x7b\\\\x81\\\\x60\\\\x08\\\\xf8\\\\x50\\\\xec\\\\x05\\\\x90\\\\x68\\\\x4b\\\\xff\\\\x44\\\\x14\\\\x8b\" ascii fullword\n $string_v4_2 = \"Start time\" ascii fullword\n $string_v4_3 = \"/sbin/mingetty\" ascii fullword\n $string_v4_4 = \"PS1=[\\\\u@\\\\h \\\\W]\\\\\\\\$\" ascii fullword\n $string_v4_5 = \"HISTFILE=/dev/null\" ascii fullword\n $string_v4_6 = \"MYSQL_HISTFILE=/dev/null\" ascii fullword\n $string_v4_7 = \"PATH=/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:./bin\" ascii fullword\n $string_v4_8 = \"Cant fork pty\" ascii fullword\n\n // Detection for these samples :\n // 07ecb1f2d9ffbd20a46cd36cd06b022db3cc8e45b1ecab62cd11f9ca7a26ab6d\n // 144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3\n // 3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155\n // 4c5cf8f977fc7c368a8e095700a44be36c8332462c0b1e41bff03238b2bf2a2d\n // 599ae527f10ddb4625687748b7d3734ee51673b664f2e5d0346e64f85e185683\n // 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9\n // 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3\n // 76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925\n // 8b84336e73c6a6d154e685d3729dfa4e08e4a3f136f0b2e7c6e5970df9145e95\n // 96e906128095dead57fdc9ce8688bb889166b67c9a1b8fdb93d7cff7f3836bb9\n // 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc\n // ac06771774538f33b0e95a92ae1a3e8aaf27e188b51700a03c14ca097af09cac\n // bd353a28886815f43fe71c561a027fdeff5cd83e17e2055c0e52bea344ae51d3\n // c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276\n // 
c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c\n // f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72\n // f8a5e735d6e79eb587954a371515a82a15883cf2eda9d7ddb8938b86e714ea27\n // fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73\n // fd1b20ee5bd429046d3c04e9c675c41e9095bea70e0329bd32d7edd17ebaf68a\n // fe9f3b7451913f184e1f53b52a03a981dcea5564633cfcb70d01bd0aec8f30a7\n\n $histfile = {\n C6 85 ?? 7? FF FF 48 // mov [rbp+var_8960], 48h ; 'H'\n C6 85 ?? 7? FF FF 49 // mov [rbp+var_8960+1], 49h ; 'I'\n C6 85 ?? 7? FF FF 53 // mov [rbp+var_8960+2], 53h ; 'S'\n C6 85 ?? 7? FF FF 54 // mov [rbp+var_8960+3], 54h ; 'T'\n C6 85 ?? 7? FF FF 46 // mov [rbp+var_8960+4], 46h ; 'F'\n C6 85 ?? 7? FF FF 49 // mov [rbp+var_8960+5], 49h ; 'I'\n C6 85 ?? 7? FF FF 4C // mov [rbp+var_8960+6], 4Ch ; 'L'\n C6 85 ?? 7? FF FF 45 // mov [rbp+var_8960+7], 45h ; 'E'\n C6 85 ?? 7? FF FF 3D // mov [rbp+var_8960+8], 3Dh ; '='\n C6 85 ?? 7? FF FF 2F // mov [rbp+var_8960+9], 2Fh ; '/'\n C6 85 ?? 7? FF FF 64 // mov [rbp+var_8960+0Ah], 64h ; 'd'\n C6 85 ?? 7? FF FF 65 // mov [rbp+var_8960+0Bh], 65h ; 'e'\n C6 85 ?? 7? FF FF 76 // mov [rbp+var_8960+0Ch], 76h ; 'v'\n C6 85 ?? 7? FF FF 2F // mov [rbp+var_8960+0Dh], 2Fh ; '/'\n C6 85 ?? 7? FF FF 6E // mov [rbp+var_8960+0Eh], 6Eh ; 'n'\n C6 85 ?? 7? FF FF 75 // mov [rbp+var_8960+0Fh], 75h ; 'u'\n C6 85 ?? 7? FF FF 6C // mov [rbp+var_8960+10h], 6Ch ; 'l'\n C6 85 ?? 7? FF FF 6C // mov [rbp+var_8960+11h], 6Ch ; 'l'\n C6 85 ?? 7? 
FF FF 00 // mov [rbp+var_8960+12h], 0\n }\n\n $bpf_code = {\n 28 00 00 00 0C 00 00 00\n 15 00 00 1B 00 08 00 00\n 30 00 00 00 17 00 00 00\n 15 00 00 05 11 00 00 00\n 28 00 00 00 14 00 00 00\n 45 00 17 00 FF 1F 00 00\n B1 00 00 00 0E 00 00 00\n 48 00 00 00 16 00 00 00\n 15 00 13 14 55 72 00 00\n 15 00 00 07 01 00 00 00\n 28 00 00 00 14 00 00 00\n 45 00 11 00 FF 1F 00 00\n B1 00 00 00 0E 00 00 00\n 48 00 00 00 16 00 00 00\n 15 00 00 0E 55 72 00 00\n 50 00 00 00 0E 00 00 00\n 15 00 0B 0C 08 00 00 00\n 15 00 00 0B 06 00 00 00\n 28 00 00 00 14 00 00 00\n 45 00 09 00 FF 1F 00 00\n B1 00 00 00 0E 00 00 00\n 50 00 00 00 1A 00 00 00\n 54 00 00 00 F0 00 00 00\n 74 00 00 00 02 00 00 00\n 0C 00 00 00 00 00 00 00\n 07 00 00 00 00 00 00 00\n 48 00 00 00 0E 00 00 00\n 15 00 00 01 93 52 00 00\n 06 00 00 00 FF FF 00 00\n 06 00 00 00 00 00 00 00\n }\n\n condition:\n uint16(0) == 0x457f and filesize < 100KB and (\n all of ($string_v1*) or all of ($string_v2*) or\n all of ($string_v3*) or all of ($string_v4*) or\n ($histfile and $bpf_code))\n}\n", "rule_count": 1, "rule_names": [ "linux_bpfdoor" ], "rule_creation_date": "2022-05-10", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.BPFDoor" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1095", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_dirty_cred_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, 
"is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572690Z", "creation_date": "2026-03-23T11:46:25.572693Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572698Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1068/\nhttps://github.com/Markakd/CVE-2022-2588" ], "name": "linux_dirty_cred.yar", "content": "rule dirty_cred {\n meta:\n title = \"Dirty Cred PoC\"\n id = \"f17906e4-71d9-4fe8-9209-3d1b3827b354\"\n description = \"Detects strings related to a potential exploitation of the Dirty Cred vulnerability (CVE-2022-2588) in Linux systems.\\nThis vulnerability exists in the network packet scheduler and can be exploited by a local attacker to cause a denial of service or arbitrary code execution by manipulating route filter references.\\nIt is recommended to isolate the affected system and monitor for any signs of privilege escalation or malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1068/\\nhttps://github.com/Markakd/CVE-2022-2588\"\n date = \"2022-10-07\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;cve.2022-2588\"\n classification = \"Windows.Exploit.DirtyCred\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e0dae22e68fa74a0d61c7cca42cdc964f3e76fabcf01fcde66e6cb51a1f3cbca\n\n $s1 = \"sched_setaffinity()\" fullword ascii\n $s2 = \"/sys/fs/fuse/connections\" fullword ascii\n $s3 = \"/proc/self/setgroups\" fullword ascii\n $s4 = \"/proc/self/uid_map\" fullword ascii\n $s5 = \"/proc/self/gid_map\" fullword ascii\n $s6 = 
\"from <= 0xff && to <= 0xff\" fullword ascii\n $s7 = \"spray_len * spray_count < 0x3000\" fullword ascii\n $s8 = \"found overlap, id : %d, %d\" fullword ascii\n $s9 = \"pipe(pipe_main) == 0\" fullword ascii\n\n condition:\n uint16(0) == 0x457f and filesize < 60KB and all of them\n}\n", "rule_count": 1, "rule_names": [ "dirty_cred" ], "rule_creation_date": "2022-10-07", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Windows.Exploit.DirtyCred" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_orbit_dropper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564449Z", "creation_date": "2026-03-23T11:46:25.564451Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564456Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" ], "name": "linux_orbit_dropper.yar", "content": "rule linux_orbit_dropper {\n meta:\n title = \"Orbit Dropper\"\n id = 
\"794c2337-3ce4-40b4-bcd0-8258e1a4ae9a\"\n description = \"Detects the Orbit dropper implant.\\nOrbit is a Linux backdoor that hooks system calls to steal data and hide itself.\\nIt infects systems by hijacking the dynamic linker and hooking system calls.\"\n references = \"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\"\n date = \"2022-07-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.credential_access;attack.t1056.004;attack.persistence;attack.t1574.006\"\n classification = \"Linux.Backdoor.Orbit\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8\n\n $s1 = \"-o UserKnownHostsFile=/dev/null\" fullword ascii\n $s2 = \"-o StrictHostKeyChecking=no\" fullword ascii\n $s3 = \"access(\\\"/etc/ld.so.preload\\\", R_OK) = -1 ENOENT (No such file or directory)\" fullword ascii\n\n $dropper_str_1 = \"/lib/libntpVnQE6mk/.boot.sh\" fullword ascii\n $dropper_str_2 = \"chown -R 920366:920366 /lib/\" ascii\n $dropper_str_3 = \"/bin/escalator\" ascii\n $dropper_str_4 = \"/lib/libntpVnQE6mk/.logpam\" ascii\n $dropper_str_5 = \"DYNAMIC LINKER BUG!!!\" fullword ascii\n $dropper_str_6 = \"sshd_tmp_t:s0\" ascii\n $dropper_str_7 = \".backup_ld.so\" ascii\n $dropper_str_8 = \"/lib/lib0UZ0LfvWZ.so\" fullword ascii\n $dropper_str_9 = \"ls -l /lib64/ld-linux-x86-64.so.2\" fullword ascii\n $dropper_str_10 = \"\" fullword ascii\n $dropper_str_11 = \"/lib/libntpVnQE6mk/.l\" fullword ascii\n $dropper_str_12 = \"/dev/shm/ldx/.l\" fullword ascii\n $dropper_str_13 = \"/etc/ld.so.preload\" fullword ascii\n\n // checking for specific ld.so versions\n $dropper_op_1 = {\n 48 8B 45 ?? // mov rax, [rbp+var_8]\n 48 83 C0 05 // add rax, 5\n 0F B6 00 // movzx eax, byte ptr [rax]\n 3C 34 // cmp al, 34h ; '4'\n 7F ?? 
// jg short loc_4006E5\n 48 8B 45 ?? // mov rax, [rbp+var_8]\n 48 83 C0 06 // add rax, 6\n 0F B6 00 // movzx eax, byte ptr [rax]\n 3C 2E // cmp al, 2Eh ; '.'\n 75 ?? // jnz short loc_4006E5\n B8 ?? ?? ?? ?? // mov eax, offset aLdErrorS ; \"ld error: %s\\n\"\n 48 8D 95 ?? ?? ?? ?? // lea rdx, [rbp+haystack]\n 48 89 D6 // mov rsi, rdx\n 48 89 C7 // mov rdi, rax\n B8 00 00 00 00 // mov eax, 0\n E8 ?? ?? ?? ?? // call printf\n 8B 05 ?? ?? ?? ?? // mov eax, cs:override_version\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_4006DE\n B8 01 00 00 00 // mov eax, 1\n }\n\n // if forest searching for OS version\n // must match 7 times\n $dropper_op_2 = {\n 48 8D 85 ?? ?? ?? ?? // lea rax, [rbp+haystack]\n BE ?? ?? ?? ?? // mov esi, offset aUbuntu ; \"Ubuntu\"\n 48 89 C7 // mov rdi, rax ; haystack\n E8 ?? ?? ?? ?? // call _strstr\n 48 85 C0 // test rax, rax\n 74 ?? // jz short loc_4007A0\n BF ?? ?? ?? ?? // mov edi, offset aInstallingForU ; \"Installing for Ubuntu\"\n E8 ?? ?? ?? ?? // call puts\n }\n\n condition:\n uint16(0) == 0x457f and filesize < 1500KB and 2 of ($s*) and 8 of ($dropper_str_*) and ($dropper_op_1 or #dropper_op_2 > 5)\n}\n", "rule_count": 1, "rule_names": [ "linux_orbit_dropper" ], "rule_creation_date": "2022-07-11", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.Orbit" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1574.006", "attack.t1056.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_orbit_payload_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564510Z", "creation_date": "2026-03-23T11:46:25.564512Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564518Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" ], "name": "linux_orbit_payload.yar", "content": "rule linux_orbit_payload {\n meta:\n title = \"Orbit Payload\"\n id = \"cb638b1c-a9b1-44a4-a4d0-03495be902d9\"\n description = \"Detects the Orbit payload implant.\\nOrbit is a Linux backdoor that hooks system calls to steal data and hide itself.\\nIt infects systems by hijacking the dynamic linker and hooking system calls.\"\n references = \"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\"\n date = \"2022-07-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.credential_access;attack.t1056.004;attack.persistence;attack.t1574.006\"\n classification = \"Linux.Backdoor.Orbit\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020\n\n $s1 = \"-o UserKnownHostsFile=/dev/null\" fullword ascii\n $s2 = \"-o StrictHostKeyChecking=no\" fullword ascii\n $s3 = \"access(\\\"/etc/ld.so.preload\\\", R_OK) = -1 ENOENT (No such file or directory)\" fullword ascii\n\n 
$payload_str_1 = \"/tmp/.orbit\" fullword ascii\n $payload_str_2 = \"/usr/bin/ssh\" fullword ascii\n $payload_str_3 = \"/usr/bin/scp\" fullword ascii\n $payload_str_4 = \"A/tmp/\" fullword ascii\n $payload_str_5 = \"920366\" fullword ascii\n $payload_str_6 = \"/dev/shm/.lck\" fullword ascii\n\n $xor_payload_str_1 = \"/lib/libntpVnQE6mk/.l2\" ascii xor\n $xor_payload_str_2 = \"/lib/libntpVnQE6mk/.l\" ascii xor\n $xor_payload_str_3 = \"/lib64/ld-linux-x86-64.so.2\" ascii xor\n $xor_payload_str_4 = \"/lib64/%s\" ascii xor\n $xor_payload_str_5 = \"mv /lib/libUDd5O.so %\" ascii xor\n\n // searching for specific paths in hooked syscall functions\n $payload_op_1 = {\n 3D 70 72 6F 63 // cmp eax, 'corp'\n 75 ?? // jnz short loc_950A\n 48 83 45 ?? 05 // add [rbp+s1], 5\n 80 7D ?? 30 // cmp [rbp+var_1], 30h ; '0'\n 7E 34 // jle short loc_9544\n 80 7D ?? 39 // cmp [rbp+var_1], 39h ; '9'\n 7F ?? // jg short loc_9544\n EB ?? // jmp short loc_9532\n 48 83 45 ?? 01 // add [rbp+s1], 1\n 48 8B 45 ?? // mov rax, [rbp+s1]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 3C 30 // cmp al, 30h ; '0'\n 75 ?? // jnz short loc_9532\n B8 00 00 00 00 // mov eax, 0\n E9 ?? ?? ?? ?? // jmp locret_95CE\n 48 8B 45 ?? // mov rax, [rbp+s1]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 3C 2F // cmp al, 2Fh ; '/'\n 75 ?? // jnz short loc_9518\n 48 83 45 ?? 01 // add [rbp+s1], 1\n EB ?? // jmp short loc_9556\n 48 8B 45 ?? // mov rax, [rbp+s1]\n 8B 00 // mov eax, [rax]\n 3D 73 65 6C 66 // cmp eax, 'fles'\n 75 ?? // jnz short loc_9556\n 48 83 45 ?? 05 // add [rbp+s1], 5\n }\n\n // filters out hidden port from packet capture\n $payload_op_2 = {\n 48 63 D0 // movsxd rdx, eax\n 48 8D 05 ?? ?? ?? ?? // lea rax, byte_17535\n 0F B6 04 02 // movzx eax, byte ptr [rdx+rax]\n 89 C2 // mov edx, eax\n 83 F2 A2 // xor edx, 0FFFFFFA2h\n 48 63 C1 // movsxd rax, ecx\n 88 94 05 ?? ?? ?? ?? // mov [rbp+rax+var_240], dl\n 83 45 F? 01 // add [rbp+var_4], 1\n 8B 45 F? // mov eax, [rbp+var_4]\n 3B 45 F? // cmp eax, [rbp+var_8]\n 7C ?? 
// jl short loc_16B6C\n 8B 45 F? // mov eax, [rbp+var_8]\n 48 98 // cdqe\n C6 84 05 ?? ?? ?? ?? 00 // mov [rbp+rax+var_240], 0\n 48 8D 85 ?? ?? ?? ?? // lea rax, [rbp+var_240]\n 48 8D 95 ?? ?? ?? ?? // lea rdx, [rbp+var_244]\n 48 8D 8D ?? ?? ?? ?? // lea rcx, [rbp+var_200]\n 48 89 CE // mov rsi, rcx\n 48 89 C7 // mov rdi, rax\n E8 ?? ?? ?? ?? // call load_hidden_ports\n }\n\n condition:\n uint16(0) == 0x457f and filesize < 250KB and 2 of ($s*) and 4 of ($payload_str_*) and 2 of ($xor_payload_str_*) and 1 of ($payload_op_*)\n}\n", "rule_count": 1, "rule_names": [ "linux_orbit_payload" ], "rule_creation_date": "2022-07-11", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.Orbit" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.persistence" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1574.006", "attack.t1056.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_turla_penquin_1805b27b70c6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572436Z", "creation_date": "2026-03-23T11:46:25.572439Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572444Z", "rule_level": 
"critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0587/\nhttps://securelist.com/the-penquin-turla-2/67962/\nhttps://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" ], "name": "linux_turla_penquin_1805b27b70c6.yar", "content": "rule linux_turla_penquin_1805b27b70c6 {\n meta:\n title = \"Penquin Malware (1805b27b70c6)\"\n id = \"399d4821-a779-4557-9aa6-1805b27b70c6\"\n description = \"Detects Penquin, a Linux malware related to the Turla APT group.\\nPenquin is designed to gather system information and facilitate command and control communication on infected Linux systems. It employs various techniques to maintain persistence and exfiltrate data.\"\n references = \"https://attack.mitre.org/software/S0587/\\nhttps://securelist.com/the-penquin-turla-2/67962/\\nhttps://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf\"\n date = \"2023-01-11\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.s0587;attack.command_and_control;attack.t1573.002;attack.t1105;attack.t1205;attack.discovery;attack.t1083;attack.t1040;attack.execution;attack.t1059\"\n classification = \"Linux.Malware.TurlaPenquin\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 8ccc081d4940c5d8aa6b782c16ed82528c0885bbb08210a8d0a8c519c54215bc\n // 67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502\n // d9f2467ff11efae921ec83e074e4f8d2eac7881d76bff60a872a801bd45ce3d5\n\n $s1 = \"/root/.sess\" ascii fullword\n $s2 = \"/root/.hsperfdata\" ascii fullword\n $s3 = \"/tmp/.sync.pid\" ascii fullword\n $s4 = \"ZYSZLRTS^Z@@NM@@G_Y_FE\" ascii fullword\n $s5 = \"Desc| Filename | size |state|\" ascii fullword\n $s6 = \"VS filesystem: %s\" ascii 
fullword\n $s7 = \"File already exist on remote filesystem !\" ascii fullword\n $s8 = \"File exist on local filesystem !\" ascii fullword\n $s9 = \"Write 0 bytes, Check filename !\" ascii fullword\n $s10 = \"rem_fd: ssl keypair error, try reconnect !\" ascii fullword\n\n condition:\n uint16(0) == 0x457f and filesize < 10MB and (\n 7 of ($s*) // 3/4 of all strings\n )\n}\n", "rule_count": 1, "rule_names": [ "linux_turla_penquin_1805b27b70c6" ], "rule_creation_date": "2023-01-11", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.TurlaPenquin" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.discovery", "attack.execution" ], "rule_technique_tags": [ "attack.t1083", "attack.t1040", "attack.t1059", "attack.t1573.002", "attack.t1105", "attack.t1205" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_turla_penquin_669a2fe790f1_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564384Z", "creation_date": "2026-03-23T11:46:25.564386Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564392Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://attack.mitre.org/software/S0587/\nhttps://securelist.com/the-penquin-turla-2/67962/\nhttps://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" ], "name": "linux_turla_penquin_669a2fe790f1.yar", "content": "rule linux_turla_penquin_669a2fe790f1 {\n meta:\n title = \"Penquin Malware (669a2fe790f1)\"\n id = \"29ad3842-641c-404c-acbe-669a2fe790f1\"\n description = \"Detects Penquin, a Linux malware related to the Turla APT group.\\nPenquin is designed to gather system information and facilitate command and control communication on infected Linux systems. It employs various techniques to maintain persistence and exfiltrate data.\"\n references = \"https://attack.mitre.org/software/S0587/\\nhttps://securelist.com/the-penquin-turla-2/67962/\\nhttps://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf\"\n date = \"2023-01-11\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.s0587;attack.command_and_control;attack.t1573.002;attack.t1105;attack.t1205;attack.discovery;attack.t1083;attack.t1040;attack.execution;attack.t1059\"\n classification = \"Linux.Malware.TurlaPenquin\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3e138e4e34c6eed3506efc7c805fce19af13bd62aeb35544f81f111e83b5d0d4\n // 1d5e4466a6c5723cd30caf8b1c3d33d1a3d4c94c25e2ebe186c02b8b41daf905\n // 5a204263cac112318cd162f1c372437abf7f2092902b05e943e8784869629dd8\n // 8856a68d95e4e79301779770a83e3fad8f122b849a9e9e31cfe06bf3418fa667\n // 2dabb2c5c04da560a6b56dbaa565d1eab8189d1fa4a85557a22157877065ea08\n // d49690ccb82ff9d42d3ee9d7da693fd7d302734562de088e9298413d56b86ed0\n\n // Commands\n $cc_lookup_versioned = \"do_lookup_versioned\" ascii fullword\n $cc_system = \"do_system\" ascii fullword\n $cc_out = \"do_out\" ascii fullword\n 
$cc_unshift = \"do_unshift\" ascii fullword\n $cc_in = \"do_in\" ascii fullword\n $cc_encoding = \"do_encoding\" ascii fullword\n $cc_always_noconv = \"do_always_noconv\" ascii fullword\n $cc_length = \"do_length\" ascii fullword\n $cc_max_length = \"do_max_length\" ascii fullword\n $cc_lookup_alias = \"do_lookup_alias\" ascii fullword\n $cc_release_shlib = \"do_release_shlib\" ascii fullword\n $cc_release_all = \"do_release_all\" ascii fullword\n $cc_lookup = \"do_lookup\" ascii fullword\n $cc_dlopen = \"do_dlopen\" ascii fullword\n $cc_dlsym = \"do_dlsym\" ascii fullword\n $cc_dlclose = \"do_dlclose\" ascii fullword\n $cc_dlsym_private = \"do_dlsym_private\" ascii fullword\n $cc_readv = \"do_readv\" ascii fullword\n $cc_writev = \"do_writev\" ascii fullword\n $cc_vslist = \"do_vslist\" ascii fullword\n $cc_start = \"do_start\" ascii fullword\n $cc_vsdownlod = \"do_vsdownlod\" ascii fullword\n $cc_ssl_connect = \"do_ssl_connect\" ascii fullword\n $cc_vsstat = \"do_vsstat\" ascii fullword\n $cc_cd = \"do_cd\" ascii fullword\n $cc_download = \"do_download\" ascii fullword\n $cc_exit = \"do_exit\" ascii fullword\n $cc_exec = \"do_exec\" ascii fullword\n $cc_upload = \"do_upload\" ascii fullword\n $cc_vsupload = \"do_vsupload\" ascii fullword\n $cc_vsdelete = \"do_vsdelete\" ascii fullword\n $cc_setenv = \"do_setenv\" ascii fullword\n $cc_vsshutdown = \"do_vsshutdown\" ascii fullword\n $user_s1 = \"Extracted ip : %s Hex: %lx\" ascii fullword\n $user_s2 = \"Extracted port: %d Hex: %x\" ascii fullword\n $user_s3 = \"TREX_PID=%u\" ascii fullword\n $user_s4 = \"File olready exist on VS !\" ascii fullword\n $user_s5 = \"Read or recive 0 status\" ascii fullword\n $user_s6 = \"Err open on remote side: %s\" ascii fullword\n\n $fatal_s1 = \"__we_are_happy__\" ascii fullword\n $fatal_s2 = \"/tmp/.xdfg\" ascii fullword\n $fatal_s3 = \"__TREX__STOP__STRING__\" ascii fullword\n $fatal_s4 = \"news-bbc.podzone.org\" ascii fullword\n\n condition:\n uint16(0) == 0x457f and filesize < 
10MB and (\n 25 of ($cc_*) // 3/4 of C&C commands\n or 4 of ($user_s*) // 3/4 of user strings\n or any of ($fatal_s*) // Any fatal string\n )\n}\n", "rule_count": 1, "rule_names": [ "linux_turla_penquin_669a2fe790f1" ], "rule_creation_date": "2023-01-11", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.TurlaPenquin" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.discovery", "attack.execution" ], "rule_technique_tags": [ "attack.t1083", "attack.t1040", "attack.t1059", "attack.t1573.002", "attack.t1105", "attack.t1205" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-linux_xmrig_cryptominer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586467Z", "creation_date": "2026-03-23T11:46:25.586469Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586475Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1496/\nhttps://github.com/xmrig/xmrig" ], "name": "linux_xmrig_cryptominer.yar", "content": "rule xmrig_linux {\n meta:\n title = \"XMRig Cyrptominer (Linux)\"\n id = 
\"1bd67941-ad3d-46d5-a064-02e13241e521\"\n description = \"Detects the XMRig Cryptominer on Linux systems.\\nXMRig is a widely-used open-source cryptocurrency miner that can be abused by adversaries to perform unauthorized mining activities on victim machines.\\nThis can lead to significant resource consumption and impact system performance.\\nIt is recommended to disable unnecessary cryptocurrency mining activities on systems to mitigate the risk of abuse.\"\n references = \"https://attack.mitre.org/techniques/T1496/\\nhttps://github.com/xmrig/xmrig\"\n date = \"2022-11-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1496\"\n classification = \"Linux.CryptoMiner.XMRig\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c41ebb332668c6f12a02c044136783e0cb98915a68fe2cc7d2413799f835ee8d\n // d911a685f62ef904030b1fffab7e6b93a1e2ce1d44dc55c859fcb8bbcec11b6b xmrig-6.21.3-focal-x64\n // 4e855dab9cba525518aa6782ba70c4f7519930d9c8c58a575dfbe25ec2cc4a35 xmrig-6.21.3-jammy-x64\n // 72ac2877c9e4cd7d70673c0643eb16805977a9b8d55b6b2e5a6491db565cee1f xmrig-6.21.3-linux-static-x64\n // 0366f72ee68e80a6f21fa61a854cd445142238bbad12a04a5d8e20ae72b4702c xmrig-6.21.3-noble-x64\n\n $s1 = \"libxmrig-cuda.so\" ascii\n $s2 = \"xmrig_ar2_\" ascii\n $s3 = \"XMRIG_VERSION\" fullword ascii\n $s4 = \"XMRIG_KIND\" fullword ascii\n $s5 = \"xmrig.json\" ascii\n\n condition:\n uint16(0) == 0x457f and 3 of them\n}\n", "rule_count": 1, "rule_names": [ "xmrig_linux" ], "rule_creation_date": "2022-11-15", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.CryptoMiner.XMRig" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1496" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-loader_mustangpanda_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576514Z", "creation_date": "2026-03-23T11:46:25.576516Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576522Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims" ], "name": "loader_mustangpanda.yar", "content": "rule loader_mustangpanda {\n meta:\n title = \"MustangPanda Loader\"\n id = \"9c6fe632-8f1b-452f-bd49-01af4acb4e5d\"\n description = \"Detects the MustangPanda loader usually included into malicious DLL destined to be side-loaded by legitimate software.\\nThe loader has been utilized by the MustangPanda attacker group in a campaign targeting Myanmar.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims\"\n date = \"2022-10-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.persistence;attack.t1574.001\"\n classification = \"Windows.Loader.MustangPanda\"\n context = 
\"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detects these samples:\n // 74fe609eb8f344405b41708a3bb3c39b9c1e12ff93232d4b7efe648d66ea7380\n // a0d7e541d5c579d2e0493794879fee58d8603b4f3fb146df227efa34c23d830e\n // efade7cf8f2caeb5a5d1cf647796975b0b153feac67217fccbdd203e473a4928\n\n $payload_decryption_1 = {\n 34 FF // xor al, 0FFh\n 80 CC 01 // or ah, 1\n 20 E0 // and al, ah\n 08 C6 // or dh, al\n 88 F0 // mov al, dh\n 34 FF // xor al, 0FFh\n 88 CA // mov dl, cl\n 30 C2 // xor dl, al\n 20 CA // and dl, cl\n 88 C8 // mov al, cl\n 34 FF // xor al, 0FFh\n 88 F4 // mov ah, dh\n 20 C4 // and ah, al\n 80 F6 FF // xor dh, 0FFh\n 20 F1 // and cl, dh\n 08 CC // or ah, cl\n 88 D0 // mov al, dl\n 20 E0 // and al, ah\n 30 E2 // xor dl, ah\n 08 D0 // or al, dl\n A8 01 // test al, 1\n }\n\n $payload_decryption_2 = {\n 83 E8 01 // sub eax, 1\n 89 CE // mov esi, ecx\n 01 C6 // add esi, eax\n 0F AF CE // imul ecx, esi\n 83 E1 01 // and ecx, 1\n 83 F9 00 // cmp ecx, 0\n 0F 94 C3 // setz bl\n 83 FA 0A // cmp edx, 0Ah\n 0F 9C C7 // setl bh\n 88 D8 // mov al, bl\n 20 F8 // and al, bh\n 30 FB // xor bl, bh\n 08 D8 // or al, bl\n A8 01 // test al, 1\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 10MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "loader_mustangpanda" ], "rule_creation_date": "2022-10-10", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.MustangPanda" ], "rule_tactic_tags": [ "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1574.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-loader_samecoin_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": 
"strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583663Z", "creation_date": "2026-03-23T11:46:25.583665Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583671Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/NicoleFishi19/status/1756936882095534532" ], "name": "loader_samecoin.yar", "content": "rule samecoin_campaign_loader {\n meta:\n title = \"SameCoin Loader\"\n id = \"fee803e8-9ffd-4827-83a5-d456e9a368aa\"\n description = \"Detects the SameCoin loader.\\nThe SameCoin campaign uses a loader to distribute its malicious payloads. 
This loader is designed to inject malicious code into legitimate processes to evade detection and establish persistence on the compromised system.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://twitter.com/NicoleFishi19/status/1756936882095534532\"\n date = \"2024-02-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.privilege_escalation;attack.t1548.004;attack.defense_evasion;attack.t1656;attack.t1036.005;attack.discovery;attack.t1614.001\"\n classification = \"Windows.Loader.SameCoin\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6\n\n $hebrew_layout = \"0000040d\" fullword ascii\n $runas = \"runas\" fullword ascii\n $jpg_magic = { FF D8 FF E0 00 10 4A 46 49 46 00 01 }\n $wl_1 = \"C:\\\\Users\\\\Public\\\\Microsoft Connection Agent.jpg\" ascii\n $wl_2 = \"C:\\\\Users\\\\Public\\\\Video.mp4\" ascii\n $wl_3 = \"C:\\\\Users\\\\Public\\\\Microsoft System Agent.exe\" ascii\n $wl_4 = \"C:\\\\Users\\\\Public\\\\Microsoft System Manager.exe\" ascii\n $wl_5 = \"C:\\\\Users\\\\Public\\\\Windows Defender Agent.exe\"\n\n condition:\n uint16(0) == 0x5A4D and filesize > 5MB and filesize < 7MB and\n $hebrew_layout and $runas and $jpg_magic and 3 of ($wl_*)\n}\n", "rule_count": 1, "rule_names": [ "samecoin_campaign_loader" ], "rule_creation_date": "2024-02-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.SameCoin" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1614.001", "attack.t1548.004", "attack.t1036.005", "attack.t1106", "attack.t1656" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-loadthatpe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566462Z", "creation_date": "2026-03-23T11:46:25.566464Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566470Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ProcessusT/LoadThat-PEandAssembly" ], "name": "loadthatpe.yar", "content": "rule loadthatpe {\n meta:\n title = \"LoadThatPe HackTool\"\n id = \"1202979d-de81-47a7-adcf-6872c21a2941\"\n description = \"Detects LoadThatPe.exe, a tool designed to execute a Portable Executable file without using the native Windows PE loader.\\nIt is recommended to examine the context in which this tool is executed to determine whether its use is legitimate.\"\n references = \"https://github.com/ProcessusT/LoadThat-PEandAssembly\"\n date = \"2025-09-29\"\n modified = \"2025-10-23\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.HackTool.LoadThatPe\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
78729188b083b1235a01b4ceb4a34306e02fed30c24eb972644557d8b817d0f6\n // 62ae7f52b6f0e0f93e71eac7c1d522e1254c60e02ddc45c890a41b6cc8e80430\n // 18bdb0c78a10e586230760cfbb8826d703c71a1ffbdf3cd73c557ae4d0471fbc\n // f0b0449d4aea4ab23e9067ad8e386cb1157fdc778dd97baafdd380d12da5135e\n\n $s1 = \"[-] Table des imports non trouvee ou adresse invalide.\" ascii fullword\n $s2 = \"[-] Nom de module invalide ou introuvable.\" ascii fullword\n $s3 = \"[-] Echec du chargement de la bibliotheque :\" ascii fullword\n $s4 = \"[-] Nom de fonction invalide ou introuvable.\" ascii fullword\n $s5 = \"[-] Echec de la resolution de l'importation.\" ascii fullword\n $s6 = \"[-] Erreur dans ResolveImports :\" ascii fullword\n $s7 = \"[-] Erreur inconnue dans ResolveImports.\" ascii fullword\n $s8 = \"[-] Erreur : echec de la recuperation du contexte du thread. Code d'erreur :\" ascii fullword\n $s9 = \"[-] Acces refuse. Verifiez les permissions ou le mode 32/64 bits.\" ascii fullword\n $s10 = \"[-] Handle de thread invalide.\" ascii fullword\n $s11 = \"[-] Architecture non prise en charge (32/64 bits incompatible ?).\" ascii fullword\n $s12 = \"[+] Redefinition de RIP : 0x\" ascii fullword\n $s13 = \"[-] L'adresse d'entree est hors des limites du PE mappe.\" ascii fullword\n $s14 = \"[-] Erreur : echec de la definition du point d'entree.\" ascii fullword\n $s15 = \"D:\\\\lab\\\\LoadThatPE-main\\\\x64\\\\Release\\\\LoadThatPE.pdb\" ascii fullword\n\n condition:\n 2 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "loadthatpe" ], "rule_creation_date": "2025-09-29", "rule_modified_date": "2025-10-23", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.LoadThatPe" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lobster_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586352Z", "creation_date": "2026-03-23T11:46:25.586354Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586359Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://dl.acm.org/doi/10.1145/3688808\nhttps://www.virustotal.com/gui/file/b9b22cea4758eaacea8c80dc1094a754b9fa3ecca4698e92726f3e4ae15d2664" ], "name": "lobster.yar", "content": "rule linux_library_rootkit_lobster {\n meta:\n title = \"Lobster Rootkit\"\n id = \"06cda615-b5d5-43a1-8b25-48cf07abb5b6\"\n description = \"Detects the Lobster LD_PRELOAD userland rootkit.\\nLobster is a userland rootkit that hijacks environment variables used by the dynamic linker to load shared libraries.\\nThis technique allows the rootkit to intercept and control function calls, establishing persistence on the system.\"\n references = \"https://dl.acm.org/doi/10.1145/3688808\\nhttps://www.virustotal.com/gui/file/b9b22cea4758eaacea8c80dc1094a754b9fa3ecca4698e92726f3e4ae15d2664\"\n date = \"2023-12-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = 
\"attack.execution;attack.t1059.004;attack.persistence;attack.t1574.006;attack.defense_evasion;attack.t1014;attack.t1070;attack.t1564;attack.credential_access;attack.t1556;attack.command_and_control;attack.t1095\"\n classification = \"Linux.Rootkit.Lobster\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1d9e5dc2e81397f478764792de229efe110f2448478ca8e314af20864447cca3\n // a4d707a75d655eb5f55e8d0a44483499c57b98cbd42ed90dd5e6783c94b90c1b\n // ac1d77340df2ee1f96e659e8fdfc581dec77ac2ae7479e873eda5816ef6e24a1\n\n $a1 = \"falsify_tcp\" ascii fullword\n $a2 = \"lpe_drop_shell\" ascii fullword\n $a3 = \"D431\" ascii fullword\n $a4 = \"lobster\" ascii fullword\n $a5 = \"Enjoy the shell!\" ascii fullword\n $a6 = \"backconnect\" ascii fullword\n $a7 = \"timebomb\" ascii fullword\n $a8 = \"\\n\\nAUTHENTICATE: \" ascii fullword\n $a9 = \"\\x1B[1m\" ascii fullword\n $a10 = { 6F444045530A5E424F0A59424F46460B } // Frobnicated \"Enjoy the shell!\"\n\n condition:\n (uint32be(0) == 0x7F454c46) // ELF\n and ((uint16be(0x10) == 0x03) or (uint16(0x10) == 0x03)) // ET_DYN\n and (6 of them)\n}\n", "rule_count": 1, "rule_names": [ "linux_library_rootkit_lobster" ], "rule_creation_date": "2023-12-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Lobster" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1095", "attack.t1070", "attack.t1564", "attack.t1014", "attack.t1556", "attack.t1574.006", "attack.t1059.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lsasssilentprocessexit_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567849Z", "creation_date": "2026-03-23T11:46:25.567851Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567857Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/001/\nhttps://github.com/deepinstinct/LsassSilentProcessExit/" ], "name": "lsasssilentprocessexit.yar", "content": "rule lsass_silent_process_exit {\n meta:\n title = \"LsassSilentProcessExit HackTool\"\n id = \"de5b24c8-cfbf-4678-a416-f75854db9adb\"\n description = \"Detects LsassSilentProcessExit, a memory dumper that extracts LSASS process memory using the silent process exit mechanism without crashing the target process.\\nLsassSilentProcessExit is a tool designed to dump the memory of the LSASS process on Windows systems. It operates by leveraging the silent process exit technique to avoid crashing the LSASS process, which is commonly used for credential access and persistence. 
The tool allows users to specify the LSASS process ID and dump mode, and it attempts to enable debug privileges and modify system registry settings to facilitate the dumping process.\\nIt is recommended to investigate for any dumped LSASS memory files in the default location, typically \\\"C:\\\\temp.\\\"\"\n references = \"https://attack.mitre.org/techniques/T1003/001/\\nhttps://github.com/deepinstinct/LsassSilentProcessExit/\"\n date = \"2024-01-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.LsassSilentProcessExit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ecc61aa00d4a6e08282e4bb0ef8f8771b1c7b54e6a99bdfe274adbdf8f84ea20\n // 73932cb7095cd17e59e79a2c61b8fd1d02ddeb8105faa73f135af393b0e6753a\n // 0ab2164ad6a20ce290a7327816b8f771620a6245ac32b9c8c150308c9808767b\n\n $s1 = \"Usage: LsassSilentProcessExit.exe \" fullword ascii\n $s2 = \"DUMP_MODE:\" fullword ascii\n $s3 = \"0 - Call RtlSilentProcessExit on LSASS process handle\" fullword ascii\n $s4 = \"1 - Call CreateRemoteThread on RtlSilentProcessExit on LSASS\" fullword ascii\n $s5 = \"Setting up debug privilege...\" fullword ascii\n $s6 = \"ERROR: Failed to enable debug privilege!\" fullword ascii\n $s7 = \"Setting up GFlags & SilentProcessExit settings in registry...\" fullword ascii\n $s8 = \"ERROR: Could not set registry values!\" fullword ascii\n $s9 = \"RtlReportSilentProcessExit\" fullword ascii\n $s10 = \"ERROR OpenProcess() failed with error:\" fullword ascii\n $s11 = \"RtlReportSilentProcessExit() NTSTATUS:\" fullword ascii\n $s12 = \"DONE! 
Check out the dump folder (C:\\\\temp)\" fullword ascii // backslash must be doubled: a bare \\t inside a YARA text string is a TAB, so the unescaped form could never match the tool's output\n $s13 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\\" fullword ascii\n $s14 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\\" fullword ascii\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "lsass_silent_process_exit" ], "rule_creation_date": "2024-01-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.LsassSilentProcessExit" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lumma_stealer_memory_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576275Z", "creation_date": "2026-03-23T11:46:25.576278Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576283Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\nhttps://www.0x1c.zip/0001-lummastealer/" ], "name": "lumma_stealer_memory.yar", "content": "rule lumma_stealer_memory {\n meta:\n title = \"Lumma Stealer Memory\"\n id = \"a8290d54-f88b-4cdf-9854-7ea6235c0efb\"\n description = \"Detects Lumma Stealer v2 (aka LummaC2 Stealer) memory artifacts. Lumma Stealer is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\\nhttps://www.0x1c.zip/0001-lummastealer/\"\n date = \"2025-07-07\"\n modified = \"2025-08-05\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Stealer.Lumma\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // bba2b3ffc0e417957f22666d5f5d10e7b77198e5bd7ee43f3b48f6285f62b2be\n // f792634c1d9ff2bc7b169714bd6ae69ec36a73f76985e07141a761884d863ae0\n\n $self_injected_stub = {\n 83 EC 08 // sub esp, 8\n 8B 44 24 ?? // mov eax, [esp+0Ch+arg_0]\n C7 04 24 00 00 00 00 // mov [esp+0Ch+var_C], 0\n\n // loc_43330F:\n 83 3C 24 ?? // cmp [esp+0Ch+var_C], 2Eh\n 72 02 // jb short loc_433317\n EB ?? // jmp short loc_433358\n }\n\n $browser_injected_code = {\n 48 BE ?? ?? ?? ?? ?? ?? 00 00 // movabs rsi, 0x3cdc01b72c00\n 48 BF ?? ?? ?? ?? ?? ?? 00 00 // movabs rdi, 0x1c893a60000\n 48 B9 20 00 00 00 00 00 00 00 // movabs rcx, 0x20\n F3 A4 // rep movsb byte ptr [rdi], byte ptr [rsi]\n 48 B9 ?? ?? ?? ?? ?? ?? 
00 00 // movabs rcx, 0x1c893a60000\n BA 20 00 00 00 // mov edx, 0x20\n 45 31 C0 // xor r8d, r8d\n 48 B8 ?? ?? ?? ?? ?? ?? 00 00 // movabs rax, 0x7ffd661c16f0\n FF D0 // call rax\n C3 // ret\n }\n\n condition:\n #self_injected_stub > 200 or $browser_injected_code\n}\n", "rule_count": 1, "rule_names": [ "lumma_stealer_memory" ], "rule_creation_date": "2025-07-07", "rule_modified_date": "2025-08-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Lumma" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1082" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lumma_stealer_stager_shellcode_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568418Z", "creation_date": "2026-03-23T11:46:25.568421Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568427Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\nhttps://www.0x1c.zip/0001-lummastealer/" ], "name": "lumma_stealer_stager_shellcode.yar", "content": "rule lumma_stealer_stager_shellcode {\n meta:\n title = \"Lumma Stealer Stager Shellcode\"\n id = \"3f51e303-458e-4adb-826d-c2aea4d82ba5\"\n description = \"Detects the Lumma Stealer stager shellcode used to download and execute the stealer into a remote process.\\nLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is recommended to investigate network traffic for potential C2 communication.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\\nhttps://www.0x1c.zip/0001-lummastealer/\"\n date = \"2024-08-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055.002;attack.execution;attack.t1106;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Stealer.Lumma\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // efd18e4ccd52ea2ffca936d8c5eac450df9024717c4fe5cfe079cff4ef69785a\n // bd3dceca7b73f73d83a0c46f43d42d8925f094412213ec36273c33b80ad80ce1\n\n $x1 = {\n 41 // inc ecx\n FF D7 // call edi ; InternetOpenUrlW\n 48 // dec eax\n 8D 56 18 // lea edx, [esi+18h]\n 45 // inc ebp\n 33 C9 // xor ecx, ecx\n 45 // inc ebp\n 33 C0 // xor eax, eax\n 48 // dec eax\n 8B C8 // mov ecx, eax\n 4C // dec esp\n }\n\n $x2 = {\n 41 // inc ecx\n 8B C8 // mov ecx, eax\n 49 // dec ecx\n F7 E0 // mul eax\n 48 // dec eax\n 2B CA // sub ecx, 
edx\n 48 // dec eax\n D1 E9 // shr ecx, 1\n 48 // dec eax\n 03 CA // add ecx, edx\n 48 // dec eax\n C1 E9 04 // shr ecx, 4\n 48 // dec eax\n 6B C9 15 // imul ecx, 15h\n 4C // dec esp\n 2B C1 // sub eax, ecx\n 49 // dec ecx\n 8D 40 0A // lea eax, [eax+0Ah]\n 48 // dec eax\n 83 C4 28 // add esp, 28h\n C3 // retn\n }\n\n $x3 = {\n // NOTE: x64 code listed as 32-bit disassembly; in 64-bit mode 48 33 C0 is xor rax, rax and 4C 8B D1 is mov r10, rcx,\n // i.e. the usual prologue of a direct Nt* syscall stub (the 0x15/0x29/0x2E/0x31 numbers are OS-build dependent).\n // sub_406\n 48 // dec eax\n 33 C0 // xor eax, eax\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 15 00 00 00 // mov eax, 15h\n 0F 05 // syscall\n C3 // retn\n\n // sub_414\n 48 // dec eax\n 33 C0 // xor eax, eax\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 29 00 00 00 // mov eax, 29h\n 0F 05 // syscall\n C3 // retn\n\n // sub_422\n 48 // dec eax\n 33 C0 // xor eax, eax\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 2E 00 00 00 // mov eax, 2Eh\n 0F 05 // syscall\n C3 // retn\n\n // sub_430\n 48 // dec eax\n 33 C0 // xor eax, eax\n 4C // dec esp\n 8B D1 // mov edx, ecx\n B8 31 00 00 00 // mov eax, 31h\n 0F 05 // syscall\n C3 // retn\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "lumma_stealer_stager_shellcode" ], "rule_creation_date": "2024-08-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Lumma" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1106", "attack.t1071.001", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-lumma_stealer_v2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575652Z", "creation_date": "2026-03-23T11:46:25.575655Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575660Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\nhttps://www.0x1c.zip/0001-lummastealer/" ], "name": "lumma_stealer_v2.yar", "content": "rule lumma_stealer_v2 {\n meta:\n title = \"Lumma Stealer v2\"\n id = \"b1f74ddf-6e1c-468c-8743-24c3571cc912\"\n description = \"Detects Lumma Stealer v2 (aka LummaC2 Stealer), an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. This stealer is designed to extract sensitive information such as system details, clipboard contents, and installed software. 
It may inject into legitimate processes to avoid detection and create or modify system files related to its activities.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma\\nhttps://www.intrinsec.com/wp-content/uploads/2023/10/TLP-CLEAR-Lumma-Stealer-EN-Information-report.pdf\\nhttps://www.0x1c.zip/0001-lummastealer/\"\n date = \"2024-08-30\"\n modified = \"2025-05-12\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Stealer.Lumma\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 35e5f8f573216bf3c4d308c8556ac17043986cfd17a9f25824ca54f7a2483892\n // 0d295e2c53c2f33f6582c03767e0692ce8c366210dd5bca7a671152c763cce4f\n // 8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7\n // fbb0f6f5d7f6482d15ca97b8500806d9aff10a82ebc555e1beb4644159c3da07\n\n $s_a = \"# Buy now: TG @lummanowork\" ascii fullword\n\n $s_b1 = \"- LummaC2 Build:\" ascii\n $s_b2 = \"- LID:\" ascii\n $s_b3 = \"- Install Date:\" ascii\n $s_b4 = \"- HWID:\" ascii\n\n $s_c1 = \"System.txtPK\" ascii fullword\n $s_c2 = \"Clipboard.txtPK\" ascii fullword\n $s_c3 = \"Software.txtPK\" ascii fullword\n $s_c4 = \"Processes.txtPK\" ascii fullword\n\n $s_d1 = \"act=recive_message&ver=\" ascii\n $s_d2 = \"act=get_message&ver=\" ascii\n $s_d3 = \"act=life\" ascii fullword\n\n $s_e1 = \"%programfiles%\\\\Telegram Desktop\" ascii fullword\n $s_e2 = \"%localappdata%\\\\Chedot\\\\User Data\" ascii fullword\n $s_e3 = \"%localappdata%\\\\1Password\" ascii fullword\n $s_e4 = \"%appdata%\\\\Bitcoin\\\\wallets\" ascii fullword\n\n $x1 = {\n 88 (18|19|1A|1B) // mov [edx], bl\n (40|41|42|43) // inc edx\n 0F B6 (1E|1F) // movzx ebx, byte ptr [edi]\n (46|47) // inc edi\n 84 DB // test bl, bl\n 75 F5 // jnz short 
loc_4098C0\n\n // loc_4098CB:\n C6 (00|01|02|03) 00 // mov byte ptr [edx], 0\n 0F B6 (1E|1F) // movzx ebx, byte ptr [esi]\n 84 DB // test bl, bl\n 74 16 // jz short loc_4098EB\n (46|47) // inc esi\n }\n\n $x2 = {\n 88 (18|19|1A|1B) // mov [eax], bl\n (40|41|42|43) // inc eax\n 0F B6 (1E|1F) // movzx ebx, byte ptr [esi]\n (46|47) // inc esi\n 84 DB // test bl, bl\n 75 F5 // jnz short loc_4113D0\n EB 03 // jmp short loc_4113E0\n\n // loc_4113DD:\n 8B ?? ?? // mov ecx, [esp+0CBCh+var_CBC]\n\n // loc_4113E0:\n C6 (00|01|02|03) 00 // mov byte ptr [eax], 0\n 0F B6 (18|19|1A|1B) // movzx ebx, byte ptr [edx]\n 84 DB // test bl, bl\n 74 11 // jz short loc_4113FB\n (40|41|42|43) // inc edx\n }\n\n $x3 = {\n 8B 4C 24 04 // mov ecx, [esp+4Ch+var_48]\n 8B 7C 24 04 // mov edi, [esp+4Ch+var_48]\n 0F B6 7C 3C 10 // movzx edi, byte ptr [esp+edi+4Ch+var_3C]\n 81 C1 40 59 9D B9 // add ecx, 0B99D5940h\n 31 F9 // xor ecx, edi\n 89 4C 24 0C // mov [esp+4Ch+var_40], ecx\n 8B 4C 24 0C // mov ecx, [esp+4Ch+var_40]\n 80 C1 40 // add cl, 40h ; '@'\n 8B 7C 24 04 // mov edi, [esp+4Ch+var_48]\n 88 4C 3C 10 // mov byte ptr [esp+edi+4Ch+var_3C], cl\n FF 44 24 04 // inc [esp+4Ch+var_48]\n 8B 4C 24 04 // mov ecx, [esp+4Ch+var_48]\n 83 F9 0A // cmp ecx, 0Ah\n 72 CB // jb short loc_43C050\n }\n\n $x4 = {\n 66 89 ?? // mov [eax], cx\n 83 C0 02 // add eax, 2\n 0F B7 ?? // movzx ecx, word ptr [edx]\n 83 ?? 02 // add edx, 2\n 66 85 ?? // test cx, cx\n 75 EF // jnz short loc_410700\n\n // loc_410711:\n 66 C7 00 00 00 // mov word ptr [eax], 0\n 0F B7 (00 00 00| ?? ?? ?? ?? ??) // movzx ecx, word_451E32\n 66 85 ?? // test cx, cx\n 74 ?? 
// jz short loc_410745\n }\n\n $x5 = {\n 66 61 69 6C 65 64 20 66 69 6E 64 69 6E 67 20 63 // failed finding central directory\n 65 6E 74 72 61 6C 20 64 69 72 65 63 74 6F 72 79\n 00\n [6] 2D 2D [24] 00 // \"Lumma ID\"\n (\n 73 79 73 74 65 6D 20 6F 72 20 63 68 61 72 61 63 // system or character via spellings glyphsa\n 74 65 72 20 76 69 61 20 73 70 65 6C 6C 69 6E 67\n 73 20 67 6C 79 70 68 73 20 61 20 69 73 20 75 73\n 65\n |\n 74 6f 74 61 6c 20 65 72 72 6f 72 73 00 // total errors\n )\n }\n\n $x6 = {\n 21 D7 // and edi, edx\n 89 C6 // mov esi, eax\n 31 D6 // xor esi, edx\n 01 D6 // add esi, edx\n 29 FE // sub esi, edi\n 89 C7 // mov edi, eax\n 21 D7 // and edi, edx\n 01 FF // add edi, edi\n 29 D7 // sub edi, edx\n 01 CF // add edi, ecx\n 09 C2 // or edx, eax\n 21 FA // and edx, edi\n F7 D2 // not edx\n 21 F2 // and edx, esi\n }\n\n condition:\n (\n $s_a and\n (\n 2 of ($s_b*) or\n 2 of ($s_c*) or\n 1 of ($s_d*) or\n 3 of ($s_e*)\n )\n ) or\n (\n 1 of ($s_b*) and\n 1 of ($s_c*) and\n 1 of ($s_d*) and\n 1 of ($s_e*)\n ) or\n (\n 2 of ($s_b*) and\n 1 of ($s_d*) and\n 2 of ($s_e*)\n ) or\n (\n 2 of ($s_c*) and\n 1 of ($s_d*) and\n 2 of ($s_e*)\n ) or\n 1 of ($x*)\n}\n", "rule_count": 1, "rule_names": [ "lumma_stealer_v2" ], "rule_creation_date": "2024-08-30", "rule_modified_date": "2025-05-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Lumma" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-magnuskatz_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568192Z", "creation_date": "2026-03-23T11:46:25.568195Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568204Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://improsec.com/tech-blog/mimikatz-under-the-hood\nhttps://attack.mitre.org/techniques/T1003/001/" ], "name": "magnuskatz.yar", "content": "rule hacktool_magnuskatz {\n meta:\n title = \"MagnusKatz HackTool\"\n id = \"76ebaea8-5ff8-42ae-9d7d-b40d663d1688\"\n description = \"Detects the execution of MagnusKatz, a post-exploitation tool used to extract NTLM hashes from memory.\\nMagnusKatz is an implementation similar to Mimikatz, designed to retrieve NTLM credentials of logged-in users at runtime. It operates by enumerating running processes and extracting the NTLM hashes from their memory space. 
This tool is often used in red teaming and security testing to demonstrate weaknesses in credential protection mechanisms.\"\n references = \"https://improsec.com/tech-blog/mimikatz-under-the-hood\\nhttps://attack.mitre.org/techniques/T1003/001/\"\n date = \"2023-05-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.MagnusKatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // af41c403c50c343aa31c7cdd7bd8f019ad228fbff6b4dc5319cd0210fff73fa8\n\n $s1 = \"[!] EnumProcessModules failed: %d\" fullword ascii\n $s2 = \"[!] GetModuleFileNameExA failed: %d\" fullword ascii\n $s3 = \"[!] Search for pattern in lsasrv.dll module memory came up empty, or something else messed up in memmem()\" fullword ascii\n $s4 = \"[!] logon session is empty. Skipping...\" fullword ascii\n $s5 = \"ChainingModeCBC\" fullword wide\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "hacktool_magnuskatz" ], "rule_creation_date": "2023-05-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.MagnusKatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-maldev_academy_hacktool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588910Z", "creation_date": "2026-03-23T11:46:25.588912Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588918Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://maldevacademy.com/\nhttps://joostagterhoek.nl/study/maldev-academy" ], "name": "maldev_academy_hacktool.yar", "content": "rule maldev_academy_hacktool {\n meta:\n title = \"Maldev Academy HackTool\"\n id = \"06c79a88-8aab-43cb-b886-1c6c7487be21\"\n description = \"Detects hacktools compiled from MalDev Academy projects.\\nMalDev Academy is an educational platform that provides hands-on training in malware development and offensive security techniques, which can also be leveraged by attackers to create real-world malicious tools.\\nIt is recommended to examine the context in which this tool is executed to determine whether its use is legitimate.\"\n references = \"https://maldevacademy.com/\\nhttps://joostagterhoek.nl/study/maldev-academy\"\n date = \"2026-01-15\"\n modified = \"2026-01-27\"\n author = \"HarfangLab\"\n tags = \"attack.resource_development;attack.t1587.001\"\n classification = \"Windows.HackTool.MaldevAcademy\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 7dd078a57d842c1cf0c598cbe08c4ecbde21916fe636daa868329f31df35c138\n\n $pdb = \"C:\\\\Users\\\\MALDEV01\\\\Desktop\\\\Maldev-code\\\\\" ascii wide\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "maldev_academy_hacktool" ], "rule_creation_date": "2026-01-15", "rule_modified_date": "2026-01-27", 
"rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.MaldevAcademy" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1587.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mandibule_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575836Z", "creation_date": "2026-03-23T11:46:25.575838Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575844Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ixty/mandibule\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" ], "name": "mandibule.yar", "content": "rule mandibule {\n meta:\n title = \"Mandibule Loader\"\n id = \"add4d841-db08-4bcd-ab81-5ad00a456bd8\"\n description = \"Detects Mandibule, a program allowing the injection of an ELF file inside a remote process.\\nMandibule is a Linux loader designed to inject malicious ELF files into legitimate processes. 
It enables remote code injection, a technique often employed for defense evasion and persistence.\\nThe injection process typically involves mapping the ELF file into the target process's memory and executing it from there.\\nIt is recommended to isolate the endpoint, analyze the injected process for potential malicious activities, and monitor for any related suspicious behavior.\"\n references = \"https://github.com/ixty/mandibule\\nhttps://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\"\n date = \"2023-09-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Linux.Loader.Mandibule\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 901c92e93f635260eb149cae03eedfa1ac85994bf90cacb5638b9cea47bbc2c6\n\n $s1 = \"> auto-detected manual mapping address 0x%lx\" ascii fullword\n $s2 = \"> load segment addr 0x%llx len 0x%llx => 0x%llx\\n\" ascii fullword\n $s3 = \"> no executable section is large enough :/\" ascii fullword\n $s4 = \"> shellcode injection addr: 0x%lx size: 0x%lx (available: 0x%lx)\" ascii fullword\n $s5 = \"> shellcode executed!\" ascii fullword\n $s6 = \"> malloc for injected code failed\" ascii fullword\n\n $mkmom_end = {\n 48 8D 05 ?? ?? 
00 00 // lea rax, aEndRodata\n 48 89 44 24 F8 // mov [rsp+var_8], rax\n 48 8B 44 24 F8 // mov rax, [rsp+var_8]\n 25 FF 0F 00 00 // and eax, 0FFFh\n (\n BA 00 10 00 00 // mov edx, 1000h\n 48 29 C2 // sub rdx, rax\n 48 89 D0 // mov rax, rdx\n |\n 48 89 C2 // mov rdx, rax\n B8 00 10 00 00 // mov eax, 1000h\n 48 29 D0 // sub rax, rdx\n )\n 48 01 44 24 F8 // add [rsp+var_8], rax\n 48 8B 44 24 F8 // mov rax, [rsp+var_8]\n C3 // retn\n }\n\n $get_mapmax = {\n EB 06 // jmp short loc_25E1\n\n // loc_25DB:\n 48 C1 6C 24 38 08 // shr [rsp+58h+var_20], 8\n\n // loc_25E1:\n 48 81 7C 24 38 FF 00 00 00 // cmp [rsp+58h+var_20], 0FFh\n 77 EF // ja short loc_25DB\n 48 81 7C 24 38 FF 00 00 00 // cmp [rsp+58h+var_20], 0FFh\n 74 12 // jz short loc_2609\n 48 83 7C 24 38 7F // cmp [rsp+58h+var_20], 7Fh\n 74 0A // jz short loc_2609\n 48 8B 44 24 28 // mov rax, [rsp+58h+var_30]\n 48 89 44 24 40 // mov [rsp+58h+var_18], rax\n\n // loc_2609:\n 48 8B 44 24 30 // mov rax, [rsp+58h+var_28]\n 48 83 C0 01 // add rax, 1\n 48 89 44 24 48 // mov [rsp+58h+var_10], rax\n }\n\n $_syscall = {\n 0F 05 // syscall\n 89 44 24 ?? // mov [rsp+ret], eax\n 8B 44 24 ?? 
// mov eax, [rsp+ret]\n C3 // retn\n }\n\n condition:\n uint16(0) == 0x457f and\n (\n 3 of ($s*) or\n (#_syscall > 4 and ($mkmom_end or $get_mapmax)) or\n ($mkmom_end and $get_mapmax) or\n 1 of ($s*) and\n (\n $mkmom_end or\n $get_mapmax or\n #_syscall > 4\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "mandibule" ], "rule_creation_date": "2023-09-22", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Loader.Mandibule" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-masky_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585415Z", "creation_date": "2026-03-23T11:46:25.585417Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585423Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Z4kSec/Masky\nhttps://z4ksec.github.io/posts/masky-release-v0.0.3/" ], "name": "masky.yar", "content": "rule masky {\n meta:\n title = \"Masky Tool\"\n id = \"41443de7-8275-4543-b6d1-6282fcfea1df\"\n description = \"Detects the use of Masky, a tool designed to 
exploit Active Directory Certificate Services (ADCS) misconfigurations to remotely dump domain users' credentials.\\nMasky works by impersonating users and extracting certificates from the ADCS server. The tool can be executed with specific parameters to target different users and output credentials to files.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/Z4kSec/Masky\\nhttps://z4ksec.github.io/posts/masky-release-v0.0.3/\"\n date = \"2022-09-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003\"\n classification = \"Windows.Tool.Masky\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e6993fbffaaf284abf6ddf209578ded243cdf961f757681debe9f12a45fa88bc\n\n $s1 = \"./Masky_results.txt\" fullword wide\n $s2 = \"./Masky_debug.txt\" fullword wide\n $s3 = \".\\\\Masky.exe /ca:'CA SERVER\\\\CA NAME' (/template:User) (/currentUser) (/output:./output.txt) (/debug:./debug.txt)\" fullword wide\n $s4 = \"[*] Successful impersonation of: \" fullword wide\n $s5 = \"[-] Please provide the parameter /ca:'CA server\\\\CA name'\" fullword wide\n $s6 = \"[+] Gathered certificate related to: '{0}'\" fullword wide\n $s7 = \"Empty Certificate for the user '{0}'\" fullword wide\n\n condition:\n uint16(0) == 0x5a4d and filesize < 600KB and 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "masky" ], "rule_creation_date": "2022-09-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Masky" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-meatsploit_shellcode_blockrecv_007a620c4755_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579056Z", "creation_date": "2026-03-23T11:46:25.579059Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579068Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meatsploit_shellcode_blockrecv_007a620c4755.yar", "content": "rule meatsploit_shellcode_blockrecv_007a620c4755 {\n meta:\n title = \"Metasploit blockrecv Shellcode (007a620c4755)\"\n id = \"623307b8-816b-429d-bd32-007a620c4755\"\n description = \"Detects Metasploit's blockrecv shellcode in x64 processes.\\nThe shellcode intercepts and blocks recv() calls until a payload is ready to be injected.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2021-09-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode = {\n 48 83 EC 10 // sub rsp, 0x10\n 48 89 E2 // mov rdx, rsp\n 4D 31 C9 // xor r9, r9\n 6A 04 // push 4\n 41 58 // pop r8\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA 02 D9 C8 5F // mov r10d, 0x5FC8D902 // recv\n FF D5 // call rbp // recv(s, &dwLength, 4, 0);\n [0-10] // possible \"reliable\" safe check if enabled on Metasploit.\n 48 83 C4 20 // add rsp, 0x20\n 5E // pop rsi\n 89 F6 // mov esi, esi\n 6A 40 // push 0x40 // PAGE_EXECUTE_READWRITE\n 41 59 // pop r9 // r9 = PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 // MEM_COMMIT\n 41 58 // pop r8 // r8 = MEM_COMMIT\n 48 89 F2 // mov rdx, rsi // dwLength\n 48 31 C9 // xor rcx, rcx // NULL\n 41 BA 58 A4 53 E5 // mov r10d, 0xE553A458 // VirtualAlloc\n FF D5 // call rbp // VirtualAlloc(NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n 48 89 C3 // mov rbx, rax\n 49 89 C7 // mov r15, rax\n // read_more:\n 4D 31 C9 // xor r9, r9\n 49 89 F0 // mov r8, rsi\n 48 89 DA // mov rdx, rbx\n 48 89 F9 // mov rcx, rdi // socket\n 41 BA 02 D9 C8 5F // mov r10d, 0x5FC8D902 // recv\n FF D5 // call rbp // recv(s, buffer, length, 0);\n [0-50] // possible \"reliable\" clean up stub if enabled on Metasploit.\n 48 01 C3 // add rbx, rax\n 48 29 C6 // sub rsi, rax\n 48 85 F6 // test rsi, rsi\n 75 E1 // jne read_more\n 41 FF E7 // jmp r15\n }\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meatsploit_shellcode_blockrecv_007a620c4755" ], "rule_creation_date": "2021-09-03", "rule_modified_date": "2025-03-17", "rule_os": [ 
"windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meatsploit_shellcode_blockrecv_caae49326009_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575534Z", "creation_date": "2026-03-23T11:46:25.575536Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575541Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meatsploit_shellcode_blockrecv_caae49326009.yar", "content": "rule meatsploit_shellcode_blockrecv_caae49326009 {\n meta:\n title = \"Metasploit blockrecv Shellcode (caae49326009)\"\n id = \"a32fd300-e61b-451e-8486-caae49326009\"\n description = \"Detects Metasploit's blockrecv shellcode in x86 processes.\\nThe shellcode intercepts and blocks recv() calls until a payload is ready to be injected.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2021-09-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode = {\n 6A 00 // push 0x00\n 6A 04 // push 0x04\n 56 // push esi\n 57 // push edi // socket\n 68 02 D9 C8 5F // push 0x5FC8D902 // recv\n FF D5 // call ebp // recv(s, &dwLength, 4, 0);\n [0-10] // possible \"reliable\" safe check if enabled on Metasploit.\n 8B 36 // mov esi, dword ptr [esi]\n 6A 40 // push 0x40 // PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 // MEM_COMMIT\n 56 // push esi // dwLength\n 6A 00 // push 0x00 // NULL\n 68 58 A4 53 E5 // push 0xE553A458 // VirtualAlloc\n FF D5 // call ebp // VirtualAlloc(NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n 93 // xchg eax, ebx\n 53 // push ebx\n // read_more:\n 6A 00 // push 0x00\n 56 // push esi\n 53 // push ebx\n 57 // push edi // socket\n 68 02 D9 C8 5F // push 0x5FC8D902 // recv\n FF D5 // call ebp // recv(s, buffer, length, 0);\n [0-50] // possible \"reliable\" clean up stub if enabled on Metasploit.\n 01 C3 // add ebx, eax\n 29 C6 // sub esi, eax\n 75 EE // jne read_more\n C3 // ret\n }\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meatsploit_shellcode_blockrecv_caae49326009" ], "rule_creation_date": "2021-09-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-meatsploit_shellcode_blockrecv_rc4_13fbe65bba53_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569617Z", "creation_date": "2026-03-23T11:46:25.569619Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569625Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meatsploit_shellcode_blockrecv_rc4_13fbe65bba53.yar", "content": "rule meatsploit_shellcode_blockrecv_rc4_13fbe65bba53 {\n meta:\n title = \"Metasploit blockrecv RC4 Shellcode (13fbe65bba53)\"\n id = \"0332e5f8-3820-4138-a2b8-13fbe65bba53\"\n description = \"Detects Metasploit's blockrecv RC4 shellcode in x86 processes.\\nThe shellcode decrypts data using RC4 cipher and blocks recv() calls until a payload is ready.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2021-09-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode = {\n 6A 00 // push 0\n 6A 04 // push 4\n 56 // push esi\n 57 // push edi // socket\n 68 02 D9 C8 5F // push 0x5FC8D902 // recv\n FF D5 // call ebp // recv(s, &dwLength, 4, 0);\n [0-10] // possible \"reliable\" safe check if enabled on Metasploit.\n 8B 36 // mov esi, dword ptr [esi]\n 81 F6 58 4F 52 4B // xor esi, 0x4B524F58 // \"XORK\"\n 8D 0E // lea ecx, [esi]\n 6A 40 // push 0x40 // PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 // MEM_COMMIT\n 51 // push ecx // dwLength\n 6A 00 // push 0 // NULL\n 68 58 A4 53 E5 // push 0xE553A458 // VirtualAlloc\n FF D5 // call ebp // VirtualAlloc(NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n 8D 98 00 01 00 00 // lea ebx, [eax + 0x100]\n 53 // push ebx\n 56 // push esi\n 50 // push eax\n 6A 00 // push 0\n 56 // push esi // length\n 53 // push ebx // buffer\n 57 // push edi // socket\n 68 02 D9 C8 5F // push 0x5FC8D902 // recv\n FF D5 // call ebp // recv(s, buffer, length, 0);\n [0-50] // possible \"reliable\" clean up stub if enabled on Metasploit.\n 01 C3 // add ebx, eax\n 29 C6 // sub esi, eax\n 75 EE // jne 0x31\n 5B // pop ebx\n 59 // pop ecx\n 5D // pop ebp\n 55 // push ebp\n 57 // push edi\n 89 DF // mov edi, ebx\n E8 10 00 00 00 // call 0x5f\n [16] // RC4 key\n // RC4 library start\n // rc4_init:\n 5E // pop esi\n 31 C0 // xor eax, eax\n AA // stosb byte ptr es:[edi], al\n FE C0 // inc al\n 75 FB // jne rc4_init\n 81 EF 00 01 00 00 // sub edi, 0x100\n 31 DB // xor ebx, ebx\n 02 1C 07 // add bl, byte ptr [edi + eax]\n 89 
C2 // mov edx, eax\n 80 E2 0F // and dl, 0xf\n // rc4_permute:\n 02 1C 16 // add bl, byte ptr [esi + edx]\n 8A 14 07 // mov dl, byte ptr [edi + eax]\n 86 14 1F // xchg byte ptr [edi + ebx], dl\n 88 14 07 // mov byte ptr [edi + eax], dl\n FE C0 // inc al\n 75 E8 // jne rc4_permute\n 31 DB // xor ebx, ebx\n // rc4_decrypt:\n FE C0 // inc al\n 02 1C 07 // add bl, byte ptr [edi + eax]\n 8A 14 07 // mov dl, byte ptr [edi + eax]\n 86 14 1F // xchg byte ptr [edi + ebx], dl\n 88 14 07 // mov byte ptr [edi + eax], dl\n 02 14 1F // add dl, byte ptr [edi + ebx]\n 8A 14 17 // mov dl, byte ptr [edi + edx]\n 30 55 00 // xor byte ptr [ebp], dl\n 45 // inc ebp\n 49 // dec ecx\n 75 E5 // jne rc4_permute\n // RC4 library end\n 5F // pop edi\n C3 // ret\n }\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meatsploit_shellcode_blockrecv_rc4_13fbe65bba53" ], "rule_creation_date": "2021-09-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2015_1701_a584df914226_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578459Z", "creation_date": "2026-03-23T11:46:25.578461Z", 
"enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578467Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2015_1701_a584df914226.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2015_1701_a584df914226 {\n meta:\n title = \"Metasploit CVE-2015-1701 (a584df914226)\"\n id = \"4fad6edd-a5f4-41dd-908e-a584df914226\"\n description = \"Detects the Metasploit CVE-2015-1701 x64 DLL, which exploits a vulnerability in Windows Win32k.sys to gain elevated privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 86016 and hash.sha256(0, filesize) == \"9272edfe8ee184f1b4308e866ad66326552ddae02d37b9bd4dbb1167c9aadcf1\") or\n (filesize == 131072 and hash.sha256(0, filesize) == \"8f09586dc28ea861bf436e07a4cbf6b361aafe0cb83aed7289be5d6b49726c3c\") or\n (filesize == 84992 and hash.sha256(0, filesize) == \"e8950dfc957d2323f55944075134ff945bb8c467e48c1b4b7c86725b09460da2\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2015_1701_a584df914226" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ 
"Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2015_1701_bad66166c82e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578784Z", "creation_date": "2026-03-23T11:46:25.578786Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578791Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2015_1701_bad66166c82e.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2015_1701_bad66166c82e {\n meta:\n title = \"Metasploit CVE-2015-1701 (bad66166c82e)\"\n id = \"6329c287-c6a6-4d5d-a6d1-bad66166c82e\"\n description = \"Detects the Metasploit CVE-2015-1701 x86 DLL, which exploits a vulnerability in Windows Win32k.sys to gain elevated privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 72192 and hash.sha256(0, filesize) == \"c3b6f81b25c7315d9a856dbc0ed1b129b2e0b39553fbd8a50a4145de6aa8ed42\") or\n (filesize == 73728 and hash.sha256(0, filesize) == \"f194e27fbae17226b9968c306d55f7a2b479161bfa68e3e748fc53a080f21fa9\") or\n (filesize == 131072 and hash.sha256(0, filesize) == \"b77421a5d1d52d1f2189b67a03f27a21853e180a319997f66af299becd730484\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2015_1701_bad66166c82e" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2016_0040_4f40010e4fcf_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.578430Z", "creation_date": "2026-03-23T11:46:25.578432Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578438Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2016_0040_4f40010e4fcf.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2016_0040_4f40010e4fcf {\n meta:\n title = \"Metasploit CVE-2016-0040 (4f40010e4fcf)\"\n id = \"75e8cae2-669d-49dc-a1cf-4f40010e4fcf\"\n description = \"Detects the Metasploit CVE-2016-0040 x64 DLL, which exploits a vulnerability in Windows' WebDAV client to elevate privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 86016 and hash.sha256(0, filesize) == \"5327bfd555a8de5a423e15c41b9afa645d360f03b185dd93cf8bfcb346b578f0\") or\n (filesize == 131072 and hash.sha256(0, filesize) == \"a0b2d3282c881a61d588805d71884578afeed218ea60a4ba7b32e69cbaf73c7c\") or\n (filesize == 85504 and hash.sha256(0, filesize) == \"f04204efd259771ddc0d09c5c7be5a8b531281645b4ac113894c1000ea7802b1\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2016_0040_4f40010e4fcf" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2016_0051_0b5609cd67cd_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.575594Z", "creation_date": "2026-03-23T11:46:25.575596Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575601Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2016_0051_0b5609cd67cd.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2016_0051_0b5609cd67cd {\n meta:\n title = \"Metasploit CVE-2016-0051 (0b5609cd67cd)\"\n id = \"7c16154b-c21d-483d-9ce1-0b5609cd67cd\"\n description = \"Detects the Metasploit CVE-2016-0051 x86 DLL, which exploits a vulnerability in Windows' WebDAV client to elevate privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 131072 and hash.sha256(0, filesize) == \"1b4d7d0f717a71203adfbd900ef7d907c7ffd7f7d8fdb682f5fdda4be98b669e\") or\n (filesize == 90624 and hash.sha256(0, filesize) == \"f9da84d51a436405bfde86e2a5abbb4bd19cc1226bc07a9f89c1153437a70797\") or\n (filesize == 94208 and hash.sha256(0, filesize) == \"96b653ac7e56dc7c8e0e547a355402f58c04a81aa1fabe393183ba8c97c09b1a\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2016_0051_0b5609cd67cd" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2018_8120_313d8d2c5bfe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.566973Z", "creation_date": "2026-03-23T11:46:25.566976Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566982Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2018_8120_313d8d2c5bfe.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2018_8120_313d8d2c5bfe {\n meta:\n title = \"Metasploit CVE-2018-8120 (313d8d2c5bfe)\"\n id = \"2b54e391-b7e4-4725-9d90-313d8d2c5bfe\"\n description = \"Detects the x64 Metasploit module for the CVE-2018-8120, which exploits a vulnerability in Windows Win32k to gain elevated privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 131072 and hash.sha256(0, filesize) == \"2c87b6ecc592d68e607997cd0f2863fefa7bb4a56f836fa5172cd0be6d07ee1c\") or\n (filesize == 98304 and hash.sha256(0, filesize) == \"8ee8a7cf0d638788b11cf505a5b9266ca5a10a421ded7d4fd1e0bd3e799d8593\") or\n (filesize == 95744 and hash.sha256(0, filesize) == \"a848356ec4479cf3cf749e9b16ee763fa63da0b4074d67519190c2d7d8e1ea34\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2018_8120_313d8d2c5bfe" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_cve_2018_8120_77edc194de68_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.578725Z", "creation_date": "2026-03-23T11:46:25.578727Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578733Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_cve_2018_8120_77edc194de68.yar", "content": "import \"hash\"\n\nrule metasploit_cve_2018_8120_77edc194de68 {\n meta:\n title = \"Metasploit CVE-2018-8120 (77edc194de68)\"\n id = \"f332b9f6-4afb-44f1-840b-77edc194de68\"\n description = \"Detects the x86 Metasploit module for the CVE-2018-8120, which exploits a vulnerability in Windows Win32k to gain elevated privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 131072 and hash.sha256(0, filesize) == \"92e0af30c7129a524e141c75c3e71c5f8008c2f6a7a7e40eee93ded8305f0f9a\") or\n (filesize == 86016 and hash.sha256(0, filesize) == \"04b0d001de0c1e09d9b1e611f13877e9bbdfa5a09b3ca1da280594c54e4d9712\") or\n (filesize == 83456 and hash.sha256(0, filesize) == \"70260bde4040c7b910adfe36e1bde92f3cbecd816cd00c2fc793ad27fedc9d53\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_cve_2018_8120_77edc194de68" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_ext_server_priv_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.575563Z", "creation_date": "2026-03-23T11:46:25.575565Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575571Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/" ], "name": "metasploit_ext_server_priv.yar", "content": "rule metasploit_ext_server_priv {\n meta:\n title = \"Metasploit ext_server_priv\"\n id = \"5cdf3912-3e01-46e3-bc79-23380eca03c7\"\n description = \"Detects the Metasploit meterpreter private server extension.\\nThis extension enables communication with a Meterpreter server, allowing attackers to elevate privileges or dump credentials from lsass.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1003/\"\n date = \"2022-02-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.HackTool.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload use those APIs to interact with communication channels and inject payloads in distant process.\n $metasploit_api_import_s1 = \"CreateNamedPipeA\" ascii\n $metasploit_api_import_s2 = \"ConnectNamedPipe\" ascii\n $metasploit_api_import_s3 = \"VirtualAllocEx\" ascii\n $metasploit_api_import_s4 = \"ReadProcessMemory\" ascii\n $metasploit_api_import_s5 = \"WriteProcessMemory\" ascii\n $metasploit_api_import_s6 = \"CreateRemoteThread\" ascii\n\n $metasploit_ext_server_priv_marker_s1 = \":::\\n\" ascii\n $metasploit_ext_server_priv_marker_s2 = \"\\\\\\\\.\\\\pipe\\\\%08x%08x\\\\pipe\\\\spoolss\" ascii\n $metasploit_ext_server_priv_marker_s3 = \"\\\\\\\\localhost\\\\pipe\\\\%08x%08x\" ascii\n $metasploit_ext_server_priv_marker_s4 = \"12345678-1234-ABCD-EF00-0123456789AB\" wide\n $metasploit_ext_server_priv_marker_s5 = \"ncacn_np\" wide\n $metasploit_ext_server_priv_marker_s6 = \"Global\\\\SAM\" ascii\n $metasploit_ext_server_priv_marker_s7 = \"Global\\\\FREE\" ascii\n\n $metasploit_ext_server_priv_passwd_module_s1 = \"Global\\\\SAM\" ascii\n $metasploit_ext_server_priv_passwd_module_s2 = \"Global\\\\FREE\" ascii\n $metasploit_ext_server_priv_passwd_control = {\n 4C 89 AC 24 ?? ?? ?? ?? // mov qword ptr [rsp + 0xXX], r13\n 41 BD 60 EA 00 00 // mov r13d, 60000 // dwMillisecondsToWait // timeout of the SAM dumper\n 48 89 74 24 ?? // mov qword ptr [rsp + 0xXX], rsi\n 8B DE // mov ebx, esi\n 48 89 74 24 ?? 
// mov qword ptr [rsp + 0xXX], rsi\n 48 89 74 24 ?? // mov qword ptr [rsp + 0xXX], rsi\n 48 89 74 24 ?? // mov qword ptr [rsp + 0xXX], rsi\n 48 89 B5 ?? ?? ?? ?? // mov qword ptr [rbp + 0xXX], rsi\n 44 8B E6 // mov r12d, esi\n 44 8B FE // mov r15d, esi\n 41 3B CD // cmp ecx, r13d\n 72 0E // jb setup_global_events\n B8 E0 93 04 00 // mov eax, 3000000 // dwMillisecondsToWait // timeout of the SAM dumper\n 44 8B E9 // mov r13d, ecx\n 3B C8 // cmp ecx, eax\n 44 0F 47 E8 // cmova r13d, eax\n\n // setup_global_events:\n 4C 8D 0D ?? ?? ?? ?? // lea r9, [rip + 0xXX] //\"Global\\\\SAM\"\n 45 33 C0 // xor r8d, r8d // bInitialState\n 33 D2 // xor edx, edx // bManualReset\n 33 C9 // xor ecx, ecx // lpEventAttributes\n\n [0-8] // possible mov qword ptr [rsp + 0xXX], r14\n\n FF 15 ?? ?? ?? ?? // call qword ptr [rip + 0xXX] // CreateEventA(NULL, 0, 0, \"Global\\\\SAM\");\n 4C 8D 0D ?? ?? ?? ?? // lea r9, [rip + 0xXX] //\"Global\\\\FREE\"\n 45 33 C0 // xor r8d, r8d // bInitialState\n 33 D2 // xor edx, edx // bManualReset\n 33 C9 // xor ecx, ecx // lpEventAttributes\n 48 8B F8 // mov rdi, rax //\n\n [0-8] // possible mov qword ptr [rsp + 0xXX], r14\n\n FF 15 ?? ?? ?? ?? // call qword ptr [rip + 0xXX] // CreateEventA(NULL, 0, 0, \"Global\\\\FREE\");\n 48 89 44 24 ?? 
// mov qword ptr [rsp + 0xXX], rax //\n 48 85 FF // test rdi, rdi //\n }\n\n condition:\n filesize < 200KB and ((5 of ($metasploit_api_import_s*) and 5 of ($metasploit_ext_server_priv_marker_s*)) or (2 of ($metasploit_ext_server_priv_passwd_module_s*) and $metasploit_ext_server_priv_passwd_control))\n}\n", "rule_count": 1, "rule_names": [ "metasploit_ext_server_priv" ], "rule_creation_date": "2022-02-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Metasploit" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_juicypotato_37cc05cca9f9_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578518Z", "creation_date": "2026-03-23T11:46:25.578520Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578526Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_juicypotato_37cc05cca9f9.yar", "content": "import 
\"hash\"\n\nrule metasploit_juicypotato_37cc05cca9f9 {\n meta:\n title = \"Metasploit Juicypotato (37cc05cca9f9)\"\n id = \"b85b7b37-8a33-4da2-a000-37cc05cca9f9\"\n description = \"Detects the Metasploit juicy potato x64 DLL, which is used to escalate privileges locally.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 393216 and hash.sha256(0, filesize) == \"be60bba31e0abc58bee4c7c40f16073fd2f6aacfba79c885ab7acee16359a9a5\") or\n (filesize == 352256 and hash.sha256(0, filesize) == \"ae9a6fbcb28e66fa8f814c1aa968bad7c774caede61de4e528d79ce616178c8c\") or\n (filesize == 348672 and hash.sha256(0, filesize) == \"ed26bdb3427053d3c5feca22c4a003cc9a2e0ba4c54b86a00cf1d73cf5861c66\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_juicypotato_37cc05cca9f9" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_juicypotato_5b230d6bbccc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578844Z", "creation_date": "2026-03-23T11:46:25.578846Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578852Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_juicypotato_5b230d6bbccc.yar", "content": "import \"hash\"\n\nrule metasploit_juicypotato_5b230d6bbccc {\n meta:\n title = \"Metasploit juicypotato (5b230d6bbccc)\"\n id = \"3050d4da-bc94-40fa-982f-5b230d6bbccc\"\n description = \"Detects the Metasploit juicy potato x86 DLL, which is used to escalate privileges locally.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 327680 and hash.sha256(0, filesize) == \"a4c53532699dc5fe4a3dda98f016ca96eac2cff5827509db861439ed95447bd0\") or\n (filesize == 270336 and hash.sha256(0, filesize) == \"217093c8ca0628d902f2111edc2bc230c5f410fc987156293fcb0e1a6b4b76a5\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_juicypotato_5b230d6bbccc" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_reflective_dll_aab35aade46c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566777Z", "creation_date": "2026-03-23T11:46:25.566779Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566784Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_reflective_dll_aab35aade46c.yar", "content": "import \"hash\"\n\nrule metasploit_reflective_dll_aab35aade46c {\n meta:\n title = \"Metasploit Reflective Dll (aab35aade46c)\"\n id = \"39b4c7b4-659e-4fa0-aa54-aab35aade46c\"\n description = \"Detects the Metasploit reflective_dll x64 DLL, which is used to inject malicious code into processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 872448 and hash.sha256(0, filesize) == \"afae6644fe31d56e5272f1023ffbe724cc75ff4966bfb55ffe470a714859ba32\") or\n (filesize == 917504 and hash.sha256(0, filesize) == \"15774019c4f0247faed5cb518c319b0f3b81e9f10710335865b0ba0ee7f1a412\") or\n (filesize == 870912 and hash.sha256(0, filesize) == \"e618f8e0fbd05aab8ec878940e9018575b16197426a672cf5b07efefadf3d27e\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_reflective_dll_aab35aade46c" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ 
"attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1620" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_rottenpotato_59086a9b5dae_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578755Z", "creation_date": "2026-03-23T11:46:25.578757Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578762Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_rottenpotato_59086a9b5dae.yar", "content": "import \"hash\"\n\nrule metasploit_rottenpotato_59086a9b5dae {\n meta:\n title = \"Metasploit Rottenpotato (59086a9b5dae)\"\n id = \"f5453cf8-69a4-43b9-8458-59086a9b5dae\"\n description = \"Detects the Metasploit rottenpotato x64 DLL, which is used to create a remote service with persistence and escalate privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 393216 and hash.sha256(0, filesize) == \"dd2cc6d7f64d36a006b49fbdfa20b3b061afbdcde1fc6d81397b0c4c63a05691\") or\n (filesize == 331776 and hash.sha256(0, filesize) == \"0298dca87fe48e98f755155a3e9e4dbb4d4169a4c86ab7f4e7a8c6f7a88fb42f\") or\n (filesize == 328192 and hash.sha256(0, filesize) == \"8d4201fc46e530f65b56785b25ec3bd895cc04ef057df41bd7dc592d77bc1daa\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_rottenpotato_59086a9b5dae" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_rottenpotato_b2673d6e65cb_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.566944Z", "creation_date": "2026-03-23T11:46:25.566946Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566952Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "metasploit_rottenpotato_b2673d6e65cb.yar", "content": "import \"hash\"\n\nrule metasploit_rottenpotato_b2673d6e65cb {\n meta:\n title = \"Metasploit rottenpotato (b2673d6e65cb)\"\n id = \"bdfb25bc-a618-4e0f-8910-b2673d6e65cb\"\n description = \"Detects the Metasploit rottenpotato x86 DLL, which is used to create a remote service with persistence and escalate privileges.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-11-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n condition:\n (filesize == 253952 and hash.sha256(0, filesize) == \"e7738a5366e32588d0457d32e6f292a0b8ce3b6812735a7e53f885e075bbc199\") or\n (filesize == 250880 and hash.sha256(0, filesize) == \"d84a6a14397bdfb610639b4fc3096ac5ff501d9119b8a845626677bcb303b6d3\") or\n (filesize == 262144 and hash.sha256(0, filesize) == \"130350c0ceaece9097466a735dd2ed838a5d1902a5fdd09f881facd7e8c2aa40\")\n}\n", "rule_count": 1, "rule_names": [ "metasploit_rottenpotato_b2673d6e65cb" ], "rule_creation_date": "2020-11-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shell_block_x64_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.590389Z", "creation_date": "2026-03-23T11:46:25.590391Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590397Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.metasploit.com/\nhttps://attack.mitre.org/techniques/T1059\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "metasploit_shell_block_x64.yar", "content": "rule metasploit_api_block_x64 {\n meta:\n title = \"Metasploit API hashing block (48ca3eb93fb0)\"\n id = \"4f304b02-3978-47d5-9265-48ca3eb93fb0\"\n description = \"Detects Metasploit's API Hashing block.\\nMetasploit is a widely-used penetration testing and exploitation framework that provides tools for vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities.\\nMetasploit organizes its Windows shellcode using a modular \\\"block\\\" system. 
These blocks are reusable assembly components that are combined to create complete payloads.\\nAPI hashing is a technique used by malware to dynamically resolve API function addresses at runtime, which helps in evading static analysis and anti-virus detection.\\nIf possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.metasploit.com/\\nhttps://attack.mitre.org/techniques/T1059\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2026-02-02\"\n modified = \"2026-02-19\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1059;attack.t1027.007\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 33aaaebc827f21dc393d66b95e8fc1493ab6ed68fc37482e0b312810a51f4d05\n // 0017fc562706d5b80ec1a80d45176dda51a1a9473c81ee88bf83b3fd4beff3b3\n // ecfe806dd8a43ee14a29419c21b4cbafdaa7df9ea9ce7ac040afc7248078da20\n // 7899d296967e4ce296d2a1242b5e790ae0b583bcdc37eba7990a14ffbe8a21e7\n\n $canary = \"0f4de49f93bdeedeeff33708f2c39f3da3025749116e00eca4a8a573ba0b43b0\"\n\n $get_peb = {\n 41 51 // push r9 {__saved_r9}\n 41 50 // push r8 {__saved_r8}\n 52 // push rdx {__saved_rdx}\n 51 // push rcx\n 56 // push rsi {__saved_rsi}\n 48 31 D2 // xor rdx, rdx {sub_0}\n 65 48 8B 52 60 // mov rdx, qword [gs:rdx+0x60]\n 48 8B 52 18 // mov rdx, qword [rdx+0x18] ; Get PEB->Ldr\n 48 8B 52 20 // mov rdx, qword [rdx+0x20] ; Get the first module from the InMemoryOrder module list\n }\n\n $check_lowercase_name = {\n 3C 61 // cmp al, 0x61\n 7C 02 // jl 0x2d\n 2C 20 // sub al, 0x20\n 41 C1 C9 0D // ror r9d, 0xd\n 41 01 C1 // add r9d, eax\n E2 ED // loop 0x23\n 52 // push rdx {var_30_1}\n 41 51 // push r9 {var_38_1}\n }\n\n $iterate_exp_addr_table = {\n // ; Proceed to iterate the export 
address table,\n 48 8B 52 20 // mov rdx, qword [rdx+0x20]\n 8B 42 3C // mov eax, dword [rdx+0x3c] ; Get PE header\n 48 01 D0 // add rax, rdx\n 66 81 78 18 0B 02 // cmp word [rax+0x18], 0x20b ; is this module actually a PE64 executable?\n // ; this test case covers when running on wow64 but in a native x64 context via nativex64.asm and\n // ; their may be a PE32 module present in the PEB's module list, (typicaly the main module).\n // ; as we are using the win64 PEB ([gs:96]) we wont see the wow64 modules present in the win32 PEB ([fs:48])\n }\n\n condition:\n $get_peb and $check_lowercase_name and $iterate_exp_addr_table and not $canary\n}\n", "rule_count": 1, "rule_names": [ "metasploit_api_block_x64" ], "rule_creation_date": "2026-02-02", "rule_modified_date": "2026-02-19", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1059", "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shell_block_x86_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588565Z", "creation_date": "2026-03-23T11:46:25.588567Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588573Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.metasploit.com/\nhttps://attack.mitre.org/techniques/T1059\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "metasploit_shell_block_x86.yar", "content": "rule metasploit_api_block_x86 {\n meta:\n title = \"Metasploit API hashing block (f733b4f3f1b3)\"\n id = \"5c970db0-3cbb-4d5b-9137-f733b4f3f1b3\"\n description = \"Detects Metasploit's API Hashing block.\\nMetasploit is a widely-used penetration testing and exploitation framework that provides tools for vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities.\\nMetasploit organizes its Windows shellcode using a modular \\\"block\\\" system. These blocks are reusable assembly components that are combined to create complete payloads.\\nAPI hashing is a technique used by malware to dynamically resolve API function addresses at runtime, which helps in evading static analysis and anti-virus detection.\\nIf possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.metasploit.com/\\nhttps://attack.mitre.org/techniques/T1059\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2026-02-02\"\n modified = \"2026-02-19\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1059;attack.t1027.007\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3e706ac92fd452781bee8d4b5c35b09a8fc4e3a5faa08178a0cabeaadd9dd28d\n // eeb873f4de400fcf1e057426efb7fa3aac554f306d8bacbb87bd68213f33d1b6\n // 
31f255161c81f70b98f566ea31c42ef748a6463cd0a6730324b596db90e87588\n // 333bc69d8d03fbf55cbb9cedb365655dcfa6ed9f165feafce6fea99dd8b0a703\n\n $canary = \"ad16c8c3a90fbc9cc6749e1e7c8ad3e4b3b9ec3783c1be1639b3442ad82aa9b0\"\n\n $get_peb = {\n 60 // pushad {var_14} {__saved_ebx} {__saved_ecx} {__saved_edx} {__saved_ebp} {__saved_esi} {__saved_edi}\n 89 E5 // mov ebp, esp {__saved_edi}\n 31 D2 // xor edx, edx {sub_0}\n 64 8B 52 30 // mov edx, dword [fs:edx+0x30]\n 8B 52 0C // mov edx, dword [edx+0xc] ; Get PEB->Ldr\n 8B 52 14 // mov edx, dword [edx+0x14] ; Get the first module from the InMemoryOrder module list\n }\n\n $check_lowercase_name = {\n 3C 61 // cmp al, 0x61\n 7C 02 // jl 0x21\n 2C 20 // sub al, 0x20\n C1 CF 0D // ror edi, 0xd\n 01 C7 // add edi, eax\n 49 // dec ecx\n 75 EF // jne 0x18\n 52 // push edx {var_24_1}\n 57 // push edi {var_28_1}\n }\n\n $iterate_exp_addr_table = {\n 8B 52 10 // mov edx, dword [edx+0x10]\n 8B 42 3C // mov eax, dword [edx+0x3c] ; Get PE header\n 01 D0 // add eax, edx\n 8B 40 78 // mov eax, dword [eax+0x78]\n 85 C0 // test eax, eax ; Test if no export address table is present\n 74 4C // je 0x86\n 01 D0 // add eax, edx\n 50 // push eax {var_2c_1}\n 8B 48 18 // mov ecx, dword [eax+0x18]\n 8B 58 20 // mov ebx, dword [eax+0x20]\n 01 D3 // add ebx, edx ; Add the modules base address\n }\n\n condition:\n $get_peb and $check_lowercase_name and $iterate_exp_addr_table and not $canary\n}\n", "rule_count": 1, "rule_names": [ "metasploit_api_block_x86" ], "rule_creation_date": "2026-02-02", "rule_modified_date": "2026-02-19", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1059", "attack.t1027.007" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shellcode_reverse_http_0ea432bfc201_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575504Z", "creation_date": "2026-03-23T11:46:25.575506Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575512Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1055/002/" ], "name": "metasploit_shellcode_reverse_http_0ea432bfc201.yar", "content": "rule metasploit_shellcode_reverse_http_0ea432bfc201 {\n meta:\n title = \"Metasploit reverse_http Shellcode (0ea432bfc201)\"\n id = \"b63514e0-b7c3-4878-9d01-0ea432bfc201\"\n description = \"Detects Metasploit's WinInet reverse_http(s) shellcode.\\nThe shellcode establishes a reverse HTTP(S) connection using WinInet to communicate with a command-and-control server.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1055/002/\"\n date = \"2024-03-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e405caa28c9829dd9f03cadc70e4d0083a04408ced8ade52fdb75049273187fe\n // 94959b8abaabfc19ed6dfb778286ed3154b08a4efa322f0b366597ac52776269\n // 5d8c5518cdc72b14bdf001308060c78abc38803913d87c8ba3287890f052be18\n // 31ae643d62eeaa3a660ba39995e4b4074dff17a0103056876de100a922610646\n\n $shellcode_load_wininet = {\n 48 31 DB // xor rbx, rbx\n 53 // push rbx\n 49 BE 77 69 6E 69 6E 65 74 00 // mov r14, 74656E696E6977h\n 41 56 // push r14\n 48 89 E1 // mov rcx, rsp\n 49 C7 C2 4C 77 26 07 // mov r10, 726774Ch\n FF D5 // call rbp\n 53 // push rbx\n 53 // push rbx\n 48 89 E1 // mov rcx, rsp\n 53 // push rbx\n 5A // pop rdx\n 4D 31 C0 // xor r8, r8\n 4D 31 C9 // xor r9, r9\n 53 // push rbx\n 53 // push rbx\n 49 BA 3A 56 79 A7 00 00 00 00 // mov r10, 0A779563Ah\n FF D5 // call rbp\n }\n\n $shellcode_got_server_host = {\n 53 // push rbx\n 49 BA 57 89 9F C6 00 00 00 00 // mov r10, 0C69F8957h\n FF D5 // call rbp\n }\n\n $shellcode_httpopenrequest = {\n 53 // push rbx\n 48 B8 [4] 00 00 00 00 // mov rax, 84280200h\n 50 // push rax\n 53 // push rbx\n 53 // push rbx\n 49 C7 C2 EB 55 2E 3B // mov r10, 3B2E55EBh\n FF D5 // call rbp\n 48 89 C6 // mov rsi, rax\n }\n\n $shellcode_download = {\n // allocate_memory:\n 6A 40 // push 40h ; '@'\n 5A // pop rdx\n 49 89 D1 // mov r9, rdx\n C1 E2 10 // shl edx, 10h\n 49 C7 C0 00 10 00 00 // mov r8, 1000h\n 49 BA 58 A4 53 E5 00 00 00 00 // mov r10, 0E553A458h\n FF D5 // call rbp\n\n // download_prep:\n 48 93 // xchg rax, 
rbx\n 53 // push rbx\n 53 // push rbx\n 48 89 E7 // mov rdi, rsp\n\n // download_more:\n 48 89 F1 // mov rcx, rsi\n 48 89 DA // mov rdx, rbx\n 49 C7 C0 00 20 00 00 // mov r8, 2000h\n 49 89 F9 // mov r9, rdi\n 49 BA 12 96 89 E2 00 00 00 00 // mov r10, 0E2899612h\n FF D5 // call rbp\n 48 83 C4 20 // add rsp, 20h\n 85 C0 // test eax, eax\n 74 B2 // jz short loc_205\n 66 8B 07 // mov ax, [rdi]\n 48 01 C3 // add rbx, rax\n 85 C0 // test eax, eax\n 75 D2 // jnz short loc_22F\n 58 // pop rax\n\n // execute_stage:\n C3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "metasploit_shellcode_reverse_http_0ea432bfc201" ], "rule_creation_date": "2024-03-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shellcode_reverse_http_7b1ac4ebcda2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575622Z", "creation_date": "2026-03-23T11:46:25.575625Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575630Z", 
"rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1055/002/" ], "name": "metasploit_shellcode_reverse_http_7b1ac4ebcda2.yar", "content": "rule metasploit_shellcode_reverse_http_7b1ac4ebcda2 {\n meta:\n title = \"Metasploit reverse_http Shellcode (7b1ac4ebcda2)\"\n id = \"4b763d48-9a0e-4822-b6dc-7b1ac4ebcda2\"\n description = \"Detects Metasploit's WinInet reverse_http(s) shellcode.\\nThe shellcode establishes a reverse HTTP(S) connection using WinInet to communicate with a command-and-control server.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1055/002/\"\n date = \"2024-03-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 79a6a648f05394fe3a243a7528cafba621a55f21c18ec551620451bc944a7078\n // 43262045bd96fc272ef92a3a5ec086e7c49349f0c8167f5d1db6ccd7d514e9e9\n // 2199ba451139a54626d5e57c15b6374a9c698c68bcc5dc70baea9edda7ee715c\n // 013976e93c8a535b3b6e40ed49c9d4b1b18ce5e608984b547389a7b6610590cb\n\n $shellcode_load_wininet = {\n 68 6E 65 74 00 // push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.\n 68 77 69 6E 69 // push 0x696e6977 ; ...\n 54 // push esp ; Push a pointer to the \"wininet\" string on the stack.\n 68 4C 77 26 07 // push 0x0726774C ; hash( \"kernel32.dll\", \"LoadLibraryA\" )\n FF D5 // ; LoadLibraryA( \" \" )\n }\n\n $shellcode_got_server_host = {\n 
50 // push eax ; HINTERNET hInternet\n 68 57 89 9F C6 // push 0xC69F8957 ; hash( \"wininet.dll\", \"InternetConnectA\" )\n FF D5 // call ebp\n }\n\n $shellcode_httpopenrequest = {\n 68 [4] // push HTTP_OPEN_FLAGS ; dwFlags\n 53 // push ebx ; accept types\n 53 // push ebx ; referrer\n 53 // push ebx ; version\n 57 // push edi ; server URI\n 53 // push ebx ; method\n 56 // push eax ; hConnection\n // push esi\n 68 EB 55 2E 3B // push 0x3B2E55EB ; hash( \"wininet.dll\", \"HttpOpenRequestA\" )\n FF D5 // call ebp\n 96 // xchg esi, eax ; save hHttpRequest in esi\n }\n\n $shellcode_download = {\n // allocate_memory:\n 6A 40 // push byte 0x40 ; PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 ; MEM_COMMIT\n 68 00 00 40 00 // push 0x00400000 ; Stage allocation (8Mb ought to do us)\n 53 // push ebx ; NULL as we dont care where the allocation is\n 68 58 A4 53 E5 // push 0xE553A458 ; hash( \"kernel32.dll\", \"VirtualAlloc\" )\n FF D5 // call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE )\n\n // download_prep:\n 93 // xchg eax, ebx ; place the allocated base address in ebx\n 53 // push ebx ; store a copy of the stage base address on the stack\n 53 // push ebx ; temporary storage for bytes read count\n 89 E7 // mov edi, esp ; &bytesRead\n\n // download_more:\n 57 // push edi ; &bytesRead\n 68 00 20 00 00 // push 8192 ; read length\n 53 // push ebx ; buffer\n 56 // push esi ; hRequest\n 68 12 96 89 E2 // push 0xE2899612 ; hash( \"wininet.dll\", \"InternetReadFile\" )\n FF D5 // call ebp\n 85 C0 // test eax,eax ; download failed? 
(optional?)\n 74 CF // jz failure\n 8B 07 // mov eax, [edi]\n 01 C3 // add ebx, eax ; buffer += bytes_received\n 85 C0 // test eax,eax ; optional?\n 75 E5 // jnz download_more ; continue until it returns 0\n 58 // pop eax ; clear the temporary storage\n\n // execute_stage:\n C3 // ret ; dive into the stored stage address\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "metasploit_shellcode_reverse_http_7b1ac4ebcda2" ], "rule_creation_date": "2024-03-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shellcode_reverse_winhttp_2f5d4530e5ec_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569211Z", "creation_date": "2026-03-23T11:46:25.569213Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569219Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1055/002/" ], "name": 
"metasploit_shellcode_reverse_winhttp_2f5d4530e5ec.yar", "content": "rule metasploit_shellcode_reverse_winhttp_2f5d4530e5ec {\n meta:\n title = \"Metasploit reverse_winhttp Shellcode (2f5d4530e5ec)\"\n id = \"de52c2b2-35f1-41f1-b440-2f5d4530e5ec\"\n description = \"Detects Metasploit's WinHTTP reverse HTTP(S) shellcode.\\nThe shellcode leverages WinHTTP to establish a reverse connection with a command-and-control server.\\nIt is recommended to check for unexpected network connections, to monitor the use of WinHTTP-related processes and to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1055/002/\"\n date = \"2024-03-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a0bf49e71def0819bbaedd3e784bfee125532992a2b8d0e0cf1cad5465f45316\n // 674d863868a2522ec4d1cb0f0df770d0cfbebd5aad040d7638bf112629f481b3\n // 346d554c4500d9de81592bac45b45ab5222b71e63f0fa18bddd2af594dcaa1ba\n // 19968db7da782d256f07a60a170b11987e993eb37312b56b7b1c1d7b33f77cef\n\n $shellcode_load_wininet = {\n 68 74 74 70 00 // push 0x00707474 ; Push the string 'winhttp',0\n 68 77 69 6E 68 // push 0x686E6977 ; ...\n 54 // push esp ; Push a pointer to the \"winhttp\" string\n 68 4C 77 26 07 // push 0x0726774C ; hash( \"kernel32.dll\", \"LoadLibraryA\" )\n FF D5 // call ebp ; LoadLibraryA( \"winhttp\" )\n }\n\n $shellcode_got_server_host = {\n 50 // push eax ; HINTERNET hInternet\n 68 46 9B 1E C2 // push 0xC21E9B46 ; hash( \"winhttp.dll\", \"WinHttpConnect\" )\n 
FF D5 // call ebp\n }\n\n $shellcode_winhttpopenrequest = {\n 68 [4] // push HTTP_OPEN_FLAGS ; Flags [7]\n 53 // push ebx ; AcceptTypes (NULL) [6]\n 53 // push ebx ; Referrer (NULL) [5]\n 53 // push ebx ; Version (NULL) [4]\n 57 // push edi ; ObjectName (URI) [3]\n 53 // push ebx ; Verb (GET method) (NULL) [2]\n [1] // push eax ; Connect handler returned by WinHttpConnect [1]\n 68 98 10 B3 5B // push 0x5BB31098 ; hash( \"winhttp.dll\", \"WinHttpOpenRequest\" )\n FF D5 // call ebp\n 96 // xchg esi, eax ; save HttpRequest handler in esi\n }\n\n $shellcode_download = {\n // receive_response:\n 53 // push ebx ; Reserved (NULL) [2]\n 56 // push esi ; Request handler returned by WinHttpSendRequest [1]\n 68 05 88 9D 70 // push 0x709D8805 ; hash( \"winhttp.dll\", \"WinHttpReceiveResponse\" )\n FF D5 // call ebp\n 85 C0 // test eax, eax\n 74 EE // jz failure\n\n // allocate_memory:\n 6A 40 // push byte 0x40 ; PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 ; MEM_COMMIT\n 68 00 00 40 00 // push 0x00400000 ; Stage allocation (8Mb ought to do us)\n 53 // push ebx ; NULL as we dont care where the allocation is\n 68 58 A4 53 E5 // push 0xE553A458 ; hash( \"kernel32.dll\", \"VirtualAlloc\" )\n FF D5 // call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE )\n\n // download_prep:\n 93 // xchg eax, ebx ; place the allocated base address in ebx\n 53 // push ebx ; store a copy of the stage base address on the stack\n 53 // push ebx ; temporary storage for bytes read count\n 89 E7 // mov edi, esp ; &bytesRead\n\n // download_more:\n 57 // push edi ; NumberOfBytesRead (bytesRead)\n 68 00 20 00 00 // push 8192 ; NumberOfBytesToRead\n 53 // push ebx ; Buffer\n 56 // push esi ; Request handler returned by WinHttpReceiveResponse\n 68 6C 29 24 7E // push 0x7E24296C ; hash( \"winhttp.dll\", \"WinHttpReadData\" )\n FF D5 // call ebp\n 85 C0 // test eax,eax ; if download failed? 
(optional?)\n 74 C2 // jz failure\n 8B 07 // mov eax, [edi]\n 01 C3 // add ebx, eax ; buffer += bytes_received\n 85 C0 // test eax,eax ; optional?\n 75 E5 // jnz download_more ; continue until it returns 0\n 58 // pop eax ; clear the temporary storage\n\n // execute_stage:\n C3 // ret ; dive into the stored stage address\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "metasploit_shellcode_reverse_winhttp_2f5d4530e5ec" ], "rule_creation_date": "2024-03-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-metasploit_shellcode_reverse_winhttp_8316ced8e124_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569460Z", "creation_date": "2026-03-23T11:46:25.569463Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569468Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1055/002/" ], "name": 
"metasploit_shellcode_reverse_winhttp_8316ced8e124.yar", "content": "rule metasploit_shellcode_reverse_winhttp_8316ced8e124 {\n meta:\n title = \"Metasploit reverse_winhttp Shellcode (8316ced8e124)\"\n id = \"810db84d-9682-4fb0-9889-8316ced8e124\"\n description = \"Detects Metasploit's WinHTTP reverse HTTP(S) shellcode for x64 systems.\\nThe shellcode uses WinHTTP to communicate with a remote server.\\nIt is recommended to perform process analysis to identify any unauthorized use of WinHTTP, to check for signs of code injection and to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/techniques/T1055/002/\"\n date = \"2024-03-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a325cf218f5006b29433cfcfc5f7bc76531ad2db635e807c613f0eec37f05440\n\n $shellcode_load_wininet = {\n 48 31 DB // xor rbx, rbx\n 53 // push rbx\n 49 BE 77 69 6E 68 74 74 70 00 // mov r14, 707474686E6977h\n 41 56 // push r14\n 48 89 E1 // mov rcx, rsp\n 49 C7 C2 4C 77 26 07 // mov r10, 726774Ch\n FF D5 // call rbp\n 53 // push rbx\n 53 // push rbx\n 48 89 E1 // mov rcx, rsp\n 53 // push rbx\n 5A // pop rdx\n 4D 31 C0 // xor r8, r8\n 4D 31 C9 // xor r9, r9\n 53 // push rbx\n 53 // push rbx\n 49 BA 04 1F 9D BB 00 00 00 00 // mov r10, 0BB9D1F04h\n FF D5 // call rbp\n }\n\n $shellcode_got_server_host = {\n 4D 31 C9 // xor r9, r9\n 49 BA 46 9B 1E C2 00 00 00 00 // mov r10, 0C21E9B46h\n FF D5 // call rbp\n }\n\n $shellcode_winhttpopenrequest = {\n 4D 31 C9 // xor r9, r9\n 
53 // push rbx\n 48 C7 C0 [4] // mov rax, 100h\n 50 // push rax\n 53 // push rbx\n 53 // push rbx\n 49 C7 C2 98 10 B3 5B // mov r10, 5BB31098h\n FF D5 // call rbp\n }\n\n $shellcode_download = {\n // receive_response:\n 53 // push rbx\n 5A // pop rdx\n 49 C7 C2 05 88 9D 70 // mov r10, 709D8805h\n FF D5 // call rbp\n 85 C0 // test eax, eax\n 74 E9 // jz short loc_28F\n\n // allocate_memory:\n 53 // push rbx\n 59 // pop rcx\n 6A 40 // push 40h ; '@'\n 5A // pop rdx\n 49 89 D1 // mov r9, rdx\n C1 E2 10 // shl edx, 10h\n 49 C7 C0 00 10 00 00 // mov r8, 1000h\n 49 BA 58 A4 53 E5 00 00 00 00 // mov r10, 0E553A458h\n FF D5 // call rbp\n\n // download_prep:\n 48 93 // xchg rax, rbx\n 53 // push rbx\n 53 // push rbx\n 48 89 E7 // mov rdi, rsp\n\n // download_more:\n 48 89 F1 // mov rcx, rsi\n 48 89 DA // mov rdx, rbx\n 49 C7 C0 00 20 00 00 // mov r8, 2000h\n 49 89 F9 // mov r9, rdi\n 49 C7 C2 6C 29 24 7E // mov r10, 7E24296Ch\n FF D5 // call rbp\n 48 83 C4 20 // add rsp, 20h\n 85 C0 // test eax, eax\n 0F 84 9F FF FF FF // jz loc_28F\n 66 8B 07 // mov ax, [rdi]\n 48 01 C3 // add rbx, rax\n 85 C0 // test eax, eax\n 75 D1 // jnz short loc_2CB\n 58 // pop rax\n\n // execute_stage:\n C3 // retn\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "metasploit_shellcode_reverse_winhttp_8316ced8e124" ], "rule_creation_date": "2024-03-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_add_sub_5d870ac6959c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577230Z", "creation_date": "2026-03-23T11:46:25.577232Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577238Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/add_sub.rb" ], "name": "meterpreter_encoder_add_sub_5d870ac6959c.yar", "content": "rule meterpreter_encoder_add_sub_5d870ac6959c {\n meta:\n title = \"Meterpreter Add/Sub Encoder (5d870ac6959c)\"\n id = \"64c82392-db95-4da8-b94d-5d870ac6959c\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the add/sub encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/add_sub.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 54 // push esp\n 58 // pop eax\n 05 ?? ?? ?? ?? // add eax, 60C817F8h\n 05 ?? ?? ?? ?? // add eax, 0CFA16446h\n 05 ?? ?? ?? ?? // add eax, 0CF9683C2h\n 50 // push eax\n 5C // pop esp\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 94DB326Dh\n 05 ?? ?? ?? ?? // add eax, 757E00BCh\n 05 ?? ?? ?? ?? // add eax, 0F60C453Ch\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 5871B4DEh\n 05 ?? ?? ?? ?? // add eax, 835129A9h\n 05 ?? ?? ?? ?? // add eax, 52A08DDAh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0AE632CA7h\n 05 ?? ?? ?? ?? // add eax, 1C39A335h\n 05 ?? ?? ?? ?? // add eax, 98CE9B87h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0D5876049h\n 05 ?? ?? ?? ?? // add eax, 2DDDDCB8h\n 05 ?? ?? ?? ?? // add eax, 0D29A15FFh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0CF3635Bh\n 05 ?? ?? ?? ?? // add eax, 1B8745F9h\n 05 ?? ?? ?? ?? // add eax, 41F4C8BFh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 84A0613Bh\n 05 ?? ?? ?? ?? // add eax, 5C3050FDh\n 05 ?? ?? ?? ?? 
// add eax, 66EA533Dh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 825052BAh\n 05 ?? ?? ?? ?? // add eax, 12C72720h\n 05 ?? ?? ?? ?? // add eax, 4BE40630h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0EF91F67Eh\n 05 ?? ?? ?? ?? // add eax, 1A6ECEDBh\n 05 ?? ?? ?? ?? // add eax, 7205777Ch\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0A9143919h\n 05 ?? ?? ?? ?? // add eax, 0B985C426h\n 05 ?? ?? ?? ?? // add eax, 9D03C056h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 5CF82ADDh\n 05 ?? ?? ?? ?? // add eax, 3943CC4Dh\n 05 ?? ?? ?? ?? // add eax, 102C5F78h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 3545DBE0h\n 05 ?? ?? ?? ?? // add eax, 7200437Ch\n 05 ?? ?? ?? ?? // add eax, 0EAA9C79h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 868F1D0Eh\n 05 ?? ?? ?? ?? // add eax, 0C9CF89EFh\n 05 ?? ?? ?? ?? // add eax, 0AF28C88Eh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 0DAED8870h\n 05 ?? ?? ?? ?? // add eax, 0D25E1FD7h\n 05 ?? ?? ?? ?? // add eax, 841CA7B9h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 125AD717h\n 05 ?? ?? ?? ?? // add eax, 8522A9ADh\n 05 ?? ?? ?? ?? // add eax, 688331C1h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 11C5911h\n 05 ?? ?? ?? ?? // add eax, 63A07D9h\n 05 ?? ?? ?? ?? // add eax, 85AB0973h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? 
?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 186F7858h\n 05 ?? ?? ?? ?? // add eax, 411CDB6Ch\n 05 ?? ?? ?? ?? // add eax, 345EBEC7h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 55DF93DEh\n 05 ?? ?? ?? ?? // add eax, 0FFDBE294h\n 05 ?? ?? ?? ?? // add eax, 4A3E96Eh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 6287C4DEh\n 05 ?? ?? ?? ?? // add eax, 0EBFADE3Ch\n 05 ?? ?? ?? ?? // add eax, 0B0CEB73Fh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 1A945A7Ch\n 05 ?? ?? ?? ?? // add eax, 15F126F7h\n 05 ?? ?? ?? ?? // add eax, 30D5D9B1h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 250A6C29h\n 05 ?? ?? ?? ?? // add eax, 0EA8097E5h\n 05 ?? ?? ?? ?? // add eax, 14B985C2h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 66ED345h\n 05 ?? ?? ?? ?? // add eax, 21FF634h\n 05 ?? ?? ?? ?? // add eax, 0F8FC3B12h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 1ED3D522h\n 05 ?? ?? ?? ?? // add eax, 0E7200687h\n 05 ?? ?? ?? ?? // add eax, 0CD0D40AFh\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 9B595944h\n 05 ?? ?? ?? ?? // add eax, 0FF4A1852h\n 05 ?? ?? ?? ?? // add eax, 0F0A79AF5h\n 50 // push eax\n 25 ?? ?? ?? ?? // and eax, 3358B290h\n 25 ?? ?? ?? ?? // and eax, 4C254803h\n 05 ?? ?? ?? ?? // add eax, 18846E25h\n 05 ?? ?? ?? ?? // add eax, 51AEBC88h\n 05 ?? ?? ?? ?? 
// add eax, 0FC9FD677h\n 50 // push eax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_add_sub_5d870ac6959c" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_call4_dword_xor_216478652723_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578371Z", "creation_date": "2026-03-23T11:46:25.578373Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578379Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/call4_dword_xor.rb" ], "name": "meterpreter_encoder_call4_dword_xor_216478652723.yar", "content": "rule meterpreter_encoder_call4_dword_xor_216478652723 {\n meta:\n title = \"Meterpreter Call+4 Encoder (216478652723)\"\n id = \"f3fef967-f69a-498d-be00-216478652723\"\n description = 
\"Detects the usage of the Metasploit meterpreter x86 with the call+4 encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/call4_dword_xor.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 83 E9 CF // sub ecx, 0FFFFFFCFh\n E8 FF FF FF // call $+4\n FF C0 // inc eax\n 5E // pop esi\n\n // loc_C:\n 81 76 0E ?? ?? ?? ?? 
// xor dword ptr [esi+0Eh], 0BF7F9AD5h\n 83 EE FC // sub esi, 0FFFFFFFCh\n E2 F4 // loop loc_C\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_call4_dword_xor_216478652723" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_context_cpuid_aae504e96cf6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578401Z", "creation_date": "2026-03-23T11:46:25.578403Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578408Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_cpuid.rb" ], "name": "meterpreter_encoder_context_cpuid_aae504e96cf6.yar", "content": "rule meterpreter_encoder_context_cpuid_aae504e96cf6 {\n meta:\n title = \"Meterpreter Context Cpuid Encoder (aae504e96cf6)\"\n id = 
\"0855a61d-963d-4090-bf82-aae504e96cf6\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the cpuid based context keyed payload encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_cpuid.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 31 F6 // xor esi, esi\n 31 FF // xor edi, edi\n\n // loc_4:\n 89 F8 // mov eax, edi\n 31 C9 // xor ecx, ecx\n 0F A2 // cpuid\n 31 C6 // xor esi, eax\n 39 F0 // cmp eax, esi\n 75 03 // jnz short loc_13\n 8D 78 01 // lea edi, [eax+1]\n\n // loc_13:\n 31 DE // xor esi, ebx\n 31 CE // xor esi, ecx\n 31 D6 // xor esi, edx\n 83 EF 01 // sub edi, 1\n 75 E6 // jnz short loc_4\n 89 F0 // mov eax, esi\n\n // Shikata block\n [20]\n E2 F5 // loop loc_33\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_context_cpuid_aae504e96cf6" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_context_stat_4c869cbec187_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578897Z", "creation_date": "2026-03-23T11:46:25.578900Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578905Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_stat.rb" ], "name": "meterpreter_encoder_context_stat_4c869cbec187.yar", "content": "rule meterpreter_encoder_context_stat_4c869cbec187 {\n meta:\n title = \"Meterpreter Context Stat Encoder (4c869cbec187)\"\n id = \"fd3a2b7b-3c50-43e2-abaf-4c869cbec187\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with stat based context keyed payload encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_stat.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n D9 EE // fldz\n D9 74 24 F4 // fnstenv byte ptr [esp-0Ch]\n 5B // pop ebx\n EB ?? // jmp short loc_10\n // STAT_FILE\n [6-20]\n\n // loc_10:\n 83 C3 09 // add ebx, 9\n 8D 53 ?? // lea edx, [ebx+7]\n 31 C0 // xor eax, eax\n 88 02 // mov [edx], al\n 8D 4C 24 A8 // lea ecx, [esp-58h]\n B0 C3 // mov al, 0C3h\n CD 80 // int 80h\n 8B 41 2C // mov eax, [ecx+2Ch]\n 33 41 48 // xor eax, [ecx+48h]\n\n // Shikata block\n [20]\n E2 F5 // loop loc_33\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_context_stat_4c869cbec187" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_context_time_11814857ad66_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578637Z", "creation_date": "2026-03-23T11:46:25.578639Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578644Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_time.rb" ], "name": "meterpreter_encoder_context_time_11814857ad66.yar", "content": "rule meterpreter_encoder_context_time_11814857ad66 {\n meta:\n title = \"Meterpreter Context Time Encoder (11814857ad66)\"\n id = \"1a0a2620-2da6-483d-abb5-11814857ad66\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the time based context keyed payload encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/context_time.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder1 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n (31 | 29 | 33 | 2B) C9\n B1 ?? // mov cl, 31h\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder2 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n (31 | 29 | 33 | 2B) C9\n B1 ?? // mov cl, 31h\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder3 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n (31 | 29 | 33 | 2B) C9\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n B1 ?? 
// mov cl, 31h\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder4 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n (31 | 29 | 33 | 2B) C9\n B1 ?? // mov cl, 31h\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder5 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n (31 | 29 | 33 | 2B) C9\n D9 74 24 F4\n B1 ?? // mov cl, 31h\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder6 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n (31 | 29 | 33 | 2B) C9\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n B1 ?? // mov cl, 31h\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder7 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (31 | 29 | 33 | 2B) C9\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n B1 ?? // mov cl, 31h\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder8 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (31 | 29 | 33 | 2B) C9\n B1 ?? 
// mov cl, 31h\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder9 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (31 | 29 | 33 | 2B) C9\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n B1 ?? // mov cl, 31h\n D9 74 24 F4\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n $encoder10 = {\n 31 DB // xor ebx, ebx\n 8D 43 0D // lea eax, [ebx+0Dh]\n CD 80 // int 80h\n 66 31 C0 // xor ax, ax\n\n // Shikata block\n (31 | 29 | 33 | 2B) C9\n (\n D9 (E1 | E5 | E8 | E9 | EA | EB | EC | ED | EE | C? | F6 | F7 | D0) |\n DA (C? | D?) |\n DB (C? | D?) |\n DD (C0 | C1 | C2 | C3 | C4 | C5 | C6 | C7)\n )\n D9 74 24 F4\n B1 ?? 
// mov cl, 31h\n (58 | 59 | 5A | 5B | 5C | 5D | 5E | 5F)\n [9]\n E2 F5 // loop loc_15\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_context_time_11814857ad66" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_countdown_33338431bbd6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584594Z", "creation_date": "2026-03-23T11:46:25.584596Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584601Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/countdown.rb" ], "name": "meterpreter_encoder_countdown_33338431bbd6.yar", "content": "rule meterpreter_encoder_countdown_33338431bbd6 {\n meta:\n title = \"Meterpreter Countdown Encoder (33338431bbd6)\"\n id = 
\"a6304511-c097-437e-99ef-33338431bbd6\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the single-byte xor countdown encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/countdown.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n E8 FF FF FF // call $+4\n FF C1 // inc ecx\n 5E // pop esi\n 30 4C 0E 07 // xor [esi+ecx+7], cl\n E2 FA // loop loc_B\n FD // std\n EA ?? 04 05 06 67 ?? // jmp far ptr 8167h:6050481h\n [3]\n 68 86 ?? 
3F 9B // push 9B3F5C86h\n 43 // inc ebx\n 1E // push ds\n 98 // cwde\n 46 // inc esi\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_countdown_33338431bbd6" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_fnstenv_mov_0331f07ef8fc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566833Z", "creation_date": "2026-03-23T11:46:25.566835Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566841Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/fnstenv_mov.rb" ], "name": "meterpreter_encoder_fnstenv_mov_0331f07ef8fc.yar", "content": "rule meterpreter_encoder_fnstenv_mov_0331f07ef8fc {\n meta:\n title = \"Meterpreter Fnstenv/Mov Encoder (0331f07ef8fc)\"\n id = 
\"95af0370-3b21-4ced-a861-0331f07ef8fc\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the variable-length mov equivalent instruction encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/fnstenv_mov.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder1 = {\n FC // cld\n E8 ?? ?? 00 00 // call loc_95\n 60 // pusha\n [10-12]\n (\n 89 E5 | // mov ebp, esp\n 31 ?? | // xor edx, edx\n 64 8B ?? 30 | // mov edx, fs:[edx+30h]\n 8B 52 0C | // mov edx, [edx+0Ch]\n 8B 52 14 // mov edx, [edx+14h]\n )\n\n // loc_15:\n [5-7]\n (\n 0F B7 4A 26 | // movzx ecx, word ptr [edx+26h]\n 8B 72 28 | // mov esi, [edx+28h]\n 31 FF // xor edi, edi\n )\n\n // loc_1E:\n (\n 31 C0 // xor eax, eax\n AC // lodsb\n |\n AC // lodsb\n )\n 3C ?? // cmp al, 61h ; 'a'\n 7C 02 // jl short loc_27\n 2C 20 // sub al, 20h ; ' '\n\n // loc_27:\n C1 CF 0D // ror edi, 0Dh\n 01 C7 // add edi, eax\n }\n\n $encoder2 = {\n 01 C7 // add edi, eax\n 38 E0 // cmp al, ah\n 75 ?? // jnz short loc_57\n 03 7D F8 // add edi, [ebp-8]\n 3B 7D 24 // cmp edi, [ebp+24h]\n 75 ?? 
// jnz short loc_4B\n 58 // pop eax\n 8B 58 24 // mov ebx, [eax+24h]\n 01 D3 // add ebx, edx\n 66 8B 0C 4B // mov cx, [ebx+ecx*2]\n 8B 58 1C // mov ebx, [eax+1Ch]\n 01 D3 // add ebx, edx\n 8B 04 8B // mov eax, [ebx+ecx*4]\n 01 D0 // add eax, edx\n 89 44 24 24 // mov [esp+24h], eax\n 5B // pop ebx\n 5B // pop ebx\n 61 // popa\n 59 // pop ecx\n 5A // pop edx\n 51 // push ecx\n FF E0 // jmp eax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_fnstenv_mov_0331f07ef8fc" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_jmp_call_additive_4f491c649d47_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578814Z", "creation_date": "2026-03-23T11:46:25.578816Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578822Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/jmp_call_additive.rb" ], "name": "meterpreter_encoder_jmp_call_additive_4f491c649d47.yar", "content": "rule meterpreter_encoder_jmp_call_additive_4f491c649d47 {\n meta:\n title = \"Meterpreter Jump/Call Additive Encoder (4f491c649d47)\"\n id = \"fb98ece3-b4ec-4d18-83c5-4f491c649d47\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the Jump/Call Additive encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/jmp_call_additive.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n FC // cld\n BB ?? ?? ?? ?? 
// mov ebx, 2BAED514h\n EB 0C // jmp short loc_14\n\n // sub_8\n 5E // pop esi\n 56 // push esi\n\n // loc_A:\n 31 1E // xor [esi], ebx\n AD // lodsd\n 01 C3 // add ebx, eax\n 85 C0 // test eax, eax\n 75 F7 // jnz short loc_A\n C3 // retn\n\n // loc_14:\n E8 EF FF FF FF // call sub_8\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_jmp_call_additive_4f491c649d47" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_opt_sub_c2e4419d718b_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566913Z", "creation_date": "2026-03-23T11:46:25.566915Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566921Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/opt_sub.rb" ], "name": 
"meterpreter_encoder_opt_sub_c2e4419d718b.yar", "content": "rule meterpreter_encoder_opt_sub_c2e4419d718b {\n meta:\n title = \"Meterpreter Sub Encoder (c2e4419d718b)\"\n id = \"a93eb202-9a59-469f-b6c6-c2e4419d718b\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the Sub encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/opt_sub.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 54 // push esp\n 58 // pop eax\n 2D ?? ?? ?? ?? // sub eax, 0FFFFFC0Fh\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 5C // pop esp\n 25 00 00 00 00 // and eax, 0\n 25 00 00 00 00 // and eax, 0\n 2D ?? ?? ?? ?? // sub eax, 0FF9A879Bh\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 0D2020C04h\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 0CA8D6D0Eh\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 636B8FE1h\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 0ED22B46Dh\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? 
// sub eax, 9D66BF85h\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 6B64F544h\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 347C687Fh\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n 50 // push eax\n 2D ?? ?? ?? ?? // sub eax, 40593567h\n 2D 00 00 00 00 // sub eax, 0\n 2D 00 00 00 00 // sub eax, 0\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_opt_sub_c2e4419d718b" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_single_static_84c990986117_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578489Z", "creation_date": "2026-03-23T11:46:25.578491Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578496Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/single_static_bit.rb" ], "name": "meterpreter_encoder_single_static_84c990986117.yar", "content": "rule meterpreter_encoder_single_static_84c990986117 {\n meta:\n title = \"Meterpreter Single Static Encoder (84c990986117)\"\n id = \"f0f2c453-83a1-4ea6-93ea-84c990986117\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the Single Static encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/single_static_bit.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 5E // pop esi\n 31 ED // xor ebp, ebp\n 83 E1 01 // and ecx, 1\n 83 E3 01 // and ebx, 1\n 66 BB ?? ?? // mov bx, 137h\n 66 81 F3 ?? ?? // xor bx, 7Eh\n 89 F7 // mov edi, esi\n\n // loc_16:\n 83 E0 7F // and eax, 7Fh\n AC // lodsb\n B1 08 // mov cl, 8\n\n // loc_1C:\n 80 F9 ?? // cmp cl, 6\n 74 ?? // jz short loc_44\n 60 // pusha\n 83 E9 01 // sub ecx, 1\n 74 06 // jz short loc_2D\n B3 02 // mov bl, 2\n\n // loc_29:\n F6 F3 // div bl\n E2 ?? // loop loc_29\n\n // loc_2D:\n 83 E0 01 // and eax, 1\n 6B 2F 02 // imul ebp, [edi], 2\n 09 E8 // or eax, ebp\n AA // stosb\n 61 // popa\n 83 ED FF // sub ebp, 0FFFFFFFFh\n 83 FD 08 // cmp ebp, 8\n 75 ?? 
// jnz short loc_44\n 83 EF FF // sub edi, 0FFFFFFFFh\n 31 ED // xor ebp, ebp\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_single_static_84c990986117" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_xor_87ee7f97a9e3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575475Z", "creation_date": "2026-03-23T11:46:25.575477Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575483Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor.rb" ], "name": "meterpreter_encoder_xor_87ee7f97a9e3.yar", "content": "rule meterpreter_encoder_xor_87ee7f97a9e3 {\n meta:\n title = \"Meterpreter XOR Encoder (87ee7f97a9e3)\"\n id = \"c1faa73c-c04c-411b-b67d-87ee7f97a9e3\"\n description = \"Detects the 
usage of Metasploit Meterpreter x64 with the XOR encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor.rb\"\n date = \"2023-11-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 48 31 C9 // xor rcx, rcx\n 48 81 E9 ?? ?? ?? FF // sub ecx, block_count\n 48 8D 05 EF FF FF FF // lea rax, [rel 0x0]\n 48 BB ?? ?? ?? ?? ?? ?? ?? ?? 
// mov rbx, 0x????????????????\n 48 31 58 27 // xor [rax+0x27], rbx\n 48 2D F8 FF FF FF // sub rax, -8\n E2 F4 // loop 0x1B\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_xor_87ee7f97a9e3" ], "rule_creation_date": "2023-11-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_xor_context_0a1906b13aa9_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575414Z", "creation_date": "2026-03-23T11:46:25.575416Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575422Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor_context.rb" ], "name": "meterpreter_encoder_xor_context_0a1906b13aa9.yar", "content": "rule meterpreter_encoder_xor_context_0a1906b13aa9 {\n meta:\n title = \"Meterpreter XOR Context Encoder (0a1906b13aa9)\"\n 
id = \"7542a37c-97b2-4073-9771-0a1906b13aa9\"\n description = \"Detects the usage of Metasploit Meterpreter x64 with the hostname based context keyed payload encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor_context.rb\"\n date = \"2023-11-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n 6A 3F 58 // push 0x3f; pop rax\n 48 8D 3C 24 // lea rdi, [rsp]\n 0F 05 // syscall ; LINUX - sys_uname\n 48 8B 5F 41 // movq rbx, [rdi+0x41]; hostname\n 48 31 C9 // xor rcx, rcx\n 48 81 E9 ?? ?? ?? 
FF // sub ecx, block_count\n 48 8D 05 EF FF FF FF // lea rax, [rip - 0x01]\n 48 31 58 1D // xor [rax+0x1d], rbx\n 48 2D F8 FF FF FF // sub rax, -8\n E2 F4 // loop 0x1B\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_xor_context_0a1906b13aa9" ], "rule_creation_date": "2023-11-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_xor_dynamic_0415d4569d30_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566805Z", "creation_date": "2026-03-23T11:46:25.566807Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566812Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor_dynamic.rb" ], "name": "meterpreter_encoder_xor_dynamic_0415d4569d30.yar", "content": "rule meterpreter_encoder_xor_dynamic_0415d4569d30 {\n meta:\n title = 
\"Meterpreter XOR Dynamic Encoder (0415d4569d30)\"\n id = \"649213fd-1ba3-4d50-8481-0415d4569d30\"\n description = \"Detects the usage of Metasploit Meterpreter x64 with the Dynamic XOR encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x64/xor_dynamic.rb\"\n date = \"2023-11-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n EB 27 // jmp _call\n 5B // _ret: pop rbx\n 53 // push rbx\n 5F // pop rdi\n B0 ?? // mov al, 'A'\n FC // cld\n AE // _lp1: scas al, BYTE PTR es:[rdi]\n 75 FD // jne _lp1\n 57 // push rdi\n 59 // pop rcx\n 53 // _lp2: push rbx\n 5E // pop rsi\n 8A 06 // _lp3: mov al, BYTE PTR [rsi]\n 30 07 // xor BYTE PTR [rdi], al\n 48 FF C7 // inc rdi\n 48 FF C6 // inc rsi\n 66 81 3F ?? ?? // cmp WORD PTR [rdi], 'BB'\n 74 07 // je _jmp\n 80 3E ?? 
// cmp BYTE PTR [rsi], 'A'\n 75 EA // jne _lp3\n EB E6 // jmp _lp2\n FF E1 // _jmp: jmp rcx\n E8 D4 FF FF FF // _call: call _ret\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_xor_dynamic_0415d4569d30" ], "rule_creation_date": "2023-11-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_encoder_xor_dynamic_fc9edd17e906_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578579Z", "creation_date": "2026-03-23T11:46:25.578581Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578586Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/xor_dynamic.rb" ], "name": "meterpreter_encoder_xor_dynamic_fc9edd17e906.yar", "content": "rule meterpreter_encoder_xor_dynamic_fc9edd17e906 {\n meta:\n title = \"Meterpreter XOR Dynamic Encoder 
(fc9edd17e906)\"\n id = \"3706629a-f87d-4c61-9bbf-fc9edd17e906\"\n description = \"Detects the usage of the Metasploit meterpreter x86 with the XOR Dynamic encoder.\\nThis technique is commonly used to obfuscate shellcode to avoid signature-based detection mechanisms.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/xor_dynamic.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $encoder = {\n EB 23 // jmp _call\n 5B // _ret: pop ebx\n 89 DF // mov edi, ebx\n B0 ?? // mov al, 'A'\n FC // cld\n AE // _lp1: scas al, BYTE PTR es:[edi]\n 75 FD // jne _lp1\n 89 F9 // mov ecx, edi\n 89 DE // _lp2: mov esi, ebx\n 8A 06 // _lp3: mov al, BYTE PTR [esi]\n 30 07 // xor BYTE PTR [edi], al\n 47 // inc edi\n 66 81 3F ?? ?? // cmp WORD PTR [edi], 'BB'\n 74 08 // je _jmp\n 46 // inc esi\n 80 3E ?? 
// cmp BYTE PTR [esi], 'A'\n 75 EE // jne _lp3\n EB EA // jmp _lp2\n FF E1 // _jmp: jmp ecx\n E8 D8 FF FF FF // _call: call _ret\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_encoder_xor_dynamic_fc9edd17e906" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_executable_staged_094ca5431e30_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578337Z", "creation_date": "2026-03-23T11:46:25.578340Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578349Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_executable_staged_094ca5431e30.yar", "content": "import \"pe\"\n\nrule meterpreter_executable_staged_094ca5431e30 {\n meta:\n title = \"Meterpreter Default Staged Executable (094ca5431e30)\"\n id = 
\"96996a17-6803-43a9-ac85-094ca5431e30\"\n description = \"Detects Meterpreter x86 default staged executable.\\nThis binary is typically used as a stage for establishing a reverse shell or further payload execution.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1071.001\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n // filesize is normally 73802; based on ab.exe (apache benchmark)\n // also matches when using an encoder such as shikata_ga_nai, as the encoded part comes after\n\n strings:\n $pdb = \"C:\\\\local0\\\\asf\\\\release\\\\build-2.2.14\\\\support\\\\Release\\\\ab.pdb\" ascii\n\n $s1 = {64 8B 52 30 } // mov edx, fs:[edx+30h]\n $s2 = {8B 52 0C } // mov edx, [edx+0Ch]\n $s3 = {8B 52 14 } // mov edx, [edx+14h]\n $s4 = {8B 72 28 } // mov esi, [edx+28h]\n $s5 = {0F B7 4A 26 } // movzx ecx, word ptr [edx+26h]\n $s6 = {C1 CF 0D } // ror edi, 0Dh\n $s7 = {8B 52 10 } // mov edx, [edx+10h]\n $s8 = {8B 42 3C } // mov eax, [edx+3Ch]\n\n condition:\n uint16(0) == 0x5a4d and pe.imphash() == \"481f47bbb2c9c21e108d65f52b04c448\" and $pdb and (all of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_executable_staged_094ca5431e30" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071.001", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], 
"source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_executable_staged_422c0cc3d085_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566543Z", "creation_date": "2026-03-23T11:46:25.566546Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566551Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_executable_staged_422c0cc3d085.yar", "content": "import \"pe\"\n\nrule meterpreter_executable_staged_422c0cc3d085 {\n meta:\n title = \"Meterpreter Default Staged Executable (422c0cc3d085)\"\n id = \"c480c803-77f1-4346-99e7-422c0cc3d085\"\n description = \"Detects Meterpreter x64 default staged executable.\\nThis binary is typically used as a stage for establishing a reverse shell or further payload execution.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1071.001\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n uint16(0) == 0x5a4d and pe.imphash() == \"b4c6fff030479aa3b12625be67bf4914\"\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_executable_staged_422c0cc3d085" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071.001", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_injected_DLL_1c60e167b02f_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579175Z", "creation_date": "2026-03-23T11:46:25.579177Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579183Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_injected_DLL_1c60e167b02f.yar", "content": "import \"pe\"\n\nrule meterpreter_injected_DLL_1c60e167b02f {\n meta:\n title = \"Meterpreter Injected DLL (1c60e167b02f)\"\n id = \"1d5ad497-133f-4b9f-86f9-1c60e167b02f\"\n description = \"Detects Meterpreter x86 injected DLL in memory.\\nThe DLL is injected into processes to establish persistence or execute malicious code.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = {\n 4D // dec ebp\n 5A // pop edx\n E8 00 00 00 00 // call $+5\n 5B // pop ebx\n 52 // push edx\n 45 // inc ebp\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 81 C3 ?? ?? ?? ?? // add ebx, ??????\n FF D3 // call ebx\n 81 C3 ?? ?? ?? ?? 
// add ebx, ???????\n 89 3B // mov [ebx], edi\n 53 // push ebx\n 6A 04 // push 4\n 50 // push eax\n FF D0 // call eax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_injected_DLL_1c60e167b02f" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_injected_DLL_a14543949a52_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579139Z", "creation_date": "2026-03-23T11:46:25.579142Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579151Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_injected_DLL_a14543949a52.yar", "content": "import \"pe\"\n\nrule meterpreter_injected_DLL_a14543949a52 {\n meta:\n title = \"Meterpreter Injected DLL (a14543949a52)\"\n id = \"9267318f-fce3-4ffd-a149-a14543949a52\"\n description = \"Detects Meterpreter x64 injected DLL in 
memory.\\nThe DLL is injected into processes to establish persistence or execute malicious code.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2020-12-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Found at start of reflective loading DLL\n $s1 = {\n 4D 5A // pop r10\n 41 52 // push r10\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 20 // sub rsp, 20h\n 48 83 E4 F0 // and rsp, 0FFFFFFFFFFFFFFF0h\n E8 00 00 00 00 // call $+5\n 5B // pop rbx\n 48 81 C3 ?? ?? ?? ?? // add rbx, ?????\n FF D3 // call rbx\n 48 81 C3 ?? ?? ?? ?? 
// add rbx, ??????\n 48 89 3B // mov [rbx], rdi\n 49 89 D8 // mov r8, rbx\n 6A 04 // push 4\n 5A // pop rdx\n FF D0 // call rax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_injected_DLL_a14543949a52" ], "rule_creation_date": "2020-12-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_extapi_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578932Z", "creation_date": "2026-03-23T11:46:25.578935Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578944Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_extapi_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_extapi_dll {\n meta:\n title = \"Metasploit Extapi Extension DLL\"\n id = \"d1f0f28e-c54f-466b-b105-af302d271bee\"\n description = \"Detects Metasploit Extapi extension DLL in 
memory.\\nThe Extapi extension provides extended API access, including system service manipulation and file system operations.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_extapi.x64.dll\n $s1 = \"extapi_service_\" ascii\n $s2 = \"extapi_clipboard_\" ascii\n $s3 = \"packet_add_\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_extapi_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_generic_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578666Z", "creation_date": "2026-03-23T11:46:25.578668Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578674Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_generic.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_generic {\n meta:\n title = \"Generic Metasploit Extension DLL\"\n id = \"ecc44d73-6192-4204-999a-1190c69b1c4c\"\n description = \"Detects a generic Metasploit extension DLL in memory.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/*\n $string1 = \"DeinitServerExtension\" ascii\n $string2 = \"GetExtensionName\" ascii\n $string3 = \"InitServerExtension\" ascii\n\n // Exclusion for McAfee\n $mcafee1 = \"Software\\\\McAfee\\\\SystemCore\" wide fullword\n $mcafee2 = \"McAfee On-Access Scanner service\" wide fullword\n $mcafee3 = \"SOFTWARE\\\\McAfee\\\\AVSolution\\\\Install_Reference\" wide fullword\n $mcafee4 = \"McAfee Scanner service\" wide fullword\n\n // Canary\n $canary = \"e0743c805cd51b2fd89ea0003eb1c5ed2aa5e116e465a294fee9154f22e3c1b6\" 
ascii\n\n condition:\n 2 of ($string*) and not (\n (\n 2 of ($mcafee*) and\n (\n filepath == \"C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\SystemCore\\\\mcshield.exe\" or\n filepath == \"C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\" or\n filepath == \"C:\\\\Program Files\\\\McAfee\\\\Endpoint Security\\\\Threat Prevention\\\\AMCore\\\\mfeamcin.exe\" or\n filepath == \"C:\\\\Program Files\\\\McAfee\\\\Endpoint Security\\\\Threat Prevention\\\\mfetp.exe\" or\n filepath == \"C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\Engine\\\\AMCoreUpdater\\\\amupdate.exe\"\n )\n ) or\n (\n filepath == \"C:\\\\Program Files\\\\Veeam\\\\Backup365\\\\Veeam.Archiver.Proxy.exe\"\n )\n ) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_generic" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_incognito_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579263Z", "creation_date": "2026-03-23T11:46:25.579267Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579275Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_incognito_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_incognito_dll {\n meta:\n title = \"Metasploit Incognito Extension DLL\"\n id = \"2470b1ff-223e-4f93-88cb-513be811a991\"\n description = \"Detects Metasploit Incognito extension DLL in memory.\\nThe Incognito extension is used for user impersonation by adding users to groups and accessing system resources under the context of another user.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_incognito.x64.dll\n $s2 = \"incognito_add_\" ascii\n $s3 = \"[*] Attempting to add user %s to group %s on domain controller %s\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_incognito_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], 
"source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_kiwi_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578984Z", "creation_date": "2026-03-23T11:46:25.578986Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578992Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_kiwi_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_kiwi_dll {\n meta:\n title = \"Metasploit Kiwi Extension DLL\"\n id = \"78d54a1e-9d41-4776-8db9-e44d4e8a525e\"\n description = \"Detects Metasploit Kiwi extension DLL in memory.\\nThe Kiwi extension enables Windows authentication and allows interaction with the operating system's native authentication mechanisms, including Kerberos.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_kiwi.x64.dll\n $s1 = {6B 69 77 69 5F 65 78 65 63 5F 63 6D 64} // 'kiwi _ exec _ cmd' without spaces\n $s2 = \"stdapi_fs_\" ascii\n $s3 = \"Kerberos\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_kiwi_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_mimikatz_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578548Z", "creation_date": "2026-03-23T11:46:25.578550Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.578555Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_mimikatz_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_mimikatz_dll {\n meta:\n title = \"Metasploit Mimikatz Extension DLL\"\n id = \"adc49ce7-6bb2-41f7-9c40-2c201728a5cb\"\n description = \"Detects Metasploit Mimikatz extension DLL in memory.\\nThe Mimikatz extension is used to dump credentials and perform lateral movement.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_mimikatz.x64.dll\n $s1 = \"mimikatz_custom_command\" ascii\n $s2 = \"Le type retou\" ascii\n $s3 = \"KiwiAndPst\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_mimikatz_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1055.002", "attack.t1550.003" ], "rule_score": 70, 
"rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_peinjector_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579092Z", "creation_date": "2026-03-23T11:46:25.579094Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579100Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_peinjector_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_peinjector_dll {\n meta:\n title = \"Metasploit PEInjector Extension DLL\"\n id = \"c3c4eee3-d65b-45de-a84f-87c26b372d8b\"\n description = \"Detects Metasploit PEInjector extension DLL in memory.\\nThe PEInjector extension injects shellcode into processes to establish persistence.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_peinjector.x64.dll\n $s1 = \"peinjector_inject_shellcode\" ascii\n $s2 = \"There was an error, shellcode not injected\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_peinjector_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_powershell_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578696Z", "creation_date": "2026-03-23T11:46:25.578698Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.578704Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_powershell_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_powershell_dll {\n meta:\n title = \"Metasploit Powershell Extension DLL\"\n id = \"a867f7d0-4388-4f1e-a055-11a659a6f2aa\"\n description = \"Detects Metasploit Powershell extension DLL in memory.\\nThe Powershell extension uses PowerShell to execute commands and evade detection.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1059.001\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_powershell.x64.dll\n $s1 = \"powershell_\" ascii\n $s2 = \"MSF.Powershell.\" ascii\n\n // Exclusion for Ivanti\n $ivanti = \"\\\\endpoint\\\\bin\\\\x64\\\\Release\\\\EPSecurityService.exe.pdb\" ascii\n\n condition:\n all of them and not ($ivanti and filepath == \"C:\\\\Program Files\\\\Ivanti\\\\Endpoint\\\\epsecurityservice.exe\")\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_powershell_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002", "attack.t1059.001" ], "rule_score": 70, 
"rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_priv_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566863Z", "creation_date": "2026-03-23T11:46:25.566865Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566892Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_priv_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_priv_dll {\n meta:\n title = \"Metasploit Priv Extension DLL\"\n id = \"8afe9bbe-565c-41be-885e-7ab7b625743f\"\n description = \"Detects Metasploit Priv extension DLL in memory.\\nThe Priv extension is used for privilege escalation by exploiting misconfigured permissions.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_priv.x64.dll\n $s1 = \"priv_elevate_getsystem\" ascii\n $s2 = \"priv_fs_\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_priv_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_extension_stdapi_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566749Z", "creation_date": "2026-03-23T11:46:25.566751Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566757Z", "rule_level": "high", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_extension_stdapi_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_extension_stdapi_dll {\n meta:\n title = \"Metasploit Stdapi Extension DLL\"\n id = \"a599c92b-1eff-4271-a763-be1b566f5a24\"\n description = \"Detects Metasploit Stdapi extension DLL in memory.\\nThe Stdapi extension provides functions to interact with system processes, including system command execution and process injection.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // metasploit-payloads-1.3.70/data/meterpreter/ext_server_stdapi.x64.dll\n $s1 = {73 74 64 61 70 69 5F 72 65 67 69 73 74 72 79 5F} // 'stdapi _ registry _' without spaces\n $s2 = \"stdapi_sys_process_\" ascii\n $s3 = \"core_channel_open\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_extension_stdapi_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_memory_metsrv_dll_yar", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578608Z", "creation_date": "2026-03-23T11:46:25.578610Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578616Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "meterpreter_memory_metsrv_dll.yar", "content": "import \"pe\"\n\nrule meterpreter_memory_metsrv_dll {\n meta:\n title = \"Metasploit Metsrv DLL\"\n id = \"87449f66-794d-4701-883d-acc4225e9857\"\n description = \"Detects Metasploit's meterpreter private server extension in memory.\\nThe Metsrv extension allows attackers to establish a reverse TCP connection, enabling communication with a remote command and control server.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2019-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5cdd26ef5832da4e913a32ebce063b0ccb86410e669f073cb802f6d2c21330e7\n\n // metasploit-payloads-1.3.70/data/meterpreter/metsrv.x64.dll\n $s1 = {63 6F 72 65 5F 74 72 61 6E 73 70 6F 72 74 5F} // 'core _ transport _' without spaces\n $s2 = \"core_loadlib\" ascii\n $s3 = \"core_channel_\" ascii\n $s4 = \"packet_add_tlv\" ascii\n $s5 = \"packet_get_tlv\" ascii\n $s6 = \"packet_transmit\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_memory_metsrv_dll" ], "rule_creation_date": "2019-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_winexec_85b632bf8a3b_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.575444Z", "creation_date": "2026-03-23T11:46:25.575446Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575452Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/exec_x64.rb" ], "name": "meterpreter_winexec_85b632bf8a3b.yar", "content": "rule meterpreter_winexec_85b632bf8a3b {\n meta:\n title = \"Meterpreter Execute Command (85b632bf8a3b)\"\n id = \"ce831d71-37e9-442a-9b77-85b632bf8a3b\"\n description = \"Detects the Metasploit meterpreter x64 execute command.\\nThis allows an attacker to execute an arbitrary command on the target system.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/exec_x64.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1027.007;attack.t1055\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $winexec1 = {\n 48 31 C0 // xor rax, rax\n AC // lodsb\n 41 C1 C9 0D // ror r9d, 0Dh\n 41 01 C1 // add r9d, eax\n 38 E0 // cmp al, ah\n 75 F1 // jnz short loc_75\n 4C 03 4C 24 08 // add r9, [rsp+8]\n 45 39 D1 // cmp r9d, r10d\n 75 D8 // jnz short loc_66\n 58 // pop rax\n 44 8B 40 24 // mov r8d, [rax+24h]\n 49 01 D0 // add r8, rdx\n 66 41 8B 0C 48 // mov cx, [r8+rcx*2]\n 44 8B 40 1C // mov r8d, [rax+1Ch]\n 49 01 D0 // add r8, rdx\n 41 8B 04 88 // mov eax, [r8+rcx*4]\n 48 01 D0 // add rax, rdx\n 41 58 // pop r8\n 41 58 // pop r8\n 5E // pop rsi\n 59 // pop rcx\n 5A // pop rdx\n 41 58 // pop r8\n 41 59 // pop r9\n 41 5A // pop r10\n 48 83 EC 20 // sub rsp, 20h\n 41 52 // push r10\n FF E0 // jmp rax\n }\n\n $winexec2 = {\n 5D // pop rbp\n 48 BA 01 00 00 00 00 00 00 00 // mov rdx, 1\n 48 8D 8D 01 01 00 00 // lea rcx, [rbp+101h]\n 41 BA 31 8B 6F 87 // mov r10d, 876F8B31h\n FF D5 // call rbp\n (\n BB AA C5 E2 5D | // mov ebx, 5DE2C5AAh (EXITFUNC=none)\n BB FE 0E 32 EA | // mov ebx, 0EA320EFEh (EXITFUNC=seh)\n BB E0 1D 2A 0A | // mov ebx, 0A2A1DE0h (EXITFUNC=thread)\n BB F0 B5 A2 56 // mov ebx, 56A2B5F0h (EXITFUNC=process)\n )\n 41 BA A6 95 BD 9D // mov r10d, 9DBD95A6h\n FF D5 // call rbp\n 48 83 C4 28 // add rsp, 28h\n 3C 06 // cmp al, 6\n 7C 0A // jl short loc_103\n 80 FB E0 // cmp bl, 0E0h\n 75 05 // jnz short loc_103\n BB 47 13 72 6F // mov ebx, 6F721347h\n }\n\n condition:\n 1 of 
($winexec*)\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_winexec_85b632bf8a3b" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027.007", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-meterpreter_winexec_bce7d7b9ac64_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579215Z", "creation_date": "2026-03-23T11:46:25.579218Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579226Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/exec.rb" ], "name": "meterpreter_winexec_bce7d7b9ac64.yar", "content": "rule meterpreter_winexec_bce7d7b9ac64 {\n meta:\n title = \"Meterpreter Execute Command (bce7d7b9ac64)\"\n id = \"b6d1b2fe-8e06-4793-b8fd-bce7d7b9ac64\"\n description = \"Detects the Metasploit meterpreter x86 execute command.\\nThis 
allows an attacker to execute an arbitrary command on the target system.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload/windows/exec.rb\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1027.007;attack.t1055\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $winexec1 = {\n AC // lodsb\n C1 CF 0D // ror edi, 0Dh\n 01 C7 // add edi, eax\n 38 E0 // cmp al, ah\n 75 F6 // jnz short loc_404ABD\n 03 7D F8 // add edi, [ebp-8]\n 3B 7D 24 // cmp edi, [ebp+24h]\n 75 E4 // jnz short loc_404AB3\n 58 // pop eax\n 8B 58 24 // mov ebx, [eax+24h]\n 01 D3 // add ebx, edx\n 66 8B 0C 4B // mov cx, [ebx+ecx*2]\n 8B 58 1C // mov ebx, [eax+1Ch]\n 01 D3 // add ebx, edx\n 8B 04 8B // mov eax, [ebx+ecx*4]\n 01 D0 // add eax, edx\n 89 44 24 24 // mov [esp+28h+var_4], eax\n 5B // pop ebx\n 5B // pop ebx\n 61 // popa\n 59 // pop ecx\n 5A // pop edx\n 51 // push ecx\n FF E0 // jmp eax\n }\n\n $winexec2 = {\n 5D // pop ebp\n 6A 01 // push 1\n 8D 85 B2 00 00 00 // lea eax, [ebp+0B2h]\n 50 // push eax\n 68 31 8B 6F 87 // push 876F8B31h\n FF D5 // call ebp\n (\n BB AA C5 E2 5D | // mov ebx, 5DE2C5AAh (EXITFUNC=none)\n BB FE 0E 32 EA | // mov ebx, 0EA320EFEh (EXITFUNC=seh)\n BB E0 1D 2A 0A | // mov ebx, 0A2A1DE0h (EXITFUNC=thread)\n BB F0 B5 A2 56 // mov ebx, 56A2B5F0h (EXITFUNC=process)\n )\n 68 A6 95 BD 9D // push 9DBD95A6h\n FF D5 // call ebp\n 3C 06 // cmp al, 6\n 7C 0A // jl short loc_404B21\n 80 FB E0 // cmp bl, 0E0h\n 75 05 
// jnz short loc_404B21\n BB 47 13 72 6F // mov ebx, 6F721347h\n }\n\n condition:\n 1 of ($winexec*)\n}\n", "rule_count": 1, "rule_names": [ "meterpreter_winexec_bce7d7b9ac64" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027.007", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mettle_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572156Z", "creation_date": "2026-03-23T11:46:25.572158Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572164Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/mettle/" ], "name": "mettle.yar", "content": "rule mettle_meterpreter {\n meta:\n title = \"Mettle Meterpreter\"\n id = \"fd149830-5f04-48be-b67b-a2b1402a0de0\"\n description = \"Detects the Mettle Meterpreter.\\nMettle is a native-code Meterpreter designed for embedded devices, allowing attackers to maintain 
persistence or execute commands on such devices.\\nIt is designed to operate in resource-constrained environments and provides a versatile framework for deploying and managing payloads on embedded systems.\"\n references = \"https://github.com/rapid7/mettle/\"\n date = \"2024-01-19\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Linux.Framework.Mettle\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 68ed53a469da89a164bcc3024823e2e4483100a94c7b4402798c70213e0c7605\n\n $fatal1 = \"/mettle/\" ascii\n $fatal2 = \".mshistory\" ascii\n\n $s1 = \"could not find handlers for channel type %s\" ascii\n $s2 = \"creating new channel of type %s\" ascii\n $s3 = \"No extension name specified\" ascii\n $s4 = \"TLV method request for command_id '%u' failed to locate an associated extension\" ascii\n $s5 = \"Registering command %u, cb %p, arg %p\" ascii\n $s6 = \"processing command: %u id: '%s'\" ascii\n $s7 = \"no handler found for command id: %u\" ascii\n $s8 = \"closing udp client channel: %p\" ascii\n $s9 = \"closing tcp client channel: %p\" ascii\n\n $config1 = \",LOOPBACK\" ascii fullword\n $config2 = \",POINTOPOINT\" ascii fullword\n $config3 = \",NOARP\" ascii fullword\n $config4 = \",BROADCAST\" ascii fullword\n $config5 = \",MULTICAST\" ascii fullword\n $config6 = \",UP\" ascii fullword\n\n condition:\n uint16(0) == 0x457f and filesize < 40MB and (any of ($fatal*) or all of ($s*) or all of ($config*))\n}\n", "rule_count": 1, "rule_names": [ "mettle_meterpreter" ], "rule_creation_date": "2024-01-19", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Mettle" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mhydeath_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581822Z", "creation_date": "2026-03-23T11:46:25.581824Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581829Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/zer0condition/mhydeath\nhttps://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/" ], "name": "mhydeath.yar", "content": "rule mhydeath {\n meta:\n title = \"Mhydeath HackTool\"\n id = \"a6453f18-2643-40d0-a1a2-babd2342a8b5\"\n description = \"Detects mhydeath, a tool designed to kill running EDR processes using the mhyprotect.sys vulnerable driver.\\nMhydeath operates by creating a new service to load the mhyprotect driver, which it then exploits to gain kernel code execution and kill EDR processes.\\nIt is recommended to examine the context in which this tool is executed to determine whether its use is legitimate.\"\n references = \"https://github.com/zer0condition/mhydeath\\nhttps://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/\"\n date = \"2025-09-25\"\n modified = \"2025-10-14\"\n author = \"HarfangLab\"\n tags = 
\"attack.defense_evasion;attack.t1574\"\n classification = \"Windows.HackTool.mhydeath\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 3c709493308c4744d182bd5beb81ef9aee8d05ba7571aacb91c33f989e2b8471\n\n $s1 = \"[!] failed to initialize vulnerable driver\" ascii fullword\n $s2 = \"[!] failed to initialize driver properly\" ascii fullword\n $s3 = \"Z:\\\\testthat\\\\mhydeath\\\\x64\\\\Release\\\\mhydeath64.pdb\" ascii fullword\n\n $f1 = \"mhyprot.sys\" ascii fullword\n $f2 = \"\\\\\\\\?\\\\\\\\mhyprotect\" ascii fullword\n $f3 = \"Failed to create %s service. (0x%lX)\" ascii fullword\n $f4 = \"Service already exists, open handle\" ascii fullword\n\n $edr1 = \"MsMpEng.exe\" wide fullword\n $edr2 = \"avast\" wide fullword\n $edr3 = \"carbonblack\" wide fullword\n $edr4 = \"carbon black\" wide fullword\n $edr5 = \"ciscoamp\" wide fullword\n $edr6 = \"cisco amp\" wide fullword\n $edr7 = \"crowdstrike\" wide fullword\n $edr8 = \"csagent\" wide fullword\n $edr9 = \"csfalcon\" wide fullword\n $edr10 = \"cybereason\" wide fullword\n $edr11 = \"cylance\" wide fullword\n $edr12 = \"darktrace\" wide fullword\n $edr13 = \"defender\" wide fullword\n $edr14 = \"endgame\" wide fullword\n $edr15 = \"f-secure\" wide fullword\n $edr16 = \"fireeye\" wide fullword\n $edr17 = \"kaspersky\" wide fullword\n $edr18 = \"mcafee\" wide fullword\n $edr19 = \"msmpeng\" wide fullword\n $edr20 = \"palo alto networks\" wide fullword\n $edr21 = \"qradar\" wide fullword\n $edr22 = \"secureworks\" wide fullword\n $edr23 = \"sentinel\" wide fullword\n $edr24 = \"sophos\" wide fullword\n $edr25 = \"splunk\" wide fullword\n $edr26 = \"symantec\" wide fullword\n $edr27 = \"tanium\" wide fullword\n $edr28 = \"vectra\" wide fullword\n $edr29 = \"wireshark\" wide fullword\n $edr30 = \"hurukai.exe\" wide fullword\n\n condition:\n 2 of ($s*) or (all of ($f*) and 5 of ($edr*))\n}\n", 
"rule_count": 1, "rule_names": [ "mhydeath" ], "rule_creation_date": "2025-09-25", "rule_modified_date": "2025-10-14", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.mhydeath" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1574" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mimikatz_8a69b75ae84e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563366Z", "creation_date": "2026-03-23T11:46:25.563369Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563379Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/gentilkiwi/mimikatz" ], "name": "mimikatz_8a69b75ae84e.yar", "content": "import \"pe\"\n\nrule mimikatz_8a69b75ae84e {\n meta:\n title = \"Mimikatz DLL (8a69b75ae84e)\"\n id = \"18cdda88-5836-48de-bc93-8a69b75ae84e\"\n description = \"Detects Mimikatz DLL in memory.\\nMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. 
This rule detects its presence in memory through specific patterns related to its operations, such as credential extraction and lateral movement. It is often used in red teaming exercises to test network security.\\nIt is recommended to investigate for additional signs of malicious activity, such as network communication or file artifacts.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/gentilkiwi/mimikatz\"\n date = \"2020-10-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Tool.Mimikatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // ---------- start: kuhl_m_event ----------\n\n /*\n From mimikatz initial release: bb371c2acba397b4006a6cddc0f9ce2b5958017b\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$WNT5_PerformWriteRequest = { 89 45 e4 8b 7d 08 89 7d }\n // Windows Vista\n $process_event_win60 = { 8b ff 55 8b ec 56 8b f1 8b 4d 08 e8 }\n // Windows 7\n $process_event_win61 = { 8b f1 8b 4d 08 e8 }\n // Windows 8\n $process_event_win62 = { 33 c4 50 8d 44 24 28 64 a3 00 00 00 00 8b 75 0c }\n // Windows 8.1 (Blue)\n $process_event_win63 = { 33 c4 50 8d 44 24 20 64 a3 00 00 00 00 8b f9 8b }\n\n /*\n From mimikatz commit: 5d191619fc8ffaf8cc2ba155114b33db39c824c2\n */\n // Windows 10 (build 1507)\n $process_event_win64 = { 33 c4 89 44 24 10 53 56 57 a1 }\n\n\n /*\n From mimikatz commit: cdd0722efa05ec0657bc90ee0d6e27df52557335\n */\n // Windows 10 (build 1607)\n $process_event_win10_1607 = { 8b d9 8b 4d 08 e8 }\n\n /*\n From mimikatz commit: 508b4aaf9e73f7ba45648c35cff632f10f38454b\n */\n // Windows 10 (build 1709)\n $process_event_win10_1709 = { 8b ff 55 8b ec 83 ec 0c 56 57 8b f9 8b 4d 08 e8 }\n\n /*\n From mimikatz commit: fe6a853ec3e7ff50d79dd608dbed5e05cfab3322\n 
*/\n // Windows 10 (build 1803)\n $process_event_win10_1803 = { 8b f1 89 75 ec 8b 7d 08 8b cf e8 }\n\n /*\n From mimikatz commit: 2fd09bbef0754317cd97c01dbbf49698ae23d9d2\n */\n // Windows 10 (build 1809)\n $process_event_win10_1809 = { 8b f1 89 75 f0 8b 7d 08 8b cf e8 }\n\n /*\n From mimikatz commit: 4dd27c0a649e808c01c7ea308321ff3eb9e3d4d3\n */\n // Windows 10 (build 2004)\n $process_event_win10_2004 = { 8b d9 8b 7d 08 8b cf e8 }\n\n // ---------- end: kuhl_m_event ----------\n\n // ---------- start: kuhl_m_misc ----------\n\n /*\n From mimikatz initial release: bb371c2acba397b4006a6cddc0f9ce2b5958017b\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$WALL_ncRouteMonitor = { 07 00 75 3a 68 }\n\n // ---------- end: kuhl_m_misc ----------\n\n // ---------- start: kuhl_m_sid ----------\n\n // NOTE: x86 currently not supported by this mimikatz module.\n\n // ---------- end: kuhl_m_sid ----------\n\n // ---------- start: kuhl_m_ts ----------\n\n /*\n From mimikatz commit: 5d191619fc8ffaf8cc2ba155114b33db39c824c2\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$TestLicence_WIN5 = { 83 f8 02 7f }\n // Windows Vista\n $query_policy_win60 = { 3b 91 20 03 00 00 5e 0f 84 }\n // Windows 7\n $query_policy_win6x = { 3b 86 20 03 00 00 0f 84 }\n // Windows 8.1 (Blue)\n $query_policy_win81 = { 3b 81 20 03 00 00 0f 84 }\n\n // ---------- end: kuhl_m_ts ----------\n\n // ---------- start: kuhl_m_sekurlsa ----------\n\n /*\n From mimikatz commit: 83a8f4214dd2204a71ccc62fb90058d714a78ac4\n */\n // Windows XP\n $sec_data_win2003 = { 53 56 8d 45 98 50 b9 }\n // Windows Vista and later\n $sec_data_win2008 = { 8b 45 14 83 c0 18 50 b9 }\n\n // ---------- end: kuhl_m_sekurlsa ----------\n\n // Misc matching\n $drsuapi_ds_bind_guid = { 1A 20 4D E2 D6 4F D1 11 A3 DA 00 00 F8 75 AE 0D }\n\n // TODO: detect \"@lsadump::dcsync\", \"sekurlsa::logonpasswords\" and \"sekurlsa::pth\" for trimmed-down versions of mimikatz (example in Cobalt Strike).\n\n 
condition:\n // kuhl_m_event\n 6 of ($process_event*)\n // kuhl_m_sekurlsa\n and 2 of ($sec_data_*)\n // misc guid\n and $drsuapi_ds_bind_guid\n // kuhl_m_ts\n or all of ($query_policy*)\n}\n", "rule_count": 1, "rule_names": [ "mimikatz_8a69b75ae84e" ], "rule_creation_date": "2020-10-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Mimikatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mimikatz_9e385b856412_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584980Z", "creation_date": "2026-03-23T11:46:25.584982Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584987Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/gentilkiwi/mimikatz" ], "name": "mimikatz_9e385b856412.yar", "content": "import \"pe\"\n\nrule mimikatz_9e385b856412 {\n meta:\n title = \"Mimikatz DLL (9e385b856412)\"\n id = 
\"224e7abf-a28e-4b8e-94c6-9e385b856412\"\n description = \"Detects Mimikatz DLL in memory.\\nMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. This rule detects its presence in memory through specific patterns related to its operations, such as credential extraction and lateral movement. It is often used in red teaming exercises to test network security.\\nIt is recommended to investigate for additional signs of malicious activity, such as network communication or file artifacts.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/gentilkiwi/mimikatz\"\n date = \"2020-09-30\"\n modified = \"2025-03-20\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Tool.Mimikatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n /*\n match on:\n mov dword ptr [r?x], 10000h\n <...Anything up to 14 bytes...>\n mov dword ptr [r?], 1\n */\n $dll_SpLsaModeInitialize = { c7 0? 00 00 01 00 [4-14] c7 0? 01 00 00 00 }\n\n /* match on:\n mov dword ptr [r?x], 210h\n mov [r?x], ax\n */\n $dll_kssp_SpGetInfo = { c7 0? 10 02 00 00 ?? 89 4? 
}\n condition:\n (all of ($dll_*) or pe.exports(\"powershell_reflective_mimikatz\")) and pe.characteristics & pe.DLL\n}\n", "rule_count": 1, "rule_names": [ "mimikatz_9e385b856412" ], "rule_creation_date": "2020-09-30", "rule_modified_date": "2025-03-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Mimikatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mimikatz_b8c25fc0ee35_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584657Z", "creation_date": "2026-03-23T11:46:25.584659Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584665Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/gentilkiwi/mimikatz" ], "name": "mimikatz_b8c25fc0ee35.yar", "content": "import \"pe\"\n\nrule mimikatz_b8c25fc0ee35 {\n meta:\n title = \"Mimikatz DLL (b8c25fc0ee35)\"\n id = \"c0ff0dd3-25b5-4b82-abb2-b8c25fc0ee35\"\n description = \"Detects Mimikatz DLL in 
memory.\\nMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. This rule detects its presence in memory through specific patterns related to its operations, such as credential extraction and lateral movement. It is often used in red teaming exercises to test network security.\\nIt is recommended to investigate for additional signs of malicious activity, such as network communication or file artifacts.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/gentilkiwi/mimikatz\"\n date = \"2021-01-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Tool.Mimikatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Following are unique names that could be found in error messages of mimikatz (unstripped most of the time).\n $dpapi_oe_credential_add = \"dpapi_oe_credential_add\" wide\n $dpapi_oe_domainkey_add = \"dpapi_oe_domainkey_add\" wide\n $kerberos_ptt_data = \"kerberos_ptt_data\" wide\n $kerberos_golden = \"kerberos_golden\" wide\n $kerberos_hash_data_raw= \"kerberos_hash_data_raw\" wide\n $crypto_exportRawKeyToFile = \"crypto_exportRawKeyToFile\" wide\n $crypto_exportKeyToFile = \"crypto_exportKeyToFile\" wide\n $lsadump_dcsync = \"lsadump_dcsync\" wide\n $lsadump_dcsync_decrypt = \"lsadump_dcsync_decrypt\" wide\n $lsadump_dcsync_descrObject_csv = \"lsadump_dcsync_descrObject_csv\" wide\n $sekurlsa_acquireLSA = \"sekurlsa_acquireLSA\" wide\n $sekurlsa_pth = \"sekurlsa_pth\" wide\n $sekurlsa_pth_luid = \"sekurlsa_pth_luid\" wide\n $sekurlsa_genericCredsOutput = \"sekurlsa_genericCredsOutput\" wide\n $sekurlsa_trymarshal = \"sekurlsa_trymarshal\" wide\n $sekurlsa_sk_candidatekey_add = \"sekurlsa_sk_candidatekey_add\" wide\n $sekurlsa_sk_tryDecode = 
\"sekurlsa_sk_tryDecode\" wide\n $sekurlsa_enum_kerberos_callback_pth = \"sekurlsa_enum_kerberos_callback_pth\" wide\n $sekurlsa_msv_enum_cred_callback_pth = \"sekurlsa_msv_enum_cred_callback_pth\" wide\n $dpapi_unprotect_raw_or_blob = \"dpapi_unprotect_raw_or_blob\" wide\n $dpapi_oe_masterkey_add = \"dpapi_oe_masterkey_add\" wide\n $dpapi_chrome = \"dpapi_chrome\" wide\n $string_stringToHex = \"kull_m_string_stringToHex\" wide\n $dpapi_chrome_decrypt = \"dpapi_chrome_decrypt\" wide\n $dpapi_chrome_alg_key_from_raw = \"dpapi_chrome_alg_key_from_raw\" wide\n $dpapi_chrome_alg_key_from_b64 = \"dpapi_chrome_alg_key_from_b64\" wide\n $dpapi_chrome_alg_key_from_file = \"dpapi_chrome_alg_key_from_file\" wide\n $lsadump_dcshadow_encode_sensitive_value = \"lsadump_dcshadow_encode_sensitive_value\" wide\n condition:\n 5 of them\n}\n", "rule_count": 1, "rule_names": [ "mimikatz_b8c25fc0ee35" ], "rule_creation_date": "2021-01-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Mimikatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mimikatz_compressed_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.571593Z", "creation_date": "2026-03-23T11:46:25.571595Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571600Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/gentilkiwi/mimikatz" ], "name": "mimikatz_compressed.yar", "content": "rule mimikatz_compressed_strings {\n meta:\n title = \"Mimikatz Compressed/Encoded Strings\"\n id = \"be9ea724-b0b6-416b-9e13-d5fe58e4910c\"\n description = \"Detects Mimikatz compressed/encoded strings, indicating potential embedding of Mimikatz.\\nMimikatz is a powerful credential dumping tool capable of extracting plaintext Windows account logins and passwords. It also provides various features for testing network security. This rule identifies files containing common compressed or encoded Mimikatz strings, which may indicate malicious activity attempting to compromise system credentials.\\nIt is recommended to conduct a thorough investigation to confirm the presence of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/gentilkiwi/mimikatz\"\n date = \"2023-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Tool.Mimikatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $canary = \"3877a2df4d0a6638673372831bd44cbb2cba734aa7c0117115bab51c994acdf4\"\n\n // https://github.com/GhostPack/SafetyKatz\n $s0 = \"jkak8gTe9zGlT1tIE1gBOxP4J60gBk6QIv\" wide ascii\n $s1 = \"6J7ydtHPogjK24AFn3O6hyi6F6d7AGJ+zB\" wide ascii\n $s2 = \"qiFCmnbygFb8A0OsNd51UdzmrAInheugh5\" wide 
ascii\n\n // https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0 - Compressed Mimikatz inside of InstallUtil\n $s3 = \"vX7t+/RbsPZL+r2S0p/8z/30G1/StvYbqv\" wide ascii\n $s4 = \"9UgTyj33zJ5+x/DevXt6jTbeeHDnN/8Z9O\" wide ascii\n $s5 = \"CBMX9JNmNZrx0QzrVO4WOhl7SEI26yCMNx\" wide ascii\n\n // https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1\n $s6 = \"AUgBSAE8AUgAgAGsAdQBoAGwAXwBtAF8Aa\" wide ascii\n $s7 = \"ABEAG8AbQBhAGkAbgAgAG4AYQBtAGUAIAB\" wide ascii\n $s8 = \"aQBlAHMAWwAlAHUAXQAKAAAAAAAgACAAIA\" wide ascii\n\n // https://github.com/Flangvik/BetterSafetyKatz\n $b64_0 = \"Lists all available providers credentials\" base64 base64wide\n $b64_1 = \"Switch (or reinit) to LSASS process context\" base64 base64wide\n $b64_2 = \"Lists LiveSSP credentials\" base64 base64wide\n $b64_3 = \"gentilkiwi\" base64 base64wide\n $b64_4 = \"/sam or /sid to target the account is needed\" base64 base64wide\n $b64_5 = \"A La Vie, A L'Amour\" base64 base64wide\n\n condition:\n (2 of ($s*) or 2 of ($b64_*)) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "mimikatz_compressed_strings" ], "rule_creation_date": "2023-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Mimikatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mimikatz_ec4487866cd0_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 
1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563516Z", "creation_date": "2026-03-23T11:46:25.563520Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563528Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/gentilkiwi/mimikatz" ], "name": "mimikatz_ec4487866cd0.yar", "content": "import \"pe\"\n\nrule mimikatz_ec4487866cd0 {\n meta:\n title = \"Mimikatz DLL (ec4487866cd0)\"\n id = \"38ab3219-a747-4b8c-bc1f-ec4487866cd0\"\n description = \"Detects Mimikatz DLL in memory.\\nMimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. This rule detects its presence in memory through specific patterns related to its operations, such as credential extraction and lateral movement. 
It is often used in red teaming exercises to test network security.\\nIt is recommended to investigate for additional signs of malicious activity, such as network communication or file artifacts.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/gentilkiwi/mimikatz\"\n date = \"2020-10-01\"\n modified = \"2025-03-20\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.Tool.Mimikatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // ---------- start: kuhl_m_event ----------\n\n /*\n From mimikatz initial release: bb371c2acba397b4006a6cddc0f9ce2b5958017b\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$PerformWriteRequest_winT5 = { 49 89 5b 10 49 89 73 18 }\n // Windows Vista\n $process_event_win60 = { 48 89 5c 24 08 57 48 83 ec 20 48 8b f9 48 8b ca 48 8b da e8}\n // Windows 7\n $process_event_win6 = { ff f7 48 83 ec 50 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 60 48 8b da 48 8b f9 48 8b ca e8}\n\n /*\n From mimikatz commit: 5d191619fc8ffaf8cc2ba155114b33db39c824c2\n */\n // Windows 10 (build 1507)\n $process_event_win10 = { 48 8b c4 57 48 83 ec 50 48 c7 40 c8 fe ff ff ff 48 89 58 08 }\n\n /*\n From mimikatz commit: cdd0722efa05ec0657bc90ee0d6e27df52557335\n */\n // Windows 10 (build 1607)\n $process_event_win10_1607 = { 40 57 48 83 ec 40 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 50 48 8b da 48 8b f9 48 8b ca e8 }\n\n /*\n From mimikatz commit: 508b4aaf9e73f7ba45648c35cff632f10f38454b\n */\n // Windows 10 (build 1709)\n $process_event_win10_1709 = { 48 89 5c 24 08 57 48 83 ec 40 48 8b f9 48 8b da 48 8b ca e8 }\n\n /*\n From mimikatz commit: fe6a853ec3e7ff50d79dd608dbed5e05cfab3322\n */\n // Windows 10 (build 1803)\n $process_event_win10_1803 = { 40 57 48 83 ec 40 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 50 48 89 6c 24 
58 48 89 74 24 60 }\n\n /*\n From mimikatz commit: 2fd09bbef0754317cd97c01dbbf49698ae23d9d2\n */\n // Windows 10 (build 1809)\n $process_event_win10_1809 = { 40 57 48 83 ec 40 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 50 48 89 74 24 58 49 8b f0 48 8b fa 48 8b d9 48 8b ca e8 }\n\n /*\n From mimikatz commit: 4dd27c0a649e808c01c7ea308321ff3eb9e3d4d3\n */\n // Windows 10 (build 1909)\n $process_event_win10_1909 = { 40 57 48 83 ec 40 48 c7 44 24 20 fe ff ff ff 48 89 5c 24 50 48 89 74 24 58 49 8b 58 08 48 8b f2 48 8b f9 48 8b ca e8 }\n\n /*\n From mimikatz commit: 4dd27c0a649e808c01c7ea308321ff3eb9e3d4d3\n */\n // Windows 10 (build 2004)\n $process_event_win10_2004 = { 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 40 49 8b 58 08 48 8b f2 48 8b f9 48 8b ca e8 }\n\n // ---------- end: kuhl_m_event ----------\n\n // ---------- start: kuhl_m_misc ----------\n\n /*\n From mimikatz initial release: bb371c2acba397b4006a6cddc0f9ce2b5958017b\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$WALL_ncRouteMonitor = { 07 00 75 3a 68 }\n\n // ---------- end: kuhl_m_misc ----------\n\n // ---------- start: kuhl_m_sid ----------\n\n /*\n From mimikatz commit: 81594553f72531aab2941267cfc6fc3392074efe\n */\n // Windows XP\n $loopback_check_win52 = { 48 8b d8 48 89 84 24 80 00 00 00 c7 07 01 00 00 00 83 }\n $sysmodresatt_win52 = { 0f b7 8c 24 c8 00 00 00 }\n // Windows 7\n $loopback_check_win61 = { 48 8b f8 48 89 84 24 88 00 00 00 41 be 01 00 00 00 44 89 33 33 db 39 }\n $sysmodresatt_win61 = { 0f b7 8c 24 78 01 00 00 4d 8b 6d 00 }\n // Windows 8.1 (Blue)\n $loopback_check_win81 = { 41 be 01 00 00 00 45 89 34 24 83 }\n $sysmodresatt_win81 = { 0f b7 8c 24 b8 00 00 00 }\n\n /*\n From mimikatz commit: cdd0722efa05ec0657bc90ee0d6e27df52557335\n */\n // Windows 10 (build 1607)\n $loopback_check_win10_1607 = { 44 8d 70 01 45 89 34 24 39 05 }\n $sysmodresatt_win10_1607 = { 8b bc 24 d8 00 00 00 41 b8 01 00 00 00 0f b7 8c 24 c8 00 00 00 }\n\n // ---------- end: kuhl_m_sid 
----------\n\n // ---------- start: kuhl_m_ts ----------\n\n /*\n From mimikatz commit: 5d191619fc8ffaf8cc2ba155114b33db39c824c2\n */\n // Windows XP\n // NOTE: too small to be used for matching.\n //$TestLicence_WIN5 = { 83 f8 02 7f }\n // Windows Vista\n $query_policy_win60 = { 8b 81 38 06 00 00 39 81 3c 06 00 00 75 }\n // Windows 7\n $query_policy_win6x = { 39 87 3c 06 00 00 0f 84 }\n // Windows 8.1 (Blue)\n $query_policy_win81 = { 39 81 3c 06 00 00 0f 84 }\n\n /*\n From mimikatz commit: c0f05a5286a05cf69240d352f2bff51377e33acd\n */\n // Windows 10 (build 1803)\n $query_policy_W10_1803 = { 8b 99 3c 06 00 00 8b b9 38 06 00 00 3b df 0f 84 }\n\n /*\n From mimikatz commit: 2fd09bbef0754317cd97c01dbbf49698ae23d9d2\n */\n // Windows 10 (build 1809)\n $query_policy_W10_1809 = { 8b 81 38 06 00 00 39 81 3c 06 00 00 0f 84 }\n\n // ---------- end: kuhl_m_ts ----------\n\n // TODO: detect \"@lsadump::dcsync\", \"sekurlsa::logonpasswords\" and \"sekurlsa::pth\" for trimed down version of mimikatz (example in Cobalt Strike).\n\n condition:\n filesize < 30MB and\n // kuhl_m_event\n (5 of ($process_event*)\n // kuhl_m_sid\n or (2 of ($loopback_check_*) and 2 of ($sysmodresatt_*))\n // kuhl_m_ts\n or all of ($query_policy*))\n}\n", "rule_count": 1, "rule_names": [ "mimikatz_ec4487866cd0" ], "rule_creation_date": "2020-10-01", "rule_modified_date": "2025-03-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Mimikatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mirair_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": 
"strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572468Z", "creation_date": "2026-03-23T11:46:25.572470Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572476Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai" ], "name": "mirair.yar", "content": "rule mirai_variant {\n meta:\n title = \"Mirai Variant\"\n id = \"2d419987-a465-44d3-bbab-e6f3b8318861\"\n description = \"Detects a variant of Mirai, a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.\\nIt is recommended to investigate the detected binary to determine its legitimacy.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai\"\n date = \"2024-09-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1046;attack.credential_access;attack.t1110;attack.command_and_control;attack.t1071.001;attack.impact;attack.t1498\"\n classification = \"Linux.Malware.Mirai\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6a63d66955e7ff374778c33e9504d32315e5d1fd9c81724c6ffc2703d71d965a\n // 8749452ef33a3d99b8ec3f1cab28040872300870fce743ecfc4f78239a555bba\n // a0a60a6d7225fccd6dc6fb22675a92e6ddac07f4fbec69f1d2984a4e174ec4d2\n // 
a93392bcf8fec68d4ac7c5dcb2ab2827d9eceb6e3eb1f9f416832b1e5d05f838\n\n $s1 = \"/bin/busybox telentd\" ascii fullword\n $s2 = \"who doesn't love a femboy?\" ascii fullword\n $s3 = \"/dev/FTWDT101_watchdog\" ascii fullword\n $s4 = \"someoffdeeznuts\" ascii fullword\n $s5 = \"bad auth_len gid %d str %d auth %d\" ascii fullword\n\n $x = {\n 48 89 D0 // mov rax, rdx\n 48 03 06 // add rax, [rsi]\n 44 30 10 // xor [rax], r10b\n 48 89 D0 // mov rax, rdx\n 48 03 06 // add rax, [rsi]\n 44 30 08 // xor [rax], r9b\n 48 89 D0 // mov rax, rdx\n 48 03 06 // add rax, [rsi]\n 44 30 00 // xor [rax], r8b\n 48 89 D0 // mov rax, rdx\n 48 03 06 // add rax, [rsi]\n 40 30 38 // xor [rax], dil\n 8D 42 01 // lea eax, [rdx+1]\n 48 FF C2 // inc rdx\n 0F B7 4E 08 // movzx ecx, word ptr [rsi+8]\n 39 C8 // cmp eax, ecx\n 7C ?? // jl short loc_405480\n }\n\n condition:\n all of ($s*) or $x\n}\n", "rule_count": 1, "rule_names": [ "mirai_variant" ], "rule_creation_date": "2024-09-13", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.Mirai" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.impact" ], "rule_technique_tags": [ "attack.t1046", "attack.t1071.001", "attack.t1498", "attack.t1110" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mirrordump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": 
"b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581571Z", "creation_date": "2026-03-23T11:46:25.581573Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581579Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/001/\nhttps://github.com/CCob/MirrorDump/" ], "name": "mirrordump.yar", "content": "rule mirrordump {\n meta:\n title = \"MirrorDump HackTool\"\n id = \"3409c2cb-473a-47cd-a8c8-c22e40a95317\"\n description = \"Detects MirrorDump, a LSASS memory dumper that uses an LSA plugin and API hooking.\\nMirrorDump is a tool designed to extract LSASS process memory, often used for credential dumping. It hooks the LSA (Local Security Authority) subsystem and creates a memory dump of the LSASS process, which can then be analyzed for sensitive information such as credentials.\\nIt is recommended to analyze the LSASS process for any unauthorized memory dumping activities.\"\n references = \"https://attack.mitre.org/techniques/T1003/001/\\nhttps://github.com/CCob/MirrorDump/\"\n date = \"2024-01-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.MirrorDump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 2e936549ff8d2f667d1914748c379beac1d040e35b39a6cb9ad48c9a81862931\n\n // ascii\n $m1 = \"import MirrorDump\" fullword ascii\n $m2 = \"MiniDumpToMemSharp\" fullword ascii\n $m3 = \"SharpDisasm.Disassembler\" fullword ascii\n\n // wide\n $s1 = \"[!] Failed to query handle information with error 0x{0:x}\" fullword wide\n $s2 = \"{0}.dmp\" fullword wide\n $s3 = \"[!] 
Failed to fake NtOpenProcess on LSASS PID\" fullword wide\n $s4 = \"[!] Failed to parse arguments: {0}\" fullword wide\n $s5 = \"[+] Generating new LSA DLL {0} targeting PID {1}.....\" fullword wide\n $s6 = \"[+] LSA security package loaded, searching current process for duplicated LSASS handle\" fullword wide\n $s7 = \"[+] Found duplicated LSASS process handle 0x{0:x}\" fullword wide\n $s8 = \"[!] Failed to get LSASS handle, bailing!\" fullword wide\n $s9 = \"[=] Dumping LSASS memory\" fullword wide\n $s10 = \"[!] Minidump memory limit reached, could not create dump\" fullword wide\n $s11 = \"[!] Minidump generation failed with error 0x{0:x}\" fullword wide\n $s12 = \"[+] Minidump successfully saved to memory, size {0}MB\" fullword wide\n $s13 = \"[+] Minidump compressed and saved to \" fullword wide\n\n condition:\n all of ($m*) or 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "mirrordump" ], "rule_creation_date": "2024-01-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.MirrorDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mov_ss_single_step_check_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571914Z", 
"creation_date": "2026-03-23T11:46:25.571916Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571922Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.triplefault.io/2017/08/detecting-debuggers-by-abusing-bad.html\nhttps://github.com/HackOvert/AntiDBG" ], "name": "mov_ss_single_step_check.yar", "content": "rule mov_ss_single_step_x86 {\n meta:\n title = \"Anti-Debug Check via Stack Segment\"\n id = \"418d5692-89bb-4466-af13-8bc63656688a\"\n description = \"Detects anti-debugging code using the MOV SS/POP SS technique.\\nThis technique creates a single-instruction window where certain debug exceptions are deferred. Malware often follows this with a test of stack memory, typically checking for a PSAPI_WORKING_SET_EX_BLOCK structure to detect debuggers.\\nIt is recommended to analyze the process and look for signs of malicious activity.\"\n references = \"https://www.triplefault.io/2017/08/detecting-debuggers-by-abusing-bad.html\\nhttps://github.com/HackOvert/AntiDBG\"\n date = \"2024-09-25\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1622\"\n classification = \"Windows.Generic.AntiDebug\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 945ae2b6c0570efaedaeeaefcb70a1560a8e1a29a392869c9305b6755ba7a951\n // 1cad451cedeb9967c790c1671cd2e3482de87e3e802953f28e426642894ceb7b\n // 78077f5fc2ec9260787857325abafdf84e2773843d8a804ac7cf8bde33172268\n\n $push_pop_ss = {\n c7??????????00000000 // mov dword [ebp-0x254 {var_264}], 0x0\n 16 // push ss {var_5c4_33}\n 17 // pop ss {var_5c4_33}\n 9c // pushfd {var_5c8_17+0x2}\n f6??????01 // test byte [esp+0x1 {var_5c8_17+0x3}], 0x1 (check 
_PSAPI_WORKING_SET_EX_BLOCK)\n (74|75) // jne 0x40198f\n }\n\n condition:\n $push_pop_ss\n}\n", "rule_count": 1, "rule_names": [ "mov_ss_single_step_x86" ], "rule_creation_date": "2024-09-25", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.AntiDebug" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1622" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-multidump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582005Z", "creation_date": "2026-03-23T11:46:25.582007Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582013Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Xre0uS/MultiDump" ], "name": "multidump.yar", "content": "rule multidump {\n meta:\n title = \"MultiDump Hacktool\"\n id = \"455dc511-9e94-45fe-b39d-0d01ddb4d406\"\n description = \"Detects MultiDump, a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly via ProcDump.exe or Comsvcs.dll's minidump.\\nIt avoids AV detection by spoofing process arguments and 
removing magic bytes from the dump, and includes a Python handler for decrypting and exfiltrating the dump over the network.\\nIt is recommended to investigate actions around this alert and to start memory forensics to determine stolen credentials.\"\n references = \"https://github.com/Xre0uS/MultiDump\"\n date = \"2024-09-13\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.MultiDump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 797b34f77293b13703b622585e10f04640e063348ddc36d7c4e3176c6460c731\n\n $s1 = \"[!] Dumping LSASS Requires Elevated Privileges!\" ascii fullword\n $s2 = \"[!] Failed to Create Process to Dump LSASS!\" ascii fullword\n $s3 = \"[+] SYSTEM Save Read: %.2f MB\" ascii fullword\n $s4 = \"[i] Sending Encrypted SECURITY Save...\" ascii fullword\n $s5 = \"[i]Thread %lu resumed successfully.\" ascii fullword\n $s6 = \"[i] Writing \\\"%s\\\" As The Process Argument At : 0x%p ...\" wide fullword\n $s7 = \"![!] 
Cound Not Get %s's PID\" wide fullword\n $s8 = \"[+] Found \\\"%s\\\" - Of PID : %d\" wide fullword\n $s9 = \"debug_file_process_info_%Y%m%d_%H%M%S.dmp\" wide fullword\n $s10 = \"[i] Real Reg Commands: %s\" wide fullword\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "multidump" ], "rule_creation_date": "2024-09-13", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.MultiDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mutationgate_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571812Z", "creation_date": "2026-03-23T11:46:25.571815Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571820Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/senzee1984/MutationGate" ], "name": "mutationgate.yar", "content": "rule mutationgate {\n meta:\n title = \"Mutation Gate\"\n id = \"c943547c-adc7-467f-ad5e-76a27b912179\"\n description = \"Detects the Mutation Gate technique, a 
technique for bypassing user-mode API hooking.\\nMutation Gate is a variation of HellsGate. It does not issue direct system calls: it places a hardware breakpoint (set through GetThreadContext/SetThreadContext) on an unhooked ntdll system call stub and uses a vectored exception handler (AddVectoredExceptionHandler, handling EXCEPTION_SINGLE_STEP, 0x80000004) to swap in the system call number of the hooked function it actually wants to invoke. The hooked ntdll entry point is therefore never executed, so user-mode hooks placed by security tools such as EDRs (Endpoint Detection and Response) do not observe the call.\\nIt is recommended to analyze the process for other signs of malicious activity and to look for unexpected vectored exception handlers and debug-register (hardware breakpoint) usage in the process.
40 // mov rbx, qword [rax+0x40]\n [4-8]\n 48 8b ?? 48 // mov rcx, qword [rax+0x48]\n 48 8b ?? 50 // mov rbx, qword [rax+0x50]\n [4-8]\n 48 8b ?? 58 // mov rcx, qword [rax+0x58]\n 48 8b ?? 60 // mov rbx, qword [rax+0x60]\n [4-8]\n 48 8b ?? 68 // mov rcx, qword [rax+0x68]\n 48 8b ?? 70 // mov rbx, qword [rax+0x70]\n [4-8]\n 48 8b ?? 78 // mov rcx, qword [rax+0x78]\n 48 8b ?? 80 00 00 00 // mov rbx, qword [rax+0x80]\n [4-8]\n 48 8b ?? 88 00 00 00 // mov rcx, qword [rax+0x88]\n 48 8b ?? 90 00 00 00 // mov rbx, qword [rax+0x90]\n [4-8]\n 48 8b ?? 98 00 00 00 // mov rcx, qword [rax+0x98]\n 48 8b ?? a0 00 00 00 // mov rbx, qword [rax+0xa0]\n [4-8]\n 48 8b ?? a8 00 00 00 // mov rcx, qword [rax+0xa8]\n 48 8b ?? b0 00 00 00 // mov rbx, qword [rax+0xb0]\n [4-8]\n 48 8b ?? b8 00 00 00 // mov rcx, qword [rax+0xb8]\n 48 8b ?? c0 00 00 00 // mov rbx, qword [rax+0xc0]\n [4-8]\n 48 8b ?? c8 00 00 00 // mov rcx, qword [rax+0xc8]\n 48 8b ?? d0 00 00 00 // mov rbx, qword [rax+0xd0]\n [4-8]\n 48 8b ?? d8 00 00 00 // mov rcx, qword [rax+0xd8]\n 48 8b ?? e0 00 00 00 // mov rbx, qword [rax+0xe0]\n [4-8]\n 48 8b ?? e8 00 00 00 // mov rcx, qword [rax+0xe8]\n 48 8b ?? f0 00 00 00 // mov rbx, qword [rax+0xf0]\n [4-8]\n 48 8b ?? 00 01 00 00 // mov rdx, qword [rax+0x100]\n 48 8b ?? 
f8 00 00 00 // mov rax, qword [rax+0xf8]\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "mutationgate" ], "rule_creation_date": "2024-02-28", "rule_modified_date": "2025-03-13", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.MutationGate" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_apollo_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582884Z", "creation_date": "2026-03-23T11:46:25.582886Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582892Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/Apollo\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_apollo.yar", "content": "rule mythic_apollo {\n meta:\n title = \"Mythic Apollo Agent\"\n id = \"aed8442c-a1f5-460b-88c7-b94331c80d96\"\n description = \"Detects the Mythic Apollo agent.\\nMythic Apollo is a Windows-based C2 (Command and Control) framework designed for use in offensive security training 
exercises. It is implemented in C# and integrates with the Mythic post-exploitation framework.\\nIt is recommended to isolate the affected system and analyze network traffic for potential C2 communication as well as to look for further signs of malicious activities on the host.\"\n references = \"https://github.com/MythicAgents/Apollo\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-02-28\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.execution;attack.defense_evasion;attack.t1055;attack.t1059;attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"Windows.Trojan.MythicApollo\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 61aa6d9ef73ded773041b54ea9fe44587b46b612abe1700026a3e6a2b737f536\n\n $s1 = \"Failed to open thread token and have unhandled error. dwError: {0}\" wide fullword\n $s2 = \"Unsupported C2 Profile type:\" wide fullword\n $s3 = \"No egress profiles specified.\" wide fullword\n $s4 = \"apollointerop\" wide fullword\n $s5 = \"Apollo.Management.C2\" ascii fullword\n $s6 = \"Apollo.Peers.SMB\" ascii fullword\n $s7 = \"GetMythicUUID\" ascii fullword\n $s8 = \"MessageStore_ChunkAdd\" ascii fullword\n $s9 = \"k__BackingField\" ascii fullword\n\n condition:\n 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "mythic_apollo" ], "rule_creation_date": "2024-02-28", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.MythicApollo" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1055", "attack.t1572" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_athena_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588316Z", "creation_date": "2026-03-23T11:46:25.588318Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588324Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/Athena\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_athena.yar", "content": "rule mythic_athena {\n meta:\n title = \"Mythic Athena Agent\"\n id = \"f8d9dc5d-81f5-41dd-be10-635a4513108e\"\n description = \"Detects the Mythic Athena agent.\\nAthena is a cross-platform .NET-based agent deployed by the Mythic framework for post-exploitation activities. 
It enables attackers to perform various tasks such as process manipulation, privilege escalation, and data exfiltration.\\nThis rule identifies the presence of Athena components and associated .NET runtime indicators.\\nIt is recommended to investigate process and network activity surrounding this alert to determine the Mythic C2 IP and process.\"\n references = \"https://github.com/MythicAgents/Athena\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-02-27\"\n modified = \"2025-11-24\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Trojan.MythicAthena\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6e63864d2a8dab5d73f95fee4fe1358685c6aaf6e15df740dd692c13ff03652d\n // e9781da55c4c30e7f5e182894f93fb26b88969fd8cde747a53ffd9882ca19462\n // da8067b3cac9197712a41a1a1524aad0aba336921b64d3e914cbafe5d9c15446\n // a269f238a9f973d983dedd1d172df39db844cc9e3b5e3527280fa41f8250e3c0\n // 8876d8ae5c39b7e86e3602b4be53ccedf091cf3776962945a032599deb5baa86\n // 375367274cf5ec2a759e8b43f79c0cec546751f9f68c4cb8ea2006a29bf10e52\n // 2f5d06f444d2ad8d49653cb8d940ea65647562b163c873c3d7cd3dbedd3d5815\n // 195161dd8441abca4850da96d26c2ec796eb03cd967453e6791e1053ec0ab477\n // a3b5c0e9d2dfa7d9dc2f18a44a2e6396e7c1a0edcdaf512847d8bccc0fb779f7\n // f625920322e534ffa0e563b179f8610ec8c34294ebad7f89c1e16eacd953b33e\n // 276bcbbe863d630bd922a2d4e032c4ec0f7ff51fd1bcf769b8748c932d7a845f\n\n $s1 = \"\\\"Athena.Handler.\" ascii\n\n $module1 = \"caffeinate.dll\" ascii fullword\n $module2 = \"cursed.dll\" ascii fullword\n $module3 = \"exec.dll\" ascii fullword\n $module4 = \"execute-assembly.dll\" ascii fullword\n $module5 = \"farmer.dll\" ascii fullword\n $module6 = \"get-clipboard.dll\" ascii fullword\n $module7 = \"keylogger.dll\" ascii fullword\n $module8 = 
\"get-localgroup.dll\" ascii fullword\n $module9 = \"shellcode.dll\" ascii fullword\n $module10 = \"smb.dll\" ascii fullword\n\n $dotnet1 = \"DOTNET_RUNTIME_ID\" wide fullword\n $dotnet2 = \"You must install .NET Desktop Runtime to run this application.\" wide fullword\n $dotnet3 = \"Microsoft-Windows-DotNETRuntime\" wide fullword\n\n $canary = \"978c439693654084087fe4dd8483eeb8c215d69807533ba823db28bd2bec1df2\" ascii\n\n condition:\n (#s1 >= 4 or 3 of ($module*)) and 1 of ($dotnet*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "mythic_athena" ], "rule_creation_date": "2024-02-27", "rule_modified_date": "2025-11-24", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Trojan.MythicAthena" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_freyja_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586812Z", "creation_date": "2026-03-23T11:46:25.586815Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586820Z", "rule_level": "critical", "rule_level_override": null, 
"rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/freyja\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_freyja.yar", "content": "rule mythic_freyja {\n meta:\n title = \"Mythic Freyja Agent\"\n id = \"dd008043-a3ae-471d-9651-4c91a18000f4\"\n description = \"Detects the Mythic Freyja Agent.\\nFreyja is a Golang-based Purple Team agent designed for integration with Mythic, enabling the execution of commands on target systems across Windows, Linux, and macOS x64 platforms.\"\n references = \"https://github.com/MythicAgents/freyja\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-02-28\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.execution;attack.t1059;attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"Trojan.MythicFreyja\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a95e377b2d24a21ef2349fe21d9c25c3921b75852297f20cb100dd843275282c\n // fc649b268d26eca6b7007eb0712a3a63937d512364ede2857a791b56a9e56ae1\n // 3ce2e443727b6abd32fb7b6de296a7de157653871d349b59e484abb9e9be53aa\n\n $s1 = \"Sent kill signal to Job ID: %s\" ascii\n $s2 = \"RemoveInternalTCPConnectionChannel\" ascii\n $s3 = \"freyja_tcp\" ascii\n $s4 = \"C2ProfileName\" ascii\n $s5 = \"File %s already exists. 
Reupload with the overwrite parameter, or remove the file before uploading again.\" ascii\n $s6 = \"Uploaded %d bytes to %s\" ascii\n $s7 = \"main.sendFileToMythic\" ascii fullword\n $s8 = \"main.handleMythicMessageResponse\"\n\n condition:\n 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "mythic_freyja" ], "rule_creation_date": "2024-02-28", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Trojan.MythicFreyja" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1572" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_kharon_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566719Z", "creation_date": "2026-03-23T11:46:25.566721Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566726Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/Kharon\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_kharon.yar", "content": "rule mythic_kharon {\n meta:\n 
title = \"Mythic Kharon Agent\"\n id = \"10befdb8-9f0d-4740-95a3-eab238084130\"\n description = \"Detects the Mythic Kharon agent.\\nMythic Kharon is a Windows-based C2 (Command and Control) framework designed for use in offensive security training exercises. It is implemented in C/C++ in full Position Independent Code and integrates with the Mythic post-exploitation framework.\\nIt is recommended to isolate the affected system and analyze network traffic for potential C2 communication as well as to look for further signs of malicious activities on the host.\"\n references = \"https://github.com/MythicAgents/Kharon\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2025-08-18\"\n modified = \"2025-09-04\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.execution;attack.defense_evasion;attack.t1055;attack.t1059;attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"Windows.Trojan.MythicKharon\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5a0b49bd056eba4c537ae93198bf568a535427d722ef9c8b31f4f2526769a805\n\n $obv1 = \"\\\\\\\\.\\\\pipe\\\\kharon_pipe\" ascii fullword\n $obv2 = \"Failed to inject into remote process\" ascii fullword\n $obv3 = \"Failed to inject post-ex module\" ascii fullword\n\n $dim1 = \"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\" wide fullword\n $dim2 = \"Failed to create pipe\" ascii fullword\n $dim3 = \"SeDebugPrivilege\" ascii fullword\n $dim4 = \"????????-????-????-????-????????????\" ascii fullword\n $dim5 = \"sending to target\" ascii fullword\n $dim6 = \"Failed to write chunk to file\" ascii fullword\n $dim7 = \"Failed to create/open file\" ascii fullword\n $dim8 = \"HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\0\" ascii fullword\n $dim9 = \"C:\\\\Windows\\\\System32\\\\*.dll\"\n\n $initial_load = {\n e8 ?? ?? ?? ?? 
// call LdrLoad_Module\n bf a9 b3 5a c0 // mov edi, 0xc05ab3a9 // ntdll hash\n ba a9 b3 5a c0 // mov edx, 0xc05ab3a9\n 48 89 c1 // mov rcx, rax\n e8 ?? ?? ?? ?? // call LdrLoad_Api\n 48 89 c6 // mov rsi, rax\n b9 26 79 5a ff // mov ecx, 0xff5a7926 // RtlAllocateHeap hash\n e8 ?? ?? ?? ?? // call LdrLoad_Module\n 48 81 c7 81 2d b3 1d // add rdi, 0x1db32d81 // RtlCreateHeap hash\n 48 89 c1 // mov rcx, rax\n 48 89 fa // mov rdx, rdi {0xde0de12a}\n e8 ?? ?? ?? ?? // call LdrLoad_Api\n }\n\n condition:\n any of ($obv*) or\n 8 of ($dim*) or\n $initial_load\n}\n", "rule_count": 1, "rule_names": [ "mythic_kharon" ], "rule_creation_date": "2025-08-18", "rule_modified_date": "2025-09-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.MythicKharon" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1055", "attack.t1572" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_loki_agent_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568844Z", "creation_date": "2026-03-23T11:46:25.568846Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.568851Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securelist.com/loki-agent-for-mythic/113596/\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_loki_agent.yar", "content": "rule mythic_loki_agent {\n meta:\n title = \"Mythic Loki Agent\"\n id = \"436c34c2-7413-4f58-ac5e-86629c75a75a\"\n description = \"Detects the Mythic Loki Agent.\\nLoki is a private agent of the Mythic Framework, an open-source cross-platform post-exploitation framework designed for red teaming and security testing.\\nIt is recommended to investigate parent processes or initial access vectors on the machine and to look for further signs of malicious actions on the host.\"\n references = \"https://securelist.com/loki-agent-for-mythic/113596/\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-09-09\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.execution;attack.defense_evasion;attack.t1055;attack.t1059;attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"Windows.Trojan.MythicLoki\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // aa544118deb7cb64ded9fdd9455a277d0608c6985e45152a3cbb7422bd9dc916\n\n $s1 = \"Terminating Loki... Remember, I'll be back!\" ascii fullword\n $s2 = \"Terminating... Remember, I'll be back!\" ascii fullword\n\n $djb2_custom_m = {\n ??b7080000 // mov ecx, 0x8b7\n 662e0f1f840000000000 // nop word [rax+rax]\n ??01 // cmp al, 0x1\n ?????? // movzx eax, al\n 4?????00 // adc rdx, 0x0\n ?????? // mov r9, rdx\n 8??? // mov edx, ecx\n c1??05 // shl edx, 0x5\n 0??? // add edx, ecx\n [12-15] // lea ecx, [rax+rdx]\n // lea rdx, [r9+0x1]\n // movzx eax, byte [r9+0x1]\n // mov r9, rdx\n 4d2??? 
// sub r9, r11\n 4?????0b // cmp r9d, 0xb\n }\n\n condition:\n 1 of ($s*) or $djb2_custom_m\n}\n", "rule_count": 1, "rule_names": [ "mythic_loki_agent" ], "rule_creation_date": "2024-09-09", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.MythicLoki" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1055", "attack.t1572" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_medusa_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573146Z", "creation_date": "2026-03-23T11:46:25.573148Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573154Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/Medusa\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_medusa.yar", "content": "rule mythic_medusa {\n meta:\n title = \"Mythic Medusa Agent\"\n id = \"20ed9add-b4c6-4e02-ba89-e2e584d9d2fa\"\n description = \"Detects the Medusa agent.\\nMedusa is a cross-platform 
agent compatible with both Python 3.8 and Python 2.7, designed to be used within the Mythic framework for post exploitation activities.\\nIt enables various operations across different operating systems.\"\n references = \"https://github.com/MythicAgents/Medusa\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-02-27\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Trojan.MythicMedusa\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \".ps..create_drive_mapping..\" ascii\n $s2 = \".list_dlls..ProcessInformation._query_info\" ascii\n $s3 = \".socks..get_running_socks_thread\" ascii\n $s4 = \".postMessageAndRetrieveResponse\" ascii\n $s5 = \".sendTaskOutputUpdate\" ascii\n $s6 = \".socks..sendSocksPacket\" ascii\n $s7 = \"KillDate\" ascii fullword\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "mythic_medusa" ], "rule_creation_date": "2024-02-27", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Trojan.MythicMedusa" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-mythic_thanatos_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572882Z", "creation_date": "2026-03-23T11:46:25.572884Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572890Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MythicAgents/thanatos\nhttps://attack.mitre.org/software/S0699/" ], "name": "mythic_thanatos.yar", "content": "rule mythic_thanatos {\n meta:\n title = \"Mythic Thanatos Agent\"\n id = \"fd23fe61-b9d4-41e2-98df-aa2b032d49c1\"\n description = \"Detects the Mythic Thanatos C2 agent.\\nThanatos is a cross-platform C2 (command and control) agent designed for post-exploitation activities, supporting both Windows and Linux systems. It is written in Rust and is deployed through the Mythic framework, which is an open-source post-exploitation framework. 
Thanatos enables attackers to maintain persistence, exfiltrate data, and perform various malicious activities within the targeted environment.\"\n references = \"https://github.com/MythicAgents/thanatos\\nhttps://attack.mitre.org/software/S0699/\"\n date = \"2024-02-27\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.s0699;attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Trojan.MythicThanatos\"\n context = \"process,memory,thread,file.pe,file.elf\"\n os = \"Windows,Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fa250b4eb5f01facea781e5c03840e918caf323bcd72b6a4cfd2ebbfa9af5647\n // c08d2e7d839c13c85b0fbcebd8bc667d76cce9a46db5a90d9fcdb0a07ed8fc9f\n\n $s1 = \"Uploading chunk /\" ascii\n $s2 = \"cmd.exe/cCommand status:\" ascii\n $s3 = \"Command '' not found or implemented\" ascii\n $s4 = \"Set new sleep interval to second(s) with a jitter of %\" ascii\n $s5 = \"Changed working hours to\" ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "mythic_thanatos" ], "rule_creation_date": "2024-02-27", "rule_modified_date": "2025-02-27", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Trojan.MythicThanatos" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1569.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nanodump_ad22c0346270_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584828Z", "creation_date": "2026-03-23T11:46:25.584830Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584835Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/" ], "name": "nanodump_ad22c0346270.yar", "content": "rule nanodump_ad22c0346270 {\n meta:\n title = \"NanoDump Hacktool (ad22c0346270)\"\n id = \"173a65a2-dde8-419a-afb5-ad22c0346270\"\n description = \"Detects NanoDump tool, a Windows-based process memory dump utility.\\nNanoDump is primarily used by adversaries to extract sensitive information from LSASS process memory, such as credentials and session tokens.\\nIt is recommended to investigate for any LSASS process access on the affected system.\"\n references = \"https://attack.mitre.org/techniques/T1003/\"\n date = \"2021-12-01\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003\"\n classification = \"Windows.HackTool.NanoDump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_logic_important_modules1 = \"lsasrv.dll\" wide\n $clear_string_logic_important_modules2 = \"samsrv.dll\" wide\n $clear_string_logic_important_modules3 = \"lsadb.dll\" wide\n $clear_string_logic_important_modules4 = \"livessp.dll\" wide\n $clear_string_logic_important_modules5 = \"wdigest.dll\" wide\n $clear_string_logic_important_modules6 = \"kerberos.dll\" wide\n\n $SW2_HashSyscall_x86 = {\n 55 // push rbp\n 89 E5 // mov ebp, esp\n 83 EC 10 // 
sub esp, 0x10\n C7 45 FC 00 00 00 00 // mov dword ptr [rbp - 4], 0\n C7 45 F8 ?? ?? ?? ?? // mov dword ptr [rbp - 8], HASH\n EB 24 // jmp loc_3a\n 8B 45 FC // mov eax, dword ptr [rbp - 4]\n // loc_16:\n 8D 50 01 // lea edx, [rax + 1]\n 89 55 FC // mov dword ptr [rbp - 4], edx\n 8B 55 08 // mov edx, dword ptr [rbp + 8]\n 01 D0 // add eax, edx\n 0F B7 00 // movzx eax, word ptr [rax]\n 66 89 45 F6 // mov word ptr [rbp - 0xa], ax\n 0F B7 55 F6 // movzx edx, word ptr [rbp - 0xa]\n 8B 45 F8 // mov eax, dword ptr [rbp - 8]\n C1 C8 08 // ror eax, 8\n 01 D0 // add eax, edx\n 31 45 F8 // xor dword ptr [rbp - 8], eax\n // loc_3a:\n 8B 55 08 // mov edx, dword ptr [rbp + 8]\n 8B 45 FC // mov eax, dword ptr [rbp - 4]\n 01 D0 // add eax, edx\n 0F B6 00 // movzx eax, byte ptr [rax]\n 84 C0 // test al, al\n 75 CD // jne loc_16\n 8B 45 F8 // mov eax, dword ptr [rbp - 8]\n C9 // leave\n C3 // ret\n }\n\n condition:\n filesize < 200KB and $SW2_HashSyscall_x86 and (all of ($clear_string_logic_important_modules*))\n}\n", "rule_count": 1, "rule_names": [ "nanodump_ad22c0346270" ], "rule_creation_date": "2021-12-01", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.NanoDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nanodump_b91882a92c30_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, 
"is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584451Z", "creation_date": "2026-03-23T11:46:25.584454Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584459Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/" ], "name": "nanodump_b91882a92c30.yar", "content": "rule nanodump_b91882a92c30 {\n meta:\n title = \"NanoDump Hacktool (b91882a92c30)\"\n id = \"316844b5-18dc-4661-b212-b91882a92c30\"\n description = \"Detects NanoDump tool, a Windows-based process memory dump utility.\\nNanoDump is primarily used by adversaries to extract sensitive information from LSASS process memory, such as credentials and session tokens.\\nIt is recommended to investigate for any LSASS process access on the affected system.\"\n references = \"https://attack.mitre.org/techniques/T1003/\"\n date = \"2021-12-01\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003\"\n classification = \"Windows.HackTool.NanoDump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_logic_important_modules1 = \"lsasrv.dll\" wide\n $clear_string_logic_important_modules2 = \"samsrv.dll\" wide\n $clear_string_logic_important_modules3 = \"lsadb.dll\" wide\n $clear_string_logic_important_modules4 = \"livessp.dll\" wide\n $clear_string_logic_important_modules5 = \"wdigest.dll\" wide\n $clear_string_logic_important_modules6 = \"kerberos.dll\" wide\n\n $SW2_HashSyscall_x64 = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 10 // sub rsp, 0x10\n 48 89 4D 10 // mov qword ptr [rbp + 0x10], rcx\n C7 45 FC 00 00 00 00 // mov dword ptr [rbp - 4], 0\n C7 
45 F8 ?? ?? ?? ?? // mov dword ptr [rbp - 8], HASH\n EB 28 // jmp loc_2a\n\n // loc_1c:\n 8B 45 FC // mov eax, dword ptr [rbp - 4]\n 8D 50 01 // lea edx, [rax + 1]\n 89 55 FC // mov dword ptr [rbp - 4], edx\n 89 C2 // mov edx, eax\n 48 8B 45 10 // mov rax, qword ptr [rbp + 0x10]\n 48 01 D0 // add rax, rdx\n 0F B7 00 // movzx eax, word ptr [rax]\n 66 89 45 F6 // mov word ptr [rbp - 0xa], ax\n 0F B7 55 F6 // movzx edx, word ptr [rbp - 0xa]\n 8B 45 F8 // mov eax, dword ptr [rbp - 8]\n C1 C8 08 // ror eax, 8\n 01 D0 // add eax, edx\n 31 45 F8 // xor dword ptr [rbp - 8], eax\n // loc_2a:\n 8B 55 FC // mov edx, dword ptr [rbp - 4]\n 48 8B 45 10 // mov rax, qword ptr [rbp + 0x10]\n 48 01 D0 // add rax, rdx\n 0F B6 00 // movzx eax, byte ptr [rax]\n 84 C0 // test al, al\n 75 C7 // jne loc_1c\n 8B 45 F8 // mov eax, dword ptr [rbp - 8]\n 48 83 C4 10 // add rsp, 0x10\n 5D // pop rbp\n C3 // ret\n }\n\n condition:\n filesize < 200KB and $SW2_HashSyscall_x64 and (all of ($clear_string_logic_important_modules*))\n}\n", "rule_count": 1, "rule_names": [ "nanodump_b91882a92c30" ], "rule_creation_date": "2021-12-01", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.NanoDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nanodump_generic_94e2a9e9667f_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, 
"is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585224Z", "creation_date": "2026-03-23T11:46:25.585226Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585231Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1003/" ], "name": "nanodump_generic_94e2a9e9667f.yar", "content": "rule nanodump_generic_94e2a9e9667f {\n meta:\n title = \"NanoDump Hacktool (94e2a9e9667f)\"\n id = \"ecdc6818-a658-42e5-b4f5-94e2a9e9667f\"\n description = \"Detects NanoDump tool, a Windows-based process memory dump utility.\\nNanoDump is primarily used by adversaries to extract sensitive information from LSASS process memory, such as credentials and session tokens. This activity is commonly associated with credential access techniques (MITRE ATT&CK T1003). 
The rule identifies NanoDump by detecting specific error strings related to LSASS dumping operations, such as errors when the LSASS process is not found or when the dump size is too large.\\nIt is recommended to investigate for any LSASS process access on the affected system.\"\n references = \"https://attack.mitre.org/techniques/T1003/\"\n date = \"2021-11-30\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003\"\n classification = \"Windows.HackTool.NanoDump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_marker_error_sw2_syscall = \"SW2_PopulateSyscallList failed\" ascii\n $clear_string_marker_error_sw2_syscall_not_found = \"syscall with hash 0x%lx not found\" ascii\n $clear_string_marker_error_dump_too_big = \"The dump is too big, please increase DUMP_MAX_SIZE.\" ascii\n $clear_string_marker_error_too_many_processes = \"Too many processes, please increase MAX_PROCESSES\" ascii\n $clear_string_marker_error_lsass_not_found = \"The LSASS process was not found.\" ascii\n $clear_string_marker_error_no_lsass = \"This selected process is not LSASS.\" ascii\n $clear_string_marker_error_wrong_combinaison = \"Can't set both --dup and --fork\" ascii\n $clear_string_marker_lsass_handle_found = \"Found LSASS handle: 0x%x, on process: %ld\" ascii\n $clear_string_marker_lsass_no_handle = \"No handle to the LSASS process was found\" ascii\n $clear_string_marker_usage = \"usage: %s --write C:\\\\Windows\\\\Temp\\\\doc.docx [--valid] [--fork] [--dup] [--pid 1234] [--help]\" ascii\n $clear_string_marker_lsass_usage_pid = \"the PID of LSASS (required if --fork or --dup are used)\" ascii\n $clear_string_marker_invalid_sig1 = \"The minidump has an invalid signature, restore it running:\" ascii\n $clear_string_marker_invalid_sig2 = \"bash restore_signature.sh %s\" ascii\n $clear_string_marker_scretsz1 = \"Done, to get the secretz run:\" ascii\n 
$clear_string_marker_secretz2 = \"python3 -m pypykatz lsa minidump %s\" ascii\n\n condition:\n filesize < 200KB and 7 of ($clear_string_marker_*)\n}\n", "rule_count": 1, "rule_names": [ "nanodump_generic_94e2a9e9667f" ], "rule_creation_date": "2021-11-30", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.NanoDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nbtscan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584716Z", "creation_date": "2026-03-23T11:46:25.584718Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584723Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0590/" ], "name": "nbtscan.yar", "content": "rule nbtscan {\n meta:\n title = \"NBTScan Tool\"\n id = \"4fc49563-efb0-4709-b6d5-45956e0f9371\"\n description = \"Detects the NBTScan tool, a command-line utility used for scanning open NETBIOS name servers.\\nNBTScan is often used during the early stages of an attack for network 
discovery and lateral movement. It can identify active NETBIOS servers and shares on a network, which can be indicative of reconnaissance or unauthorized access attempts.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://attack.mitre.org/software/S0590/\"\n date = \"2021-07-06\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0590;attack.discovery;attack.t1046;attack.t1018;attack.t1016.001\"\n classification = \"Windows.Tool.NBTScan\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // http://www.unixwiz.net/tools/nbtscan.html\n // nbtscan 1.0.35 - 2008-04-08 - http://www.unixwiz.net/tools/\n $nbtscan1_s1 = \"-range-\" ascii\n $nbtscan1_s2 = \"DUMP OF PACKET\" ascii\n $nbtscan1_s3 = \"Dr. Solomon AV Management\" ascii\n $nbtscan1_s4 = \"MLI_GROUP_BRAD\" ascii\n $nbtscan1_s5 = \"-no name-\" ascii\n\n // https://inetcat.org/software/nbtscan.html\n // NBTscan version 1.5.1. 
Copyright (C) 1999-2003 Alla Bezroutchko.\n $nbtscan2_s1 = \"Packet dump for Host %s:\" ascii\n $nbtscan2_s2 = \"NetBIOS Name Table for Host %s:\" ascii\n $nbtscan2_s3 = \"Bad bandwidth value, ignoring it\" ascii\n $nbtscan2_s4 = \"parse_response returned NULL\" ascii\n $nbtscan2_s5 = \"DCA IrmaLan Gateway Server Service\" ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 200KB and (\n (all of ($nbtscan1_*)) or\n (all of ($nbtscan2_*))\n )\n and not filepath matches /C:\\\\Program Files (x86)\\\\Spiceworks\\\\pkg\\\\gems\\\\spiceworks_common-*\\\\nbtscan\\\\spiceworks_netbios_scanner.exe/\n}\n", "rule_count": 1, "rule_names": [ "nbtscan" ], "rule_creation_date": "2021-07-06", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.NBTScan" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1046", "attack.t1018", "attack.t1016.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-netloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568544Z", "creation_date": "2026-03-23T11:46:25.568546Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568552Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Flangvik/NetLoader" ], "name": "netloader.yar", "content": "rule netloader {\n meta:\n title = \"NetLoader Loader\"\n id = \"e9329aeb-83cc-4d98-ad17-867a2d0f0f46\"\n description = \"Detects NetLoader, a generic .NET loader that loads any .NET binary from filepath or URL.\\nIt employs several techniques to evade detection, including patching AMSI (Anti-Malware Scan Interface) to prevent it from detecting malicious code and unhooking ETW (Event Tracing for Windows) to hide its activities.\"\n references = \"https://github.com/Flangvik/NetLoader\"\n date = \"2023-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007;attack.t1140;attack.t1562.001;attack.t1620;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Loader.NetLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 76fe53df3a9befcbe5687e77010eb6a3276081e1da09ab08fb50aa13c32a08d3\n\n $canary = \"80a527b1477265728b8452bbecb40ef18b4ce228e29da6ea7398b1f4d56a05f6\"\n\n $s1 = \"UrethralgiaOrc\" ascii fullword\n $s2 = \"YohimbinizationUninscribed\" ascii fullword\n $s3 = \"HypostomousBuried\" ascii fullword\n $s4 = \"GhostwritingNard\" ascii fullword\n $s5 = \"SecurityProtocolType\" ascii fullword\n\n condition:\n all of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "netloader" ], "rule_creation_date": "2023-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.NetLoader" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027.007", "attack.t1071", "attack.t1562.001", "attack.t1620" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", 
"process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nglite_2bb30fc78e49_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563159Z", "creation_date": "2026-03-23T11:46:25.563163Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563172Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-336a" ], "name": "nglite_2bb30fc78e49.yar", "content": "rule nglite_2bb30fc78e49 {\n meta:\n title = \"NGLite Backdoor (2bb30fc78e49)\"\n id = \"9a85777a-2527-4721-a2a9-2bb30fc78e49\"\n description = \"Detects the NGLite backdoor that uses New Kind of Network (NKN) infrastructure for its command and control (C2) communications.\\nNGLite is a backdoor that leverages obfuscated communication channels and encrypted command execution. 
This rule detects the presence of specific strings and patterns indicative of the NGLite backdoor's operation, including its use of AES-CBC encryption with a default initialization vector (IV) and command execution markers.\\nIt is recommended to dump the affected process and investigate network traffic for potential C2 communication.\"\n references = \"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-336a\"\n date = \"2022-03-02\"\n modified = \"2025-03-20\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1027;attack.t1573.001;attack.t1573.002\"\n classification = \"Windows.Backdoor.NGLite\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // 3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd\n // 5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755\n // c1483179bb71b3e6ca9e7186638773dcd75430f7c1684b7d063c7d9ca7a77609\n // 7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72\n\n $nglite_string_marker_s1 = \"default\" ascii\n $nglite_string_marker_s2 = \"group\" ascii\n // Default AES-CBC IV for NGLite\n $nglite_string_marker_s4 = \"Kasy65xGUhjbzg5f\" ascii\n $nglite_string_marker_s5 = \"cmd\" ascii\n $nglite_string_marker_s6 = \"/c\" ascii\n\n $nglite_runcommand_variant1 = {\n // __golang main_Runcommand:\n 65 48 8b 0c 25 28 00 00 00 // mov rcx, qword ptr gs:[0x28]\n 48 8b 89 00 00 00 00 // mov rcx, qword ptr [rcx]\n 48 3b 61 10 // cmp rsp, qword ptr [rcx + 0x10]\n 0f 86 ?? ?? ?? ?? // jbe go_internal_grow_stack\n\n 48 83 ec ?? // sub rsp, 0xXX\n 48 89 6c 24 ?? // mov qword ptr [rsp + 0xXX], rbp\n 48 8d 6c 24 ?? // lea rbp, [rsp + 0xXX]\n 90 // nop\n 48 8d ?? ?? ?? ?? ?? // lea rax, Commander_type_ptr // Commander type info\n 48 89 04 24 // mov qword ptr [rsp], rax\n e8 ?? ?? ?? ?? 
// call runtime.newobject // tmp_command = command.NewCommand() (type Commander)\n 48 8b 7c 24 08 // mov rdi, qword ptr [rsp + 8]\n 48 8b 44 24 60 // mov rax, qword ptr [rsp + 0x60]\n 48 89 47 08 // mov qword ptr [rdi + 8], rax\n\n 83 3d ?? ?? ?? ?? ?? // cmp cs:runtime.writeBarrier , 0\n 75 ?? // jne go_internal_wait_runtime_barrier\n 48 8b 44 24 58 // mov rax, qword ptr [rsp + 0x58]\n 48 89 07 // mov qword ptr [rdi], rax\n // write_barrier_aquired:\n 48 8d 05 ?? ?? ?? ?? // lea rax, go.itab._ng.com_module_command.WindowsCommand_ng.com_module_command.Commander\n 84 00 // testbyte ptr [rax], al\n 48 8b 05 ?? ?? ?? ?? // mov rax, cs:ng.com_module_command.(_ptr_WindowsCommand).Exec\n 48 8d 0d ?? ?? ?? ?? // lea rcx, runtime.zerobase\n // NOTE: argument offset guarranty by golang calling convention.\n 48 89 0c 24 // mov qword ptr [rsp], rcx // runtime.zerobase\n 48 89 7c 24 08 // mov qword ptr [rsp + 8], rdi // args ptr\n 48 c7 44 24 10 01 00 00 00 // mov qword ptr [rsp + 0x10], 1 // args len\n 48 c7 44 24 18 01 00 00 00 // mov qword ptr [rsp + 0x18], 1 // unknown\n ff d0 // call rax // _, output = tmp_command.Exec(argument)\n 48 8b 44 24 28 // mov rax, qword ptr [rsp + 0x28]\n 48 8b 4c 24 30 // mov rcx, qword ptr [rsp + 0x30]\n 48 89 44 24 68 // mov qword ptr [rsp + 0x68], rax\n 48 89 4c 24 70 // mov qword ptr [rsp + 0x70], rcx\n 48 8b 6c 24 48 // mov rbp, qword ptr [rsp + 0x48]\n 48 83 c4 ?? // add rsp, 0xXX\n c3 // ret\n\n // go_internal_wait_runtime_barrier:\n 48 8b 44 24 ?? // mov rax, qword ptr [rsp + 0xXX]\n e8 ?? ?? ?? ?? // call runtime.gcWriteBarrier\n eb ?? // jmp write_barrier_aquired\n // go_internal_grow_stack:\n e8 ?? ?? ?? ?? // call runtime.morestack_noctxt\n e9 ?? ?? ?? ?? // jmp main_Runcommand\n }\n\n $nglite_runcommand_variant2 = {\n // __golang main_Runcommand:\n 65 48 8b 0c 25 28 00 00 00 // mov rcx, qword ptr gs:[0x28]\n 48 8b 89 00 00 00 00 // mov rcx, qword ptr [rcx]\n 48 3b 61 10 // cmp rsp, qword ptr [rcx + 0x10]\n 0f 86 ?? ?? ?? ?? 
// jbe go_internal_grow_stack\n\n 48 83 ec ?? // sub rsp, 0xXX\n 48 89 6c 24 ?? // mov qword ptr [rsp + 0xXX], rbp\n 48 8d 6c 24 ?? // lea rbp, [rsp + 0xXX]\n 90 // nop\n 48 8d ?? ?? ?? ?? ?? // lea rax, Commander_type_ptr // Commander type info\n 48 89 04 24 // mov qword ptr [rsp], rax\n e8 ?? ?? ?? ?? // call runtime.newobject // tmp_command = command.NewCommand() (type Commander)\n 48 8b 7c 24 08 // mov rdi, qword ptr [rsp + 8]\n 48 8b 44 24 60 // mov rax, qword ptr [rsp + 0x60]\n 48 89 47 08 // mov qword ptr [rdi + 8], rax\n\n 83 3d ?? ?? ?? ?? ?? // cmp cs:runtime.writeBarrier , 0\n 75 ?? // jne go_internal_wait_runtime_barrier\n 48 8b 44 24 58 // mov rax, qword ptr [rsp + 0x58]\n 48 89 07 // mov qword ptr [rdi], rax\n // write_barrier_aquired:\n 48 8d 05 ?? ?? ?? ?? // lea rax, go.itab._ng.com_module_command.WindowsCommand_ng.com_module_command.Commander\n 84 00 // testbyte ptr [rax], al\n 48 8d 05 ?? ?? ?? ?? // lea rax, ng.com_module_command.(_ptr_WindowsCommand).Exec\n // NOTE: argument offset guarranty by golang calling convention.\n 48 89 04 24 // mov qword ptr [rsp], rax // runtime.zerobase\n 48 89 7c 24 08 // mov qword ptr [rsp + 8], rdi // args ptr\n 48 c7 44 24 10 01 00 00 00 // mov qword ptr [rsp + 0x10], 1 // args len\n 48 c7 44 24 18 01 00 00 00 // mov qword ptr [rsp + 0x18], 1 // unknown\n e8 ?? ?? ?? ?? // call runtime.morestack_noctxt // _, output = tmp_command.Exec(argument)\n 48 8b 44 24 28 // mov rax, qword ptr [rsp + 0x28]\n 48 8b 4c 24 30 // mov rcx, qword ptr [rsp + 0x30]\n 48 89 44 24 68 // mov qword ptr [rsp + 0x68], rax\n 48 89 4c 24 70 // mov qword ptr [rsp + 0x70], rcx\n 48 8b 6c 24 48 // mov rbp, qword ptr [rsp + 0x48]\n 48 83 c4 ?? // add rsp, 0xXX\n c3 // ret\n\n // go_internal_wait_runtime_barrier:\n 48 8b 44 24 ?? // mov rax, qword ptr [rsp + 0xXX]\n e8 ?? ?? ?? ?? // call runtime.gcWriteBarrier\n eb ?? // jmp write_barrier_aquired\n // go_internal_grow_stack:\n e8 ?? ?? ?? ?? // call runtime.morestack_noctxt\n e9 ?? ?? ?? ?? 
// jmp main_Runcommand\n }\n\n $nglite_aesdecode_variant1 = {\n 48 81 EC ?? 00 00 00 // sub rsp, 0xXX\n 48 89 AC 24 ?? 00 00 00 // mov qword ptr [rsp + 0xXX], rbp\n 48 8D AC 24 ?? 00 00 00 // lea rbp, [rsp + 0xXX]\n 48 C7 04 24 00 00 00 00 // mov qword ptr [rsp], 0\n 48 8B 84 24 ?? 00 00 00 // mov rax, qword ptr [rsp + 0xXX]\n 48 89 44 24 08 // mov qword ptr [rsp + 8], rax\n 48 8B 84 24 ?? 00 00 00 // mov rax, qword ptr [rsp + 0xXX]\n 48 89 44 24 10 // mov qword ptr [rsp + 0x10], rax\n E8 ?? ?? ?? ?? // call runtime.stringtoslicebyte\n 48 8B 44 24 20 // mov rax, qword ptr [rsp + 0x20]\n 48 8B 4C 24 18 // mov rcx, qword ptr [rsp + 0x18]\n 48 8B 54 24 28 // mov rdx, qword ptr [rsp + 0x28]\n 0F 10 05 2C 1A 11 00 // movups xmm0, xmmword ptr [rip + 0x111a2c]\n 0F 11 44 24 70 // movups xmmword ptr [rsp + 0x70], xmm0\n 48 89 0C 24 // mov qword ptr [rsp], rcx\n 48 89 44 24 08 // mov qword ptr [rsp + 8], rax\n 48 89 54 24 10 // mov qword ptr [rsp + 0x10], rdx\n 48 8D 44 24 ?? // lea rax, [rsp + 0xXX]\n // NOTE: argument offset guarranty by golang calling convention.\n 48 89 44 24 18 // mov qword ptr [rsp + 0x18], rax\n 48 C7 44 24 20 10 00 00 00 // mov qword ptr [rsp + 0x20], 0x10\n 48 C7 44 24 28 10 00 00 00 // mov qword ptr [rsp + 0x28], 0x10\n 48 C7 44 24 30 00 00 00 00 // mov qword ptr [rsp + 0x30], 0\n 0F 57 C0 // xorps xmm0, xmm0\n 0F 11 44 24 38 // movups xmmword ptr [rsp + 0x38], xmm0\n E8 ?? ?? ?? ?? // call ng.com_module_cipher.AesCbcDecrypt\n }\n\n $nglite_aesdecode_variant2 = {\n 48 81 EC ?? 00 00 00 // sub rsp, 0xXX\n 48 89 AC 24 ?? 00 00 00 // mov qword ptr [rsp + 0xXX], rbp\n 48 8D AC 24 ?? 00 00 00 // lea rbp, [rsp + 0xXX]\n 48 C7 04 24 00 00 00 00 // mov qword ptr [rsp], 0\n 48 8B 84 24 ?? 00 00 00 // mov rax, qword ptr [rsp + 0xXX]\n 48 89 44 24 08 // mov qword ptr [rsp + 8], rax\n 48 8B 84 24 ?? 00 00 00 // mov rax, qword ptr [rsp + 0xXX]\n 48 89 44 24 10 // mov qword ptr [rsp + 0x10], rax\n E8 ?? ?? ?? ?? 
// call runtime.stringtoslicebyte\n 48 8B 44 24 18 // mov rax, qword ptr [rsp + 0x18]\n 48 8B 4C 24 20 // mov rcx, qword ptr [rsp + 0x20]\n 48 8B 54 24 28 // mov rdx, qword ptr [rsp + 0x28]\n 48 BB 77 68 61 74 73 77 72 6F // movabs rbx, 0x6f72777374616877\n 48 89 5C 24 70 // mov qword ptr [rsp + 0x70], rbx\n 48 BB 6E 67 77 69 74 68 55 75 // movabs rbx, 0x755568746977676e\n 48 89 5C 24 78 // mov qword ptr [rsp + 0x78], rbx\n 48 89 04 24 // mov qword ptr [rsp], rax\n 48 89 4C 24 08 // mov qword ptr [rsp + 8], rcx\n 48 89 54 24 10 // mov qword ptr [rsp + 0x10], rdx\n 48 8D 44 24 70 // lea rax, [rsp + 0x70]\n 48 89 44 24 18 // mov qword ptr [rsp + 0x18], rax\n 48 C7 44 24 20 10 00 00 00 // mov qword ptr [rsp + 0x20], 0x10\n 48 C7 44 24 28 10 00 00 00 // mov qword ptr [rsp + 0x28], 0x10\n 48 C7 44 24 30 00 00 00 00 // mov qword ptr [rsp + 0x30], 0\n 0F 57 C0 // xorps xmm0, xmm0\n 0F 11 44 24 38 // movups xmmword ptr [rsp + 0x38], xmm0\n E8 ?? ?? ?? ?? // call ng.com_module_cipher.AesCbcDecrypt\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 20MB and 4 of ($nglite_string_marker_s*) and 1 of ($nglite_runcommand_variant*) and 1 of ($nglite_aesdecode_variant*)\n}\n", "rule_count": 1, "rule_names": [ "nglite_2bb30fc78e49" ], "rule_creation_date": "2022-03-02", "rule_modified_date": "2025-03-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.NGLite" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1573.001", "attack.t1573.002", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nglite_f5e8d60b230c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573786Z", "creation_date": "2026-03-23T11:46:25.573790Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573799Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-336a" ], "name": "nglite_f5e8d60b230c.yar", "content": "rule nglite_f5e8d60b230c {\n meta:\n title = \"NGLite Backdoor (f5e8d60b230c)\"\n id = \"4838a9cf-cbb7-4225-aa50-f5e8d60b230c\"\n description = \"Detects the NGLite backdoor that uses New Kind of Network (NKN) infrastructure for its command and control (C2) communications.\\nNGLite is a backdoor that leverages obfuscated communication channels and encrypted command execution. 
This rule detects the presence of specific strings and patterns indicative of the NGLite backdoor's operation, including its use of AES-CBC encryption with a default initialization vector (IV) and command execution markers.\\nIt is recommended to isolate the affected process and investigate network traffic for potential C2 communication.\"\n references = \"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-336a\"\n date = \"2022-03-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1027;attack.t1573.001;attack.t1573.002\"\n classification = \"Windows.Backdoor.NGLite\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // 805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f\n // 3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d\n // 342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae\n\n $nglite_string_marker_s1 = \"default\" ascii\n $nglite_string_marker_s2 = \"group\" ascii\n // Default AES-CBC IV for NGLite\n $nglite_string_marker_s4 = \"Kasy65xGUhjbzg5f\" ascii\n $nglite_string_marker_s5 = \"cmd\" ascii\n $nglite_string_marker_s6 = \"/c\" ascii\n\n $nglite_runcommand_variant1 = {\n // __golang main_Runcommand:\n 64 8B 0D 14 00 00 00 // mov ecx, dword ptr fs:[0x14]\n 8B 89 00 00 00 00 // mov ecx, dword ptr [ecx]\n 3B 61 08 // cmp esp, dword ptr [ecx + 8]\n 76 ?? // jbe go_internal_grow_stack\n\n 83 EC ?? // sub esp, 0xXX\n 90 // nop\n 8D 05 ?? ?? ?? ?? // lea eax, [0xXX] // Commander_type_ptr // Commander type info\n 89 04 24 // mov dword ptr [esp], eax\n E8 ?? ?? ?? ?? // call runtime.newobject // tmp_command = command.NewCommand() (type Commander)\n 8B 7C 24 04 // mov edi, dword ptr [esp + 4]\n 8B 44 24 2C // mov eax, dword ptr [esp + 0x2c]\n 89 47 04 // mov dword ptr [edi + 4], eax\n 8B 05 ?? ?? ?? ?? 
// mov eax, dword ptr [runtime.writeBarrier]\n 85 C0 // test eax, eax\n 75 ?? // jne go_internal_wait_runtime_barrier\n 8B 44 24 28 // mov eax, dword ptr [esp + 0x28]\n 89 07 // mov dword ptr [edi], eax\n\n // write_barrier_aquired:\n 8D 05 ?? ?? ?? ?? // lea eax, [go.itab._ng.com_module_command.WindowsCommand_ng.com_module_command.Commander]\n 84 00 // test byte ptr [eax], al\n 8B 05 ?? ?? ?? ?? // mov eax, dword ptr [ng.com_module_command.(_ptr_WindowsCommand).Exec]\n 8D 0D ?? ?? ?? ?? // lea ecx, [runtime.zerobase]\n\n // NOTE: argument offset guarranty by golang calling convention.\n 89 0C 24 // mov dword ptr [esp], ecx // runtime.zerobase\n 89 7C 24 04 // mov dword ptr [esp + 4], edi // args ptr\n C7 44 24 08 01 00 00 00 // mov dword ptr [esp + 8], 1 // args len\n C7 44 24 0C 01 00 00 00 // mov dword ptr [esp + 0xc], 1 // unknown\n FF D0 // call eax // _, output = tmp_command.Exec(argument)\n 8B 44 24 14 // mov eax, dword ptr [esp + 0x14]\n 8B 4C 24 18 // mov ecx, dword ptr [esp + 0x18]\n 89 44 24 30 // mov dword ptr [esp + 0x30], eax\n 89 4C 24 34 // mov dword ptr [esp + 0x34], ecx\n 83 C4 ?? // add esp, 0xXX\n C3 // ret\n\n // go_internal_wait_runtime_barrier:\n 8B 44 24 ?? // mov eax, dword ptr [esp + 0xXX]\n E8 ?? ?? ?? ?? // call runtime.gcWriteBarrier\n EB ?? // jmp write_barrier_aquired\n E8 ?? ?? ?? ?? // call runtime.morestack_noctxt\n E9 ?? ?? ?? ?? // jmp main_Runcommand\n }\n\n $nglite_runcommand_variant2 = {\n // __golang main_Runcommand:\n 64 8B 0D 14 00 00 00 // mov ecx, dword ptr fs:[0x14]\n 8B 89 00 00 00 00 // mov ecx, dword ptr [ecx]\n 3B 61 08 // cmp esp, dword ptr [ecx + 8]\n 76 ?? // jbe go_internal_grow_stack\n\n 83 EC ?? // sub esp, 0xXX\n 90 // nop\n 8D 05 ?? ?? ?? ?? // lea eax, [0xXX] // Commander_type_ptr // Commander type info\n 89 04 24 // mov dword ptr [esp], eax\n E8 ?? ?? ?? ?? 
// call runtime.newobject // tmp_command = command.NewCommand() (type Commander)\n 8B 7C 24 04 // mov edi, dword ptr [esp + 4]\n 8B 44 24 2C // mov eax, dword ptr [esp + 0x2c]\n 89 47 04 // mov dword ptr [edi + 4], eax\n 8B 05 ?? ?? ?? ?? // mov eax, dword ptr [runtime.writeBarrier]\n 85 C0 // test eax, eax\n 75 ?? // jne go_internal_wait_runtime_barrier\n 8B 44 24 28 // mov eax, dword ptr [esp + 0x28]\n 89 07 // mov dword ptr [edi], eax\n\n // write_barrier_aquired:\n 8D 05 ?? ?? ?? ?? // lea eax, [go.itab._ng.com_module_command.WindowsCommand_ng.com_module_command.Commander]\n 84 00 // test byte ptr [eax], al\n 8D 05 ?? ?? ?? ?? // lea eax, dword ptr [ng.com_module_command.(_ptr_WindowsCommand).Exec]\n\n // NOTE: argument offset guarranty by golang calling convention.\n 89 04 24 // mov dword ptr [rsp], ecx // runtime.zerobase\n 89 7C 24 04 // mov dword ptr [esp + 4], edi // args ptr\n C7 44 24 08 01 00 00 00 // mov dword ptr [esp + 8], 1 // args len\n C7 44 24 0C 01 00 00 00 // mov dword ptr [esp + 0xc], 1 // unknown\n E8 ?? ?? ?? ?? // call NGLite_module_command.(_ptr_WindowsCommand).Exec // _, output = tmp_command.Exec(argument)\n 8B 44 24 14 // mov eax, dword ptr [esp + 0x14]\n 8B 4C 24 18 // mov ecx, dword ptr [esp + 0x18]\n 89 44 24 30 // mov dword ptr [esp + 0x30], eax\n 89 4C 24 34 // mov dword ptr [esp + 0x34], ecx\n 83 C4 ?? // add esp, 0xXX\n C3 // ret\n\n // go_internal_wait_runtime_barrier:\n 8B 44 24 ?? // mov eax, dword ptr [esp + 0xXX]\n E8 ?? ?? ?? ?? // call runtime.gcWriteBarrier\n EB ?? // jmp write_barrier_aquired\n E8 ?? ?? ?? ?? // call runtime.morestack_noctxt\n E9 ?? ?? ?? ?? 
// jmp main_Runcommand\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 15MB and 4 of ($nglite_string_marker_s*) and 1 of ($nglite_runcommand_variant*)\n}\n", "rule_count": 1, "rule_names": [ "nglite_f5e8d60b230c" ], "rule_creation_date": "2022-03-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.NGLite" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1573.001", "attack.t1573.002", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ngrok_tunneling_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "medium", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584920Z", "creation_date": "2026-03-23T11:46:25.584922Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584928Z", "rule_level": "medium", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0508/\nhttps://github.com/inconshreveable/ngrok\nhttps://securelist.com/loki-agent-for-mythic/113596/" ], "name": "ngrok_tunneling.yar", "content": "rule ngrok_tunneling_application {\n meta:\n title = \"Ngrok Tool\"\n id = \"df65b294-725a-4b7b-a151-ae408f04cdc8\"\n description = \"Detects 
Ngrok, a tunneling application used to establish unauthorized connections.\\nNgrok is often employed by attackers to exfiltrate data or gain remote access by creating tunnels through legitimate-looking domains. Recently observed in mid-2024 in conjunction with Mythic Loki campaigns, it poses a significant risk to network security.\\nIt is recommended to determine if this binary is expected in your environment.\"\n references = \"https://attack.mitre.org/software/S0508/\\nhttps://github.com/inconshreveable/ngrok\\nhttps://securelist.com/loki-agent-for-mythic/113596/\"\n date = \"2020-12-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0508;attack.t1572;attack.t1090;attack.t1102;attack.t1567;attack.t1568.002\"\n classification = \"Windows.Tool.Ngrok\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 50\n confidence = \"moderate\"\n\n strings:\n // Detection for these samples:\n // 53cfaee549713fc5da29cea9c0994294c97208ee1866a1d56c54408165a63ca7\n // 65f2bf2bf25524b4b9c41e4ff55ede002cc527aab0840c5bcbeb06f7c245227f\n // 3e625e20d7f00b6d5121bb0a71cfa61f92d658bcd61af2cf5397e0ae28f4ba56\n // 96aa98acfc7b20f08b3fad53f7e3c7ce3d8463d3376e1cc76949b20aa265c403\n // 6c83fe473de9c0e8c571a75f304ca9a2fa8ea4af5d15dfbb9f5d0679ecc3a327\n // 5f8e9fe5156d14ab236213ad6ffe972e484880f8fce9382d28669f254e71c4c7\n\n $s1 = \"go.ngrok.com\" ascii\n $s2 = \".ngrok.com:443\" ascii\n $s3 = \"go.ngrok.com/cmd/ngrok/main.go\" ascii fullword\n\n condition:\n filesize > 1MB and 2 of them\n}\n", "rule_count": 1, "rule_names": [ "ngrok_tunneling_application" ], "rule_creation_date": "2020-12-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Ngrok" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1567", "attack.t1090", "attack.t1572", "attack.t1102", "attack.t1568.002" ], "rule_score": 50, "rule_context": [ "file.pe", "process" ], "source": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nidhogg_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578097Z", "creation_date": "2026-03-23T11:46:25.578099Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578105Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Idov31/Nidhogg" ], "name": "nidhogg_driver.yar", "content": "rule nidhogg_driver {\n meta:\n title = \"NidHogg Windows Driver\"\n id = \"2f1ad6b5-60fc-4ad4-b3a5-637c2f2775d2\"\n description = \"Detects the Nidhogg rootkit driver.\\nThe Nidhogg rootkit driver is designed to hide, protect, and elevate processes and files. 
It performs malicious registry operations and employs defense evasion techniques such as AMSI bypass and ETW patching.\"\n references = \"https://github.com/Idov31/Nidhogg\"\n date = \"2022-10-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1014\"\n classification = \"Windows.Rootkit.Nidhogg\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2c3ca9d0baf3b3b9d41ee59b107b55ea8c8f85f850b8f695cead21ba50b786d5\n\n $s1 = \"\\\\Device\\\\Nidhogg\" fullword wide\n $s2 = \"31122.6172\" fullword wide\n $s3 = \"31105.6171\" fullword wide\n\n // Windows version comparison\n $op1 = {\n 81 ?? ?? ?? AB 3F 00 00 // cmp [rsp+178h+var_158], 3FABh\n 77 ?? // ja short loc_140002CAD\n 81 ?? ?? ?? AB 3F 00 00 // cmp [rsp+178h+var_158], 3FABh\n 74 ?? // jz short loc_140002CE2\n 81 ?? ?? ?? 00 28 00 00 // cmp [rsp+178h+var_158], 2800h\n 74 ?? // jz short loc_140002CE2\n 81 ?? ?? ?? 5A 29 00 00 // cmp [rsp+178h+var_158], 295Ah\n 74 ?? // jz short loc_140002CE2\n 81 ?? ?? ?? 39 38 00 00 // cmp [rsp+178h+var_158], 3839h\n 74 ?? // jz short loc_140002CE2\n 81 ?? ?? ?? D7 3A 00 00 // cmp [rsp+178h+var_158], 3AD7h\n }\n\n // Windows version comparison variant\n $op2 = {\n 2D 00 28 00 00 // sub eax, 2800h\n 74 ?? // jz short loc_140001E0E\n 2D 5A 01 00 00 // sub eax, 15Ah\n 74 ?? // jz short loc_140001E0E\n 2D DF 0E 00 00 // sub eax, 0EDFh\n 74 ?? // jz short loc_140001E0E\n 2D 9E 02 00 00 // sub eax, 29Eh\n 74 ?? // jz short loc_140001E0E\n 2D D4 04 00 00 // sub eax, 4D4h\n 74 ?? // jz short loc_140001E0E\n 2D 43 03 00 00 // sub eax, 343h\n 74 ?? // jz short loc_140001E0E\n 2D 75 02 00 00 // sub eax, 275h\n 74 ?? // jz short loc_140001E0E\n 2D 57 02 00 00 // sub eax, 257h\n 74 ?? 
// jz short loc_140001E07\n }\n\n // Dynamic function address finder\n $op3 = {\n B9 F0 00 00 00 // mov ecx, 0F0h ; 'ð'\n F3 A4 // rep movsb\n B8 08 00 00 00 // mov eax, 8\n 48 6B C0 00 // imul rax, 0\n 83 ?? ?? ?? 00 00 00 00 // cmp [rsp+rax+178h+var_A8], 0\n 75 ?? // jnz short loc_1400027B0\n 48 8D 0D ?? ?? ?? ?? // lea rcx, aNidhoggThereAr ; \"Nidhogg: There are no exports.\\n\"\n E8 ?? ?? ?? ?? // call DbgPrint_0\n 48 ?? ?? ?? ?? // mov rax, [rsp+178h+var_150]\n E9 ?? ?? ?? ?? // jmp loc_1400028AB\n B8 08 00 00 00 // mov eax, 8\n 48 6B C0 00 // imul rax, 0\n }\n\n // Dynamic function address finder variant\n $op4 = {\n 48 81 EC 10 01 00 00 // sub rsp, 110h\n 33 FF // xor edi, edi\n B8 4D 5A 00 00 // mov eax, 5A4Dh\n 48 8B D9 // mov rbx, rcx\n 66 39 01 // cmp [rcx], ax\n 0F 85 ?? ?? ?? ?? // jnz loc_140001BFE\n 48 63 41 3C // movsxd rax, dword ptr [rcx+3Ch]\n 48 03 C1 // add rax, rcx\n 81 38 50 45 00 00 // cmp dword ptr [rax], 4550h\n 0F 85 ?? ?? ?? ?? // jnz loc_140001BFE\n 0F 10 48 28 // movups xmm1, xmmword ptr [rax+28h]\n 48 83 C0 18 // add rax, 18h\n 48 ?? ?? ?? ?? 
// lea rcx, [rsp+138h+var_118]\n 41 B8 80 00 00 00 // mov r8d, 80h ; '€'\n }\n condition:\n uint16(0) == 0x5a4d and filesize < 1MB and 2 of ($s*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "nidhogg_driver" ], "rule_creation_date": "2022-10-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Rootkit.Nidhogg" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1014" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nighthawk_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581403Z", "creation_date": "2026-03-23T11:46:25.581407Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581416Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice" ], "name": "nighthawk_loader.yar", "content": "import \"pe\"\n\nrule nighthawk_loader {\n meta:\n title = \"Nighthawk C2 Loader\"\n id = \"43664410-0082-4f97-b016-fbf106b01c7c\"\n description = \"Detects the Nighthawk Loader.\\nNighthawk is an 
advanced C2 (Command and Control) framework designed for Red Team operations. It is known for its sophisticated capabilities, including extensive defense evasion techniques and the ability to establish persistent communication channels.\\nThe loader is responsible for initializing the C2 client and establishing a connection with the server, often using HTTP or WebSocket protocols for communication. It is commonly used in Red Team exercises to execute malicious payloads and exfiltrate data.\\nIt is recommended to isolate the affected endpoint and perform a detailed network investigation to identify potential C2 infrastructure.\"\n references = \"https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice\"\n date = \"2022-11-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1573.001;attack.defense_evasion;attack.t1562.001;attack.t1140;attack.t1027.002;attack.t1027.009\"\n classification = \"Windows.Framework.Nighthawk\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94\n\n $loader_find_main = {\n 48 8D 0D ?? ?? ?? ?? // lea rcx, start\n 51 // push rcx\n 5A // pop rdx\n 48 81 C1 ?? ?? ?? ?? // add rcx, 4E20h\n 48 81 C2 ?? ?? ?? ?? // add rdx, 2764h\n FF E2 // jmp rdx\n }\n\n condition:\n // This sample contains a packed .text section and .uxgbxcl is not a known section name.\n // Since there is no sign of encryption in this sample, this might indicate that Nighthawk\n // may assign a random section name. 
More investigation is required, but we are limited in samples. Note that the condition below requires the literal .uxgbxcl section name, so this rule is tied to the analysed sample and will not match a build that uses a different section name; treat it as a sample-specific signature rather than a family-wide detection.
\"Obfuscated Nighthawk C2 Payload\"\n id = \"a607161c-9934-42e9-934d-a6b057451bb9\"\n description = \"Detects obfuscated Nighthawk C2 payloads.\\nNighthawk is an advanced C2 framework commonly used in Red Team operations. It employs various obfuscation techniques to establish command and control communication while avoiding detection. This rule identifies characteristics of its obfuscated payloads, such as specific API calls and junk code commonly found in its samples.\"\n references = \"https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice\"\n date = \"2022-11-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1573.001;attack.defense_evasion;attack.t1562.001;attack.t1140;attack.t1027.002;attack.t1027.009\"\n classification = \"Windows.Framework.Nighthawk\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ea7a1363c5f304c206bc8450ed1d4b14d76eb492a1011b8f2c1d2f218de8c770\n\n $nop_function = {\n 48 89 44 ?? ?? // mov [rsp+38h+hHandle], rax\n 48 8B 4C ?? ?? // mov rcx, [rsp+38h+hHandle] ; hHandle\n BA FF FF FF FF // mov edx, 0FFFFFFFFh ; dwMilliseconds\n FF ?? ?? ?? ?? ?? // call cs:__imp_WaitForSingleObject\n 31 D2 // xor edx, edx\n 89 44 ?? ?? 
// mov [rsp+38h+var_C], eax\n 89 D0 // mov eax, edx\n 48 83 C4 38 // add rsp, 38h\n }\n\n $junk_code_1 = {\n 41 80 CF 00 // or r15b, 0\n }\n\n $junk_code_2 = {\n 83 C0 00 // add eax, 0\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n all of ($junk_code_*)\n and $nop_function\n and pe.exports(\"nop\")\n )\n}\n", "rule_count": 1, "rule_names": [ "nighthawk_payload_obfs" ], "rule_creation_date": "2022-11-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Nighthawk" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1562.001", "attack.t1027.009", "attack.t1573.001", "attack.t1027.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nighthawk_payload_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581328Z", "creation_date": "2026-03-23T11:46:25.581330Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581336Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice\nhttps://github.com/JLeow00/malwarebytes-crackme-3" ], "name": "nighthawk_payload.yar", "content": "import \"pe\"\n\nrule nighthawk_payload {\n meta:\n title = \"Nighthawk C2 Payload\"\n id = \"35dfe321-5583-4b0d-b40c-d1340dec3adf\"\n description = \"Detects the Nighthawk C2 Payload.\\nNighthawk is an advanced C2 framework commonly used in red teaming operations. It features robust defense evasion techniques and is detected through its specific section structure and use of the Detours library for hooking. The detection focuses on the presence of the .detourc and .profile sections, which are indicative of Nighthawk's unique configuration and execution mechanisms.\"\n references = \"https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice\\nhttps://github.com/JLeow00/malwarebytes-crackme-3\"\n date = \"2022-11-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1573.001;attack.defense_evasion;attack.t1562.001;attack.t1140;attack.t1027.002;attack.t1027.009\"\n classification = \"Windows.Framework.Nighthawk\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8\n // 0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988\n\n $hash_func = {\n 66 D1 E9 // shr cx, 1\n 66 C1 E0 05 // shl ax, 5\n 66 33 D0 // xor dx, ax\n 66 C1 E2 0A // shl dx, 0Ah\n 66 0B D1 // or dx, cx\n 0F B7 D2 // movzx edx, dx\n 8B CA // mov ecx, edx\n 0F B7 C2 // movzx eax, dx\n C1 E9 02 // shr ecx, 2\n 33 CA // xor ecx, edx\n }\n\n condition:\n // The .profile section contains a configuration profile for the C2\n // that may or may not be prepended with an AES 128bit key.\n\n 
// The .detourc and .detourd sections are indicative of a Microsoft\n // library called Detours, used in this case for inline hooking.\n\n // This is used to create proxy functions for execution and obfuscation.\n // This technique has been seen in a CrackMe from a MalwareBytes CTF in 2021. See references for details.\n uint16(0) == 0x5a4d and (\n $hash_func\n and pe.section_index(\".detourc\")\n and pe.section_index(\".profile\")\n )\n}\n", "rule_count": 1, "rule_names": [ "nighthawk_payload" ], "rule_creation_date": "2022-11-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Nighthawk" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1562.001", "attack.t1027.009", "attack.t1573.001", "attack.t1027.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nighthawk_pe_embed_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581299Z", "creation_date": "2026-03-23T11:46:25.581301Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581307Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
The detection also looks for a VirtualAlloc call made with MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_READWRITE (4) and a size taken from the embedded payload length, the allocation pattern a loader uses to stage shellcode in memory.
// mov eax, cs:shellcode_len\n 89 C0 // mov eax, eax\n 41 B9 04 00 00 00 // mov r9d, 4 ; flProtect\n 41 B8 00 30 00 00 // mov r8d, 3000h ; flAllocationType\n 48 89 C2 // mov rdx, rax ; dwSize\n B9 00 00 00 00 // mov ecx, 0 ; lpAddress\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:__imp_VirtualAlloc\n FF D0 // call rax ; __imp_VirtualAlloc\n }\n\n $pe_header = { 4D 5A 90 00 03 00 00 00 }\n\n condition:\n uint16(0) == 0x5a4d and (\n #pe_header > 1\n and $virtual_alloc\n and all of ($embedded_segment_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "nighthawk_pe_embed" ], "rule_creation_date": "2022-11-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Nighthawk" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1562.001", "attack.t1027.009", "attack.t1573.001", "attack.t1027.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nimgrabber_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568007Z", "creation_date": "2026-03-23T11:46:25.568009Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568015Z", "rule_level": "critical", 
The tool harvests Discord tokens from browser data stored under the user's local application data directory and submits them to Discord's API; a stolen token grants access to the account without the password.
20 67 // mov dword ptr [eax+0Ch], 6720736Eh\n C7 40 10 72 61 62 62 // mov dword ptr [eax+10h], 62626172h\n C7 40 14 65 64 20 62 // mov dword ptr [eax+14h], 62206465h\n C7 40 18 79 20 4E 69 // mov dword ptr [eax+18h], 694E2079h\n C7 40 1C 6D 47 72 61 // mov dword ptr [eax+1Ch], 6172476Dh\n C7 40 20 62 62 65 72 // mov dword ptr [eax+20h], 72656262h\n C7 40 24 5F 5F 2A 2A // mov dword ptr [eax+24h], 2A2A5F5Fh\n }\n\n $nimgrabber2 = {\n C7 00 3E 0A 2A 2A // mov dword ptr [eax], 2A2A0A3Eh\n C7 40 04 5F 5F 54 6F // mov dword ptr [eax+4], 6F545F5Fh\n C7 40 08 6B 65 6E 73 // mov dword ptr [eax+8], 736E656Bh\n C7 40 0C 20 67 72 61 // mov dword ptr [eax+0Ch], 61726720h\n C7 40 10 62 62 65 64 // mov dword ptr [eax+10h], 64656262h\n C7 40 14 20 62 79 20 // mov dword ptr [eax+14h], 20796220h\n C7 40 18 4E 69 6D 47 // mov dword ptr [eax+18h], 476D694Eh\n C7 40 1C 72 61 62 62 // mov dword ptr [eax+1Ch], 62626172h\n C7 40 20 65 72 5F 5F // mov dword ptr [eax+20h], 5F5F7265h\n C7 40 24 2A 2A 3A 20 // mov dword ptr [eax+24h], 203A2A2Ah\n }\n\n condition:\n (all of ($s*)) or\n ($s1 and 1 of ($nimgrabber*))\n}\n", "rule_count": 1, "rule_names": [ "nimgrabber" ], "rule_creation_date": "2024-03-25", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.NimGrabber" ], "rule_tactic_tags": [ "attack.collection", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567", "attack.t1005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_injectedthread_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, 
Detects suspicious Nim binaries whose strings (Nim osproc process-spawning artifacts together with CreateProcessW and SuspendThread) are consistent with thread-injection capability. This is a heuristic rather than a family signature, so benign Nim tooling that spawns and suspends processes may also match.
The technique allows the injected code to execute in the context of a legitimate process, making it harder to identify and block.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/adamsvoboda/nim-loader\"\n date = \"2023-08-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055.003\"\n classification = \"Windows.Generic.SuspiciousNim\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 08da5891d1fc0a0ef45cf8076d7fa780b780a253cbf3fdbfff76b6495fc4e7fa\n // 9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a\n\n $s1 = \"fatal.nim\" ascii fullword\n\n // https://github.com/nim-lang/Nim/blob/devel/lib/pure/osproc.nim\n // strings related to startProcess() usage\n $s2 = \"@Requested command not found: '$1'. 
OS error:\" ascii fullword\n $s3 = \"@\\\\\\\\.\\\\pipe\\\\stdin\" ascii fullword\n $s4 = \"@\\\\\\\\.\\\\pipe\\\\stdout\" ascii fullword\n\n $s5 = \"CreateProcessW\" ascii fullword\n $s6 = \"SuspendThread\" ascii fullword\n\n condition:\n uint16(0) == 0x5a4d and all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "nim_injectedthread" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.SuspiciousNim" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_loader_632d32916eb0_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573075Z", "creation_date": "2026-03-23T11:46:25.573077Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573083Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/" ], "name": "nim_loader_632d32916eb0.yar", "content": "rule nim_loader_632d32916eb0 {\n meta:\n title = \"Malicious Nim Loader 
Nim is popular with attackers because its toolchain produces small native binaries that many signature-based detections do not cover. This loader locates syscall stubs at runtime and carries base64-encoded NT API names (NtWaitForSingleObject, NtAlertResumeThread), a combination consistent with direct-syscall based payload injection and thread resumption.
Failed to Get Syscall Stub:\" ascii fullword\n $s5 = \"@[*] Found Syscall Stub:\" ascii fullword\n $s6 = \"@TnRXYWl0Rm9yU2luZ2xlT2JqZWN0\" ascii fullword\n $s7 = \"@TnRBbGVydFJlc3VtZVRocmVhZA==\" ascii fullword\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "nim_loader_632d32916eb0" ], "rule_creation_date": "2023-03-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.UnknownNim" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_loader_b49415641661_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568607Z", "creation_date": "2026-03-23T11:46:25.568609Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568615Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/" ], "name": "nim_loader_b49415641661.yar", "content": "rule nim_loader_b49415641661 {\n meta:\n title = \"Malicious Nim Loader (b49415641661)\"\n id = 
These loaders are often designed to execute malicious payloads while avoiding analysis and can implement various anti-debugging and anti-analysis techniques.
FF FF // call sub_14000577D\n 45 31 C0 // xor r8d, r8d\n 48 85 C0 // test rax, rax\n 74 03 // jz short loc_140007B11\n 4C 8B 00 // mov r8, [rax]\n\n // loc_140007B11:\n 49 89 DA // mov r10, rbx\n 0F B6 D7 // movzx edx, bh\n 49 89 D9 // mov r9, rbx\n 49 C1 FA 10 // sar r10, 10h\n 49 C1 F9 18 // sar r9, 18h\n 31 C9 // xor ecx, ecx\n 44 31 D2 // xor edx, r10d\n 31 DA // xor edx, ebx\n 44 31 CA // xor edx, r9d\n\n // loc_140007B2C:\n 4C 39 C1 // cmp rcx, r8\n 7D 09 // jge short loc_140007B3A\n 30 54 08 10 // xor [rax+rcx+10h], dl\n 48 FF C1 // inc rcx\n EB F2 // jmp short loc_140007B2C\n\n // loc_140007B3A:\n 48 83 C4 20 // add rsp, 20h\n 5B // pop rbx\n C3 // retn\n }\n\n // sub_140007AA5\n $dynamic2 = {\n 8D 14 0B // lea edx, [rbx+rcx]\n 32 54 08 10 // xor dl, [rax+rcx+10h]\n 4D 89 C2 // mov r10, r8\n 49 C1 FA 08 // sar r10, 8\n 44 31 D2 // xor edx, r10d\n 4D 89 C2 // mov r10, r8\n 49 C1 F8 18 // sar r8, 18h\n 49 C1 FA 10 // sar r10, 10h\n 44 31 D2 // xor edx, r10d\n 44 31 C2 // xor edx, r8d\n 88 54 08 10 // mov [rax+rcx+10h], dl\n 48 FF C1 // inc rcx\n EB CC // jmp short loc_140007ABF\n }\n\n condition:\n uint16(0) == 0x5a4d and $s1 and 1 of ($dynamic*)\n}\n", "rule_count": 1, "rule_names": [ "nim_loader_b49415641661" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.UnknownNim" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_loader_plugx_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
Detects the Nim-based PlugX loader used in campaigns attributed to Mustang Panda (also tracked as RedDelta).
77bf6981bcce892d9c3e7a7dc30f85437fd93791074e17f2b8e3fb34b7a6abcd\n // b46c3eb310330fe9f4e56102ef6a7c6d897d93d4d441d5e0fd9840881dcb37bf\n // a3917b4f8f172c8915d124b8bdf33ad60a5c07b88c736867584f0623bee28d5e\n // 288e79407daae7ae9483ef789d035d464cf878a611db453675ba1a2f6beb1a03\n // b4cdff82abbe24dcd123525ca2c6aae86bb39c2ff6914f0e539a3d00f47f82fc\n // 711d1e6a3045d7c81cd9e9b005e5571f4f3e31c1a7d387634b6826372fbdde75\n // 65f4208e7335b4a3c5f091a7801420b3e7b3fe5d774357dec2198200f369bc2a\n // ee9c935adae0d830cdc0fccd12b19c32be4f15dffcf454a9d807016ce59ff9a9\n\n $s_api_hashing_V1 = {\n 31 D2 // xor edx, edx\n 6A 00 // push 0\n (68 ED AD 31 0A|68 F0 9E 3A 23|68 7D B7 18 0C|68 A5 F0 55 65|68 25 F6 10 53|68 A5 EA 5E 50|68 61 64 DA 13|68 50 94 2A 71|68 77 A3 35 5E|68 07 99 C5 20|68 22 94 39 07|68 33 97 27 75|68 60 99 7D 23|68 31 AF 18 3D|68 0F 91 39 3C|68 21 A3 3D 3F)\n E8 [2] FF FF // call api_hashing\n 80 7D 00 00 // cmp byte ptr [ebp+0], 0\n 0F 85 // jnz loc_1000F24D\n }\n\n $s_api_hashing_V2 = {\n 6A 00 // push 0\n (68 ED AD 31 0A|68 F0 9E 3A 23|68 7D B7 18 0C|68 A5 F0 55 65|68 25 F6 10 53|68 A5 EA 5E 50|68 61 64 DA 13|68 50 94 2A 71|68 77 A3 35 5E|68 07 99 C5 20|68 22 94 39 07|68 33 97 27 75|68 60 99 7D 23|68 31 AF 18 3D|68 0F 91 39 3C|68 21 A3 3D 3F)\n 33 D2 // xor edx, edx\n A3 [1] 43 02 10 // mov dword_100243CC, eax\n 8B CF // mov ecx, edi\n E8 [2] FF FF // call sub_10007E36\n 80 3E 00 // cmp byte ptr [esi], 0\n 75 // jnz short loc_100086E9\n }\n\n $s_api_hashing_V3 = {\n 55 // push ebp\n (68 ED AD 31 0A|68 F0 9E 3A 23|68 7D B7 18 0C|68 A5 F0 55 65|68 25 F6 10 53|68 A5 EA 5E 50|68 61 64 DA 13|68 50 94 2A 71|68 77 A3 35 5E|68 07 99 C5 20|68 22 94 39 07|68 33 97 27 75|68 60 99 7D 23|68 31 AF 18 3D|68 0F 91 39 3C|68 21 A3 3D 3F)\n 33 D2 // xor edx, edx\n A3 [1] 16 02 10 // mov dword_100216E8, eax\n 8B CE // mov ecx, esi\n E8 [2] FF FF // call sub_10005CD4\n 55 // push ebp\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "nim_loader_plugx" ], 
"rule_creation_date": "2024-09-25", "rule_modified_date": "2025-05-13", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Loader.PlugxNimLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_patchamsi_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576663Z", "creation_date": "2026-03-23T11:46:25.576665Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576671Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/adamsvoboda/nim-loader\nhttps://github.com/maninwire/nimLoader/blob/main/nimLoader.nim" ], "name": "nim_patchamsi.yar", "content": "rule nim_patchamsi {\n meta:\n title = \"Nim patchAMSI\"\n id = \"4e0c8bae-ceaf-404a-b0b8-e96bcb1aca41\"\n description = \"Detects suspicious code written in the Nim programming language that can patch the AMSI (Antimalware Scan Interface).\\nAMSI is a security feature that allows applications and services to integrate with security products, widely used by EDR 
solutions.\\nAttackers often attempt to disable AMSI to hide malicious activities.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/adamsvoboda/nim-loader\\nhttps://github.com/maninwire/nimLoader/blob/main/nimLoader.nim\"\n date = \"2023-08-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1562.006\"\n classification = \"Windows.Generic.NimAMSIBypass\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 01d14c58acdc8a46a28f4cff81589ff50b8a1843bfef8174fc4f7e734df5a190\n // 6d98c8bdb20a85ef44677f3e7eed32c9fee0c18354e3365c28e11cb6130a8794\n\n $s1 = \"fatal.nim\" ascii fullword\n $s2 = \"AmsiScanBuffer\" ascii fullword\n $s3 = \"@amsi\" ascii fullword\n\n $loadlib = {\n 4C 8D ?? ?? ?? ?? 00 // lea r8, unk_14000F740\n 48 85 C9 // test rcx, rcx\n 74 0A // jz short loc_140005286\n 48 83 39 00 // cmp qword ptr [rcx], 0\n 74 04 // jz short loc_140005286\n 4C 8D 41 10 // lea r8, [rcx+10h]\n\n // loc_140005286:\n 4C 89 C1 // mov rcx, r8\n 48 FF 25 ?? ?? ?? 00 // jmp cs:__imp_LoadLibraryA\n }\n\n $patch1 = {\n 41 C7 ?? ?? B8 57 00 07 // mov dword ptr [r12], 70057B8h\n 4C 8D 4C 24 2C // lea r9, [rsp+48h+var_1C]\n 44 8B 44 24 28 // mov r8d, [rsp+48h+var_20]\n 4C 89 ?? // mov rcx, r12\n 66 41 C7 [1-2] ?? 80 C3 // mov word ptr [r12+4], 0C380h\n BA 06 00 00 00 // mov edx, 6\n FF 13 // call qword ptr [rbx] (VirtualProtect)\n }\n\n $patch2 = {\n C7 44 ?? ?? B8 57 00 07 // mov [rsp+88h+var_46], 70057B8h\n 66 C7 ?? ?? ?? 80 C3 // mov [rsp+88h+var_42], 0C380h\n E8 ?? ?? ?? ?? 
// call sub_1400083B0\n }\n\n condition:\n (uint16(0) == 0x5a4d and all of ($s*)) or\n (all of ($s*) and $loadlib and 1 of ($patch*))\n}\n", "rule_count": 1, "rule_names": [ "nim_patchamsi" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.NimAMSIBypass" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1562.006" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_patchetw_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572009Z", "creation_date": "2026-03-23T11:46:25.572013Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572022Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/adamsvoboda/nim-loader\nhttps://github.com/maninwire/nimLoader/blob/main/nimLoader.nim" ], "name": "nim_patchetw.yar", "content": "rule nim_patchetw {\n meta:\n title = \"Nim patchETW\"\n id = \"aadf076f-afab-4476-a791-7bd9fe4b28bb\"\n description = \"Detects suspicious code using Nim programming language that can patch ETWs (Event 
Tracing for Windows).\\nETW is a feature that provides telemetry data from kernel and user space and is widely used by EDR (Endpoint Detection & Response) solutions.\\nAttackers often disable host-based sensors like ETWs to hide their malicious activities.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/adamsvoboda/nim-loader\\nhttps://github.com/maninwire/nimLoader/blob/main/nimLoader.nim\"\n date = \"2023-08-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.006\"\n classification = \"Windows.Generic.NimETWBypass\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2a1cddb87aae7ef1561f5fd99ec558c1bf2db6988bc3621aa386845186bc9350\n\n $s1 = \"fatal.nim\" ascii fullword\n $s2 = \"@ntdll\" ascii fullword\n\n $f1 = \"NtTraceEvent\" ascii fullword\n $f2 = \"EtwEventWrite\" ascii fullword\n\n $loadlib = {\n 4C 8D ?? ?? ?? ?? 00 // lea r8, unk_14000F740\n 48 85 C9 // test rcx, rcx\n 74 0A // jz short loc_140005286\n 48 83 39 00 // cmp qword ptr [rcx], 0\n 74 04 // jz short loc_140005286\n 4C 8D 41 10 // lea r8, [rcx+10h]\n\n // loc_140005286:\n 4C 89 C1 // mov rcx, r8\n 48 FF 25 ?? ?? ?? 00 // jmp cs:__imp_LoadLibraryA\n }\n\n $patch_nttraceevent = {\n 66 41 C7 04 24 C3 90 // mov word ptr [r12], 90C3h\n 4C 8D 4C 24 2C // lea r9, [rsp+48h+var_1C]\n BA 03 00 00 00 // mov edx, 3\n 4C 89 E1 // mov rcx, r12\n 41 C6 44 24 02 90 // mov byte ptr [r12+2], 90h\n 44 8B 44 24 28 // mov r8d, [rsp+48h+var_20]\n FF 13 // call qword ptr [rbx] (VirtualProtect)\n }\n\n $patch_etweventwrite1 = {\n 41 C6 45 00 C3 // mov byte ptr [r13+0], 0C3h\n 4C 8D 4C 24 2C // lea r9, [rsp+48h+var_1C]\n 44 8B 44 24 28 // mov r8d, [rsp+48h+var_20]\n 4C 89 ?? 
// mov rcx, r13\n BA 01 00 00 00 // mov edx, 1\n FF 13 // call qword ptr [rbx] (VirtualProtect)\n }\n\n $patch_etweventwrite2 = {\n 41 B9 01 00 00 00 // mov r9d, 1\n 4C 8D ?? ?? ?? 00 00 // lea r8, unk_14001E008\n 48 89 C1 // mov rcx, rax\n 48 8D 44 24 48 // lea rax, [rsp+68h+var_20]\n 48 89 44 24 20 // mov [rsp+68h+var_48], rax\n E8 ?? ?? ?? ?? // call sub_140012045\n }\n\n condition:\n (uint16(0) == 0x5a4d and all of ($s*) and 1 of ($f*)) or\n (all of ($s*) and 1 of ($f*) and $loadlib and 1 of ($patch_*))\n}\n", "rule_count": 1, "rule_names": [ "nim_patchetw" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.NimETWBypass" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.006" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nimplant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573522Z", "creation_date": "2026-03-23T11:46:25.573524Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573530Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/chvancooten/NimPlant" ], "name": "nimplant.yar", "content": "rule nimplant {\n meta:\n title = \"NimPlant\"\n id = \"2ed64efb-f61a-46ce-b8aa-8261a4ca0599\"\n description = \"Detects lightweight first-stage C2 implant of NimPlant.\\nNimPlant has been adopted by red team operations and security researchers for stealth command and control activities.\\nNimPlant follows the philosophy of \\\"evasion through benign functionality\\\" and is designed to blend in with legitimate traffic.\\nThis implant has been observed in penetration testing engagements and was highlighted as a preferred choice by prominent security researchers since 2021.\\nNimPlant implements encrypted HTTPS communication and can deploy additional payloads via dynamic invocation.\"\n references = \"https://github.com/chvancooten/NimPlant\"\n date = \"2025-03-28\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Trojan.NimImplant\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b8a49d5a3669a344760d3314c10285d77925edf9c3c5ad3b811d58b206836a85\n // e192e15e0b9ba7633b75cc999b34f2767fa0c104863a988f089f4439dfc12aa6\n // ca14c9e2ea339dbf54c66f453cbe5c6a6a1d39df53f658fbd9b3dba16d95809a\n // 6bea235ca0425778f4ed3dbdd180b79598829e010e4897d0f4fde9166b35e185\n // 03ac041a85be1856f8d886e396474fbe669292c338616f1d47e3f8ce8385a8d9\n // a0fd909ac4bee33ba5f243dfbdef41bd72407fdd066669f9368a55eb846da49c\n // 1e7ce4a0923b5d2b5a45f9a999e0ba52e6b809dd3271a4cc9ca96a07d5c94f81\n // db115c247367b8a7eb88310edcc097c6f60e82350c15122947cdff56b2c12003\n\n $nim1 = \"fatal.nim\" ascii fullword\n $nim2 = \"NimMain\" ascii fullword\n\n $s_nim1 = \"getAv\" ascii fullword\n $s_nim2 = \"getLocalAdm\" ascii fullword\n $s_nim3 = \"@NimPlant v\" ascii fullword\n $s_nim4 = \"@X-Identifier\" ascii fullword\n $s_nim5 = 
\"adler32_simd.nim\" ascii fullword\n $s_nim6 = \"zippy.nim\" ascii fullword\n $s_nim7 = \"puppy.nim\" ascii fullword\n\n $listener1 = \"killDate\" ascii\n $listener2 = \"userAgent\" ascii\n $listener3 = \"listenerType\" ascii\n $listener4 = \"listenerRegPath\" ascii\n $listener5 = \"listenerTaskPath\" ascii\n\n $config1 = \"# NIMPLANT CONFIGURATION\" ascii\n $config2 = \"# Enable Ekko sleep mask instead of a regular sleep() call\" ascii\n $config3 = \"# Configure the kill date for Nimplants (format: yyyy-MM-dd)\" ascii\n $config4 = \"# Configure the user-agent that NimPlants use to connect\" ascii\n\n $x1 = {\n 48 89 DA // mov rdx, rbx\n 48 83 C3 01 // add rbx, 1\n 48 C1 FA 18 // sar rdx, 18h\n 42 30 54 20 08 // xor [rax+r12+8], dl\n 49 83 C4 01 // add r12, 1\n 0F ?? ?? FF FF FF // jno loc_38FABA865\n }\n\n $x2 = {\n 48 89 DA // mov rdx, rbx\n 48 C1 FA 10 // sar rdx, 10h\n 42 30 54 20 08 // xor [rax+r12+8], dl\n 48 8B 44 24 48 // mov rax, qword ptr [rsp+78h+var_38+8]\n 48 85 C0 // test rax, rax\n 0F ?? ?? 
FF FF FF // jnz loc_38FABA907\n }\n\n $s_rust1 = \"%Y-%m-%d %H:%M[FILE][DIR]\"\n $s_rust2 = \"%Y-%m-%d %H:%Msrc/app/commands/\" ascii\n $s_rust3 = \"HKEY_CURRENT_CONFIGadddeleteunknown1cmd/CSystem.Reflection.AssemblySystem.Reflection.Assembly\" ascii\n $s_rust4 = \"System.Management.Automation.Runspaces.Runspace CreateRunspace()DisposeOpenCommands\"\n $s_rust5 = \"X-IdentifierX-Unique-IDContent-Typeapplication/jsonapplication/octet-stream\" ascii\n $s_rust6 = \"__imp____imp_ntdll.dllNtOpenProcessNtAllocateVirtualMemoryNtWriteVirtualMemoryNtProtectVirtualMemoryNtCreateThreadExNimPlant v\"\n $s_rust7 = \"src\\\\app\\\\commands\\\\execute_assembly.rs\" ascii\n\n condition:\n (\n 1 of ($nim*) and\n (\n uint16(0) == 0x5a4d and\n 4 of ($s_nim*)\n )\n or\n (\n all of ($x*)\n )\n or\n (\n 3 of ($listener*) and\n 1 of ($config*)\n )\n )\n or\n (\n 2 of ($s_rust*)\n )\n}\n", "rule_count": 1, "rule_names": [ "nimplant" ], "rule_creation_date": "2025-03-28", "rule_modified_date": "2025-05-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.NimImplant" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nimshellcodeloader_59dbafdddef1_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.573026Z", "creation_date": "2026-03-23T11:46:25.573030Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573039Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/aeverj/NimShellCodeLoader\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671" ], "name": "nimshellcodeloader_59dbafdddef1.yar", "content": "rule nimshellcodeloader_59dbafdddef1 {\n meta:\n title = \"NimShellCodeLoader (59dbafdddef1)\"\n id = \"07c710c6-f7c4-424a-93b5-59dbafdddef1\"\n description = \"Detects NimShellCodeLoader, a shellcode loader for Windows.\\nIt uses various system functions to locate and inject shellcode into target processes, enabling persistence and privilege escalation.\\nThe rule identifies patterns associated with its memory allocation and injection techniques, including the use of functions like VirtualAlloc and memmove to prepare and execute shellcode payloads.\"\n references = \"https://github.com/aeverj/NimShellCodeLoader\\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671\"\n date = \"2024-03-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1005;attack.exfiltration;attack.t1567\"\n classification = \"Windows.Loader.NimShellCodeLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d34bc5060dd7e433bd11f16fb7f2ef289511476a2ba32721078483fbc0372024\n // 41f40f8bbaeaeb811e5a9f8ba7870e6165fc749fe1121d09da30b127291ef351\n // 40f8ca4c9f19d0330e42c98b9d0396b9f0caf191c6a544df4e4edb6837ed542c\n // ff261192a1defd66fcd5924e04c04cf255859beda3a02bb58dfe6d3e211d9c04\n\n // 
EnumChildWindows.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumChildWindows.nim\n $enum_child_windows_s1 = \"parseHexStr\" ascii fullword\n $enum_child_windows_s2 = \"EnumChildWindows\" ascii fullword\n\n $enum_child_windows_x1 ={\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_child_windows_x2 ={\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 45 31 C0 // xor r8d, r8d ; lParam\n 31 C9 // xor ecx, ecx ; hWndParent\n 48 89 C2 // mov rdx, rax ; lpEnumFunc\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumChildWindows\n 90 // nop\n }\n\n // EnumDesktopW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumDesktopW.nim\n $enum_desktopw_s1 = \"parseHexStr\" ascii fullword\n $enum_desktopw_s2 = \"EnumDesktopsW\" ascii fullword\n\n $enum_desktopw_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 
00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_desktopw_x2 = {\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CD // mov r13, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 EA // mov rdx, r13 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 49 89 C4 // mov r12, rax\n E8 ?? ?? ?? 00 // call memmove\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetProcessWindowStation\n 45 31 C0 // xor r8d, r8d ; lParam\n 4C 89 E2 // mov rdx, r12 ; lpEnumFunc\n 48 89 C1 // mov rcx, rax ; hwinsta\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumDesktopsW\n 90 // nop\n }\n\n // EnumDesktopWindows.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumDesktopWindows.nim\n $enum_desktop_windows_s1 = \"parseHexStr\" ascii fullword\n $enum_desktop_windows_s2 = \"EnumDesktopWindows\" ascii fullword\n\n $enum_desktop_windows_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_desktop_windows_x2 = {\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CD // mov r13, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 
00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 EA // mov rdx, r13 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 49 89 C4 // mov r12, rax\n E8 ?? ?? ?? 00 // call memmove\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetCurrentThreadId\n 89 C1 // mov ecx, eax ; dwThreadId\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetThreadDesktop\n 45 31 C0 // xor r8d, r8d ; lParam\n 4C 89 E2 // mov rdx, r12 ; lpfn\n 48 89 C1 // mov rcx, rax ; hDesktop\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumDesktopWindows\n 90 // nop\n }\n\n // EnumDirTreeW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumDirTreeW.nim\n $enum_dir_tree_s1 = \"parseHexStr\" ascii fullword\n $enum_dir_tree_s2 = \"EnumDirTreeW\" ascii fullword\n\n $enum_dir_tree_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_dir_tree_x2 = {\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 48 89 F2 // mov rdx, rsi ; dwSize\n 31 C9 // xor ecx, ecx ; lpAddress\n 49 89 C4 // mov r12, rax\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 EA // mov rdx, r13 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 00 // call memmove\n 48 8B 35 ?? ?? ?? 
00 // mov rsi, cs:__imp_GetCurrentProcess\n FF D6 // call rsi ; __imp_GetCurrentProcess\n 41 B8 01 00 00 00 // mov r8d, 1\n 31 D2 // xor edx, edx\n 48 89 C1 // mov rcx, rax\n 41 FF D4 // call r12\n FF D6 // call rsi ; __imp_GetCurrentProcess\n 48 89 5C 24 20 // mov [rsp+478h+var_458], rbx\n 4C 8D 4C 24 3C // lea r9, [rsp+478h+var_43C]\n 4C 8D 05 ?? ?? ?? 00 // lea r8, aLog ; \"*.log\"\n 48 C7 44 24 28 00 00 00 00 // mov [rsp+478h+var_450], 0\n 48 89 C1 // mov rcx, rax\n 48 8D 15 ?? ?? ?? 00 // lea rdx, aCWindows ; \"C:\\\\Windows\"\n FF D7 // call rdi\n 90 // nop\n }\n\n // EnumDisplayMonitors.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumDisplayMonitors.nim\n $enum_display_monitors_s1 = \"parseHexStr\" ascii fullword\n $enum_display_monitors_s2 = \"EnumDisplayMonitors\" ascii fullword\n\n $enum_display_monitors_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_display_monitors_x2 = {\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 45 31 C9 // xor r9d, r9d ; dwData\n 31 D2 // xor edx, edx ; lprcClip\n 31 C9 // xor ecx, ecx ; hdc\n 49 89 C0 // mov r8, rax ; lpfnEnum\n FF 15 ?? ?? ?? 
00 // call cs:__imp_EnumDisplayMonitors\n 90 // nop\n }\n\n // EnumFontFamiliesExW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumFontFamiliesExW.nim\n $enum_font_familiesex_s1 = \"parseHexStr\" ascii fullword\n $enum_font_familiesex_s2 = \"EnumFontFamiliesExW\" ascii fullword\n\n $enum_font_familiesex_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_font_familiesex_x2 = {\n 48 81 EC 98 00 00 00 // sub rsp, 98h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D6 // mov rsi, rdx\n 49 89 CC // mov r12, rcx\n 48 8D 7C 24 34 // lea rdi, [rsp+0B8h+Logfont]\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 00 // call memmove\n 31 C0 // xor eax, eax\n B9 17 00 00 00 // mov ecx, 17h ; hWnd\n F3 AB // rep stosd\n C6 44 24 4B 01 // mov [rsp+0B8h+Logfont.lfCharSet], 1\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetDC\n 48 8D 54 24 34 // lea rdx, [rsp+0B8h+Logfont] ; lpLogfont\n 45 31 C9 // xor r9d, r9d ; lParam\n 49 89 D8 // mov r8, rbx ; lpProc\n C7 44 24 20 00 00 00 00 // mov [rsp+0B8h+dwFlags], 0 ; dwFlags\n 48 89 C1 // mov rcx, rax ; hdc\n FF 15 ?? ?? ?? 
00 // call cs:__imp_EnumFontFamiliesExW\n 90 // nop\n }\n\n // EnumFontFamiliesW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumFontFamiliesW.nim\n $enum_font_familiesw_s1 = \"parseHexStr\" ascii fullword\n $enum_font_familiesw_s2 = \"EnumFontFamiliesW\" ascii fullword\n\n $enum_font_familiesw_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F27\n\n // sub_140006F4F\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E9 ?? ?? FF FF // jmp sub_140006ED0\n\n // sub_140006F68\n EB E5 // jmp short sub_140006F4F\n }\n\n $enum_font_familiesw_x2 = {\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D6 // mov rsi, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 00 // call memmove\n 31 C9 // xor ecx, ecx ; hWnd\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetDC\n 45 31 C9 // xor r9d, r9d ; lParam\n 49 89 D8 // mov r8, rbx ; lpProc\n 31 D2 // xor edx, edx ; lpLogfont\n 48 89 C1 // mov rcx, rax ; hdc\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumFontFamiliesW\n 31 C0 // xor eax, eax\n 48 83 C4 20 // add rsp, 20h\n 5B // pop rbx\n 5E // pop rsi\n 41 5C // pop r12\n C3 // retn\n }\n\n // EnumFontsW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumFontsW.nim\n $enum_fontsw_s1 = \"parseHexStr\" ascii fullword\n $enum_fontsw_s2 = \"EnumFontsW\" ascii fullword\n\n $enum_fontsw_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? 
FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F27\n\n // sub_140006F4F\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E9 ?? ?? FF FF // jmp sub_140006ED0\n\n // sub_140006F68\n EB E5 // jmp short sub_140006F4F\n }\n\n $enum_fontsw_x2 = {\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D6 // mov rsi, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 00 // call memmove\n 31 C9 // xor ecx, ecx ; hWnd\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetDC\n 45 31 C9 // xor r9d, r9d ; lParam\n 49 89 D8 // mov r8, rbx ; lpProc\n 31 D2 // xor edx, edx ; lpLogfont\n 48 89 C1 // mov rcx, rax ; hdc\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumFontsW\n 31 C0 // xor eax, eax\n 48 83 C4 20 // add rsp, 20h\n 5B // pop rbx\n 5E // pop rsi\n 41 5C // pop r12\n C3 // retn\n }\n\n // EnumLanguageGroupLocalesW.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumLanguageGroupLocalesW.nim\n $enum_language_group_localesw_s1 = \"parseHexStr\" ascii fullword\n $enum_language_group_localesw_s2 = \"EnumLanguageGroupLocalesW\" ascii fullword\n\n $enum_language_group_localesw_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 
00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_language_group_localesw_x2 = {\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 45 31 C9 // xor r9d, r9d ; lParam\n 45 31 C0 // xor r8d, r8d ; dwFlags\n BA 0D 00 00 00 // mov edx, 0Dh ; LanguageGroup\n 48 89 C1 // mov rcx, rax ; lpLangGroupLocaleEnumProc\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumLanguageGroupLocalesW\n 90 // nop\n }\n\n // EnumObjects.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/EnumObjects.nim\n $enum_objects_s1 = \"parseHexStr\" ascii fullword\n $enum_objects_s2 = \"EnumObjects\" ascii fullword\n\n $enum_objects_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F0E\n\n // sub_140006F36\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $enum_objects_x2 = {\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D6 // mov rsi, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 
00 // call memmove\n 31 C9 // xor ecx, ecx ; hWnd\n FF 15 ?? ?? ?? 00 // call cs:__imp_GetDC\n 45 31 C9 // xor r9d, r9d ; lParam\n 49 89 D8 // mov r8, rbx ; lpFunc\n BA 02 00 00 00 // mov edx, 2 ; nType\n 48 89 C1 // mov rcx, rax ; hdc\n FF 15 ?? ?? ?? 00 // call cs:__imp_EnumObjects\n 90 // nop\n }\n\n condition:\n (all of ($enum_child_windows_s*) and 1 of ($enum_child_windows_x*)) or\n (all of ($enum_desktopw_s*) and 1 of ($enum_desktopw_x*)) or\n (all of ($enum_desktop_windows_s*) and 1 of ($enum_desktop_windows_x*)) or\n (all of ($enum_dir_tree_s*) and 1 of ($enum_dir_tree_x*)) or\n (all of ($enum_display_monitors_s*) and 1 of ($enum_display_monitors_x*)) or\n (all of ($enum_font_familiesex_s*) and 1 of ($enum_font_familiesex_x*)) or\n (all of ($enum_font_familiesw_s*) and 1 of ($enum_font_familiesw_x*)) or\n (all of ($enum_fontsw_s*) and 1 of ($enum_fontsw_x*)) or\n (all of ($enum_language_group_localesw_s*) and 1 of ($enum_language_group_localesw_x*)) or\n (all of ($enum_objects_s*) and 1 of ($enum_objects_x*))\n}\n", "rule_count": 1, "rule_names": [ "nimshellcodeloader_59dbafdddef1" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.NimShellCodeLoader" ], "rule_tactic_tags": [ "attack.collection", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567", "attack.t1005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nimshellcodeloader_be89caf9af0f_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582692Z", "creation_date": "2026-03-23T11:46:25.582695Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582704Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/aeverj/NimShellCodeLoader\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671" ], "name": "nimshellcodeloader_be89caf9af0f.yar", "content": "rule nimshellcodeloader_be89caf9af0f {\n meta:\n title = \"NimShellCodeLoader (be89caf9af0f)\"\n id = \"44251f54-5e87-46c0-b7bd-be89caf9af0f\"\n description = \"Detects NimShellCodeLoader, a shellcode loader for Windows.\\nNimShellCodeLoader is a sophisticated malware tool designed to inject and execute shellcode within processes on Windows systems.\\nIt employs various techniques including timer queue timers, thread injection, APC injection, and event-driven mechanisms to establish persistence and execute malicious payloads.\\nThe tool is often used in attacks to bypass process integrity checks and maintain stealth.\"\n references = \"https://github.com/aeverj/NimShellCodeLoader\\nhttps://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671\"\n date = \"2024-03-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1005;attack.exfiltration;attack.t1567\"\n classification = \"Windows.Loader.NimShellCodeLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
d34bc5060dd7e433bd11f16fb7f2ef289511476a2ba32721078483fbc0372024\n // 41f40f8bbaeaeb811e5a9f8ba7870e6165fc749fe1121d09da30b127291ef351\n // 40f8ca4c9f19d0330e42c98b9d0396b9f0caf191c6a544df4e4edb6837ed542c\n // ff261192a1defd66fcd5924e04c04cf255859beda3a02bb58dfe6d3e211d9c04\n\n // CreateTimerQueueTimer_Tech.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CreateTimerQueueTimer_Tech.nim\n $create_timer_queue_timer_tech_s1 = \"parseHexStr\" ascii fullword\n $create_timer_queue_timer_tech_s2 = \"WaitForSingleObject failed (%d)\\n\" ascii fullword\n\n $create_timer_queue_timer_tech_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB ?? // jmp short sub_140006F81\n\n // sub_140006FA9\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14002C580\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14002C570\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $create_timer_queue_timer_tech_x2 = {\n 48 83 EC ?? // sub rsp, 50h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n [6]\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n [6]\n 48 89 C1 // mov rcx, rax ; void *\n 48 89 C3 // mov rbx, rax\n E8 ?? ?? ?? 00 // call memmove\n FF 15 ?? ?? ?? 00 // call cs:__imp_CreateTimerQueue\n 45 31 C9 // xor r9d, r9d ; lpName\n 45 31 C0 // xor r8d, r8d ; bInitialState\n 31 C9 // xor ecx, ecx ; lpEventAttributes\n [3]\n BA 01 00 00 00 // mov edx, 1 ; bManualReset\n FF 15 ?? ?? ?? 00 // call cs:__imp_CreateEventA\n [25]\n C7 44 24 28 00 00 00 00 // mov [rsp+68h+Period], 0 ; Period\n C7 44 24 20 64 00 00 00 // mov [rsp+68h+DueTime], 64h ; 'd' ; DueTime\n FF 15 ?? ?? ?? 
00 // call cs:__imp_CreateTimerQueueTimer\n 85 C0 // test eax, eax\n 75 0C // jnz short loc_40807D\n 48 8D 0D ?? ?? ?? 00 // lea rcx, aFail ; \"Fail\"\n E8 ?? ?? ?? 00 // call sub_41D100\n }\n\n // OEP_Hiijack_Inject_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/OEP_Hiijack_Inject_Load.nim\n $oep_hiijack_inject_load_s1 = \"parseHexStr\" ascii fullword\n $oep_hiijack_inject_load_s2 = \"ResumeThread\" ascii fullword\n\n $oep_hiijack_inject_load_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140007057\n\n // sub_14000707F\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C560\n 48 63 10 // movsxd rdx, dword ptr [rax]\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C550\n 48 8B 08 // mov rcx, [rax]\n E9 ?? ?? FF FF // jmp sub_140006ED0\n\n // sub_140007098\n EB E5 // jmp short sub_14000707F\n }\n\n $oep_hiijack_inject_load_x2 = {\n 48 8D 44 24 60 // lea rax, [rsp+28h+ProcessInformation]\n 48 C7 44 24 38 00 00 00 00 // mov [rsp+28h+lpCurrentDirectory], 0 ; lpCurrentDirectory\n 48 8D BC 24 20 01 00 00 // lea rdi, [rsp+28h+arg_F0]\n 48 89 44 24 48 // mov [rsp+28h+lpProcessInformation], rax ; lpProcessInformation\n 48 8D 84 24 A8 00 00 00 // lea rax, [rsp+28h+StartupInfo]\n 48 89 44 24 40 // mov [rsp+28h+lpStartupInfo], rax ; lpStartupInfo\n 48 C7 44 24 30 00 00 00 00 // mov [rsp+28h+lpEnvironment], 0 ; lpEnvironment\n C7 44 24 28 04 00 00 00 // mov dword ptr [rsp+28h], 4 ; dwCreationFlags\n C7 44 24 20 00 00 00 00 // mov [rsp+28h+bInheritHandles], 0 ; bInheritHandles\n FF 15 ?? ?? ?? 
00 // call cs:__imp_CreateProcessA\n 48 8D 44 24 54 // lea rax, [rsp+28h+ReturnLength]\n 48 8B 4C 24 60 // mov rcx, [rsp+28h+ProcessInformation.hProcess] ; ProcessHandle\n 31 D2 // xor edx, edx ; ProcessInformationClass\n 48 89 44 24 20 // mov qword ptr [rsp+28h+bInheritHandles], rax ; ReturnLength\n 4C 8D 44 24 78 // lea r8, [rsp+28h+arg_48] ; ProcessInformation\n 41 B9 30 00 00 00 // mov r9d, 30h ; '0' ; ProcessInformationLength\n E8 ?? ?? ?? 00 // call NtQueryInformationProcess\n 48 8B 4C 24 60 // mov rcx, [rsp+28h+ProcessInformation.hProcess] ; hProcess\n 4C 8D 44 24 58 // lea r8, [rsp+28h+Buffer] ; lpBuffer\n 48 8B 84 24 80 00 00 00 // mov rax, [rsp+28h+arg_50]\n 4C 8B 25 ?? ?? ?? 00 // mov r12, cs:__imp_ReadProcessMemory\n 41 B9 08 00 00 00 // mov r9d, 8 ; nSize\n 48 C7 44 24 58 00 00 00 00 // mov [rsp+28h+Buffer], 0\n 48 C7 44 24 20 00 00 00 00 // mov qword ptr [rsp+28h+bInheritHandles], 0 ; lpNumberOfBytesRead\n 48 8D 50 10 // lea rdx, [rax+10h] ; lpBaseAddress\n 41 FF D4 // call r12 ; __imp_ReadProcessMemory\n 89 D8 // mov eax, ebx\n B9 FC 03 00 00 // mov ecx, 3FCh\n 48 8B 54 24 58 // mov rdx, [rsp+28h+Buffer] ; lpBaseAddress\n F3 AB // rep stosd\n 4C 8D 84 24 10 01 00 00 // lea r8, [rsp+28h+arg_E0] ; lpBuffer\n 48 8B 4C 24 60 // mov rcx, [rsp+28h+ProcessInformation.hProcess] ; hProcess\n 48 C7 84 24 10 01 00 00 00 00 00 00 // mov [rsp+28h+arg_E0], 0\n 48 C7 44 24 20 00 00 00 00 // mov qword ptr [rsp+28h+bInheritHandles], 0 ; lpNumberOfBytesRead\n 41 B9 00 10 00 00 // mov r9d, 1000h ; nSize\n 48 C7 84 24 18 01 00 00 00 00 00 00 // mov [rsp+28h+arg_E8], 0\n 41 FF D4 // call r12 ; __imp_ReadProcessMemory\n 48 8B 4C 24 60 // mov rcx, [rsp+28h+ProcessInformation.hProcess] ; hProcess\n 49 89 E9 // mov r9, rbp ; nSize\n 49 89 F0 // mov r8, rsi ; lpBuffer\n 48 63 84 24 4C 01 00 00 // movsxd rax, [rsp+28h+arg_11C]\n 8B 94 04 38 01 00 00 // mov edx, [rsp+rax+28h+arg_108]\n 48 03 54 24 58 // add rdx, [rsp+28h+Buffer] ; lpBaseAddress\n 48 C7 44 24 20 00 00 00 00 // 
mov qword ptr [rsp+28h+bInheritHandles], 0 ; lpNumberOfBytesWritten\n FF 15 ?? ?? ?? 00 // call cs:__imp_WriteProcessMemory\n 48 8B 4C 24 68 // mov rcx, [rsp+28h+ProcessInformation.hThread] ; hThread\n FF 15 ?? ?? ?? 00 // call cs:__imp_ResumeThread\n 31 C0 // xor eax, eax\n 48 81 C4 10 11 00 00 // add rsp, 1110h\n }\n\n // Thread_Hiijack_Inject_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/Thread_Hiijack_Inject_Load.nim\n $thread_hiijack_inject_load_s1 = \"parseHexStr\" ascii fullword\n $thread_hiijack_inject_load_s2 = \"Thread32First\" ascii fullword\n\n $thread_hiijack_inject_load_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140007057\n\n // sub_14000707F\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C560\n 48 63 10 // movsxd rdx, dword ptr [rax]\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C550\n 48 8B 08 // mov rcx, [rax]\n E9 ?? ?? FF FF // jmp sub_140006ED0\n\n // sub_140007098\n EB E5 // jmp short sub_14000707F\n }\n\n $thread_hiijack_inject_load_x2 = {\n 8B 7C 24 58 // mov edi, [rsp+688h+pe.th32ProcessID]\n 31 D2 // xor edx, edx ; bInheritHandle\n C7 84 24 B0 01 00 00 0B 00 10 00 // mov [rsp+688h+Context.ContextFlags], 10000Bh\n B9 FF 0F 1F 00 // mov ecx, 1F0FFFh ; dwDesiredAccess\n C7 44 24 34 1C 00 00 00 // mov [rsp+688h+te.dwSize], 1Ch\n 41 89 F8 // mov r8d, edi ; dwProcessId\n FF 15 ?? ?? ?? 00 // call cs:__imp_OpenProcess\n 49 89 F0 // mov r8, rsi ; dwSize\n 31 D2 // xor edx, edx ; lpAddress\n 41 B9 00 30 00 00 // mov r9d, 3000h ; flAllocationType\n 49 89 C5 // mov r13, rax\n C7 44 24 20 40 00 00 00 // mov [rsp+688h+flProtect], 40h ; '@' ; flProtect\n 48 89 C1 // mov rcx, rax ; hProcess\n FF 15 ?? ?? ?? 
00 // call cs:__imp_VirtualAllocEx\n 49 89 F1 // mov r9, rsi ; nSize\n 48 8D 74 24 34 // lea rsi, [rsp+688h+te]\n 4C 89 E9 // mov rcx, r13 ; hProcess\n 48 C7 44 24 20 00 00 00 00 // mov qword ptr [rsp+688h+flProtect], 0 ; lpNumberOfBytesWritten\n 48 89 C3 // mov rbx, rax\n 49 89 E8 // mov r8, rbp ; lpBuffer\n 48 89 C2 // mov rdx, rax ; lpBaseAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_WriteProcessMemory\n 48 89 F2 // mov rdx, rsi ; lpte\n 4C 89 E1 // mov rcx, r12 ; hSnapshot\n E8 ?? ?? ?? 00 // call Thread32First\n EB 20 // jmp short loc_140006FC0\n }\n\n // APC_Ijnect_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/APC_Ijnect_Load.nim\n $apc_inject_load_s1 = \"parseHexStr\" ascii fullword\n $apc_inject_load_s2 = \"QueueUserAPC\" ascii fullword\n\n $apc_inject_load_x1 = {\n 48 8D 4C 24 38 // lea rcx, [rsp+1D8h+var_1A0]\n E8 ?? ?? ?? 00 // call sub_14002B080\n 31 C0 // xor eax, eax\n 48 81 C4 A0 01 00 00 // add rsp, 1A0h\n 5B // pop rbx\n 5E // pop rsi\n 5F // pop rdi\n 5D // pop rbp\n 41 5C // pop r12\n 41 5D // pop r13\n 41 5E // pop r14\n C3 // retn\n\n // sub_1400070D3\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_140036C70\n 48 63 10 // movsxd rdx, dword ptr [rax] ; nSize\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_140036C60\n 48 8B 08 // mov rcx, [rax] ; lpBuffer\n E9 ?? ?? 
FF FF // jmp sub_140006EF8\n\n // sub_1400070EC\n EB E5 // jmp short sub_1400070D3\n }\n\n $apc_inject_load_x2 = {\n // loc_140007072\n 48 39 DF // cmp rdi, rbx\n 74 3E // jz short loc_1400070B5\n 44 8B 03 // mov r8d, [rbx] ; dwThreadId\n BA 01 00 00 00 // mov edx, 1 ; bInheritHandle\n B9 FF 03 1F 00 // mov ecx, 1F03FFh ; dwDesiredAccess\n FF D5 // call rbp ; __imp_OpenThread\n 48 89 C2 // mov rdx, rax ; hThread\n 45 31 C0 // xor r8d, r8d ; dwData\n 48 89 F1 // mov rcx, rsi ; pfnAPC\n 41 FF D4 // call r12 ; __imp_QueueUserAPC\n B9 D0 07 00 00 // mov ecx, 7D0h ; dwMilliseconds\n 41 FF D5 // call r13 ; __imp_Sleep\n 48 83 C3 04 // add rbx, 4\n EB D2 // jmp short loc_140007072\n }\n\n // Early_Bird_APC_Injetc_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/Early_Bird_APC_Injetc_Load.nim\n $early_bird_apc_injetc_load_s1 = \"parseHexStr\" ascii fullword\n $early_bird_apc_injetc_load_s2 = \"QueueUserAPC\" ascii fullword\n\n $early_bird_apc_injetc_load_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140007057\n\n // sub_14000707F\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C560\n 48 63 10 // movsxd rdx, dword ptr [rax]\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_14002C550\n 48 8B 08 // mov rcx, [rax]\n E9 ?? ?? 
FF FF // jmp sub_140006ED0\n\n // sub_140007098\n EB E5 // jmp short sub_14000707F\n }\n\n $early_bird_apc_injetc_load_x2 = {\n 48 C7 44 24 38 00 00 00 00 // mov [rsp+108h+lpCurrentDirectory], 0 ; lpCurrentDirectory\n 48 89 44 24 48 // mov [rsp+108h+lpProcessInformation], rax ; lpProcessInformation\n 48 8D 44 24 68 // lea rax, [rsp+108h+StartupInfo]\n 48 89 44 24 40 // mov [rsp+108h+lpStartupInfo], rax ; lpStartupInfo\n 48 C7 44 24 30 00 00 00 00 // mov [rsp+108h+lpEnvironment], 0 ; lpEnvironment\n C7 44 24 28 04 00 00 00 // mov [rsp+108h+dwCreationFlags], 4 ; dwCreationFlags\n C7 44 24 20 00 00 00 00 // mov [rsp+108h+bInheritHandles], 0 ; bInheritHandles\n FF 15 ?? ?? ?? 00 // call cs:__imp_CreateProcessA\n 4C 8B 74 24 50 // mov r14, [rsp+108h+ProcessInformation.hProcess]\n 49 89 D8 // mov r8, rbx ; dwSize\n 31 D2 // xor edx, edx ; lpAddress\n 4C 8B 6C 24 58 // mov r13, [rsp+108h+ProcessInformation.hThread]\n C7 44 24 20 40 00 00 00 // mov [rsp+108h+bInheritHandles], 40h ; '@' ; flProtect\n 41 B9 00 10 00 00 // mov r9d, 1000h ; flAllocationType\n 4C 89 F1 // mov rcx, r14 ; hProcess\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAllocEx\n 49 89 D9 // mov r9, rbx ; nSize\n 49 89 F0 // mov r8, rsi ; lpBuffer\n 4C 89 F1 // mov rcx, r14 ; hProcess\n 48 C7 44 24 20 00 00 00 00 // mov qword ptr [rsp+108h+bInheritHandles], 0 ; lpNumberOfBytesWritten\n 49 89 C4 // mov r12, rax\n 48 89 C2 // mov rdx, rax ; lpBaseAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_WriteProcessMemory\n 45 31 C0 // xor r8d, r8d ; dwData\n 4C 89 EA // mov rdx, r13 ; hThread\n 4C 89 E1 // mov rcx, r12 ; pfnAPC\n FF 15 ?? ?? ?? 00 // call cs:__imp_QueueUserAPC\n 4C 89 E9 // mov rcx, r13 ; hThread\n FF 15 ?? ?? ?? 
00 // call cs:__imp_ResumeThread\n 31 C0 // xor eax, eax\n 48 81 C4 D8 00 00 00 // add rsp, 0D8h\n }\n\n // Direct_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/Direct_Load.nim\n $direct_load_s1 = \"parseHexStr\" ascii fullword\n\n $direct_load_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140001B58\n E8 ?? ?? FF FF // call sub_1400056FD\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_1400063F3\n\n // sub_14000641B\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_1400CC780\n 48 63 10 // movsxd rdx, dword ptr [rax]\n 48 8B ?? ?? ?? ?? 00 // mov rax, cs:off_1400CC770\n 48 8B 08 // mov rcx, [rax]\n EB 8B // jmp short sub_1400063BC\n\n // sub_140006431\n EB E8 // jmp short sub_14000641B\n }\n\n $direct_load_x2 = {\n 41 54 // push r12\n 57 // push rdi\n 56 // push rsi\n 48 83 EC 20 // sub rsp, 20h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 30 00 00 // mov r8d, 3000h ; flAllocationType\n 49 89 D4 // mov r12, rdx\n 48 89 CE // mov rsi, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 4C 89 E1 // mov rcx, r12\n 48 89 C7 // mov rdi, rax\n F3 A4 // rep movsb\n FF D0 // call rax\n 31 C0 // xor eax, eax\n 48 83 C4 20 // add rsp, 20h\n 5E // pop rsi\n 5F // pop rdi\n 41 5C // pop r12\n C3 // retn\n }\n\n // Thread_Pool_Wait.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/Thread_Pool_Wait.nim\n $thread_pool_wait_s1 = \"parseHexStr\" ascii fullword\n $thread_pool_wait_s2 = \"CreateThreadpoolWait\" ascii fullword\n $thread_pool_wait_s3 = \"SetThreadpoolWait\" ascii fullword\n\n $thread_pool_wait_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140006063\n E8 ?? ?? FF FF // call sub_140006420\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_1400068DF\n\n // sub_140006907\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14001D8C0\n 8B 10 // mov edx, [rax] ; argv\n 48 8B 05 ?? ?? ?? 
00 // mov rax, cs:off_14001D8B0\n 48 8B 08 // mov rcx, [rax] ; argc\n E8 ?? ?? FF FF // call main\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n E9 ?? ?? FF FF // jmp sub_140006014\n }\n\n $thread_pool_wait_x2 = {\n 89 D9 // mov ecx, ebx\n 48 89 C7 // mov rdi, rax\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14001D660\n 45 31 C9 // xor r9d, r9d\n F3 A4 // rep movsb\n 31 D2 // xor edx, edx\n 41 B8 01 00 00 00 // mov r8d, 1\n FF 10 // call qword ptr [rax] ; CreateEventW\n 45 31 C0 // xor r8d, r8d\n 31 D2 // xor edx, edx\n 4C 89 E1 // mov rcx, r12\n 49 89 C5 // mov r13, rax\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14001D640\n FF 10 // call qword ptr [rax] ; CreateThreadPoolWait\n 4C 89 EA // mov rdx, r13\n 45 31 C0 // xor r8d, r8d\n 48 89 C1 // mov rcx, rax\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14001D650\n FF 10 // call qword ptr [rax] ; SetThreadpoolWait\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14001D630\n 83 CA FF // or edx, 0FFFFFFFFh\n 4C 89 E9 // mov rcx, r13\n 48 8B 00 // mov rax, [rax]\n 48 83 C4 20 // add rsp, 20h\n 5B // pop rbx\n 5E // pop rsi\n 5F // pop rdi\n 41 5C // pop r12\n 41 5D // pop r13\n 48 FF E0 // jmp rax ; WaitForSingleObject\n }\n\n // Fiber_Load.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/Fiber_Load.ni\n $fiber_load_s1 = \"parseHexStr\" ascii fullword\n $fiber_load_s2 = \"ConvertThreadToFiber\" ascii fullword\n $fiber_load_s3 = \"SwitchToFiber\" ascii fullword\n\n $fiber_load_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_14000521B\n E8 ?? ?? FF FF // call sub_1400055E0\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140005CBF\n\n // sub_140005CE7\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005CA00\n 8B 10 // mov edx, [rax] ; argv\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005C9F0\n 48 8B 08 // mov rcx, [rax] ; argc\n E8 ?? ?? FF FF // call main\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n E9 ?? ?? 
FF FF // jmp sub_1400051CC\n }\n\n $fiber_load_x2 = {\n 89 D9 // mov ecx, ebx\n 48 89 C7 // mov rdi, rax\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005C790\n F3 A4 // rep movsb\n FF 10 // call qword ptr [rax] ; ConvertThreadToFiber\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005C770\n 4C 89 E2 // mov rdx, r12\n 45 31 C0 // xor r8d, r8d\n 4C 89 E9 // mov rcx, r13\n FF 10 // call qword ptr [rax] ; CreateFiber\n 49 89 C4 // mov r12, rax\n 48 89 C1 // mov rcx, rax\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005C7A0\n FF 10 // call qword ptr [rax] ; SwitchToFiber\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14005C780\n 4C 89 E1 // mov rcx, r12\n 48 8B 00 // mov rax, [rax]\n 48 83 C4 20 // add rsp, 20h\n 5B // pop rbx\n 5E // pop rsi\n 5F // pop rdi\n 41 5C // pop r12\n 41 5D // pop r13\n 48 FF E0 // jmp rax ; DeleteFiber\n }\n\n // CertEnumSystemStore.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CertEnumSystemStore.nim\n $cert_enum_system_store_s1 = \"parseHexStr\" ascii fullword\n $cert_enum_system_store_s2 = \"CertEnumSystemStore\" ascii fullword\n\n $cert_enum_system_store_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F13\n\n // sub_140006F3B\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $cert_enum_system_store_x2 = {\n 41 54 // push r12\n 53 // push rbx\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 
00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 45 31 C0 // xor r8d, r8d ; pvArg\n 31 D2 // xor edx, edx ; pvSystemStoreLocationPara\n B9 00 00 01 00 // mov ecx, 10000h ; dwFlags\n 49 89 C1 // mov r9, rax ; pfnEnum\n FF 15 ?? ?? ?? 00 // call cs:__imp_CertEnumSystemStore\n 90 // nop\n }\n\n // CertEnumSystemStoreLocation.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CertEnumSystemStoreLocation.nim\n $cert_enum_system_store_location_s1 = \"parseHexStr\" ascii fullword\n $cert_enum_system_store_location_s2 = \"CertEnumSystemStoreLocation\" ascii fullword\n\n $cert_enum_system_store_location_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140001B58\n E8 ?? ?? FF FF // call sub_1400056FD\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_1400063ED\n\n // sub_140006415\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006B660\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006B650\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_1400063B0\n 90 // nop\n }\n\n $cert_enum_system_store_location_x2 = {\n 41 54 // push r12\n 53 // push rbx\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 31 D2 // xor edx, edx ; pvArg\n 31 C9 // xor ecx, ecx ; dwFlags\n 49 89 C0 // mov r8, rax ; pfnEnum\n FF 15 ?? ?? ?? 
00 // call cs:__imp_CertEnumSystemStoreLocation\n 90 // nop\n }\n\n // CopyFile2.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CopyFile2.nim\n $copy_file2_s1 = \"parseHexStr\" ascii fullword\n $copy_file2_s2 = \"DeleteFileW\" ascii fullword\n $copy_file2_s3 = \"CopyFile2\" ascii fullword\n\n $copy_file2_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F4D\n\n // sub_140006F75\n 48 83 EC 28 // sub rsp, 28h\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D280\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D270\n 48 8B 08 // mov rcx, [rax] ; Src\n E8 ?? ?? FF FF // call sub_140006ED0\n 90 // nop\n }\n\n $copy_file2_x2 = {\n 48 83 EC 48 // sub rsp, 48h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 49 89 CC // mov r12, rcx\n 48 89 D3 // mov rbx, rdx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 4C 89 E2 // mov rdx, r12 ; Src\n 49 89 D8 // mov r8, rbx ; Size\n 4C 8D 25 ?? ?? ?? 00 // lea r12, pwszNewFileName ; \"C:\\\\Windows\\\\Temp\\\\backup.log\"\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 4C 89 E1 // mov rcx, r12 ; lpFileName\n 48 C7 ?? ?? ?? 00 00 00 00 // mov [rsp+58h+pExtendedParameters.pfCancel], 0\n 48 C7 ?? ?? ?? 00 00 00 00 // mov [rsp+58h+pExtendedParameters.pvCallbackContext], 0\n 49 89 C1 // mov r9, rax\n B8 01 00 00 08 // mov eax, 8000001h\n 48 C1 E0 05 // shl rax, 5\n 4C 89 4C 24 30 // mov [rsp+58h+pExtendedParameters.pProgressRoutine], r9\n 48 89 44 24 20 // mov qword ptr [rsp+58h+pExtendedParameters.dwSize], rax\n FF 15 ?? ?? ?? 00 // call cs:__imp_DeleteFileW\n 4C 8D 44 24 20 // lea r8, [rsp+58h+pExtendedParameters] ; pExtendedParameters\n 4C 89 E2 // mov rdx, r12 ; pwszNewFileName\n 48 8D 0D ?? ?? ?? 
00 // lea rcx, pwszExistingFileName ; \"C\"\n FF 15 ?? ?? ?? 00 // call cs:__imp_CopyFile2\n 90 // nop\n }\n\n // CopyFileEx.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CopyFileEx.nim\n $copy_fileex_s1 = \"parseHexStr\" ascii fullword\n $copy_fileex_s2 = \"DeleteFileW\" ascii fullword\n $copy_fileex_s3 = \"CopyFileExW\" ascii fullword\n\n $copy_fileex_x1 = {\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140001B58\n E8 ?? ?? FF FF // call sub_1400056FD\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006428\n\n // sub_140006450\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006B6E0\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006B6D0\n 48 8B 08 // mov rcx, [rax] ; Src\n E9 ?? ?? FF FF // jmp sub_1400063B0\n }\n\n $copy_fileex_x2 = {\n 48 83 EC 30 // sub rsp, 30h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D6 // mov rsi, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 F0 // mov r8, rsi ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 4C 8D 25 ?? ?? ?? 00 // lea r12, NewFileName ; \"C:\\\\Windows\\\\Temp\\\\backup.log\"\n 48 89 C3 // mov rbx, rax\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 4C 89 E1 // mov rcx, r12 ; lpFileName\n FF 15 ?? ?? ?? 00 // call cs:__imp_DeleteFileW\n 45 31 C9 // xor r9d, r9d ; lpData\n 49 89 D8 // mov r8, rbx ; lpProgressRoutine\n 4C 89 E2 // mov rdx, r12 ; lpNewFileName\n C7 44 24 28 01 00 00 00 // mov [rsp+48h+dwCopyFlags], 1 ; dwCopyFlags\n 48 8D 0D ?? ?? ?? 00 // lea rcx, ExistingFileName ; \"C\"\n 48 C7 44 24 20 00 00 00 00 // mov [rsp+48h+pbCancel], 0 ; pbCancel\n FF 15 ?? ?? ?? 
00 // call cs:__imp_CopyFileExW\n B8 01 00 00 00 // mov eax, 1\n }\n\n // CryptEnumOIDInfo.nim\n // https://github.com/aeverj/NimShellCodeLoader/blob/master/CryptEnumOIDInfo.nim\n $crypt_enum_oid_s1 = \"parseHexStr\" ascii fullword\n $crypt_enum_oid_s2 = \"CryptEnumOIDInfo\" ascii fullword\n\n $crypt_enum_oid_x1 ={\n 48 83 EC 28 // sub rsp, 28h\n E8 ?? ?? FF FF // call sub_140002A38\n E8 ?? ?? FF FF // call sub_14000655E\n 90 // nop\n 48 83 C4 28 // add rsp, 28h\n EB D8 // jmp short sub_140006F19\n\n // sub_140006F41\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D200\n 48 63 10 // movsxd rdx, dword ptr [rax] ; Size\n 48 8B 05 ?? ?? ?? 00 // mov rax, cs:off_14006D1F0\n 48 8B 08 // mov rcx, [rax] ; Src\n E9 ?? ?? FF FF // jmp sub_140006ED0\n }\n\n $crypt_enum_oid_x2 ={\n 48 83 EC 28 // sub rsp, 28h\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 D3 // mov rbx, rdx\n 49 89 CC // mov r12, rcx\n 31 C9 // xor ecx, ecx ; lpAddress\n FF 15 ?? ?? ?? 00 // call cs:__imp_VirtualAlloc\n 49 89 D8 // mov r8, rbx ; Size\n 4C 89 E2 // mov rdx, r12 ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? 00 // call memmove\n 45 31 C0 // xor r8d, r8d ; pvArg\n 31 D2 // xor edx, edx ; dwFlags\n 31 C9 // xor ecx, ecx ; dwGroupId\n 49 89 C1 // mov r9, rax ; pfnEnumOIDInfo\n FF 15 ?? ?? ?? 
00 // call cs:__imp_CryptEnumOIDInfo\n 31 C0 // xor eax, eax\n }\n\n condition:\n (all of ($create_timer_queue_timer_tech_s*) and 1 of ($create_timer_queue_timer_tech_x*)) or\n (all of ($oep_hiijack_inject_load_s*) and 1 of ($oep_hiijack_inject_load_x*)) or\n (all of ($thread_hiijack_inject_load_s*) and 1 of ($thread_hiijack_inject_load_x*)) or\n (all of ($apc_inject_load_s*) and 1 of ($apc_inject_load_x*)) or\n (all of ($early_bird_apc_injetc_load_s*) and 1 of ($early_bird_apc_injetc_load_x*)) or\n (all of ($direct_load_s*) and 1 of ($direct_load_x*)) or\n (all of ($thread_pool_wait_s*) and 1 of ($thread_pool_wait_x*)) or\n (all of ($fiber_load_s*) and 1 of ($fiber_load_x*)) or\n (all of ($cert_enum_system_store_s*) and 1 of ($cert_enum_system_store_x*)) or\n (all of ($cert_enum_system_store_location_s*) and 1 of ($cert_enum_system_store_location_x*)) or\n (all of ($copy_file2_s*) and 1 of ($copy_file2_x*)) or\n (all of ($copy_fileex_s*) and 1 of ($copy_fileex_x*)) or\n (all of ($crypt_enum_oid_s*) and 1 of ($crypt_enum_oid_x*))\n}\n", "rule_count": 1, "rule_names": [ "nimshellcodeloader_be89caf9af0f" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.NimShellCodeLoader" ], "rule_tactic_tags": [ "attack.collection", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1567", "attack.t1005" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_suspended_thread_injection_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563590Z", "creation_date": "2026-03-23T11:46:25.563593Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563598Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/suspended_thread_injection.nim\nhttps://ajpc500.github.io/nim/Shellcode-Injection-using-Nim-and-Syscalls/" ], "name": "nim_suspended_thread_injection.yar", "content": "rule nim_suspended_thread_injection {\n meta:\n title = \"Nim Suspended Thread Injection\"\n id = \"8dcdbe16-9397-4282-8a19-70a6fc54c91e\"\n description = \"Detects malicious code written in the Nim programming language that uses the CreateRemoteThread injection technique to execute a shellcode.\\nThis technique involves injecting malicious code into a target process by creating a suspended thread, which is then resumed to execute the injected shellcode.\\nThis method is commonly used to evade process-based detection mechanisms and execute arbitrary code in the context of a legitimate process.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/suspended_thread_injection.nim\\nhttps://ajpc500.github.io/nim/Shellcode-Injection-using-Nim-and-Syscalls/\"\n date = \"2023-08-30\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055.003\"\n classification = 
\"Windows.Generic.NimThreadInjection\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a\n\n $s1 = \"fatal.nim\" ascii fullword\n\n $s2 = \"@[*] Target Process:\" ascii fullword\n $s3 = \"@[*] pHandle:\" ascii fullword\n $s4 = \"@[+] Injected\" ascii fullword\n $s5 = \"injectCreateRemoteThread\" ascii fullword\n\n $NimMainModule = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 50 // sub rsp, 50h\n 48 8D 05 ?? ?? ?? ?? // lea rax, aCsRemoteInject\n 48 89 45 D8 // mov [rbp+var_28], rax\n 48 8D 05 ?? ?? ?? ?? // lea rax, aMntHgfsHackFra_0\n 48 89 45 E8 // mov [rbp+var_18], rax\n 48 C7 45 E0 00 00 00 00 // mov [rbp+var_20], 0\n 66 C7 45 F0 00 00 // mov [rbp+var_10], 0\n 48 8D 45 D0 // lea rax, [rbp+var_30]\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? ?? ?? // call nimFrame_9\n 48 C7 45 E0 ?? ?? 00 00 // mov [rbp+var_20], 4026h\n 48 8D 05 ?? ?? ?? ?? // lea rax, aMntHgfsHackFra_0\n 48 89 45 E8 // mov [rbp+var_18], rax\n 48 8D 0D ?? ?? ?? ?? // lea rcx, shellcode__nC7AhFRV8w0B9aln5m39cX0A\n E8 ?? ?? ?? ?? // call injectCreateRemoteThread__jg7gJ2nISpQOlCvAz9bnGUQ\n E8 ?? ?? ?? ?? // call popFrame_9\n 90 // nop\n 48 83 C4 50 // add rsp, 50h\n 5D // pop rbp\n C3 // retn\n }\n\n $injectCreateRemoteThread = {\n 48 8D 0D ?? ?? ?? ?? // lea rcx, TM__RHIc7C9cgCxy024IyLWcgug_2\n E8 ?? ?? ?? ?? // call nospstartProcess\n 48 89 45 F8 // mov [rbp+var_8], rax\n 48 C7 85 ?? ?? FF FF ?? 00 00 00 // mov [rbp+var_1E0], 0Eh\n 48 8D 05 ?? ?? ?? ?? // lea rax, aMntHgfsHackFra_0\n 48 89 85 ?? ?? ?? ?? // mov [rbp+var_1D8], rax\n 48 8B 45 F8 // mov rax, [rbp+var_8]\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? FF FF // call nospsuspend\n 48 C7 85 ?? ?? FF FF ?? 00 00 00 // mov [rbp+var_1E0], 0Fh\n 48 8D 05 ?? ?? ?? ?? // lea rax, aMntHgfsHackFra_0\n 48 89 85 ?? ?? FF FF // mov [rbp+var_1D8], rax\n 48 8D 85 ?? ?? 
FF FF // lea rax, [rbp+var_150]\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? ?? ?? // call pushSafePoint_0\n 48 89 EA // mov rdx, rbp\n 48 8D 85 ?? ?? FF FF // lea rax, [rbp+var_150]\n 48 83 C0 10 // add rax, 10h\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? ?? ?? // call _setjmp\n 48 98 // cdqe\n 48 89 85 ?? ?? FF FF // mov [rbp+var_148], rax\n 48 8B 85 ?? ?? FF FF // mov rax, [rbp+var_148]\n 48 85 C0 // test rax, rax\n 0F 85 ?? ?? ?? ?? // jnz loc_41CC46\n }\n\n condition:\n all of ($s*) or\n ($s1 and $NimMainModule and $injectCreateRemoteThread)\n}\n", "rule_count": 1, "rule_names": [ "nim_suspended_thread_injection" ], "rule_creation_date": "2023-08-30", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.NimThreadInjection" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.003" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_syswhispers2_3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572562Z", "creation_date": "2026-03-23T11:46:25.572565Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572570Z", "rule_level": "high", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ajpc500/NimlineWhispers2\nhttps://github.com/klezVirus/NimlineWhispers3" ], "name": "nim_syswhispers2_3.yar", "content": "rule nim_syswhispers2_3 {\n meta:\n title = \"Nim Direct Syscall via SysWhispers2/3\"\n id = \"e8b54c4c-a049-40db-acda-210b55de16a9\"\n description = \"Detects suspicious Nim code featuring SysWhispers2/3 patterns.\\nSysWhispers2 and 3 are projects that help attackers evade detection by generating header/ASM files that can be used to make direct system calls on Windows.\\nNim is a programming language that can be used to create such direct system calls, which can be employed for malicious purposes such as persistence, privilege escalation, or data exfiltration. These techniques can be used for both legitimate and malicious activities, making detection challenging.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/ajpc500/NimlineWhispers2\\nhttps://github.com/klezVirus/NimlineWhispers3\"\n date = \"2023-08-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.NimDirectSyscall\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b107545a730cd8a999d58daac31c59e20c12219c7d999ad05987c5cae0602851\n // bce472d73b05a851ec801c46954122c56fdb3db930964ed7dc5107533d9e2cec\n\n $nim1 = \"fatal.nim\" ascii fullword\n $nim2 = \"NimMain\" ascii fullword\n\n $s1 = \"SW2_PopulateSyscallList\" ascii fullword\n $s2 = \"SW2_HashSyscall\" ascii fullword\n $s3 = \"SW2_GetSyscallNumber\" ascii fullword\n $s4 = \"SW3_GetSyscallAddress\" ascii fullword\n $s5 = \"SW3_GetSyscallNumber\" ascii 
fullword\n $s6 = \"SW3_HashSyscall\" ascii fullword\n $s7 = \"SW3_SyscallList\" ascii fullword\n\n $PopulateSyscallList = {\n 20 20 20 20 // or r8d, 20202020h\n [1-3] 6E 74 64 6C // cmp r8d, 6C64746Eh\n 75 ?? // jnz short loc_408F91\n [3-10] // mov edx, [rdx+4]\n [1-2] 20 20 20 20 // or edx, 20202020h\n [1-2] 6C 2E 64 6C // cmp edx, 6C642E6Ch\n 74 ?? // jz short loc_408FA8\n }\n\n $syscall = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n B9 ?? ?? ?? ?? // mov ecx, 667614E0h\n E8 ?? ?? ?? ?? // call sub_14000FF0F\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n 49 89 CA // mov r10, rcx\n (\n 90 0F 05 | // nop + syscall\n 0F 05 // syscall\n )\n C3 // retn\n }\n\n condition:\n 1 of ($nim*) and\n (\n 1 of ($s*) or\n $PopulateSyscallList or\n $syscall\n )\n}\n", "rule_count": 1, "rule_names": [ "nim_syswhispers2_3" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.NimDirectSyscall" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nim_syswhispers_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573253Z", "creation_date": "2026-03-23T11:46:25.573255Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573261Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ajpc500/NimlineWhispers\nhttps://github.com/jthuraisamy/SysWhispers" ], "name": "nim_syswhispers.yar", "content": "rule nim_syswhispers {\n meta:\n title = \"Nim Direct Syscall via SysWhispers\"\n id = \"533dbdf1-73b4-40c0-a08c-d558e50273b3\"\n description = \"Detects the Nim SysWhispers malware.\\nSysWhispers is a project designed to help malware evade detection by generating header/ASM files that can be used to make direct system calls on Windows.\\nThis rule detects the presence of Nim code that uses SysWhispers to perform direct system calls which can be indicative of malicious activity.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/ajpc500/NimlineWhispers\\nhttps://github.com/jthuraisamy/SysWhispers\"\n date = \"2023-08-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.NimDirectSyscall\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9127f4731cb668c005941f22e29406e5973f97a54faa0ea3d8b91b163e37b19a\n\n $s1 = \"fatal.nim\" ascii fullword\n\n $NtOpenProcess = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n\n // 
NtOpenProcess_Check _X_X_XXXX:\n 83 B8 18 01 00 00 06 // cmp dword ptr [rax+118h], 6\n 74 0E // jz short NtOpenProcess_Check_6_X_XXXX\n 83 B8 18 01 00 00 0A // cmp dword ptr [rax+118h], 0Ah\n 74 50 // jz short NtOpenProcess_Check_10_0_XXXX\n E9 3F 01 00 00 // jmp NtOpenProcess_SystemCall_Unknown\n\n\n // NtOpenProcess_Check _6_X_XXXX:\n 83 B8 1C 01 00 00 01 // cmp dword ptr [rax+11Ch], 1\n 74 1F // jz short NtOpenProcess_Check_6_1_XXXX\n 83 B8 1C 01 00 00 02 // cmp dword ptr [rax+11Ch], 2\n 0F 84 CE 00 00 00 // jz NtOpenProcess_SystemCall_6_2_XXXX\n 83 B8 1C 01 00 00 03 // cmp dword ptr [rax+11Ch], 3\n 0F 84 C8 00 00 00 // jz NtOpenProcess_SystemCall_6_3_XXXX\n E9 17 01 00 00 // jmp NtOpenProcess_SystemCall_Unknown\n\n\n // NtOpenProcess_Check _6_1_XXXX:\n 66 81 B8 20 01 00 00 B0 1D // cmp word ptr [rax+120h], 1DB0h\n 0F 84 9F 00 00 00 // jz NtOpenProcess_SystemCall_6_1_7600\n 66 81 B8 20 01 00 00 B1 1D // cmp word ptr [rax+120h], 1DB1h\n 0F 84 97 00 00 00 // jz NtOpenProcess_SystemCall_6_1_7601\n E9 F4 00 00 00 // jmp NtOpenProcess_SystemCall_Unknown\n\n\n // NtOpenProcess_Check _10_0_XXXX:\n 66 81 B8 20 01 00 00 00 28 // cmp word ptr [rax+120h], 2800h\n 0F 84 98 00 00 00 // jz NtOpenProcess_SystemCall_10_0_10240\n 66 81 B8 20 01 00 00 5A 29 // cmp word ptr [rax+120h], 295Ah\n 0F 84 90 00 00 00 // jz NtOpenProcess_SystemCall_10_0_10586\n 66 81 B8 20 01 00 00 39 38 // cmp word ptr [rax+120h], 3839h\n 0F 84 88 00 00 00 // jz NtOpenProcess_SystemCall_10_0_14393\n 66 81 B8 20 01 00 00 D7 3A // cmp word ptr [rax+120h], 3AD7h\n 0F 84 80 00 00 00 // jz NtOpenProcess_SystemCall_10_0_15063\n 66 81 B8 20 01 00 00 AB 3F // cmp word ptr [rax+120h], 3FABh\n 74 7C // jz short NtOpenProcess_SystemCall_10_0_16299\n 66 81 B8 20 01 00 00 EE 42 // cmp word ptr [rax+120h], 42EEh\n 74 78 // jz short NtOpenProcess_SystemCall_10_0_17134\n 66 81 B8 20 01 00 00 63 45 // cmp word ptr [rax+120h], 4563h\n 74 74 // jz short NtOpenProcess_SystemCall_10_0_17763\n 66 81 B8 20 01 00 00 BA 47 // 
cmp word ptr [rax+120h], 47BAh\n 74 70 // jz short NtOpenProcess_SystemCall_10_0_18362\n 66 81 B8 20 01 00 00 BB 47 // cmp word ptr [rax+120h], 47BBh\n 74 6C // jz short NtOpenProcess_SystemCall_10_0_18363\n 66 81 B8 20 01 00 00 61 4A // cmp word ptr [rax+120h], 4A61h\n 74 68 // jz short NtOpenProcess_SystemCall_10_0_19041\n 66 81 B8 20 01 00 00 62 4A // cmp word ptr [rax+120h], 4A62h\n 74 64 // jz short NtOpenProcess_SystemCall_10_0_19042\n EB 69 // jmp short NtOpenProcess_SystemCall_Unknown\n\n // NtOpenProcess_SystemCall_6_1_7600:\n B8 23 00 00 00 // mov eax, 23h\n EB 63 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_6_1_7601:\n B8 23 00 00 00 // mov eax, 23h\n EB 5C // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_6_2_XXXX:\n B8 24 00 00 00 // mov eax, 24h\n EB 55 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_6_3_XXXX:\n B8 25 00 00 00 // mov eax, 25h\n EB 4E // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_10240:\n B8 26 00 00 00 // mov eax, 26h\n EB 47 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_10586:\n B8 26 00 00 00 // mov eax, 26h\n EB 40 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_14393:\n B8 26 00 00 00 // mov eax, 26h\n EB 39 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_15063:\n B8 26 00 00 00 // mov eax, 26h\n EB 32 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_16299:\n B8 26 00 00 00 // mov eax, 26h\n EB 2B // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_17134:\n B8 26 00 00 00 // mov eax, 26h\n EB 24 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_17763:\n B8 26 00 00 00 // mov eax, 26h\n EB 1D // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_18362:\n B8 26 00 00 00 // mov eax, 26h\n EB 16 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_18363:\n B8 26 00 00 
00 // mov eax, 26h\n EB 0F // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_19041:\n B8 26 00 00 00 // mov eax, 26h\n EB 08 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_10_0_19042:\n B8 26 00 00 00 // mov eax, 26h\n EB 01 // jmp short NtOpenProcess_Epilogue\n\n // NtOpenProcess_SystemCall_Unknown:\n C3 // retn\n\n // NtOpenProcess_Epilogue:\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n $NtAllocateVirtualMemory = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n\n // NtAllocateVirtualMemory_Check_X_X_XXXX:\n 83 B8 18 01 00 00 06 // cmp dword ptr [rax+118h], 6\n 74 0E // jz short NtAllocateVirtualMemory_Check_6_X_XXXX\n 83 B8 18 01 00 00 0A // cmp dword ptr [rax+118h], 0Ah\n 74 50 // jz short NtAllocateVirtualMemory_Check_10_0_XXXX\n E9 3F 01 00 00 // jmp NtAllocateVirtualMemory_SystemCall_Unknown\n\n // NtAllocateVirtualMemory_Check_6_X_XXXX:\n 83 B8 1C 01 00 00 01 // cmp dword ptr [rax+11Ch], 1\n 74 1F // jz short NtAllocateVirtualMemory_Check_6_1_XXXX\n 83 B8 1C 01 00 00 02 // cmp dword ptr [rax+11Ch], 2\n 0F 84 CE 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_6_2_XXXX\n 83 B8 1C 01 00 00 03 // cmp dword ptr [rax+11Ch], 3\n 0F 84 C8 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_6_3_XXXX\n E9 17 01 00 00 // jmp NtAllocateVirtualMemory_SystemCall_Unknown\n\n // NtAllocateVirtualMemory_Check_6_1_XXXX:\n 66 81 B8 20 01 00 00 B0 1D // cmp word ptr [rax+120h], 1DB0h\n 0F 84 9F 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_6_1_7600\n 66 81 B8 20 01 00 00 B1 1D // cmp word ptr [rax+120h], 1DB1h\n 0F 84 97 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_6_1_7601\n E9 F4 00 00 00 // jmp NtAllocateVirtualMemory_SystemCall_Unknown\n\n // NtAllocateVirtualMemory_Check_10_0_XXXX:\n 66 81 B8 20 01 00 00 00 28 // cmp word ptr [rax+120h], 2800h\n 0F 84 98 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_10_0_10240\n 66 81 B8 20 01 00 00 5A 29 // cmp word ptr [rax+120h], 295Ah\n 0F 84 90 00 00 00 
// jz NtAllocateVirtualMemory_SystemCall_10_0_10586\n 66 81 B8 20 01 00 00 39 38 // cmp word ptr [rax+120h], 3839h\n 0F 84 88 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_10_0_14393\n 66 81 B8 20 01 00 00 D7 3A // cmp word ptr [rax+120h], 3AD7h\n 0F 84 80 00 00 00 // jz NtAllocateVirtualMemory_SystemCall_10_0_15063\n 66 81 B8 20 01 00 00 AB 3F // cmp word ptr [rax+120h], 3FABh\n 74 7C // jz short NtAllocateVirtualMemory_SystemCall_10_0_16299\n 66 81 B8 20 01 00 00 EE 42 // cmp word ptr [rax+120h], 42EEh\n 74 78 // jz short NtAllocateVirtualMemory_SystemCall_10_0_17134\n 66 81 B8 20 01 00 00 63 45 // cmp word ptr [rax+120h], 4563h\n 74 74 // jz short NtAllocateVirtualMemory_SystemCall_10_0_17763\n 66 81 B8 20 01 00 00 BA 47 // cmp word ptr [rax+120h], 47BAh\n 74 70 // jz short NtAllocateVirtualMemory_SystemCall_10_0_18362\n 66 81 B8 20 01 00 00 BB 47 // cmp word ptr [rax+120h], 47BBh\n 74 6C // jz short NtAllocateVirtualMemory_SystemCall_10_0_18363\n 66 81 B8 20 01 00 00 61 4A // cmp word ptr [rax+120h], 4A61h\n 74 68 // jz short NtAllocateVirtualMemory_SystemCall_10_0_19041\n 66 81 B8 20 01 00 00 62 4A // cmp word ptr [rax+120h], 4A62h\n 74 64 // jz short NtAllocateVirtualMemory_SystemCall_10_0_19042\n EB 69 // jmp short NtAllocateVirtualMemory_SystemCall_Unknown\n\n // NtAllocateVirtualMemory_SystemCall_6_1_7600:\n B8 15 00 00 00 // mov eax, 15h\n EB 63 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_6_1_7601:\n B8 15 00 00 00 // mov eax, 15h\n EB 5C // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_6_2_XXXX:\n B8 16 00 00 00 // mov eax, 16h\n EB 55 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_6_3_XXXX:\n B8 17 00 00 00 // mov eax, 17h\n EB 4E // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_10240:\n B8 18 00 00 00 // mov eax, 18h\n EB 47 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // 
NtAllocateVirtualMemory_SystemCall_10_0_10586:\n B8 18 00 00 00 // mov eax, 18h\n EB 40 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_14393:\n B8 18 00 00 00 // mov eax, 18h\n EB 39 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_15063:\n B8 18 00 00 00 // mov eax, 18h\n EB 32 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_16299:\n B8 18 00 00 00 // mov eax, 18h\n EB 2B // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_17134:\n B8 18 00 00 00 // mov eax, 18h\n EB 24 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_17763:\n B8 18 00 00 00 // mov eax, 18h\n EB 1D // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_18362:\n B8 18 00 00 00 // mov eax, 18h\n EB 16 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_18363:\n B8 18 00 00 00 // mov eax, 18h\n EB 0F // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_19041:\n B8 18 00 00 00 // mov eax, 18h\n EB 08 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_10_0_19042:\n B8 18 00 00 00 // mov eax, 18h\n EB 01 // jmp short NtAllocateVirtualMemory_Epilogue\n\n // NtAllocateVirtualMemory_SystemCall_Unknown:\n C3 // retn\n\n // NtAllocateVirtualMemory_Epilogue:\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n $NtWriteVirtualMemory = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n\n // NtWriteVirtualMemory_Check_X_X_XXXX:\n 83 B8 18 01 00 00 06 // cmp dword ptr [rax+118h], 6\n 74 0E // jz short NtWriteVirtualMemory_Check_6_X_XXXX\n 83 B8 18 01 00 00 0A // cmp dword ptr [rax+118h], 0Ah\n 74 50 // jz short NtWriteVirtualMemory_Check_10_0_XXXX\n E9 3F 01 00 00 // jmp NtWriteVirtualMemory_SystemCall_Unknown\n\n // 
NtWriteVirtualMemory_Check_6_X_XXXX:\n 83 B8 1C 01 00 00 01 // cmp dword ptr [rax+11Ch], 1\n 74 1F // jz short NtWriteVirtualMemory_Check_6_1_XXXX\n 83 B8 1C 01 00 00 02 // cmp dword ptr [rax+11Ch], 2\n 0F 84 CE 00 00 00 // jz NtWriteVirtualMemory_SystemCall_6_2_XXXX\n 83 B8 1C 01 00 00 03 // cmp dword ptr [rax+11Ch], 3\n 0F 84 C8 00 00 00 // jz NtWriteVirtualMemory_SystemCall_6_3_XXXX\n E9 17 01 00 00 // jmp NtWriteVirtualMemory_SystemCall_Unknown\n\n // NtWriteVirtualMemory_Check_6_1_XXXX:\n 66 81 B8 20 01 00 00 B0 1D // cmp word ptr [rax+120h], 1DB0h\n 0F 84 9F 00 00 00 // jz NtWriteVirtualMemory_SystemCall_6_1_7600\n 66 81 B8 20 01 00 00 B1 1D // cmp word ptr [rax+120h], 1DB1h\n 0F 84 97 00 00 00 // jz NtWriteVirtualMemory_SystemCall_6_1_7601\n E9 F4 00 00 00 // jmp NtWriteVirtualMemory_SystemCall_Unknown\n\n // NtWriteVirtualMemory_Check_10_0_XXXX:\n 66 81 B8 20 01 00 00 00 28 // cmp word ptr [rax+120h], 2800h\n 0F 84 98 00 00 00 // jz NtWriteVirtualMemory_SystemCall_10_0_10240\n 66 81 B8 20 01 00 00 5A 29 // cmp word ptr [rax+120h], 295Ah\n 0F 84 90 00 00 00 // jz NtWriteVirtualMemory_SystemCall_10_0_10586\n 66 81 B8 20 01 00 00 39 38 // cmp word ptr [rax+120h], 3839h\n 0F 84 88 00 00 00 // jz NtWriteVirtualMemory_SystemCall_10_0_14393\n 66 81 B8 20 01 00 00 D7 3A // cmp word ptr [rax+120h], 3AD7h\n 0F 84 80 00 00 00 // jz NtWriteVirtualMemory_SystemCall_10_0_15063\n 66 81 B8 20 01 00 00 AB 3F // cmp word ptr [rax+120h], 3FABh\n 74 7C // jz short NtWriteVirtualMemory_SystemCall_10_0_16299\n 66 81 B8 20 01 00 00 EE 42 // cmp word ptr [rax+120h], 42EEh\n 74 78 // jz short NtWriteVirtualMemory_SystemCall_10_0_17134\n 66 81 B8 20 01 00 00 63 45 // cmp word ptr [rax+120h], 4563h\n 74 74 // jz short NtWriteVirtualMemory_SystemCall_10_0_17763\n 66 81 B8 20 01 00 00 BA 47 // cmp word ptr [rax+120h], 47BAh\n 74 70 // jz short NtWriteVirtualMemory_SystemCall_10_0_18362\n 66 81 B8 20 01 00 00 BB 47 // cmp word ptr [rax+120h], 47BBh\n 74 6C // jz short 
NtWriteVirtualMemory_SystemCall_10_0_18363\n 66 81 B8 20 01 00 00 61 4A // cmp word ptr [rax+120h], 4A61h\n 74 68 // jz short NtWriteVirtualMemory_SystemCall_10_0_19041\n 66 81 B8 20 01 00 00 62 4A // cmp word ptr [rax+120h], 4A62h\n 74 64 // jz short NtWriteVirtualMemory_SystemCall_10_0_19042\n EB 69 // jmp short NtWriteVirtualMemory_SystemCall_Unknown\n\n // NtWriteVirtualMemory_SystemCall_6_1_7600:\n B8 37 00 00 00 // mov eax, 37h\n EB 63 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_6_1_7601:\n B8 37 00 00 00 // mov eax, 37h\n EB 5C // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_6_2_XXXX:\n B8 38 00 00 00 // mov eax, 38h\n EB 55 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_6_3_XXXX:\n B8 39 00 00 00 // mov eax, 39h\n EB 4E // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_10240:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 47 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_10586:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 40 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_14393:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 39 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_15063:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 32 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_16299:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 2B // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_17134:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 24 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_17763:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 1D // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_18362:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 16 // jmp short NtWriteVirtualMemory_Epilogue\n\n // 
NtWriteVirtualMemory_SystemCall_10_0_18363:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 0F // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_19041:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 08 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_10_0_19042:\n B8 3A 00 00 00 // mov eax, 3Ah\n EB 01 // jmp short NtWriteVirtualMemory_Epilogue\n\n // NtWriteVirtualMemory_SystemCall_Unknown:\n C3 // retn\n\n // NtWriteVirtualMemory_Epilogue:\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n $NtCreateThreadEx = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n\n // NtCreateThreadEx_Check_X_X_XXXX:\n 83 B8 18 01 00 00 06 // cmp dword ptr [rax+118h], 6\n 74 0E // jz short NtCreateThreadEx_Check_6_X_XXXX\n 83 B8 18 01 00 00 0A // cmp dword ptr [rax+118h], 0Ah\n 74 50 // jz short NtCreateThreadEx_Check_10_0_XXXX\n E9 3F 01 00 00 // jmp NtCreateThreadEx_SystemCall_Unknown\n\n // NtCreateThreaEx_Check_6_X_XXXX:\n 83 B8 1C 01 00 00 01 // cmp dword ptr [rax+11Ch], 1\n 74 1F // jz short NtCreateThreadEx_Check_6_1_XXXX\n 83 B8 1C 01 00 00 02 // cmp dword ptr [rax+11Ch], 2\n 0F 84 CE 00 00 00 // jz NtCreateThreadEx_SystemCall_6_2_XXXX\n 83 B8 1C 01 00 00 03 // cmp dword ptr [rax+11Ch], 3\n 0F 84 C8 00 00 00 // jz NtCreateThreadEx_SystemCall_6_3_XXXX\n E9 17 01 00 00 // jmp NtCreateThreadEx_SystemCall_Unknown\n\n // NtCreateThreadx_Check_6_1_XXXX:\n 66 81 B8 20 01 00 00 B0 1D // cmp word ptr [rax+120h], 1DB0\n 0F 84 9F 00 00 00 // jz NtCreateThreadEx_SystemCall_6_1_7600\n 66 81 B8 20 01 00 00 B1 1D // cmp word ptr [rax+120h], 1DB1h\n 0F 84 97 00 00 00 // jz NtCreateThreadEx_SystemCall_6_1_7601\n E9 F4 00 00 00 // jmp NtCreateThreadEx_SystemCall_Unknown\n\n // NtCreateThreadEx_Check_10_0_XXXX:\n 66 81 B8 20 01 00 00 00 28 // cmp word ptr [rax+120h], 2800h\n 0F 84 98 00 00 00 // jz NtCreateThreadEx_SystemCall_10_0_10240\n 66 81 B8 20 01 00 00 5A 29 // cmp word ptr [rax+120h], 295Ah\n 0F 84 90 00 00 00 // jz 
NtCreateThreadEx_SystemCall_10_0_10586\n 66 81 B8 20 01 00 00 39 38 // cmp word ptr [rax+120h], 3839h\n 0F 84 88 00 00 00 // jz NtCreateThreadEx_SystemCall_10_0_14393\n 66 81 B8 20 01 00 00 D7 3A // cmp word ptr [rax+120h], 3AD7h\n 0F 84 80 00 00 00 // jz NtCreateThreadEx_SystemCall_10_0_15063\n 66 81 B8 20 01 00 00 AB 3F // cmp word ptr [rax+120h], 3FABh\n 74 7C // jz short NtCreateThreadEx_SystemCall_10_0_16299\n 66 81 B8 20 01 00 00 EE 42 // cmp word ptr [rax+120h], 42EEh\n 74 78 // jz short NtCreateThreadEx_SystemCall_10_0_17134\n 66 81 B8 20 01 00 00 63 45 // cmp word ptr [rax+120h], 4563h\n 74 74 // jz short NtCreateThreadEx_SystemCall_10_0_17763\n 66 81 B8 20 01 00 00 BA 47 // cmp word ptr [rax+120h], 47BAh\n 74 70 // jz short NtCreateThreadEx_SystemCall_10_0_18362\n 66 81 B8 20 01 00 00 BB 47 // cmp word ptr [rax+120h], 47BBh\n 74 6C // jz short NtCreateThreadEx_SystemCall_10_0_18363\n 66 81 B8 20 01 00 00 61 4A // cmp word ptr [rax+120h], 4A61h\n 74 68 // jz short NtCreateThreadEx_SystemCall_10_0_19041\n 66 81 B8 20 01 00 00 62 4A // cmp word ptr [rax+120h], 4A62h\n 74 64 // jz short NtCreateThreadEx_SystemCall_10_0_19042\n EB 69 // jmp short NtCreateThreadEx_SystemCall_Unknown\n\n // NtCreateThreadEx_SystemCall_6_1_7600:\n B8 A5 00 00 00 // mov eax, 0A5h\n EB 63 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_6_1_7601:\n B8 A5 00 00 00 // mov eax, 0A5h\n EB 5C // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_6_2_XXXX:\n B8 AF 00 00 00 // mov eax, 0AFh\n EB 55 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_6_3_XXXX:\n B8 B0 00 00 00 // mov eax, 0B0h\n EB 4E // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_10240:\n B8 B3 00 00 00 // mov eax, 0B3h\n EB 47 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_10586:\n B8 B4 00 00 00 // mov eax, 0B4h\n EB 40 // jmp short NtCreateThreadEx_Epilogue\n\n // 
NtCreateThreadEx_SystemCall_10_0_14393:\n B8 B6 00 00 00 // mov eax, 0B6h\n EB 39 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_15063:\n B8 B9 00 00 00 // mov eax, 0B9h\n EB 32 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_16299:\n B8 BA 00 00 00 // mov eax, 0BAh\n EB 2B // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_17134:\n B8 BB 00 00 00 // mov eax, 0BBh\n EB 24 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_17763:\n B8 BC 00 00 00 // mov eax, 0BCh\n EB 1D // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_18362:\n B8 BD 00 00 00 // mov eax, 0BDh\n EB 16 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_18363:\n B8 BD 00 00 00 // mov eax, 0BDh\n EB 0F // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_19041:\n B8 C1 00 00 00 // mov eax, 0C1h\n EB 08 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_10_0_19042:\n B8 C1 00 00 00 // mov eax, 0C1h\n EB 01 // jmp short NtCreateThreadEx_Epilogue\n\n // NtCreateThreadEx_SystemCall_Unknown:\n C3 // retn\n\n // NtCreateThreadEx_Epilogue:\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n $NtClose = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n\n // NtClose_Check_X_X_XXXX:\n 83 B8 18 01 00 00 06 // cmp dword ptr [rax+118h], 6\n 74 0E // jz short NtClose_Check_6_X_XXXX\n 83 B8 18 01 00 00 0A // cmp dword ptr [rax+118h], 0Ah\n 74 50 // jz short NtClose_Check_10_0_XXXX\n E9 3F 01 00 00 // jmp NtClose_SystemCall_Unknown\n\n // NtClose_Check_6_X_XXXX:\n 83 B8 1C 01 00 00 01 // cmp dword ptr [rax+11Ch], 1\n 74 1F // jz short NtClose_Check_6_1_XXXX\n 83 B8 1C 01 00 00 02 // cmp dword ptr [rax+11Ch], 2\n 0F 84 CE 00 00 00 // jz NtClose_SystemCall_6_2_XXXX\n 83 B8 1C 01 00 00 03 // cmp dword ptr [rax+11Ch], 3\n 0F 84 C8 00 00 00 // jz NtClose_SystemCall_6_3_XXXX\n E9 17 01 
00 00 // jmp NtClose_SystemCall_Unknown\n\n // NtClose_Check_6_1_XXXX:\n 66 81 B8 20 01 00 00 B0 1D // cmp word ptr [rax+120h], 1DB0h\n 0F 84 9F 00 00 00 // jz NtClose_SystemCall_6_1_7600\n 66 81 B8 20 01 00 00 B1 1D // cmp word ptr [rax+120h], 1DB1h\n 0F 84 97 00 00 00 // jz NtClose_SystemCall_6_1_7601\n E9 F4 00 00 00 // jmp NtClose_SystemCall_Unknown\n\n // NtClose_Check_10_0_XXXX:\n 66 81 B8 20 01 00 00 00 28 // cmp word ptr [rax+120h], 2800h\n 0F 84 98 00 00 00 // jz NtClose_SystemCall_10_0_10240\n 66 81 B8 20 01 00 00 5A 29 // cmp word ptr [rax+120h], 295Ah\n 0F 84 90 00 00 00 // jz NtClose_SystemCall_10_0_10586\n 66 81 B8 20 01 00 00 39 38 // cmp word ptr [rax+120h], 3839h\n 0F 84 88 00 00 00 // jz NtClose_SystemCall_10_0_14393\n 66 81 B8 20 01 00 00 D7 3A // cmp word ptr [rax+120h], 3AD7h\n 0F 84 80 00 00 00 // jz NtClose_SystemCall_10_0_15063\n 66 81 B8 20 01 00 00 AB 3F // cmp word ptr [rax+120h], 3FABh\n 74 7C // jz short NtClose_SystemCall_10_0_16299\n 66 81 B8 20 01 00 00 EE 42 // cmp word ptr [rax+120h], 42EEh\n 74 78 // jz short NtClose_SystemCall_10_0_17134\n 66 81 B8 20 01 00 00 63 45 // cmp word ptr [rax+120h], 4563h\n 74 74 // jz short NtClose_SystemCall_10_0_17763\n 66 81 B8 20 01 00 00 BA 47 // cmp word ptr [rax+120h], 47BAh\n 74 70 // jz short NtClose_SystemCall_10_0_18362\n 66 81 B8 20 01 00 00 BB 47 // cmp word ptr [rax+120h], 47BBh\n 74 6C // jz short NtClose_SystemCall_10_0_18363\n 66 81 B8 20 01 00 00 61 4A // cmp word ptr [rax+120h], 4A61h\n 74 68 // jz short NtClose_SystemCall_10_0_19041\n 66 81 B8 20 01 00 00 62 4A // cmp word ptr [rax+120h], 4A62h\n 74 64 // jz short NtClose_SystemCall_10_0_19042\n EB 69 // jmp short NtClose_SystemCall_Unknown\n\n // NtClose_SystemCall_6_1_7600:\n B8 0C 00 00 00 // mov eax, 0Ch\n EB 63 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_6_1_7601:\n B8 0C 00 00 00 // mov eax, 0Ch\n EB 5C // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_6_2_XXXX:\n B8 0D 00 00 00 // mov eax, 0Dh\n EB 55 // 
jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_6_3_XXXX:\n B8 0E 00 00 00 // mov eax, 0Eh\n EB 4E // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_10240:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 47 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_10586:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 40 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_14393:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 39 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_15063:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 32 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_16299:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 2B // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_17134:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 24 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_17763:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 1D // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_18362:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 16 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_18363:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 0F // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_19041:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 08 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_10_0_19042:\n B8 0F 00 00 00 // mov eax, 0Fh\n EB 01 // jmp short NtClose_Epilogue\n\n // NtClose_SystemCall_Unknown:\n C3 // retn\n\n // NtClose_Epilogue:\n 49 89 CA // mov r10, rcx\n 0F 05 // syscall\n C3 // retn\n }\n\n condition:\n $s1 and 2 of ($Nt*)\n}\n", "rule_count": 1, "rule_names": [ "nim_syswhispers" ], "rule_creation_date": "2023-08-29", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.NimDirectSyscall" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-njrat_0bf99e5c7a1e_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583914Z", "creation_date": "2026-03-23T11:46:25.583916Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583922Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://en.wikipedia.org/wiki/NjRAT\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/\nhttps://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724/" ], "name": "njrat_0bf99e5c7a1e.yar", "content": "rule njrat_0bf99e5c7a1e {\n meta:\n title = \"njRAT (0bf99e5c7a1e)\"\n id = \"eeef972d-cbf9-4e81-ac88-0bf99e5c7a1e\"\n description = \"Detects njRAT, a commercial Remote Access Tool (RAT), also known as Bladabindi. This tool is used to remotely control computers through a reverse backdoor and has been widely used in malicious campaigns since 2012.\\nnjRAT provides attackers with various features including process enumeration, file manipulation, and network communication. 
The tool can establish persistence on infected systems and is known for its modular architecture that allows for different functionalities to be added as needed.\\nIt is recommended to analyze the samples in a controlled environment and to monitor for any unauthorized access or data exfiltration activities.\"\n references = \"https://en.wikipedia.org/wiki/NjRAT\\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/\\nhttps://isc.sans.edu/diary/Njrat+Campaign+Using+Microsoft+Dev+Tunnels/31724/\"\n date = \"2025-03-13\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1010;attack.privilege_escalation;attack.defense_evasion;attack.t1548.002;attack.collection;attack.credential_access;attack.t1056.001;attack.command_and_control;attack.t1573.001\"\n classification = \"Windows.Trojan.njRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee\n // 0e5f577fc2bd76fa5f1240ea68425ee979a034aa3b5b71cd7b1f910f2acef93c\n // 454f6cd43c8d29947da959aad765ab999644b773622c0d9db95c21346de854b6\n // d213bb87ba3fd77dbc8513b1398cec070df6b898c7813af3685f4c7546dd2b9d\n // 0e5f577fc2bd76fa5f1240ea68425ee979a034aa3b5b71cd7b1f910f2acef93c\n\n $s1 = \"shutdown -s -t 00\" wide fullword\n $s2 = \"set CDAudio door open\" wide fullword\n $s3 = \"taskkill /F /IM PING.EXE\" wide fullword\n $s4 = \"netsh firewall delete allowedprogram \\\"\" wide fullword\n $s5 = \"cmd.exe /k ping 0 & del \\\"\" wide fullword\n\n $plugin = {\n 11 ?? // IL_0031: ldloc.s V_4\n 11 ?? // IL_0033: ldloc.s V_5\n 9A // IL_0035: ldelem.ref\n 13 ?? // IL_0036: stloc.s V_6\n 11 ?? 
// IL_0038: ldloc.s V_6\n 6F [4] // IL_003A: callvirt instance string [mscorlib]System.Type::get_FullName()\n 72 [4] // IL_003F: ldstr \".\"\n 03 // IL_0044: ldarg.1\n 28 [4] // IL_0045: call string [mscorlib]System.String::Concat(string, string)\n 6F [4] // IL_004A: callvirt instance bool [mscorlib]System.String::EndsWith(string)\n 13 ?? // IL_004F: stloc.s V_9\n 11 ?? // IL_0051: ldloc.s V_9\n 2C ?? // IL_0053: brfalse.s IL_0\n 09 // IL_0055: ldloc.3\n 6F [4] // IL_0056: callvirt instance class [mscorlib]System.Reflection.Assembly [mscorlib]System.Reflection.Module::get_Assembly()\n 11 ?? // IL_005B: ldloc.s V_6\n 6F [4] // IL_005D: callvirt instance string [mscorlib]System.Type::get_FullName()\n 6F [4] // IL_0062: callvirt instance object [mscorlib]System.Reflection.Assembly::CreateInstance(string)\n 0B // IL_0067: stloc.1\n 2B ?? // IL_0068: br.s IL_0\n 00 // IL_006A: nop\n 00 // IL_006B: nop\n 11 ?? // IL_006C: ldloc.s V_5\n 17 // IL_006E: ldc.i4.1\n D6 // IL_006F: add.ovf\n 13 ?? // IL_0070: stloc.s\n 11 ?? // IL_0072: ldloc.s V_5\n 11 ?? // IL_0074: ldloc.s V_8\n 13 ?? // IL_0076: stloc.s V_10\n 11 ?? 
// IL_0078: ldloc.s V_10\n 31 // IL_007A: ble.s IL_0031\n }\n\n condition:\n all of ($s*) or $plugin\n}\n", "rule_count": 1, "rule_names": [ "njrat_0bf99e5c7a1e" ], "rule_creation_date": "2025-03-13", "rule_modified_date": "2025-05-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.njRAT" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.discovery", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1010", "attack.t1056.001", "attack.t1548.002", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-njrat_72cf47cf0332_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575000Z", "creation_date": "2026-03-23T11:46:25.575002Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575008Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://en.wikipedia.org/wiki/NjRAT\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/" ], "name": "njrat_72cf47cf0332.yar", "content": "rule njrat_72cf47cf0332 {\n 
meta:\n title = \"njRAT (72cf47cf0332)\"\n id = \"8bfc8014-5fcd-4ede-9188-72cf47cf0332\"\n description = \"Detects njRAT, a commercial Remote Access Tool (RAT), also known as Bladabindi. This tool is used to remotely control computers through a reverse backdoor and has been widely used in malicious campaigns since 2012.\\nnjRAT provides attackers with various features including process enumeration, file manipulation, and network communication. The tool can establish persistence on infected systems and is known for its modular architecture that allows for different functionalities to be added as needed.\\nIt is recommended to analyze the samples in a controlled environment and to monitor for any unauthorized access or data exfiltration activities.\"\n references = \"https://en.wikipedia.org/wiki/NjRAT\\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/\"\n date = \"2024-03-15\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1010;attack.privilege_escalation;attack.defense_evasion;attack.t1548.002;attack.collection;attack.credential_access;attack.t1056.001;attack.command_and_control;attack.t1573.001\"\n classification = \"Windows.Trojan.njRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $cmd_rat = \"cmd.exe /c ping 0 -n 2 & del \\\"\" wide fullword\n $cmd_del = \"cmd.exe /C Y /N /D Y /T 1 & Del \\\"\" wide fullword\n\n $nyan_cat = \"TllBTiBDQVQ=\" wide fullword // 'NYAN CAT' in b64 from \"fun module\"\n\n $av1 = \"Select * From AntiVirusProduct\" wide fullword\n $av2 = \"GetAntiVirus\" wide fullword\n $av3 = \"No Antivirus\" wide fullword\n\n $bysomeone1 = \"By Hassan Amiri\" ascii wide\n $bysomeone2 = \"By Qasim Haxor\" ascii wide\n $bysomeone3 = \"By Fransesco Ctraik\" ascii wide\n $bysomeone4 = \"By HiDDen PerSOn\" ascii wide\n $bysomeone5 = \"Viral - Rat By Sameed\" ascii wide\n $bysomeone6 = \"By 
X-Slayer(Iheb Briki)\" ascii wide\n $bysomeone7 = \"RAT - [ By LordF\" ascii wide\n $bysomeone8 = \"By Th3 Exploiter\" ascii wide // not NjRAT but common exploit attached\n\n $njrat1 = \"RAT.njRAT\" ascii wide\n $njrat2 = \"Edition.NJRAT\" ascii wide\n $njrat3 = \"NjRat-0.\" ascii wide\n $njrat4 = \"NjRat 0.\" ascii wide\n $njrat5 = \"njRAT v0.\" ascii wide\n $njrat6 = \"NjRAT 0.\" ascii wide\n $njrat7 = \"njRAT_0.\" ascii wide\n $njrat8 = \"njRAT_v\" ascii wide\n $njrat9 = \"NjRat Lime Edition\" ascii wide\n $njrat10 = \"NjRat Ghost Edition\" ascii wide\n $njrat11 = \"NJRAT 7\" ascii wide\n $njrat12 = \"njwormcontrolcentre\" ascii wide\n $njrat14 = \"njw0rm.My.Resources\" ascii wide\n $njrat15 = \"RAT.NJRAT\" ascii wide\n $njrat16 = \"RAT.njRAT\" ascii wide\n $njrat17 = \"njRat v0.7d\" ascii wide\n $njrat18 = \"LeGend Rat\" ascii wide\n $njrat19 = \"Ant-njRAT\" ascii wide\n $njrat20 = \"ZikuRAT VIP\" ascii wide\n\n $canary = \"064541d2211e79384b76a1057b3fdb2c61b45b25a659aa5981dd3d54e9aa75d6\"\n\n condition:\n (\n ($cmd_rat) or\n (1 of ($cmd*) and (1 of ($nyan_cat*) or 1 of ($av*))) or\n (for any of ($njrat*) : (# > 3)) or\n (1 of ($bysomeone*))\n )\n and not $canary\n}\n", "rule_count": 1, "rule_names": [ "njrat_72cf47cf0332" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-05-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.njRAT" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.discovery", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1010", "attack.t1056.001", "attack.t1548.002", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_dropbox_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577885Z", "creation_date": "2026-03-23T11:46:25.577887Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577893Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md" ], "name": "nobelium_dropbox_loader.yar", "content": "rule nobelium_dropbox_loader {\n meta:\n title = \"Nobelium Dropbox Loader\"\n id = \"2962b71c-59e7-43a4-a6c9-d3d1bf042969\"\n description = \"Detects the Nobelium Dropbox Loader.\\nNobelium is a sophisticated malware known for its advanced anti-debugging, anti-VM, and anti-antivirus techniques. It uses DLL hijacking and direct syscalls to load a malicious payload hosted on a Dropbox server. 
The malware employs various persistence mechanisms and is designed to evade detection while establishing command and control communication.\\nIt is recommended to dump the affected process and investigate network traffic for any suspicious communication with Dropbox servers.\"\n references = \"https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md\"\n date = \"2022-05-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1622;attack.t1574;attack.t1497;attack.persistence;attack.t1547;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Loader.Dropbox\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6618a8b55181b1309dc897d57f9c7264e0c07398615a46c2d901dd1aa6b9a6d6\n // 6fc54151607a82d5f4fae661ef0b7b0767d325f5935ed6139f8932bc27309202\n // 23a09b74498aea166470ea2b569d42fd661c440f3f3014636879bd012600ed68\n\n $filename1 = \"AcroSup.dll\" ascii fullword\n $filename2 = \"AcroSup64.dll\" wide fullword\n $filename3 = \"AcroSup.dll\" wide fullword\n $filename4 = \"AcroSup\" wide fullword\n $filename5 = \"vcruntime140.dll\" ascii fullword\n $filename6 = \"NV.exe\" ascii fullword\n $filename7 = \"blank.pdf\" ascii\n\n $direct_syscall = {\n B9 56 D2 A8 B4 // mov ecx, 0B4A8D256h <-- hash of NtCreateThreadEx syscall number\n E8 ?? ?? ?? ?? // call get_syscall_number\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 ?? // mov rcx, [rsp+arg_0]\n 48 8B 54 24 ?? // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 ?? // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 ?? // mov r9, [rsp+arg_18]\n 4C 8B D1 // mov r10, rcx\n 0F 05 // syscall ; Low latency system cal\n }\n\n $registry_persistence = {\n 48 8D 44 24 50 // lea rax, [rsp+650h+phkResult]\n 41 B9 06 00 02 00 // mov r9d, 20006h ; samDesired\n ?? ?? ?? 
// xor r8d, r8d ; ulOptions\n 48 89 44 24 20 // mov [rsp+650h+pszPath], rax ; phkResult\n 49 8B D2 // mov rdx, r10 ; lpSubKey\n 48 C7 C1 01 00 00 80 // mov rcx, 0FFFFFFFF80000001h ; hKey\n FF 15 ?? ?? ?? ?? // call cs:RegOpenKeyExA\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 300KB and 4 of ($filename*) and $direct_syscall and $registry_persistence\n}\n", "rule_count": 1, "rule_names": [ "nobelium_dropbox_loader" ], "rule_creation_date": "2022-05-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Dropbox" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1497", "attack.t1071.001", "attack.t1547", "attack.t1574", "attack.t1622" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_graphicalneutrino_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583457Z", "creation_date": "2026-03-23T11:46:25.583459Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583464Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf" ], "name": "nobelium_graphicalneutrino.yar", "content": "rule nobelium_graphicalneutrino {\n meta:\n title = \"Nobelium GraphicalNeutrino\"\n id = \"c0f4a0b8-69a9-4070-b038-8d728755e3bf\"\n description = \"Detects the Nobelium GraphicalNeutrino, a malicious DLL that functions as a loader with basic command-and-control (C2) capabilities.\\nThis DLL implements a variety of anti-analysis techniques to evade detection, including API unhooking, dynamic API resolution, string encryption, and sandbox evasion. These techniques allow the malware to maintain persistence and avoid analysis by security tools.\\nIt is recommended to analyze it in a controlled environment to identify and remove any malicious components.\"\n references = \"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf\"\n date = \"2023-03-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1204.002;attack.defense_evasion;attack.t1027.006;attack.t1027.007;attack.t1562.001;attack.command_and_control;attack.t1071.001;attack.t1102.002\"\n classification = \"Windows.Malware.GraphicalNeutrino\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4\n // 381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c\n // e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98\n\n $decrypt_string = {\n 48 89 C8 // mov rax, rcx\n 31 D2 // xor edx, edx\n 4C 8B ?? ?? ?? // mov r9, [rsp+578h+var_528]\n 48 F7 ?? ?? ?? // div [rsp+578h+var_520]\n 49 8B 45 ?? // mov rax, [r13+0]\n 41 8A 14 11 // mov dl, [r9+rdx]\n 32 54 08 ?? // xor dl, [rax+rcx+10h]\n 89 C8 // mov eax, ecx\n 41 0F AF C0 // imul eax, r8d\n 31 C2 // xor edx, eax\n 88 14 0B // mov [rbx+rcx], dl\n 48 FF C1 // inc rcx\n EB ?? 
// jmp short loc_6BB81DC8\n }\n\n $user_agent = {\n 48 8D ?? ?? ?? ?? 00 // lea rsi, szAgent\n 8A 05 ?? ?? ?? 00 // mov al, cs:byte_6BBC3940\n 84 C0 // test al, al\n 75 ?? // jnz short loc_6BB81979\n 48 8D ?? ?? ?? ?? 00 // lea rcx, byte_6BBC3940\n E8 ?? ?? ?? 00 // call sub_6BBB2210\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_6BB81979\n C6 05 ?? ?? ?? 00 01 // mov cs:byte_6BBC39CE, 1\n 31 C0 // xor eax, eax\n\n // loc_6BB81951:\n 8A 54 05 00 // mov dl, [rbp+rax+0]\n 88 14 06 // mov [rsi+rax], dl\n 48 FF C0 // inc rax\n 48 83 F8 ?? // cmp rax, 6Eh ; 'n'\n 75 ?? // jnz short loc_6BB81951\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "nobelium_graphicalneutrino" ], "rule_creation_date": "2023-03-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.GraphicalNeutrino" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1027.007", "attack.t1071.001", "attack.t1027.006", "attack.t1562.001", "attack.t1102.002", "attack.t1204.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_nativezone_0e9f286c92dc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583428Z", "creation_date": 
"2026-03-23T11:46:25.583430Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583436Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0637/" ], "name": "nobelium_nativezone_0e9f286c92dc.yar", "content": "rule nobelium_nativezone_0e9f286c92dc {\n meta:\n title = \"Nobelium NativeZone (0e9f286c92dc)\"\n id = \"caedf7d0-3540-4cde-9ad9-0e9f286c92dc\"\n description = \"Detects the Nobelium NativeZone x86 payload.\\nNativeZone is the name given to Cobalt Strike loaders used by APT29 since at least 2021.\\nThis payload uses VirtualAlloc and VirtualProtect to decode and execute the next stage payload.\\nIt is recommended to isolate the affected system and monitor network traffic for suspicious activity.\"\n references = \"https://attack.mitre.org/software/S0637/\"\n date = \"2021-06-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.g0016;attack.s0637;attack.t1027.001;attack.t1027.002\"\n classification = \"Windows.Malware.NativeZone\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload use those APIs to load the decoded payload\n $api_used_s1 = \"VirtualAlloc\" ascii\n $api_used_s2 = \"CreateThreadpoolWait\" ascii\n $api_used_s3 = \"SetThreadpoolWait\" ascii\n\n // The decryption algorithm used to decoded Cobalt Strike.\n $nobelium_nativezone_decode_next_payload = {\n 8B C6 // mov eax, esi\n 83 E0 1F // and eax, 0x1f\n [0-5] // NOTE: there is some random instruction noise here if build with -O0 because of unused stuffs, skip it.\n 8A 4? ?5 ?? // mov al, byte ptr [ebp + register Y + optional imediate]\n 32 86 ?? ?? ?? ?? // xor al, byte ptr [esi + 0xXXXXXXXX]\n 88 84 35 ?? ?? ?? ?? 
// mov byte ptr [ebp + esi + 0xXXXXXXXX], al\n [0-5] // NOTE: there is some random instruction noise here if build with -O0 because of unused stuffs, skip it.\n 46 // inc esi\n 83 C4 04 // add esp, 4\n 81 FE ?? ?? ?? ?? // cmp esi, 0xXXXXXXXX // payload size\n 7C ?? // jl 0xXX\n 6A 40 // push 0x40 // PAGE_EXECUTE_READWRITE\n 68 00 10 00 00 // push 0x1000 // MEM_COMMIT\n 68 ?? ?? ?? ?? // push 0xXXXXXXXX // payload size\n 6A 00 // push 0 // lpAddress\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualAlloc\n 8B F0 // mov esi, eax\n 8D 85 ?? ?? ?? ?? // lea eax, [ebp + 0xXXXXXXXX]\n 68 ?? ?? ?? ?? // push 0xXXXXXXXX // payload size\n 50 // push eax // decoded_payload_address\n 56 // push esi // virtual_alloc_address\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // memmove\n 83 C4 0C // add esp, 0xc\n 6A 00 // push 0 // pcbe\n 6A 00 // push 0 // pv\n 56 // push esi // pfnwa\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // CreateThreadpoolWait\n 6A 00 // push 0 // pftTimeout\n 57 // push edi // handle\n 50 // push eax // pwa\n FF 15 ?? ?? ?? ?? 
// call dword ptr [0xXX] // SetThreadpoolWait\n }\n\n condition:\n filesize < 2MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "nobelium_nativezone_0e9f286c92dc" ], "rule_creation_date": "2021-06-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.NativeZone" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1027.002", "attack.t1027.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_nativezone_5b820e216090_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569111Z", "creation_date": "2026-03-23T11:46:25.569113Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569126Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0637/" ], "name": "nobelium_nativezone_5b820e216090.yar", "content": "rule nobelium_nativezone_5b820e216090 {\n meta:\n title = \"Nobelium NativeZone\"\n id = \"4056699f-370a-4b2e-b245-5b820e216090\"\n description = \"Detects the Nobelium NativeZone x86 payload.\\nNativeZone is the name given to Cobalt Strike loaders used by APT29 since at least 
2021.\\nThis payload uses VirtualAlloc and VirtualProtect to decode and execute the next stage payload.\\nIt is recommended to isolate the affected system and monitor network traffic for suspicious activity.\"\n references = \"https://attack.mitre.org/software/S0637/\"\n date = \"2021-06-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.g0016;attack.s0637;attack.t1027.001;attack.t1027.002\"\n classification = \"Windows.Malware.NativeZone\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload use those APIs to execute handle execution of next stage\n $api_used_s1 = \"SHGetFolderPathW\" ascii\n $api_used_s2 = \"GetFileAttributesA\" ascii\n $api_used_s3 = \"CreateProcessA\" ascii\n\n // Clear strings present in the binary\n $clear_s1 = \"\\\\SystemCertificates\\\\Lib\\\\CertPKIProvider.dll\" ascii\n $clear_s2 = \"rundll32.exe %s %s\" ascii\n $clear_s3 = \"eglGetConfigs\" ascii\n $clear_s4 = \"_configNativeCache\" ascii\n\n condition:\n filesize < 100KB and all of ($api_used_s*) and all of ($clear_s*)\n}\n", "rule_count": 1, "rule_names": [ "nobelium_nativezone_5b820e216090" ], "rule_creation_date": "2021-06-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.NativeZone" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1027.002", "attack.t1027.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_nativezone_7748e19e79dc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587772Z", "creation_date": "2026-03-23T11:46:25.587774Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587781Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0637/" ], "name": "nobelium_nativezone_7748e19e79dc.yar", "content": "rule nobelium_nativezone_7748e19e79dc {\n meta:\n title = \"Nobelium NativeZone (7748e19e79dc)\"\n id = \"e4384636-2afc-4ae5-a2c7-7748e19e79dc\"\n description = \"Detects the Nobelium NativeZone x64 payload.\\nNativeZone is the name given to Cobalt Strike loaders used by APT29 since at least 2021.\\nThis payload uses VirtualAlloc and VirtualProtect to decode and execute the next stage payload.\\nIt is recommended to isolate the affected system and monitor network traffic for suspicious activity.\"\n references = \"https://attack.mitre.org/software/S0637/\"\n date = \"2021-06-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.g0016;attack.s0637;attack.t1027.001;attack.t1027.002\"\n classification = \"Windows.Malware.NativeZone\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // This payload use those APIs to load the decoded payload\n $api_used_s1 = \"VirtualAlloc\" ascii\n $api_used_s2 = \"VirtualProtect\" ascii\n\n // The decryption algorithm used to decoded Cobalt Strike.\n $nobelium_nativezone_decode_next_payload = {\n 41 B9 04 00 00 00 // mov r9d, 4 // PAGE_READWRITE\n 41 B8 00 30 00 00 // mov r8d, 3000 // MEM_COMMIT | MEM_RESERVE\n 48 8B D0 // mov rdx, rax // 
dwSize\n 33 C9 // xor ecx, ecx // lpAddress\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualAlloc\n\n (\n 48 89 84 24 ?? 00 00 00 | // mov qword ptr [rsp + 0xXX], rax\n 48 89 44 24 ?? // mov qword ptr [rsp + 0xXX], rax (second variant)\n )\n C7 44 24 ?? 00 00 00 00 // mov dword ptr [rsp + 0xXX], 0\n EB ?? // jump decode_start\n\n // nobelium_nativezone_decode_loop:\n 8B 44 24 ?? // mov eax, dword ptr [rsp + 0xXX]\n 83 C0 02 // add eax, 2\n 89 44 24 ?? // mov dword ptr [rsp + 0xXX], eax\n\n // nobelium_nativezone_decode_start:\n 8B 44 24 ?? // mov eax, dword ptr [rsp + 0xXX]\n 39 44 24 ?? // cmp dword ptr [rsp + 0xXX], eax\n 7D ?? // jge nobelium_nativezone_decode_finished\n 8B 44 24 ?? // mov eax, dword ptr [rsp + 0xXX]\n FF C0 // inc eax\n 48 98 // cdqe\n 48 8D 0D ?? ?? ?? ?? // lea rcx, [rip + 0xXXXXXXXX]\n 48 63 54 24 ?? // movsxd rdx, dword ptr [rsp + 0xXX]\n (\n 48 8B 9C 24 ?? 00 00 00 | // mov rbx, qword ptr [rsp + 0xXX]\n 4C 8B 44 24 ?? // mov r8, qword ptr [rsp + 0xXX] (second variant)\n )\n 0F B6 04 01 // movzx eax, byte ptr [rcx + rax]\n (\n 88 04 13 | // mov byte ptr [rbx + rdx], al\n 41 88 04 10 // mov byte ptr [r8 + rdx], al\n )\n 48 63 44 24 ?? // movsxd rax, dword ptr [rsp + 0xXX]\n 48 8D 0D ?? ?? ?? ?? // lea rcx, [rip + 0xXXXXXXXX]\n 8B 54 24 ?? // mov edx, dword ptr [rsp + 0xXX]\n FF C2 // inc edx\n 48 63 D2 // movsxd rdx, edx\n (\n 48 8B 9C 24 ?? 00 00 00 | // mov rbx, qword ptr [rsp + 0xXX]\n 4C 8B 44 24 ?? // mov r8, qword ptr [rsp + 0xXX] (second variant)\n )\n 0F B6 04 01 // movzx eax, byte ptr [rcx + rax]\n (\n 88 04 13 | // mov byte ptr [rbx + rdx], al\n 41 88 04 10 // mov byte ptr [r8 + rdx], al\n )\n EB ?? // jump nobelium_nativezone_decode_loop\n\n [0-20] // NOTE: there is some random instruction noise here if build with -O0 because of unused stuffs, skip it.\n\n // nobelium_nativezone_decode_finished:\n (\n 4C 8D 8C 24 ?? ?? ?? ?? | // lea r9, [rsp + 0xXXX] // lpflOldProtect\n 4C 8D 4C 24 ?? 
// lea r9, [rsp + 0xXXX] // lpflOldProtect (second variant)\n )\n 41 B8 20 00 00 00 // mov r8d, 0x20 // PAGE_READEXECUTE\n 48 8B D0 // mov rdx, rax // dwSize\n (\n 48 8B 8C 24 ?? 00 00 00 | // mov rcx, qword ptr [rsp + 0xXX] // lpAddress\n 48 8B 4C 24 ?? // mov rcx, qword ptr [rsp + 0xXX] // lpAddress (second variant)\n )\n FF 15 ?? ?? ?? ?? // call dword ptr [0xXX] // VirtualProtect\n }\n\n condition:\n filesize < 2MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "nobelium_nativezone_7748e19e79dc" ], "rule_creation_date": "2021-06-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.NativeZone" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1027.002", "attack.t1027.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nobelium_vm_detection_11d77b26d53c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574585Z", "creation_date": "2026-03-23T11:46:25.574588Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574593Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0637/" ], 
"name": "nobelium_vm_detection_11d77b26d53c.yar", "content": "rule nobelium_vm_detection_11d77b26d53c {\n meta:\n title = \"Nobelium VM Detection\"\n id = \"9516af5b-34ed-4e7e-a0ca-11d77b26d53c\"\n description = \"Detects the Nobelium VM detection mechanism used by the NativeZone component.\\nNativeZone is the name given to Cobalt Strike loaders used by APT29 since at least 2021.\\nThis rule identifies the presence of code that uses CPUID to extract processor information and compares it against known hypervisor manufacturer strings to determine if the system is running in a virtual environment.\\nIt is recommended to isolate the system and perform a detailed investigation to identify any unauthorized driver activity.\"\n references = \"https://attack.mitre.org/software/S0637/\"\n date = \"2021-06-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.g0016;attack.s0637;attack.t1027.001;attack.t1027.002\"\n classification = \"Windows.Malware.NativeZone\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $cpuid_extract_manifacturer_id = {\n 33 C0 // xor eax, eax\n 33 C9 // xor ecx, ecx\n 0F A2 // cpuid\n 4C 8D 84 24 ?? ?? ?? ?? // lea r8, [rsp + 0xXXXX]\n 41 89 00 // mov dword ptr [r8], eax\n 41 89 58 04 // mov dword ptr [r8 + 4], ebx\n 41 89 48 08 // mov dword ptr [r8 + 8], ecx\n 41 89 50 0C // mov dword ptr [r8 + 0xc], edx\n }\n\n // This is a stack copy of the following:\n // strcpy(array[0], \"Microsoft Hv\");\n // strcpy(array[1], \"VMwareVMware\");\n // strcpy(array[2], \"XenVMMXenVMM\");\n // strcpy(array[3], \"VBoxVBoxVBox\");\n // strcpy(array[4], \"TCGTCGTCGTCG\");\n // strcpy(array[5], \"VirtualApple\");\n $vendor_list_on_stack = {\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x218], 0x4d\n C6 84 24 ?? 02 00 00 69 // mov byte ptr [rsp + 0x219], 0x69\n C6 84 24 ?? 02 00 00 63 // mov byte ptr [rsp + 0x21a], 0x63\n C6 84 24 ?? 
02 00 00 72 // mov byte ptr [rsp + 0x21b], 0x72\n C6 84 24 ?? 02 00 00 6F // mov byte ptr [rsp + 0x21c], 0x6f\n C6 84 24 ?? 02 00 00 73 // mov byte ptr [rsp + 0x21d], 0x73\n C6 84 24 ?? 02 00 00 6F // mov byte ptr [rsp + 0x21e], 0x6f\n C6 84 24 ?? 02 00 00 66 // mov byte ptr [rsp + 0x21f], 0x66\n C6 84 24 ?? 02 00 00 74 // mov byte ptr [rsp + 0x220], 0x74\n C6 84 24 ?? 02 00 00 20 // mov byte ptr [rsp + 0x221], 0x20\n C6 84 24 ?? 02 00 00 48 // mov byte ptr [rsp + 0x222], 0x48\n C6 84 24 ?? 02 00 00 76 // mov byte ptr [rsp + 0x223], 0x76\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x224], 0x00\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x228], 0x56\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x229], 0x4d\n C6 84 24 ?? 02 00 00 77 // mov byte ptr [rsp + 0x22a], 0x77\n C6 84 24 ?? 02 00 00 61 // mov byte ptr [rsp + 0x22b], 0x61\n C6 84 24 ?? 02 00 00 72 // mov byte ptr [rsp + 0x22c], 0x72\n C6 84 24 ?? 02 00 00 65 // mov byte ptr [rsp + 0x22d], 0x65\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x22e], 0x56\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x22f], 0x4d\n C6 84 24 ?? 02 00 00 77 // mov byte ptr [rsp + 0x230], 0x77\n C6 84 24 ?? 02 00 00 61 // mov byte ptr [rsp + 0x231], 0x61\n C6 84 24 ?? 02 00 00 72 // mov byte ptr [rsp + 0x232], 0x72\n C6 84 24 ?? 02 00 00 65 // mov byte ptr [rsp + 0x233], 0x65\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x234], 0x00\n C6 84 24 ?? 02 00 00 58 // mov byte ptr [rsp + 0x238], 0x58\n C6 84 24 ?? 02 00 00 65 // mov byte ptr [rsp + 0x239], 0x65\n C6 84 24 ?? 02 00 00 6E // mov byte ptr [rsp + 0x23a], 0x6e\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x23b], 0x56\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x23c], 0x4d\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x23d], 0x4d\n C6 84 24 ?? 02 00 00 58 // mov byte ptr [rsp + 0x23e], 0x58\n C6 84 24 ?? 02 00 00 65 // mov byte ptr [rsp + 0x23f], 0x65\n C6 84 24 ?? 02 00 00 6E // mov byte ptr [rsp + 0x240], 0x6e\n C6 84 24 ?? 
02 00 00 56 // mov byte ptr [rsp + 0x241], 0x56\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x242], 0x4d\n C6 84 24 ?? 02 00 00 4D // mov byte ptr [rsp + 0x243], 0x4d\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x244], 0x00\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x248], 0x56\n C6 84 24 ?? 02 00 00 42 // mov byte ptr [rsp + 0x249], 0x42\n C6 84 24 ?? 02 00 00 6F // mov byte ptr [rsp + 0x24a], 0x6f\n C6 84 24 ?? 02 00 00 78 // mov byte ptr [rsp + 0x24b], 0x78\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x24c], 0x56\n C6 84 24 ?? 02 00 00 42 // mov byte ptr [rsp + 0x24d], 0x42\n C6 84 24 ?? 02 00 00 6F // mov byte ptr [rsp + 0x24e], 0x6f\n C6 84 24 ?? 02 00 00 78 // mov byte ptr [rsp + 0x24f], 0x78\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x250], 0x56\n C6 84 24 ?? 02 00 00 42 // mov byte ptr [rsp + 0x251], 0x42\n C6 84 24 ?? 02 00 00 6F // mov byte ptr [rsp + 0x252], 0x6f\n C6 84 24 ?? 02 00 00 78 // mov byte ptr [rsp + 0x253], 0x78\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x254], 0x00\n C6 84 24 ?? 02 00 00 54 // mov byte ptr [rsp + 0x258], 0x54\n C6 84 24 ?? 02 00 00 43 // mov byte ptr [rsp + 0x259], 0x43\n C6 84 24 ?? 02 00 00 47 // mov byte ptr [rsp + 0x25a], 0x47\n C6 84 24 ?? 02 00 00 54 // mov byte ptr [rsp + 0x25b], 0x54\n C6 84 24 ?? 02 00 00 43 // mov byte ptr [rsp + 0x25c], 0x43\n C6 84 24 ?? 02 00 00 47 // mov byte ptr [rsp + 0x25d], 0x47\n C6 84 24 ?? 02 00 00 54 // mov byte ptr [rsp + 0x25e], 0x54\n C6 84 24 ?? 02 00 00 43 // mov byte ptr [rsp + 0x25f], 0x43\n C6 84 24 ?? 02 00 00 47 // mov byte ptr [rsp + 0x260], 0x47\n C6 84 24 ?? 02 00 00 54 // mov byte ptr [rsp + 0x261], 0x54\n C6 84 24 ?? 02 00 00 43 // mov byte ptr [rsp + 0x262], 0x43\n C6 84 24 ?? 02 00 00 47 // mov byte ptr [rsp + 0x263], 0x47\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x264], 0x00\n C6 84 24 ?? 02 00 00 56 // mov byte ptr [rsp + 0x208], 0x56\n C6 84 24 ?? 02 00 00 69 // mov byte ptr [rsp + 0x209], 0x69\n C6 84 24 ?? 
02 00 00 72 // mov byte ptr [rsp + 0x20a], 0x72\n C6 84 24 ?? 02 00 00 74 // mov byte ptr [rsp + 0x20b], 0x74\n C6 84 24 ?? 02 00 00 75 // mov byte ptr [rsp + 0x20c], 0x75\n C6 84 24 ?? 02 00 00 61 // mov byte ptr [rsp + 0x20d], 0x61\n C6 84 24 ?? 02 00 00 6C // mov byte ptr [rsp + 0x20e], 0x6c\n C6 84 24 ?? 02 00 00 41 // mov byte ptr [rsp + 0x20f], 0x41\n C6 84 24 ?? 02 00 00 70 // mov byte ptr [rsp + 0x210], 0x70\n C6 84 24 ?? 02 00 00 70 // mov byte ptr [rsp + 0x211], 0x70\n C6 84 24 ?? 02 00 00 6C // mov byte ptr [rsp + 0x212], 0x6c\n C6 84 24 ?? 02 00 00 65 // mov byte ptr [rsp + 0x213], 0x65\n C6 84 24 ?? 02 00 00 00 // mov byte ptr [rsp + 0x214], 0x00\n }\n\n condition:\n filesize < 2MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "nobelium_vm_detection_11d77b26d53c" ], "rule_creation_date": "2021-06-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.NativeZone" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1027.002", "attack.t1027.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nps_tunneling_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577009Z", "creation_date": "2026-03-23T11:46:25.577011Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577017Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ehang-io/nps" ], "name": "nps_tunneling.yar", "content": "rule nps_hacktool {\n meta:\n title = \"NPS HackTool\"\n id = \"3f0f24a6-4eb3-4d4a-8559-569d0b31cacb\"\n description = \"Detects the NPS tunneling hacktool.\\nNPS is an open-source lightweight proxy server.\\nIt can be used by adversaries to tunnel traffic into internal networks from an initial foothold.\\nIt is recommended to verify if the usage of this tool is legitimate.\"\n references = \"https://github.com/ehang-io/nps\"\n date = \"2025-03-28\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071;attack.t1572\"\n classification = \"HackTool.NPSTunneling\"\n context = \"process,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // cab0376ec4e149f5242729bb3b5702772456bed3a601ce57bf0511196f5a5c6f\n // 5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856\n // 2ccd01d09af66cbba97176953ee9a853a5651e09c019c96a273e0d69bb80baa2\n // eb555c0e2772e1346738b9fd4c2027b993651f3b0b3a0cb0f8e5c65cb5816e27\n // 4714e8ad9c625070ca0a151ffc98d87d8e5da7c8ef42037ca5f43baede6cfac1\n\n $go_binary = \"Go buildinf:\" ascii fullword\n\n $a1 = \"main.(*npc).Start\" ascii fullword\n $a2 = \"main.(*npc).run.func1\" ascii fullword\n $a3 = \"ehang.io/nps/lib/crypt.GetRandomString\" ascii fullword\n $a4 = \"ehang.io/nps/lib/common.ReadUDPDatagram\" ascii fullword\n $a5 = \"ehang.io/nps/lib/rate.(*Rate).ReturnBucket\" ascii fullword\n $a6 = \"ehang.io/nps/lib/file.NewJsonDb\" ascii fullword\n\n $b1 = \"Accept server data error %s, end this service\" ascii\n $b2 = \"http request, method %s, host %s, url %s, remote address %s\" ascii\n $b3 = \"npc: panic 
serving %v: %v\" ascii\n $b4 = \"the version of client is %s, the core version of client is %s\" ascii\n $b5 = \"new %s connection with the goal of %s, remote address:%s\" ascii\n $b6 = \"https://api.github.com/repos/ehang-io/nps/releases/latest\" ascii\n\n condition:\n (\n uint16(0) == 0x5a4d or // Windows\n uint16(0) == 0x457f or // Linux\n (\n // MacOS\n uint32(0) == 0xfeedface or\n uint32(0) == 0xcefaedfe or\n uint32(0) == 0xfeedfacf or\n uint32(0) == 0xcffaedfe or\n uint32(0) == 0xcafebabe or\n uint32(0) == 0xbebafeca\n )\n )\n and $go_binary\n and\n (\n 2 of ($a*) or\n 4 of ($b*)\n )\n}\n", "rule_count": 1, "rule_names": [ "nps_hacktool" ], "rule_creation_date": "2025-03-28", "rule_modified_date": "2025-05-09", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.NPSTunneling" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071", "attack.t1572" ], "rule_score": 70, "rule_context": [ "file.elf", "file.pe", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ntdsdumpex_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563299Z", "creation_date": "2026-03-23T11:46:25.563303Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563310Z", 
"rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\nhttps://github.com/zcgonvh/NTDSDumpEx" ], "name": "ntdsdumpex.yar", "content": "rule ntdsdumpex {\n meta:\n title = \"NTDSDumpEx Tool\"\n id = \"a0e5111e-1928-41d5-a87f-52ea32eefd82\"\n description = \"Detects the NTDSDumpEx tool, an offline utility designed to dump NTDS.dit files.\\nNTDSDumpEx is used to extract data from Active Directory database files, often for unauthorized access or data extraction. This rule identifies the tool's activity, which was observed in an industrial espionage incident reported by BitDefender in 2022.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine if the usage of this tool is legitimate.\"\n references = \"https://www.bitdefender.com/files/News/CaseStudies/study/421/Bitdefender-PR-Whitepaper-IndEs-creat6269-en-EN.pdf\\nhttps://github.com/zcgonvh/NTDSDumpEx\"\n date = \"2022-09-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.003\"\n classification = \"Windows.Tool.NTDSDumpEx\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96\n\n $critical_str_1 = \"ntdsdumpex.exe\" ascii\n $critical_str_2 = \"-d path of ntds.dit database\" fullword ascii\n $critical_str_3 = \"Example : ntdsdumpex.exe -r\" fullword ascii\n $critical_str_4 = \"ntdsdump_0_3\" fullword ascii\n $critical_str_5 = \"[+]total %d entries dumped,%d normal accounts,%d machines,%d histories.\" fullword ascii\n\n $s1 = \"\\\\ControlSet001\\\\Control\\\\Lsa\\\\\" fullword ascii\n $s2 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\\" fullword 
ascii\n $s3 = \"[x]hive key: %s not found\" fullword ascii\n $s4 = \"[x]no SYSKEY set\" fullword ascii\n $s5 = \"[+]dump completed in %.3f seconds.\" fullword ascii\n\n // formatting info dumped from ntds.dit\n $op1 = {\n 8D 46 E8 // lea eax, [esi-18h]\n 8B CB // mov ecx, ebx ; int\n C1 E8 04 // shr eax, 4\n 89 85 ?? ?? FF FF // mov [ebp+var_990], eax\n E8 CB F8 FF FF // call sub_402050\n FF B5 ?? ?? FF FF // push [ebp+Size] ; int\n 8B CB // mov ecx, ebx ; int\n FF B5 ?? ?? FF FF // push [ebp+var_94C] ; int\n E8 ?? ?? ?? ?? // call sub_402050\n 8B 85 ?? ?? FF FF // mov eax, [ebp+pcbActual]\n 33 F6 // xor esi, esi\n C1 E8 04 // shr eax, 4\n }\n\n // inline string checking\n $op2 = {\n 89 46 ?? // mov [esi+10h], eax\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_4018A1\n 80 7D ?? 41 // cmp [ebp+pvData], 41h ; 'A'\n 75 45 // jnz short loc_4018A1\n 80 7D ?? 54 // cmp [ebp+var_4F], 54h ; 'T'\n 75 3F // jnz short loc_4018A1\n 80 7D ?? 54 // cmp [ebp+var_4E], 54h ; 'T'\n 75 ?? // jnz short loc_4018A1\n 50 // push eax ; pretinfo\n 50 // push eax ; grbit\n 50 // push eax ; pcbActual\n 6A 04 // push 4 ; cbData\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 300KB and (2 of ($critical_str_*) or (3 of ($s*) and 1 of ($op*)))\n}\n", "rule_count": 1, "rule_names": [ "ntdsdumpex" ], "rule_creation_date": "2022-09-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.NTDSDumpEx" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ntfs_parser_lib_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590205Z", "creation_date": "2026-03-23T11:46:25.590207Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590213Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.codeproject.com/articles/An-NTFS-Parser-Lib\nhttps://attack.mitre.org/techniques/T1006/" ], "name": "ntfs_parser_lib.yar", "content": "rule ntfs_parser_lib {\n meta:\n title = \"NTFS Parser Lib Tool\"\n id = \"b4d61e1c-e1df-46ab-8425-a5d8501de96d\"\n description = \"Detects NTFS Parser Lib, a library that directly parses raw NTFS disk structures such as MFT records, attributes, indexes, and clusters to extract low-level filesystem data.\\nAttackers may use it to read raw NTFS data and access files without relying on normal system protections.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://www.codeproject.com/articles/An-NTFS-Parser-Lib\\nhttps://attack.mitre.org/techniques/T1006/\"\n date = \"2025-11-21\"\n modified = \"2025-12-29\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1006\"\n classification = \"Windows.Tool.NTFSParserLib\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fc8c3078c79cd5f8708ba30fac967006721e56ca581fe121e936998b107c9017\n\n $strings1 = 
\"Unrecognized File Name or FileName buffer too small\" ascii fullword\n $strings2 = \"CAttr_VolName deleted\" ascii fullword\n $strings3 = \"Points to sub-node\" ascii fullword\n $strings4 = \"CIndexEntry deleted\" ascii fullword\n $strings5 = \"Index Allocation DataRun parse error\" ascii fullword\n $strings6 = \"Index Block parse error: Magic mismatch\" ascii fullword\n\n // __inline void CNTFSVolume::ClearAttrRawCB()\n $clear_attr_raw_cb = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 10 // sub rsp, 10h\n 48 89 4D 10 // mov [rbp+arg_0], rcx\n C7 45 FC 00 00 00 00 // mov [rbp+var_4], 0\n EB 1A // jmp short loc_14001AE0F\n\n // loc_14001ADF5:\n 48 8B 45 10 // mov rax, [rbp+arg_0]\n 8B 55 FC // mov edx, [rbp+var_4]\n 48 63 D2 // movsxd rdx, edx\n 48 83 C2 06 // add rdx, 6\n 48 C7 04 D0 00 00 00 00 // mov qword ptr [rax+rdx*8], 0\n 83 45 FC 01 // add [rbp+var_4], 1\n\n // loc_14001AE0F:\n 83 7D FC 0F // cmp [rbp+var_4], 0Fh\n 7E E0 // jle short loc_14001ADF5\n 90 // nop\n 90 // nop\n 48 83 C4 10 // add rsp, 10h\n 5D // pop rbp\n C3 // retn\n }\n\n // BOOL CNTFSVolume::OpenVolume(_TCHAR volume)\n $openvolume1 = \"Volume name error, should be like 'C', 'D'\" ascii fullword\n $openvolume2 = \"\\\\\\\\.\\\\%c:\" ascii fullword\n $openvolume3 = \"NTFS \" ascii fullword\n\n // BOOL CAttr_IndexAlloc::PatchUS(WORD* sector, int sectors, WORD usn, WORD* usarray)\n // if (fr->Magic == FILE_RECORD_MAGIC)\n $magic = { 46 49 4C 45 } // cmp eax, 454C4946h\n\n $patchus = {\n 48 8B 45 10 // mov rax, [rbp+arg_0]\n 48 8B 40 08 // mov rax, [rax+8]\n 0F B7 40 08 // movzx eax, word ptr [rax+8]\n 66 D1 E8 // shr ax, 1\n 0F B7 C0 // movzx eax, ax\n 48 01 C0 // add rax, rax\n 48 83 E8 02 // sub rax, 2\n 48 01 45 18 // add [rbp+arg_8], rax\n 48 8B 45 18 // mov rax, [rbp+arg_8]\n 0F B7 00 // movzx eax, word ptr [rax]\n 66 39 45 28 // cmp [rbp+arg_18], ax\n 74 ?? // jz short loc_140003409\n B8 00 00 00 00 // mov eax, 0\n EB ?? 
// jmp short loc_140003439\n\n // loc_140003409:\n 8B 45 FC // mov eax, [rbp+var_4]\n 48 98 // cdqe\n 48 8D 14 00 // lea rdx, [rax+rax]\n 48 8B 45 30 // mov rax, [rbp+arg_20]\n 48 01 D0 // add rax, rdx\n 0F B7 10 // movzx edx, word ptr [rax]\n 48 8B 45 18 // mov rax, [rbp+arg_8]\n 66 89 10 // mov [rax], dx\n 48 83 45 18 02 // add [rbp+arg_8], 2\n 83 45 FC 01 // add [rbp+var_4], 1\n }\n\n // 8a140c2f7522529fbce554cb151e03048825d1da96255a481a7ddc40e2cd44ce\n $filter01 = \"Advanced System Repair Pro\" wide fullword\n $filter02 = \"totalsystemcare\" wide\n // 71bc6d75d0f0c1e16d9914757b1a57da768168254503c9565b0b815d6718d25c\n $filter03 = \"avtar.exe\" ascii fullword\n $filter04 = \"Reading avtar %s file %s\" ascii fullword\n\n condition:\n (\n 5 of ($strings*) or\n $clear_attr_raw_cb or\n (all of ($openvolume*) and $magic) or\n $patchus\n ) and not 2 of ($filter*)\n}\n", "rule_count": 1, "rule_names": [ "ntfs_parser_lib" ], "rule_creation_date": "2025-11-21", "rule_modified_date": "2025-12-29", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.NTFSParserLib" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1006" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nt_global_check_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.572085Z", "creation_date": "2026-03-23T11:46:25.572088Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572094Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mahaloz/ctf-wiki-en/blob/master/docs/reverse/windows/anti-debug/ntglobalflag.md\nhttps://github.com/HackOvert/AntiDBG" ], "name": "nt_global_check.yar", "content": "rule nt_global_flag_check {\n meta:\n title = \"NtGlobalFlag Anti-Debug Check\"\n id = \"1aa5d56a-bed0-45d6-9643-1b25cd18e2ed\"\n description = \"Detects anti-debugging checks targeting the NtGlobalFlag.\\nThe NtGlobalFlag is a system flag that is set when the system is being debugged.\\nThis rule identifies code snippets that check the NtGlobalFlag value, which is often used by malicious actors to trigger defensive mechanisms when debuggers are present.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/mahaloz/ctf-wiki-en/blob/master/docs/reverse/windows/anti-debug/ntglobalflag.md\\nhttps://github.com/HackOvert/AntiDBG\"\n date = \"2024-09-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1622\"\n classification = \"Windows.Generic.AntiDebug\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $nt_global_check_x86_64 = {\n // All r?x registers\n 6548???42560000000 // mov rax, qword [gs:0x60]\n 488???bc000000 // mov rax, qword [rax+0xbc {_PEB::NtGlobalFlag}] {_PEB::CriticalSectionTimeout.d}\n 4883??70 // and rax, 0x70\n }\n\n $nt_global_check_x86 = {\n // All r?x registers\n 64??30000000 // mov eax, dword [fs:0x30]\n 8b??68 // mov 
eax, dword [eax+0x68 {_PEB::NtGlobalFlag}]\n 83??70 // and eax, 0x70\n 89?????????? // mov dword [ebp-0x254 {var_264}], eax\n 83bd????????00 // cmp dword [ebp-0x254 {var_264}], 0x0\n (74|75) // je 0x4014e9\n }\n\n condition:\n 1 of ($nt_global_check_x86*)\n}\n", "rule_count": 1, "rule_names": [ "nt_global_flag_check" ], "rule_creation_date": "2024-09-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.AntiDebug" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1622" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nukesped_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575887Z", "creation_date": "2026-03-23T11:46:25.575891Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575900Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cisa.gov/news-events/analysis-reports/ar21-048d\nhttps://www.verfassungsschutz.de/SharedDocs/publikationen/EN/cyber/2024-02-19-joint-cyber-security-advisory.pdf\nhttps://twitter.com/BaoshengbinCumt/status/1764464669899588016" ], 
"name": "nukesped_linux.yar", "content": "rule nukesped_232111452ee0 {\n meta:\n title = \"NukeSped Trojan (232111452ee0)\"\n id = \"2d7fd57a-5ef1-422d-aa5e-232111452ee0\"\n description = \"Detects NukeSped, a remote access trojan (RAT) attributed to the state-sponsored Lazarus APT actor.\\nNukeSped is designed to provide remote control capabilities to attackers, including file and process manipulation, and can execute arbitrary commands on an infected system. The malware establishes communication with its command-and-control (C2) server to receive instructions and exfiltrate data.\\nIt is recommended to isolate the system and perform a thorough investigation and remove all malicious components.\"\n references = \"https://www.cisa.gov/news-events/analysis-reports/ar21-048d\\nhttps://www.verfassungsschutz.de/SharedDocs/publikationen/EN/cyber/2024-02-19-joint-cyber-security-advisory.pdf\\nhttps://twitter.com/BaoshengbinCumt/status/1764464669899588016\"\n date = \"2024-03-15\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Linux.Trojan.NukeSped\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c\n\n $s1 = \"https://%s%s\" ascii fullword\n $s2 = \"%s >/dev/null 2>&1 &\" ascii fullword\n $s3 = \"%s 2>&1 &\" ascii fullword\n $s4 = \"Content-Type: application/x-www-form-urlencoded\" ascii fullword\n $s5 = \"curl_easy_perform() failed: %s\" ascii fullword\n\n $f1 = \"_Z13FConnectProxyv\" ascii fullword\n $f2 = \"_Z14DecryptPayloadPhjS_Pj\" ascii fullword\n $f3 = \"_Z12CryptPayloadPhjS_Pj\" ascii fullword\n $f4 = \"_Z11RecvPayloadPhPj\" ascii fullword\n $f5 = \"_Z11SendPayloadPhj\" ascii fullword\n $f6 = \"_Z8SendPostP11_POST_PARAMPhPjS2\" ascii fullword\n\n $tuid = {\n 8B 74 24 08 // mov esi, [rsp+18h+var_10]\n 8B 0C 24 // mov ecx, 
[rsp+18h+var_18]\n 41 B8 01 00 00 00 // mov r8d, 1\n 89 C7 // mov edi, eax\n 44 89 C0 // mov eax, r8d\n D3 E0 // shl eax, cl\n 89 F2 // mov edx, esi\n 89 C1 // mov ecx, eax\n C1 FA 1F // sar edx, 1Fh\n 89 F0 // mov eax, esi\n F7 F9 // idiv ecx\n 89 D9 // mov ecx, ebx\n 89 F8 // mov eax, edi\n 31 DB // xor ebx, ebx\n 41 D3 E0 // shl r8d, cl\n 89 D6 // mov esi, edx\n 89 FA // mov edx, edi\n C1 FA 1F // sar edx, 1Fh\n D3 E6 // shl esi, cl\n 41 F7 F8 // idiv r8d\n 09 D6 // or esi, edx\n }\n\n $crypt_payload = {\n // loc_403630:\n 48 89 C2 // mov rdx, rax\n 83 E2 1F // and edx, 1Fh\n 0F B6 54 14 D8 // movzx edx, [rsp+rdx+var_28]\n\n // loc_40363B:\n 83 C0 01 // add eax, 1\n 30 17 // xor [rdi], dl\n 48 83 C7 01 // add rdi, 1\n 39 C6 // cmp esi, eax\n 77 E8 // ja short loc_403630\n\n // locret_403648:\n F3 C3 // rep retn\n }\n\n condition:\n 5 of ($s*) or\n 5 of ($f*) or\n $tuid or\n $crypt_payload\n}\n", "rule_count": 1, "rule_names": [ "nukesped_232111452ee0" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-12", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Trojan.NukeSped" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nukesped_macos_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.575322Z", "creation_date": "2026-03-23T11:46:25.575324Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575330Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cisa.gov/news-events/analysis-reports/ar21-048d\nhttps://twitter.com/BaoshengbinCumt/status/1764464876083188156" ], "name": "nukesped_macos.yar", "content": "rule nukesped_e68ed9f26ff8 {\n meta:\n title = \"NukeSped Trojan (e68ed9f26ff8)\"\n id = \"3b484b16-f7c9-4424-a1a2-e68ed9f26ff8\"\n description = \"Detects NukeSped, a remote access trojan (RAT) attributed to the state-sponsored Lazarus APT actor.\\nNukeSped is designed to provide remote control capabilities and facilitate data exfiltration on macOS systems. The malware establishes persistence and communicates with its command and control (C2) server to carry out malicious activities.\\nIt is recommended to isolate the system and perform a thorough investigation and remove all malicious components.\"\n references = \"https://www.cisa.gov/news-events/analysis-reports/ar21-048d\\nhttps://twitter.com/BaoshengbinCumt/status/1764464876083188156\"\n date = \"2024-03-15\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"MacOS.Trojan.NukeSped\"\n context = \"process,memory,thread,file.macho\"\n os = \"MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // bfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b\n // 0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7\n // 3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e\n\n $s1 = \"https://%s%s\" ascii fullword\n $s2 = \"%s >/dev/null 2>&1 &\" ascii fullword\n $s3 = \"%s 2>&1 &\" ascii fullword\n $s4 = 
\"setHTTPShouldHandleCookies:\" ascii fullword\n $s5 = \"setValue:forHTTPHeaderField:\" ascii fullword\n\n $f1 = \"__Z13FConnectProxyv\" ascii fullword\n $f2 = \"__Z14DecryptPayloadPhjS_Pj\" ascii fullword\n $f3 = \"__Z12CryptPayloadPhjS_Pj\" ascii fullword\n $f4 = \"__Z11RecvPayloadPhPj\" ascii fullword\n $f5 = \"__Z11SendPayloadPhj\" ascii fullword\n $f6 = \"__Z8SendPostP11_POST_PARAMPhPjS2\" ascii fullword\n\n $crypt_payload_x86 = {\n 31 C0 // xor eax, eax\n 48 85 FF // test rdi, rdi\n 74 ?? // jz short loc_1000015E2\n 49 89 D7 // mov r15, rdx\n 48 85 D2 // test rdx, rdx\n 74 ?? // jz short loc_1000015E2\n 49 89 CE // mov r14, rcx\n 48 85 C9 // test rcx, rcx\n 74 ?? // jz short loc_1000015E2\n 41 89 F4 // mov r12d, esi\n 48 89 FB // mov rbx, rdi\n 85 F6 // test esi, esi\n 74 ?? // jz short loc_1000015A0\n 44 89 E0 // mov eax, r12d\n 31 C9 // xor ecx, ecx\n 48 8D 3D ?? ?? 00 00 // lea rdi, byte_100003740\n\n // loc_10000158D:\n 89 CE // mov esi, ecx\n 83 E6 1F // and esi, 1Fh\n 8A 14 3E // mov dl, [rsi+rdi]\n 30 14 0B // xor [rbx+rcx], dl\n 48 FF C1 // inc rcx\n 48 39 C8 // cmp rax, rcx\n 75 ED // jnz short loc_10000158D\n }\n\n $crypt_payload_arm = {\n 00 00 80 52 // MOV W0, #0\n ?? ?? 00 B4 // CBZ X22, loc_1000050F0\n F4 03 02 AA // MOV X20, X2\n ?? ?? 00 B4 // CBZ X2, loc_1000050F0\n F3 03 03 AA // MOV X19, X3\n ?? ?? 00 B4 // CBZ X3, loc_1000050F0\n F5 03 01 AA // MOV X21, X1\n ?? ?? 00 34 // CBZ W1, loc_1000050AC\n 08 00 80 D2 // MOV X8, #0\n E9 03 15 2A // MOV W9, W21\n ?? ?? 
01 10 // ADR X10, unk_100007770\n 1F 20 03 D5 // NOP\n\n // loc_10000508C\n CB 6A 68 38 // LDRB W11, [X22,X8]\n 0C 11 40 92 // AND X12, X8, #0x1F\n 4C 69 6C 38 // LDRB W12, [X10,X12]\n 8B 01 0B 4A // EOR W11, W12, W11\n CB 6A 28 38 // STRB W11, [X22,X8]\n 08 05 00 91 // ADD X8, X8, #1\n 3F 01 08 EB // CMP X9, X8\n 21 FF FF 54 // B.NE loc_10000508C\n }\n\n condition:\n 5 of ($s*) or\n 5 of ($f*) or\n 1 of ($crypt_payload_*)\n}\n", "rule_count": 1, "rule_names": [ "nukesped_e68ed9f26ff8" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-12", "rule_os": [ "macos" ], "rule_classifications": [ "MacOS.Trojan.NukeSped" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-nukesped_windows_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576372Z", "creation_date": "2026-03-23T11:46:25.576376Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576385Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/cyber/2024-02-19-joint-cyber-security-advisory.pdf" ], "name": "nukesped_windows.yar", "content": "rule nukesped_windows {\n meta:\n title = \"NukeSped Trojan (Windows)\"\n id = \"1301117a-6636-4dca-8ca3-b157cec75687\"\n description = \"Detects NukeSped, a remote access trojan (RAT) attributed to the state-sponsored Lazarus APT.\\nNukeSped is known for its information stealing capabilities and is often used for lateral movement within infected networks.\\nIt is recommended to perform a thorough investigation of network traffic and file artifacts and to look for further signs of malicious actions on the host.\"\n references = \"https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/cyber/2024-02-19-joint-cyber-security-advisory.pdf\"\n date = \"2024-02-26\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.execution;attack.t1129\"\n classification = \"Windows.Trojan.NukeSped\"\n context = \"process,memory,thread,file.pe\"\n arch = \"x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 7a10c12b381b0e85d621700cfded5dc213b2b517915e2ab688831fd4f2d1a724\n\n $loadlibrary = {\n 41 0F BE 09 // movsx ecx, byte ptr [r9]\n 4D 8D 49 01 // lea r9, [r9+1]\n 8B D1 // mov edx, ecx\n 80 E9 41 // sub cl, 41h ; 'A'\n 8B C2 // mov eax, edx\n 83 C8 20 // or eax, 20h\n 80 F9 19 // cmp cl, 19h\n 0F 47 C2 // cmova eax, edx\n 48 98 // cdqe\n 4C 33 C0 // xor r8, rax\n 4D 0F AF ?? 
// imul r8, r14\n 49 83 EA 01 // sub r10, 1\n 75 D9 // jnz short loc_140010BB\n }\n\n condition:\n #loadlibrary > 10\n}\n", "rule_count": 1, "rule_names": [ "nukesped_windows" ], "rule_creation_date": "2024-02-26", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.NukeSped" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1129", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-overlord_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581479Z", "creation_date": "2026-03-23T11:46:25.581482Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581491Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ZeroMemoryEx/Overlord/\nhttps://www.loldrivers.io/drivers/edd29861-6984-4dbe-8e7c-22e9b6cf68d0/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "overlord.yar", "content": "rule overlord {\n meta:\n title = \"Overlord HackTool\"\n id = \"4bfdab47-31ac-42b4-b04f-3ef07fd71771\"\n description = \"Detects Overlord, a tool that 
leverages the KProcessHacker.sys driver to kill protected processes.\\nOverlord is a malicious tool designed to defeat process protection mechanisms.\\nIt achieves this by loading the KProcessHacker.sys driver into the system and using it to terminate specified processes.\\nThe tool is often used to bypass process protection and gain persistence by targeting security-related processes.\\nIt is recommended to isolate the affected system, scan for and remove the malicious driver, and monitor for any signs of further unauthorized process termination activity.\"\n references = \"https://github.com/ZeroMemoryEx/Overlord/\\nhttps://www.loldrivers.io/drivers/edd29861-6984-4dbe-8e7c-22e9b6cf68d0/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.Overlord\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b5a574df70e37c7867d83504c670829272a58c0a7cecf1f713f2e031947bcc60\n\n $s_device = \"\\\\\\\\.\\\\GlobalRoot\\\\Device\\\\KProcessHacker2\" wide ascii\n $s_winapi_01 = \"CreateFile\" wide ascii\n $s_winapi_02 = \"DeviceIoControl\" wide ascii\n $s_winapi_03 = \"OpenProcessToken\" wide ascii\n $s_winapi_04 = \"GetCurrentProcess\" wide ascii\n $s_winapi_05 = \"LookupPrivilegeValue\" wide ascii\n $s_winapi_06 = \"SeDebugPrivilege\" wide ascii\n $s_winapi_07 = \"AdjustTokenPrivileges\" wide ascii\n $ioctl_kill = { (99 99 20 df|df 20 99 99) }\n $ioctl_suspend = { (99 99 20 d7|d7 20 99 99) }\n\n condition:\n 1 of ($ioctl_*)\n and all of ($s_*)\n}\n", "rule_count": 1, "rule_names": [ "overlord" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Overlord" ], "rule_tactic_tags": [ "attack.defense_evasion" ], 
"rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-packer_fin7_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571750Z", "creation_date": "2026-03-23T11:46:25.571753Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571758Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/" ], "name": "packer_fin7.yar", "content": "rule packer_fin7 {\n meta:\n title = \"FIN7 Packer\"\n id = \"e6096aae-4138-49d3-b411-cfad5dec2a33\"\n description = \"Detects the FIN7 homemade packer.\\nThe FIN7 APT developed its own packer in order to protect their code from static analysis.\\nIt is recommended to perform a detailed static analysis of the file and to look for suspicious actions on the host around this alert or by the related process.\"\n references = \"https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/\"\n date = \"2024-07-23\"\n modified = 
\"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.HackTool.PackerFIN7\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 146c68ca89b8b0378c2c6fb978892aace0235c7038879e85b3764556b0dbf2a5\n // 0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44\n\n $packer_xor = {\n 4? 63 [3] // movsxd rax, dword [rsp+0x50 {var_78}]\n 4? 8b [2-6] // mov rcx, qword [rsp+0xd0 {arg_8}]\n 4? 8b [2-6] // mov rcx, qword [rcx+0x8]\n 4? 0? [2] // add rax, qword [rcx+0x50]\n 4? 8d [5] // lea rcx, [rel data_140003020]\n 0f (b6|b7) [1-5] // movzx eax, byte [rcx+rax]\n 0f (b6|b7) [1-5] // movzx ecx, byte [rel data_14002399c]\n 4? 8b [2-6] // mov rdx, qword [rsp+0xd0 {arg_8}]\n 4? 8b [2-6] // mov rdx, qword [rdx+0x8]\n 4? 0? [2] // add rcx, qword [rdx+0x68]\n 0f (b6|b7) [1-5] // movzx ecx, cl\n 33 ?? // xor eax, ecx\n 4? 63 [3] // movsxd rcx, dword [rsp+0x50 {var_78}]\n 4? 8b [2-6] // mov rdx, qword [rsp+0xd0 {arg_8}]\n 4? 8b [2-6] // mov rdx, qword [rdx+0x8]\n 4? 0? [2] // add rcx, qword [rdx+0x48]\n 4? 8d [5] // lea rdx, [rel data_140003020]\n 88 04 0a // mov byte [rdx+rcx], al\n 0f (b6|b7) // movzx eax, byte [rel data_14000301e]\n }\n $packer_decrypt_conf = {\n 8b [1-3] // mov eax, dword [rsp+0x4 {i}]\n ff ?? // inc eax\n 89 [1-3] // mov dword [rsp+0x4 {i}], eax\n 0f b6 [1-3] // movzx eax, byte [rsp {var_128}]\n 39 [1-3] // cmp dword [rsp+0x4 {i}], eax\n 73 ?? // jae 0x140001d59\n 8b [1-3] // mov eax, dword [rsp+0x4 {i}]\n 83 ?? 05 // add eax, 0x5\n 8b ?? // mov eax, eax\n 4? 8b [2-6] // mov rcx, qword [rsp+0x130 {arg_8}]\n 0f be [1-3] // movsx eax, byte [rcx+rax]\n 85 ?? // test eax, eax\n 74 ?? // je 0x140001d40\n 0f b6 [1-3] // movzx eax, byte [rsp+0x2 {var_126}]\n 8b [3] // mov ecx, dword [rsp+0x4 {i}]\n 83 ?? 05 // add ecx, 0x5\n 8b ?? // mov ecx, ecx\n 4? 
8b [4-6] // mov rdx, qword [rsp+0x130 {arg_8}]\n 0f (be|bf) [1-3] // movsx ecx, byte [rdx+rcx]\n 33 ?? // xor eax, ecx\n 2b [1-3] // sub eax, dword [rsp+0x4 {i}]\n ff ?? // dec eax\n 8b [1-3] // mov ecx, dword [rsp+0x4 {i}]\n 88 [1-3] // mov byte [rsp+rcx+0x20 {var_108}], al\n eb ?? // jmp 0x140001d57\n b8 01 00 00 00 // mov eax, 0x1\n 4? 6b ?? 00 // imul rax, rax, 0x0\n 4? 8b [4-6] // mov rcx, qword [rsp+0x130 {arg_8}]\n c6 [1-3] 00 // mov byte [rcx+rax], 0x0\n eb ?? // jmp 0x140001d59\n eb // jmp 0x140001ce7\n }\n $packer_find_entry_point = {\n 4? 63 [1-4] // movsxd rax, dword [rsp {var_38_1}]\n 4? 3b [1-4] // cmp rax, qword [rsp+0x20 {var_18_1}]\n 73 ?? // jae 0x140001c7f\n 48 8b [1-4] // mov rax, qword [rsp+0x10 {var_28_1}]\n 0f b7 [1-4] // movzx eax, word [rax]\n c1 ?? 0c // sar eax, 0xc\n 83 ?? 0a // cmp eax, 0xa\n 75 ?? // jne 0x140001c7d\n 4? 8b [1-4] // mov rax, qword [rsp+0x8 {var_30}]\n 8b [1-4] // mov eax, dword [rax]\n 4? 03 [1-4] // add rax, qword [rsp+0x40 {arg_8}]\n 4? 8b [1-4] // mov rcx, qword [rsp+0x10 {var_28_1}]\n 0f b7 [1-4] // movzx ecx, word [rcx]\n 81 ?? ff 0f 00 00 // and ecx, 0xfff\n 4? 63 [1-4] // movsxd rcx, ecx\n 4? 03 [1-4] // add rax, rcx\n 4? 89 [1-4] // mov qword [rsp+0x18 {var_20_1}], rax\n 4? 8b [1-4] // mov rax, qword [rsp+0x18 {var_20_1}]\n 4? 8b [1-4] // mov rax, qword [rax]\n 4? 03 [1-4] // add rax, qword [rsp+0x50 {arg_18}]\n 4? 8b [1-4] // mov rcx, qword [rsp+0x18 {var_20_1}]\n 4? 89 [1-4] // mov qword [rcx], rax\n eb 93 // jmp 0x140001c12\n }\n $packer_find_entry_point_rtlcreateuserthtread = {\n 4? 8b [1-4] // mov rax, qword [rsp+0x70 {var_58_1}]\n 8b [1-4] // mov eax, dword [rax+0x28]\n 4? 03 [1-4] // add rax, qword [rsp+0x68 {var_60_1}]\n 4? 89 [2-6] // mov qword [rsp+0x88 {var_40_1}], rax\n ff [2-6] // call qword [rsp+0x88 {var_40_1}]\n 4? 8d [2-6] // lea rax, [rsp+0x9c {var_2c}]\n 4? 89 [1-4] // mov qword [rsp+0x48 {var_80_1}], rax {var_2c}\n 4? 8d [2-6] // lea rax, [rsp+0xb8 {var_10}]\n 4? 
89 [1-4] // mov qword [rsp+0x40 {var_88_1}], rax {var_10}\n 4? c7 [3-7] // mov qword [rsp+0x38 {var_90}], 0x0\n 4? 8b [2-6] // mov rax, qword [rsp+0x88 {var_40_1}]\n 4? 89 [1-4] // mov qword [rsp+0x30 {var_98_1}], rax\n 4? c7 [3-7] // mov qword [rsp+0x28 {var_a0}], 0x0\n 4? c7 [3-7 ] // mov qword [rsp+0x20 {var_a8}], 0x0\n 4? 33 ?? // xor r9d, r9d {0x0}\n 4? ?? 01 // mov r8b, 0x1\n 33 ?? // xor edx, edx {0x0}\n 4? c? ?? ff ff ff ff // mov rcx, 0xffffffffffffffff\n ff // call qword [rsp+0xa0 {var_28_1}]\n }\n\n condition:\n 2 of ($packer*)\n}\n", "rule_count": 1, "rule_names": [ "packer_fin7" ], "rule_creation_date": "2024-07-23", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PackerFIN7" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pageguard_hooking_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571882Z", "creation_date": "2026-03-23T11:46:25.571884Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571890Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://github.com/hoangprod/LeoSpecial-VEH-Hook" ], "name": "pageguard_hooking.yar", "content": "rule generic_pageguard_hooking {\n meta:\n title = \"PageGuard Hooking\"\n id = \"a5f4010d-01c1-4864-ae57-eedc68e63469\"\n description = \"Detects binaries containing the PageGuard hooking technique.\\nPageGuard hooking sets a Page Guard protection on a specific function to trigger an exception on function call.\\nThe exception is caught by a Vectored Exception Handler (VEH), making it difficult to debug.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/hoangprod/LeoSpecial-VEH-Hook\"\n date = \"2024-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1574\"\n classification = \"Windows.Generic.PageGuardHooking\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 28d6dcf1e204cda21e9111fae9a01dd0225b5371df9f9a9fe1f0a797da035217\n\n $api = \"AddVectoredExceptionHandler\" wide ascii\n\n $stub_00 = {\n 4? 8b ?? // mov rax, qword [rax]\n 8b ?? // mov eax, dword [rax]\n 3? 01 00 00 80 // cmp eax, 0x80000001\n 7? // jne 0x1400016d7\n }\n\n $stub_01 = {\n 4? 8b ?? ?? // mov rax, qword [rbp+0x10 {arg_8}]\n 4? 8b ?? 08 // mov rax, qword [rax+0x8]\n 8b ?? 44 // mov edx, dword [rax+0x44]\n 4? 8b ?? ?? // mov rax, qword [rbp+0x10 {arg_8}]\n 4? 8b ?? 08 // mov rax, qword [rax+0x8]\n 8? ?? 01 // or dh, 0x1\n [2-8] // mov dword [rax+0x44], edx\n b? ff ff ff ff // mov eax, 0xffffffff\n }\n\n $stub_02 = {\n 4? 8b ?? ?? // mov rax, qword [rbp+0x10 {arg_8}]\n 4? 8b ?? // mov rax, qword [rax]\n 8b ?? // mov eax, dword [rax]\n 3? 04 00 00 80 // cmp eax, 0x80000004\n 7? 
// jne 0x140001713\n }\n\n condition:\n // Usually we can find the string AddVectoredExceptionHandler 5 times in any program (because of the import/export table of ntdll, kernelbase, kernel32)\n #api != 5\n and all of ($stub_*)\n}\n", "rule_count": 1, "rule_names": [ "generic_pageguard_hooking" ], "rule_creation_date": "2024-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.PageGuardHooking" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1574" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-patchamsi_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584536Z", "creation_date": "2026-03-23T11:46:25.584538Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584544Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/D1rkMtr/PatchAMSI\nhttps://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/" ], "name": "patchamsi.yar", "content": "rule patchamsi {\n meta:\n title = \"PatchAMSI HackTool\"\n id = 
\"48926071-dd02-42f0-b93f-315c7bde61dd\"\n description = \"Detects the PatchAMSI tool.\\nPatchAMSI is used to modify the AmsiScanBuffer function, a key component of Windows' AMSI (Anti-Malware Scan Interface), which scans files and scripts for malicious content.\\nThe tool is often used by malicious actors to prevent AMSI-based detection mechanisms from identifying their code.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine the usage of this tool is legitimate.\"\n references = \"https://github.com/D1rkMtr/PatchAMSI\\nhttps://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/\"\n date = \"2022-10-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1562.006\"\n classification = \"Windows.HackTool.PatchAMSI\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5fa9f8a2dd7bf3a9f13bef972f6f294077a13f2637d4039e38d0d29e87195ac1\n\n $s1 = \"AmsiScanBuffer\" fullword ascii\n $s2 = \"amsi.dll\" fullword ascii\n $s3 = \"[!] 
Failed in NtProtectVirtualMemory1 (%u)\" fullword ascii\n $s4 = \"[+] AmsiScanBuffer is Patched!\" fullword ascii\n\n // AmsiScanBuffer patches\n $op1 = { B8 57 00 07 80 C3 00 00 }\n $op2 = { 31 C0 C3 00 00 00 00 00 }\n $op3 = { 48 C7 C0 00 00 00 00 C3 }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 100KB and 3 of ($s*) and 2 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "patchamsi" ], "rule_creation_date": "2022-10-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PatchAMSI" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1562.006" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-peb_beingdebugged_check_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585612Z", "creation_date": "2026-03-23T11:46:25.585614Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585620Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/killswitch-GUI/IsDebuggerPresent\nhttps://github.com/HackOvert/AntiDBG\nhttps://attack.mitre.org/techniques/T1622/" ], "name": 
"peb_beingdebugged_check.yar", "content": "rule peb_being_debugged_check {\n meta:\n title = \"PEB BeingDebugged Flag Check\"\n id = \"ec6c246c-24db-4075-9918-767cd220798c\"\n description = \"Detects common anti-debugging code snippets that check the BeingDebugged flag in the Process Environment Block (PEB).\\nThis rule identifies malware accessing the PEB structure at [fs:0x30] (x86) to check or modify the BeingDebugged (PEB + 0x2) flag, a technique used to determine if the process is being debugged.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://github.com/killswitch-GUI/IsDebuggerPresent\\nhttps://github.com/HackOvert/AntiDBG\\nhttps://attack.mitre.org/techniques/T1622/\"\n date = \"2024-07-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1622\"\n classification = \"Windows.Generic.AntiDebug\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // abdf9cc38c6ecc9620c811205f8247167fc1653b57405c3cfd33c6079e5a6161\n // d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8\n // 22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114\n\n $eax = {\n 64A118000000 // mov eax, dword [fs:0x18]\n 8B4030 // mov eax, dword [eax+0x30]\n 0FB64002 // movzx eax, byte [eax+0x2]\n 83F801 // cmp eax, 0x1\n }\n\n $ebx = {\n 648B1D18000000 // mov ebx, dword [fs:0x18]\n 8B5B30 // mov ebx, dword [ebx+0x30]\n 0FB65B02 // movzx ebx, byte [ebx+0x2]\n 83FB01 // cmp ebx, 0x1\n }\n\n $ecx = {\n 648B0D18000000 // mov ecx, dword [fs:0x18]\n 8B4930 // mov ecx, dword [ecx+0x30]\n 0FB64902 // movzx ecx, byte [ecx+0x2]\n 83F901 // cmp ecx, 0x1\n }\n\n $edx = {\n 648B1518000000 // mov edx, dword [fs:0x18]\n 8B5230 // mov edx, dword [edx+0x30]\n 0FB67F02 // movzx edi, 
byte [edi+0x2]\n 83FF01 // cmp edi, 0x1\n }\n\n $esi = {\n 648B3518000000 // mov esi, dword [fs:0x18]\n 8B7630 // mov esi, dword [esi+0x30]\n 0FB67602 // movzx esi, byte [esi+0x2]\n 83FE01 // cmp esi, 0x1\n }\n\n condition:\n 1 of ($e*)\n}\n", "rule_count": 1, "rule_names": [ "peb_being_debugged_check" ], "rule_creation_date": "2024-07-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.AntiDebug" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1622" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-perfusion_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582179Z", "creation_date": "2026-03-23T11:46:25.582181Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582186Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/itm4n/Perfusion/tree/master\nhttps://twitter.com/xorJosh/status/1634597343273054210" ], "name": "perfusion.yar", "content": "rule perfusion {\n meta:\n title = \"Perfusion HackTool\"\n id = \"167644a3-733f-40ee-8e15-e8ce4bfbb93a\"\n description = 
\"Detects the Perfusion HackTool.\\nPerfusion is a tool designed to exploit a registry permission vulnerability in the RpcEptMapper and DnsCache performance counters.\\nThis exploit enables attackers to steal SYSTEM tokens and gain local administrative privileges.\\nIt is recommended to investigate for any signs of token misuse or unauthorized access.\"\n references = \"https://github.com/itm4n/Perfusion/tree/master\\nhttps://twitter.com/xorJosh/status/1634597343273054210\"\n date = \"2023-09-05\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1112;attack.persistence;attack.t1574.011\"\n classification = \"Windows.HackTool.Perfusion\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9bd4dd6d747e6d669627f45176cb01d29c9ce381aa6a44d5d453bb9588975934\n\n $s1 = \"@itm4n\" fullword wide\n $s2 = \" -c Command - Execute the specified command line\" fullword wide\n $s3 = \" -i Interactive - Interact with the process (default: non-interactive)\" fullword wide\n $s4 = \" -d Desktop - Spawn a new process on your desktop (default: hidden)\" fullword wide\n $s5 = \" -k Key - Either '%ws' or '%ws' (default: '%ws')\" fullword wide\n $s6 = \" -h Help - That's me :)\" fullword wide\n $s7 = \"[*] Created Performance DLL: %ws\" fullword wide\n $s8 = \"[*] Created Performance registry key.\" fullword wide\n $s9 = \"[*] Triggered Performance data collection.\" fullword wide\n $s10 = \"[+] Exploit completed. Got a SYSTEM token! :)\" fullword wide\n $s11 = \"[-] Exploit completed but no SYSTEM Token. :/\" fullword wide\n $s12 = \"[-] Control Thread timeout.\" fullword wide\n $s13 = \"[*] Waiting for the Trigger Thread to terminate... \" fullword wide\n $s14 = \"[!] 
Failed to delete Performance registry key.\" fullword wide\n $s15 = \"[*] Deleted Performance registry key.\" fullword wide\n $s16 = \"[-] Failed to delete Performance DLL.\" fullword wide\n $s17 = \"[*] Deleted Performance DLL.\" fullword wide\n $s18 = \"[-] ResumeThread() with error code %d\" fullword wide\n\n condition:\n 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "perfusion" ], "rule_creation_date": "2023-09-05", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Perfusion" ], "rule_tactic_tags": [ "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1112", "attack.t1574.011" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-petitpotam_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585332Z", "creation_date": "2026-03-23T11:46:25.585334Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585339Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/topotam/PetitPotam" ], "name": "petitpotam.yar", "content": "rule petitpotam {\n meta:\n title = \"PetitPotam 
HackTool\"\n id = \"39f4c613-fc5a-481a-ba81-dc5c986f798e\"\n description = \"Detects the usage of PetitPotam.\\nPetitPotam is a tool that enables NTLM relay attacks via the Encrypting File System Remote (EFSRPC) Protocol, allowing attackers to perform credential dumping or lateral movement.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate.\"\n references = \"https://github.com/topotam/PetitPotam\"\n date = \"2021-07-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1552.001\"\n classification = \"Windows.HackTool.Petitpotam\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_marker_pdb = \"PetitPotam.pdb\" ascii\n $clear_string_marker_usage = \"Usage: PetitPotam.exe \" wide\n $clear_string_marker_error_code = \"Error Code %d - %s\" wide\n $clear_string_marker_error_rpc_string_binding_composew = \"Error in RpcStringBindingComposeW\" wide\n $clear_string_marker_error_rpc_string_freew = \"Error in RpcStringFreeW\" wide\n\n condition:\n filesize < 1MB and 3 of ($clear_string_marker_*)\n}\n", "rule_count": 1, "rule_names": [ "petitpotam" ], "rule_creation_date": "2021-07-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Petitpotam" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1552.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-petitpotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565546Z", "creation_date": "2026-03-23T11:46:25.565548Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565554Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/wh0amitz/PetitPotato" ], "name": "petitpotato.yar", "content": "rule petitpotato {\n meta:\n title = \"PetitPotato HackTool\"\n id = \"f59fe827-f3ad-4415-b5aa-602f0bc5d62b\"\n description = \"Detects the PetitPotato HackTool.\\nPetitPotato is a known hacktool used to perform local privilege escalation by abusing the MS-EFSR protocol.\\nIt creates malicious named pipes and attempts to invoke specific EfsRpc functions to achieve unauthorized access and privileges on the system.\\nIt is recommended to investigate for additional signs of privilege escalation or related malicious activities.\"\n references = \"https://github.com/wh0amitz/PetitPotato\"\n date = \"2023-09-04\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.PetitPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9da438cf29567dd2fc6a4ba427856a76bedd3750d0c8c2e0e403a0f709ddd46b\n\n $s1 = \"[+] Invoking EfsRpcOpenFileRaw with target path: %ws.\" fullword wide\n $s2 = \"[+] Invoking EfsRpcSetEncryptedFileMetadata with target path: %ws.\" fullword wide\n $s3 = \"[+] Invoking EfsRpcEncryptFileSrv with 
target path: %ws.\" fullword wide\n $s4 = \"[+] Invoking EfsRpcAddUsersToFileEx with target path: %ws.\" fullword wide\n $s5 = \"[+] Invoking EfsRpcFileKeyInfoEx with target path: %ws.\" fullword wide\n $s6 = \"[+] Invoking EfsRpcGetEncryptedFileMetadata with target path: %ws.\" fullword wide\n $s7 = \"[+] Malicious named pipe running on %S.\" fullword ascii\n $s8 = \" [0] EfsRpcOpenFileRaw\" fullword ascii\n $s9 = \" [1] EfsRpcEncryptFileSrv\" fullword ascii\n $s10 = \" [2] EfsRpcDecryptFileSrv\" fullword ascii\n $s11 = \" [9] EfsRpcAddUsersToFileEx\" fullword ascii\n $s12 = \" [10] EfsRpcFileKeyInfoEx (Failed)\" fullword ascii\n $s13 = \" [11] EfsRpcGetEncryptedFileMetadata (Failed)\" fullword ascii\n $s14 = \" [12] EfsRpcSetEncryptedFileMetadata (Failed)\" fullword ascii\n\n condition:\n 5 of them\n}\n", "rule_count": 1, "rule_names": [ "petitpotato" ], "rule_creation_date": "2023-09-04", "rule_modified_date": "2025-03-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PetitPotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-phant0m_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585304Z", "creation_date": "2026-03-23T11:46:25.585306Z", "enabled": 
true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585311Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/hlldz/Phant0m" ], "name": "phant0m.yar", "content": "rule phant0m_clear_strings_markers {\n meta:\n title = \"Phant0m HackTool\"\n id = \"2666afec-2b7c-4be1-9dbc-669df8043a2c\"\n description = \"Detects the Phant0m tool.\\nPhant0m locates the Windows Event Log service process (via the Service Control Manager or WMI) and kills its threads, so that new events are no longer recorded by the Windows Event Logger.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate.\"\n references = \"https://github.com/hlldz/Phant0m\"\n date = \"2021-06-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1070.001\"\n classification = \"Windows.HackTool.Phant0m\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $ascii_art_01 = \"\t ___ _ _ _ _ _ _____ __ __ __ \" ascii\n $ascii_art_02 = \"\t| _ \\\\ || | /_\\\\ | \\\\| |_ _/ \\\\| \\\\/ |\" ascii\n $ascii_art_03 = \"\t| _/ __ |/ _ \\\\| .` | | || () | |\\\\/| |\" ascii\n $ascii_art_04 = \"\t|_| |_||_/_/ \\\\_\\\\_|\\\\_| |_| \\\\__/|_| |_|\" ascii\n\n $log_01 = \"[+] SeDebugPrivilege is enable, continuing...\" ascii\n $log_02 = \"[!] SeDebugPrivilege is not enabled, trying to enable...\" ascii\n $log_03 = \"[+] SeDebugPrivilege is enabled, continuing...\" ascii\n $log_04 = \"[*] Attempting to detect PID from Service Manager...\" ascii\n $log_05 = \"[*] Attempting to detect PID from WMI....\" ascii\n $log_06 = \"[!] SCM: OpenSCManager failed (%d)\" ascii\n $log_07 = \"[!] SCM: OpenService failed (%d)\" ascii\n $log_08 = \"[!] 
SCM: QueryServiceStatusEx failed (%d)\" ascii\n $log_09 = \"[!] WMI: Failed to initialize COM library.\" ascii\n $log_10 = \"[!] WMI: Failed to initialize security.\" ascii\n $log_11 = \"[!] WMI: Failed to create IWbemLocator object.\" ascii\n $log_12 = \"[!] WMI: Could not connect.\" ascii\n $log_13 = \"[!] WMI: Could not set proxy blanket.\" ascii\n $log_14 = \"[!] WMI: Query failed.\" ascii\n $log_15 = \"[*] Using Technique-1 for killing threads...\" ascii\n $log_16 = \"[*] Using Technique-2 for killing threads...\" ascii\n $log_17 = \"[!] Thread %d is detected but kill failed. Error code is: %d\" ascii\n $log_18 = \"[+] Thread %d is detected and successfully killed.\" ascii\n $log_19 = \"[+] Process Integrity Level is high, continuing...\" ascii\n $log_20 = \"[+] Event Log service PID detected as %d.\" ascii\n $log_21 = \"[!] SeDebugPrivilege cannot enabled. Exiting...\" ascii\n $log_22 = \"[*] All done.\" ascii\n\n condition:\n all of ($ascii_art_*) or\n 6 of ($log_*)\n}\n", "rule_count": 1, "rule_names": [ "phant0m_clear_strings_markers" ], "rule_creation_date": "2021-06-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Phant0m" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1070.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-phemedrone_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, 
"is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589664Z", "creation_date": "2026-03-23T11:46:25.589666Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589672Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://spycloud.com/blog/phemedrone-stealer/\nhttps://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html\n" ], "name": "phemedrone.yar", "content": "rule phemedrone {\n meta:\n title = \"Phemedrone Stealer\"\n id = \"9e6ae402-c31f-4c00-8487-7a55388ac364\"\n description = \"Detects Phemedrone Stealer, an emerging C# information-stealing malware designed to harvest credentials (FTP, Steam, Discord, Telegram, VPN), browser data and cryptocurrency wallets.\\nIt features anti-analysis techniques such as anti-debugging and VM detection and the ability to exfiltrate data through Telegram.\\nIt is recommended to investigate the context around this alert to identify potential data theft, persistence mechanisms, and additional malicious activity.\"\n references = \"https://spycloud.com/blog/phemedrone-stealer/\\nhttps://www.splunk.com/en_us/blog/security/unveiling-phemedrone-stealer-threat-analysis-and-detections.html\\n\"\n date = \"2025-12-01\"\n modified = \"2025-12-11\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1622;attack.t1497;attack.discovery;attack.t1083;attack.credential_access;attack.t1555;attack.t1555.003;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Stealer.Phemedrone\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
eebb47c48137f331e9e7e203763300c343a3643f88c60318667b5d525c40a058\n // a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38\n // a636706ceed3032a0b2ccab47dad288f9e1d02c01b4fb7a8529291fc32736776\n\n $report_00 = \"*Phemedrone Stealer Report*\" wide\n $report_01 = \"by @reyvortex & @TheDyer\" wide\n $report_02 = \"https://github\\\\.com/REvorker1/Phemedrone\\\\-Stealer\" wide\n $report_03 = \"-Phemedrone-Report.zip\" wide\n\n $url_00 = \"http://ip-api.com/json/?fields=11827\" wide\n $url_01 = \"https://api.telegram.org/bot{0}/sendDocument\" wide\n\n $misc_00 = \"Screenshot.png\" wide\n $misc_01 = \".phem\" wide\n\n $evasion_01 = \"wireshark\" wide\n $evasion_02 = \"httpdebbugerui\" wide\n $evasion_03 = \"VirtualBox\" wide\n $evasion_04 = \"VBox\" wide\n $evasion_05 = \"VMware Virtual\" wide\n $evasion_06 = \"Hyper-V Video\" wide\n\n condition:\n (2 of ($report_*))\n or (1 of ($url*) and 2 of ($misc*) and 3 of ($evasion*))\n}", "rule_count": 1, "rule_names": [ "phemedrone" ], "rule_creation_date": "2025-12-01", "rule_modified_date": "2025-12-11", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Phemedrone" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1083", "attack.t1497", "attack.t1041", "attack.t1555", "attack.t1555.003", "attack.t1622" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pikabot_loader_dba02f78ebc7_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568668Z", "creation_date": "2026-03-23T11:46:25.568670Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568676Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.elastic.co/security-labs/pikabot-i-choose-you\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\nhttps://attack.mitre.org/techniques/T1027/" ], "name": "pikabot_loader_dba02f78ebc7.yar", "content": "rule pikabot_loader_dba02f78ebc7 {\n meta:\n title = \"Pikabot Loader (dba02f78ebc7)\"\n id = \"c23b2370-0886-456e-b55a-dba02f78ebc7\"\n description = \"Detects the Pikabot Loader used to inject Pikabot core into a suspended instance of ctfmon.exe.\\nPikabot is an emerging malware family as of 2023, comprising a downloader/installer, loader, and core backdoor component. It demonstrates advanced techniques in evasion, injection, and anti-analysis.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.elastic.co/security-labs/pikabot-i-choose-you\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot\\nhttps://attack.mitre.org/techniques/T1027/\"\n date = \"2024-02-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Trojan.Pikabot\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ffc39c3fdbe06c62d04f4853fd2f0dda2e745a2886776b2ee39418c53d764441\n\n $syscall = {\n 58 // pop eax\n A3 ?? ?? ?? 
?? // mov dword_645961D0, eax\n 54 // push esp\n 58 // pop eax\n 83 C0 04 // add eax, 4\n FF 30 // push dword ptr [eax]\n 8F 05 ?? ?? ?? ?? // pop dword_645961D4\n 83 C0 04 // add eax, 4\n 50 // push eax\n 8F 05 ?? ?? ?? ?? // pop dword_645961D8\n E8 ?? ?? ?? ?? // call sub_6458DD94\n 83 C4 04 // add esp, 4\n A3 ?? ?? ?? ?? // mov dword_645961DC, eax\n 31 C0 // xor eax, eax\n 64 8B 0D C0 00 00 00 // mov ecx, large fs:0C0h\n 85 C9 // test ecx, ecx\n 74 01 // jz short loc_64581038\n 40 // inc eax\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "pikabot_loader_dba02f78ebc7" ], "rule_creation_date": "2024-02-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Pikabot" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pingcastle_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571471Z", "creation_date": "2026-03-23T11:46:25.571474Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571480Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://www.pingcastle.com/" ], "name": "pingcastle.yar", "content": "import \"pe\"\n\nrule pingcastle {\n meta:\n title = \"PingCastle Tool\"\n id = \"5ac26e75-2c41-470c-9201-6be64da95d9c\"\n description = \"Detects a PingCastle binary whose PE version information declares an OriginalFilename other than the expected PingCastle.exe (e.g. a renamed or rebuilt copy), which is unusual.\\nNote that the condition compares the OriginalFilename field, so a binary with no version information at all is not expected to match this rule.\\nPingCastle is a legitimate tool designed for Active Directory security analysis, often used during reconnaissance to identify vulnerabilities.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate.\"\n references = \"https://www.pingcastle.com/\"\n date = \"2023-03-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087.002;attack.t1482;attack.t1018;attack.t1615\"\n classification = \"Windows.Tool.PingCastle\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"$ActiveDirectoryNameTranslateResult[]\" ascii fullword\n $s2 = \"schemas.microsoft.com._2008._1.ActiveDirectory\" ascii fullword\n $s3 = \"ActiveDirectoryNameFormat\" ascii fullword\n $s4 = \"LSA_OBJECT_ATTRIBUTES\" ascii fullword\n $s5 = \"NETLOGON_TRUSTED_DOMAIN_ARRAY\" ascii fullword\n $s6 = \"SAMPR_RID_ENUMERATION\" ascii fullword\n $s7 = \"PingCastle.shares\" ascii fullword\n $s8 = \"AddAdminSDHolderSDDLRulesToDelegation\" ascii fullword\n $s9 = \"k__BackingField\" ascii fullword\n $s10 = \"%{DistinguishedName} {Account} {Right}\" ascii fullword\n $s11 = \"PingCastle.ADWS\" ascii fullword\n $s12 = \"PingCastle version\" wide fullword\n\n condition:\n 10 of ($s*) and pe.version_info[\"OriginalFilename\"] != \"PingCastle.exe\"\n}\n", "rule_count": 1, "rule_names": [ "pingcastle" ], "rule_creation_date": "2023-03-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.PingCastle" ], "rule_tactic_tags": [ "attack.discovery" 
], "rule_technique_tags": [ "attack.t1087.002", "attack.t1018", "attack.t1482", "attack.t1615" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pjw_api_hashing_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563778Z", "creation_date": "2026-03-23T11:46:25.563780Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563786Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/carbanak-week-part-one-a-rare-occurrence" ], "name": "pjw_api_hashing.yar", "content": "rule pjw_api_hashing {\n meta:\n title = \"PJW API Hashing\"\n id = \"45cd457e-9870-4208-ae8e-2e9f8b952ae7\"\n description = \"Detects the use of the PJW hashing function.\\nThe PJW (Peter J. 
Weinberger) hashing algorithm is used by malware to obfuscate the import of Windows API functions.\\nThis technique allows malicious code to dynamically resolve API function calls while avoiding detection by security tools.\\nThe PJW algorithm itself is a generic string hash; its use for API hashing was notably documented in the Carbanak banking trojan and has since been adopted by various malware families.\\nBecause the hashing stub is short, legitimate software has been observed to match it (hence the exclusion strings and the moderate confidence of this rule).\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity.\"\n references = \"https://cloud.google.com/blog/topics/threat-intelligence/carbanak-week-part-one-a-rare-occurrence\"\n date = \"2024-05-27\"\n modified = \"2025-11-26\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027.007\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // Detection for this sample:\n // ebff8e5324010b0572b971205707faa234154416533f68a4091d4b5b7cf0f4b7\n\n $stub_function_PJW = {\n c1 ?? 04 // shl eax, 0x4\n 8b ?? ?8 // mov ecx, dword [ebp+0x8 {arg1}]\n 0f be ?? // movsx edx, byte [ecx]\n 03 ?? // add eax, edx\n 89 ?5 ?? // mov dword [ebp-0x8 {var_c_1}], eax\n 8b ?5 ?8 // mov eax, dword [ebp+0x8 {arg1}]\n 83 ?? 01 // add eax, 0x1\n 89 ?5 08 // mov dword [ebp+0x8 {arg1}], eax\n 8b ?5 ?? // mov eax, dword [ebp-0x8 {var_c_1}]\n 25 00 00 00 f0 // and eax, 0xf0000000\n 89 ?5 ?? // mov dword [ebp-0x14 {var_18_1}], eax\n 74 ?? // je 0x40c6d9\n 8b ?? ?? // mov eax, dword [ebp-0x14 {var_18_1}]\n c1 ?? 18 // shr eax, 0x18\n }\n $stub_hashed = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 b57dae09 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_CreateFileW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) 
// mov dword [xxx], eax\n 68 2789d60a // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_CreateMutexW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 7714e40e // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_CreateProcessW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 5764e101 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_DeleteFileW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 6740d60a // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_DeviceIoControl = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 ac6fbc06 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_ExitProcess = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 336cd907 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_FindResourceA = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 11116805 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetCommandLineW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 678a340c // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetFileSize = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 d5696700 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? 
// push register\n e8 // call api_hashing\n }\n $stub_hashed_GetModuleFileNameW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 178bfa0d // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetModuleHandleA = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 91ec3b0a // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetProcAddress = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 031d3c0b // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetTempPathW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 17108a00 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_GetThreadContext = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 e4c7b904 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_LoadLibraryA = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 f1f0ad0a // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_LoadResource = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 15b1b309 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_LockResource = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 1568b309 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_OpenMutexW = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) 
// mov dword [xxx], eax\n 68 17ca4903 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_QueueUserAPC = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 e3ad1709 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_ReadFile = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 a5cb780b // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_ResumeThread = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 4427230f // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_SetFilePointer = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 f25dd30b // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_SetThreadContext = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 e487b804 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_SizeofResource = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 b596aa0d // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_Sleep = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 c02b5a00 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_VirtualAlloc = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 e3cad803 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? 
// push register\n e8 // call api_hashing\n }\n $stub_hashed_VirtualAllocEx = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 18e4ca08 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_VirtualFree = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 05d13d0b // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_VirtualProtect = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 64182d07 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_VirtualQuery = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 2927c803 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_WaitForSingleObject = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 b4ca7904 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_WideCharToMultiByte = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 b53d2c06 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_WriteFile = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 b592a900 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? // push register\n e8 // call api_hashing\n }\n $stub_hashed_WriteProcessMemory = {\n 83 c4 08 // add esp, 0x8\n (89 ?? ?? | a3 ?? ?? ?? ??) // mov dword [xxx], eax\n 68 99b04806 // push hash\n 8b ?? ?? // mov register, dword [xxx]\n 5? 
// push register\n e8 // call api_hashing\n }\n $s_exclude_toshiba = \"Toshiba TEC Corporation\" ascii wide\n $s_exclude_rite = \"Re-Rite\" ascii wide\n $s_exclude_bridge = \"e-BRIDGE\" ascii wide\n $s_exclude_cmake = \"cmake-master-dev\\\\external\\\\cmake\\\\Utilities\" ascii wide\n $s_exclude_sqlbuilder = \"SQL-Builder\" ascii wide\n // b49cb54a73f628683891a3a9bc6c5ebaf3861d6c4e8737e32adbf81e43f93bc9\n $s_exclude_watchguard = \"wg_savefile() -- array calloc() failed\" ascii fullword\n // 219a5b1bf3efdd331b7a2c3bd54e6690993acacd13f8b285ceb6915663a7fb10\n $s_exclude_teklynx = \"LvcOleDB.dll\" wide fullword\n\n condition:\n (\n any of ($stub_function_*) or\n (2 of ($stub_hashed*))\n )\n and not 1 of ($s_exclude_*)\n}\n", "rule_count": 1, "rule_names": [ "pjw_api_hashing" ], "rule_creation_date": "2024-05-27", "rule_modified_date": "2025-11-26", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-plugx_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565960Z", "creation_date": "2026-03-23T11:46:25.565962Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565968Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/\nhttps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/\nhttps://www.exabeam.com/blog/infosec-trends/take-a-deep-dive-into-plugx-malware/" ], "name": "plugx_dll.yar", "content": "rule plugx_dll_payload {\n meta:\n title = \"PlugX DLL Payload\"\n id = \"4315f4dc-b74a-4562-81d3-f2cbd3760140\"\n description = \"Detects the PlugX DLL Payload.\\nPlugX is a well-known RAT (Remote Access Tool) with samples dating back to 2008 that has seen usage by a number of different threat actors.\\nThe PlugX final payload is shellcode delivered via thread injection to a legitimate Windows process.\\nIt is recommended to investigate the process tree of this alert and the actions taken by the injected process to determine maliciousness.\"\n references = \"https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/\\nhttps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/\\nhttps://www.exabeam.com/blog/infosec-trends/take-a-deep-dive-into-plugx-malware/\"\n date = \"2025-11-13\"\n modified = \"2025-11-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Trojan.Plugx\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 887466615d3eac65711077c7b464d9ad70810c33f4ccfec8e49306bce0083da4\n // 81acffaa10a787dd7dc9836e3f16c8e502146cf34cb468a68833e67b1be39b78\n\n $encrypted_config = {\n 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 88 13 
00 00 60 ea 00 00 ?? ?? ?? 00 00 00 00 00\n }\n\n $config_decryption_call = {\n 6A 04 // push 0x4 {var_434}\n 68 [4] // push data_100a1014 {var_438}\n 6A (03|04|05|06) // push 0x3 {var_43c}\n FF 74 24 34 // push dword [esp+0x34 {var_408}] {var_440_1}\n FF D0 // call eax\n }\n\n $switch_case = {\n 89 C1 // mov ecx, eax\n 81 E9 [4] // sub ecx, 0x8316427f\n 0F 84 [2] 00 00 // je 0x10004ff9\n EB 00 // jmp 0x10003e12\n }\n\n $ror13_kernel32 = {\n 5B BC 4A 6A\n }\n\n $ror13_ntdll = {\n 5D 68 FA 3C\n }\n\n $exclusion_sap_businessintel = \"$SAP Business Objects Production 2\" ascii\n\n condition:\n (\n ((#switch_case > 10) and (1 of ($ror13_*)))\n or\n ($encrypted_config and (#config_decryption_call == 3))\n ) and not 1 of ($exclusion_*)\n}\n", "rule_count": 1, "rule_names": [ "plugx_dll_payload" ], "rule_creation_date": "2025-11-13", "rule_modified_date": "2025-11-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Plugx" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-plugx_payload_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.562931Z", "creation_date": "2026-03-23T11:46:25.562934Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.562940Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/\nhttps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/\nhttps://www.exabeam.com/blog/infosec-trends/take-a-deep-dive-into-plugx-malware/" ], "name": "plugx_payload.yar", "content": "rule plugx_thread_payload {\n meta:\n title = \"PlugX Thread Payload\"\n id = \"d03d1e4f-e14c-4cd9-bcc2-643290dbe369\"\n description = \"Detects the PlugX payload.\\nPlugX is a well-known RAT (Remote Access Tool) with samples dating back to 2008 that has seen usage by a number of different threat actors.\\nThe PlugX final payload is shellcode delivered via thread injection to a legitimate Windows process.\\nIt is recommended to investigate the process tree of this alert and the actions taken by the injected process to determine maliciousness.\"\n references = \"https://lab52.io/blog/mustang-pandas-plugx-new-variant-targetting-taiwanese-government-and-diplomats/\\nhttps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/\\nhttps://www.exabeam.com/blog/infosec-trends/take-a-deep-dive-into-plugx-malware/\"\n date = \"2025-11-06\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1027\"\n classification = \"Windows.Trojan.Plugx\"\n context = \"thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 49967aa9054574e031b4b3015cd70e0ac7993e76d19d77664c86c198c8e4ba01\n // 324bfb2f414be221e24aaa9fb22cb49e4d4c0904bd7c203afdff158ba63fe35b\n // 
31f73090908b52bfd810589fc8d6a6212edda8bd2c378e3a6d556221b92922a2\n // 1acb061ce63ee8ee172fbdf518bd261ef2c46d818ffd4b1614db6ce3daa5a885\n\n $hklm_registry_open_params = {\n 68 02 00 00 80 // push 0x80000002 {var_4ec} {0x80000002}\n E8 // call 0x3ff00\n }\n\n $str_decryption_stub_1 = {\n 8B [2-4] // mov edx, dword [esp {var_20_1}]\n 8A [3-4] // mov bl, byte [esp+edx+0x4 {var_1c}]\n 89 D9 // mov ecx, ebx\n 80 E3 ?? // and bl, 0x46\n F6 D1 // not cl\n 80 E1 ?? // and cl, 0xb9\n 08 CB // or bl, cl\n 8B [2-3] // mov ecx, dword [esp {var_20_1}]\n 88 DF // mov bh, bl\n 80 F3 ?? // xor bl, 0xa9\n 80 F7 ?? // xor bh, 0x56\n 80 C1 ?? // add cl, 0xef\n 20 CB // and bl, cl\n F6 D1 // not cl\n 20 F9 // and cl, bh\n 08 D9 // or cl, bl\n [4] // mov byte [esp+edx+0x4 {var_1c}], cl\n [2-4] // mov ecx, dword [esp {var_20_1}]\n 41 // inc ecx\n EB // jmp 0x161\n }\n\n $str_decryption_stub_2 = {\n 8B [2-4] // mov ecx, dword [esp {var_20}]\n 8A [3-4] // mov dl, byte [esp+ecx+0x4 {var_1c}]\n 89 D0 // mov eax, edx\n 88 D6 // mov dh, dl\n 80 E2 ?? // and dl, 0x4b\n F6 D0 // not al\n 80 E6 ?? // and dh, 0x10\n 24 ?? // and al, 0xa4\n 08 C6 // or dh, al\n 8B [2-3] // mov eax, dword [esp {var_20}]\n 08 F2 // or dl, dh\n 04 ?? // add al, 0xef\n 88 C6 // mov dh, al\n 24 ?? // and al, 0xb4\n F6 D6 // not dh\n 80 E6 ?? // and dh, 0x4b\n 08 F0 // or al, dh\n 30 D0 // xor al, dl\n [4] // mov byte [esp+ecx+0x4 {var_1c}], al\n [2-4] // mov eax, dword [esp {var_20}]\n 40 // inc eax\n EB // jmp 0x8a\n }\n\n $str_decryption_stub_3= {\n 8B [2-4] // mov edx, dword [esp {var_94}] // STR_DEC\n 8A [3-4] // mov bl, byte [esp+edx+0x4 {var_90}]\n 89 D9 // mov ecx, ebx\n 80 E3 ?? // and bl, 0x10\n F6 D1 // not cl\n 80 E1 ?? // and cl, 0xef\n 08 CB // or bl, cl\n 8B [2-3] // mov ecx, dword [esp {var_94}]\n 88 DF // mov bh, bl\n F6 D7 // not bh\n 80 C1 ?? 
// add cl, 0xef\n 20 CF // and bh, cl\n F6 D1 // not cl\n 20 D9 // and cl, bl\n 08 F9 // or cl, bh\n [4] // mov byte [esp+edx+0x4 {var_90}], cl\n [3-4] // mov ecx, dword [esp {var_94}]\n 41 // inc ecx\n EB // jmp 0x236\n }\n\n $str_decryption_stub_4 = {\n 8B [2-4] // mov ecx, dword [esp {var_94_1}]\n 8A [3-4] // mov bl, byte [esp+ecx+0x4 {var_90}]\n 89 DA // mov edx, ebx\n 80 E3 ?? // and bl, 0x10\n F6 D2 // not dl\n 80 E2 ?? // and dl, 0xef\n 08 D3 // or bl, dl\n 8B [2-3] // mov edx, dword [esp {var_94_1}]\n 88 DF // mov bh, bl\n 80 E3 ?? // and bl, 0xce\n F6 D7 // not bh\n 80 E7 ?? // and bh, 0x31\n 80 C2 ?? // add dl, 0xef\n 08 FB // or bl, bh\n 88 D7 // mov bh, dl\n 80 E2 ?? // and dl, 0xce\n F6 D7 // not bh\n 80 E7 ?? // and bh, 0x31\n 08 FA // or dl, bh\n 30 DA // xor dl, bl\n [4] // mov byte [esp+ecx+0x4 {var_90}], dl\n [3-4] // mov ecx, dword [esp {var_94_1}]\n 41 // inc ecx\n EB // jmp 0x302\n }\n\n $str_decryption_stub_5 = {\n 8B [2-4] // mov eax, dword [esp {var_94_3}]\n 8A [3-4] // mov dl, byte [esp+eax+0x4 {var_90}]\n 89 D1 // mov ecx, edx\n 80 E2 ?? // and dl, 0x2e\n F6 D1 // not cl\n 80 E1 ?? // and cl, 0xd1\n 08 CA // or dl, cl\n 8B [2-3] // mov ecx, dword [esp {var_94_3}]\n 88 D6 // mov dh, dl\n 80 F2 ?? // xor dl, 0x41\n 80 F6 ?? // xor dh, 0x3a\n 80 E2 ?? // and dl, 0x45\n 80 E6 ?? // and dh, 0xba\n 80 C1 ?? // add cl, 0xef\n 08 D6 // or dh, dl\n 88 CA // mov dl, cl\n 80 E1 ?? // and cl, 0xba\n F6 D2 // not dl\n 80 E2 ?? // and dl, 0x45\n 08 D1 // or cl, dl\n 30 F1 // xor cl, dh\n [4] // mov byte [esp+eax+0x4 {var_90}], cl\n [3-4] // mov eax, dword [esp {var_94_3}]\n 40 // inc eax\n EB // jmp 0x5ed\n }\n\n $str_decryption_stub_6 = {\n 8B [2-4] // mov eax, dword [esp {var_94_4}]\n 8A [3-4] // mov dl, byte [esp+eax+0x4 {var_90}]\n 89 D1 // mov ecx, edx\n 88 D6 // mov dh, dl\n 80 E2 ?? // and dl, 0x88\n F6 D1 // not cl\n 80 E6 ?? // and dh, 0x60\n 80 E1 ?? // and cl, 0x17\n 08 CE // or dh, cl\n 8B [2-3] // mov ecx, dword [esp {var_94_4}]\n 80 F6 ?? 
// xor dh, 0x70\n 08 F2 // or dl, dh\n 80 C1 ?? // add cl, 0xef\n 88 CE // mov dh, cl\n 80 E1 ?? // and cl, 0x77\n F6 D6 // not dh\n 80 E6 ?? // and dh, 0x88\n 08 F1 // or cl, dh\n 30 D1 // xor cl, dl\n [4] // mov byte [esp+eax+0x4 {var_90}], cl\n [3-4] // mov eax, dword [esp {var_94_4}]\n 40 // inc eax\n EB // jmp 0x6bb\n }\n\n condition:\n $hklm_registry_open_params and 1 of ($str_decryption_stub_*)\n}\n", "rule_count": 1, "rule_names": [ "plugx_thread_payload" ], "rule_creation_date": "2025-11-06", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Plugx" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1106", "attack.t1027" ], "rule_score": 100, "rule_context": [ "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-potential_malicious_python_modules_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573742Z", "creation_date": "2026-03-23T11:46:25.573746Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573754Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ 
"https://github.com/skelsec/pypykatz\nhttps://github.com/n1nj4sec/pupy\nhttps://github.com/rootm0s/WinPwnage\nhttps://github.com/AlessandroZ/LaZagne\nhttps://github.com/SecureAuthCorp/impacket\nhttps://github.com/byt3bl33d3r/CrackMapExec\nhttps://github.com/PowerShellMafia/PowerSploit" ], "name": "potential_malicious_python_modules.yar", "content": "rule potential_malicious_python_modules {\n meta:\n title = \"Malicious Python Module\"\n id = \"db2127fd-de6b-4351-8648-2aec9a5f4059\"\n description = \"Detects the presence of known malicious Python modules linked to tools such as Pypykatz, Pupy, WinPwnage, LaZagne, Impacket, CrackMapExec, and PowerSploit.\\nThese tools are commonly used for activities like privilege escalation, remote control, and data exfiltration.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine the legitimacy of this action.\"\n references = \"https://github.com/skelsec/pypykatz\\nhttps://github.com/n1nj4sec/pupy\\nhttps://github.com/rootm0s/WinPwnage\\nhttps://github.com/AlessandroZ/LaZagne\\nhttps://github.com/SecureAuthCorp/impacket\\nhttps://github.com/byt3bl33d3r/CrackMapExec\\nhttps://github.com/PowerShellMafia/PowerSploit\"\n date = \"2020-12-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0192;attack.s0349;attack.t1059.006\"\n classification = \"Windows.Tool.PythonMaliciousModule\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // https://github.com/skelsec/pypykatz\n // pypykatz[.|\\|/]\n $pypykatz = { 70 79 70 79 6b 61 74 7a (5c | 2e | 2f) }\n\n // https://github.com/n1nj4sec/pupy\n $pupy_string1 = \"exe_pupyx64.exe\" ascii\n $pupy_string2 = \"pupy.error\" ascii\n $pupy_string3 = \"get_pupy_config\" ascii\n $pupy_string4 = \"get_pupy_config() -> string\" ascii\n $pupy_string5 = \"get current pupy architecture (x86 or x64)\" ascii\n\n // https://github.com/guardicore/monkey\n // 
infection_monkey[.|\\|/]\n $infection_monkey = { 69 6e 66 65 63 74 69 6f 6e 5f 6d 6f 6e 6b 65 79 (5c | 2e | 2f) }\n\n // https://github.com/rootm0s/WinPwnage\n // Used by Pupy and some attackers.\n // winpwnage[.|\\|/]\n $winpwnage_pyx = { 77 69 6e 70 77 6e 61 67 65 (5c | 2e | 2f) }\n\n // https://github.com/AlessandroZ/LaZagne\n // lazagne[.|\\|/]config[.|\\|/]\n $lazagne_config = { 6c 61 7a 61 67 6e 65 (5c | 2e | 2f) 63 6f 6e 66 69 67 (5c | 2e | 2f) }\n\n // https://github.com/AlessandroZ/LaZagne\n // lazagne[.|\\|/]softwares[.|\\|/]windows\n $lazagne_softwares_windows = { 6c 61 7a 61 67 6e 65 (5c | 2e | 2f) 73 6f 66 74 77 61 72 65 73 (5c | 2e | 2f) 77 69 6e 64 6f 77 73 }\n\n // https://github.com/SecureAuthCorp/impacket\n // impacket[.|\\|/]\n $impacket = { 69 6d 70 61 63 6b 65 74 (5c | 2e | 2f) }\n\n // https://github.com/byt3bl33d3r/CrackMapExec\n // cme[.|\\|/]modules\n $cme_modules = { 63 6d 65 (5c | 2e | 2f) 6d 6f 64 75 6c 65 73 }\n\n // https://github.com/PowerShellMafia/PowerSploit\n // PowerSploit can be packed with the malicious tool.\n // PowerSploit[.|\\|/]Exfiltration\n $powersploit = { 70 6f 77 65 72 73 70 6c 6f 69 74 (5c | 2e | 2f) 45 78 66 69 6c 74 72 61 74 69 6f 6e }\n\n // Possible packed powershell scripts\n $clear_ps1_credential_injection = \"Invoke-CredentialInjection.ps1\"\n $clear_ps1_mimikatz = \"Invoke-Mimikatz.ps1\"\n $clear_ps1_token_manipulation = \"Invoke-TokenManipulation.ps1\"\n $clear_ps1_reflective_pe_injection = \"Invoke-ReflectivePEInjection.ps1\"\n $clear_ps1_dll_injection = \"Invoke-DllInjection.ps1\"\n\n // Exclusion for C:\\Program Files\\Trend Micro\\AMSP\\coreServiceShell.exe\n $trend1 = \"C:\\\\Program Files\\\\Trend Micro\\\\AMSP\\\\coreServiceShell.exe\" ascii fullword\n $trend2 = \"C:\\\\ProgramData\\\\Trend Micro\\\\AMSP\\\\temp\\\\virus\" ascii fullword\n $trend3 = \"trendmicro.com\" ascii fullword\n $trend4 = \"!http://www.savestibet.com/\"\n\n // Exclusion for\n // - 
c:\\users\\XXX\\Appdata\\Roaming\\JetBrains\\IdeaIC2023.2\\plugins\\python-ce\\lib\\python-ce.jar (https://plugins.jetbrains.com/plugin/7322-python-community-edition)\n // - C:\\Program Files\\JetBrains\\PyCharm 2023.2.1\\plugins\\python\\lib\\python.jar\n // - C:\\Program Files\\JetBrains\\CLion 2023.2.2\\plugins\\python-ce\\lib\\python-ce.jar\n $intellij1 = \"merged_full_v5_splitted/impacket.json\" ascii fullword\n $intellij2 = \"META-INF/intellij.python.community\" ascii fullword\n $intellij3 = \"com/jetbrains/python/\" ascii\n\n // Exclusion for AppData\\Roaming\\Code\\User\\globalStorage\\visualstudioexptteam.intellicode-api-usage-examples\\supported_calls.json\n // The JSON may already have been ingested by the browser, so the punctuation is no longer present; generic elements are added to the mix to be sure the right content is excluded.\n // NOTE(review): these exclusion strings are generic enough that a sample could embed all five of them to suppress the match; keep this in mind if evasion is suspected.\n $code_intellisense1 = \"attribute_calls\" ascii\n $code_intellisense2 = \"builtins\" ascii\n $code_intellisense3 = \"version\" ascii\n $code_intellisense4 = \"element_of(\" ascii\n $code_intellisense5 = \"#NoneType#.\" ascii\n\n condition:\n (\n #pypykatz > 3 or\n 2 of ($pupy_*) or\n #infection_monkey > 3 or\n #impacket > 3 or\n #winpwnage_pyx > 3 or\n #lazagne_config > 3 or\n #lazagne_softwares_windows > 3 or\n #cme_modules > 3 or\n #powersploit > 3 or\n 3 of ($clear_ps1_*)\n )\n and not all of ($trend*)\n and not all of ($intellij*)\n and not all of ($code_intellisense*)\n // NOTE: filesize is used to limit false positives when YARA scans memory\n and filesize < 50MB\n}\n", "rule_count": 1, "rule_names": [ "potential_malicious_python_modules" ], "rule_creation_date": "2020-12-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.PythonMaliciousModule" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1059.006" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-powershdll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571133Z", "creation_date": "2026-03-23T11:46:25.571136Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571141Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/p3nt4/PowerShdll" ], "name": "powershdll.yar", "content": "rule powershdll {\n meta:\n title = \"PowerShdll HackTool\"\n id = \"ecbe1a2b-6057-4173-b589-3348a3ff8def\"\n description = \"Detects the PowerShdll tool.\\nPowerShdll is a tool designed to execute PowerShell scripts without spawning the PowerShell executable.\\nThis technique allows attackers to evade traditional detection mechanisms that monitor for the creation of the powershell.exe process.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate.\"\n references = \"https://github.com/p3nt4/PowerShdll\"\n date = \"2022-10-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001;attack.defense_evasion;attack.t1202\"\n classification = \"Windows.HackTool.PowerShdll\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n 
confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 856594ecb59159157b1bc436325858e118a0f018198ec11b72d1c31b7f6fee4b\n // b451e9ffae8144f6f23a3661f1148f77e2a511d5c9796c376522689a47de355e\n // b86a1529079e22bcb551e1986dc9faad03f8b8b5b41b56adbc614102d19c1216\n\n $s1 = \"PowerShdll.exe\" fullword wide\n $s2 = \"PowerShdll.dll\" fullword wide\n $s3 = \"36ebf9aa-2f37-4f1d-a2f1-f2a45deeaf21\" fullword ascii\n $s4 = \"31D2B969-7608-426E-9D8E-A09FC9A516801\" fullword ascii\n $s5 = \"LoadScript\" ascii\n $s6 = \"AddScript\" fullword ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 40KB and 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "powershdll" ], "rule_creation_date": "2022-10-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PowerShdll" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1202", "attack.t1059.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ppldump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576245Z", "creation_date": "2026-03-23T11:46:25.576248Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.576253Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/itm4n/PPLdump\nhttps://itm4n.github.io/the-end-of-ppldump/\nhttps://attack.mitre.org/techniques/T1003/001/" ], "name": "ppldump.yar", "content": "rule ppldump {\n meta:\n title = \"PPLdump HackTool\"\n id = \"c5bd38ce-c017-4dc6-82dd-3f3dea77964b\"\n description = \"Detects PPLdump, a tool to dump the memory of a Protected Process Light (PPL) using a userland exploit.\\nPPLdump is designed to bypass LSA protection and extract the memory of the LSASS process, which can be used for credential dumping.\\nIt is recommended to investigate the process responsible for the presence or execution of this file to look for malicious indicators or actions.\"\n references = \"https://github.com/itm4n/PPLdump\\nhttps://itm4n.github.io/the-end-of-ppldump/\\nhttps://attack.mitre.org/techniques/T1003/001/\"\n date = \"2024-01-23\"\n modified = \"2025-03-05\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001\"\n classification = \"Windows.HackTool.PPLdump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 5a142574f37834a0d27e8317231c5457683ee644a6717afd124b633d4641262d\n // 96933b4c14006368e584ae8b77cd9feba20fdecab4e68a6bb46ba09fd1aaa265\n // 8a3f338a1e3633d13c74c993775a345ccac3a6887d697cbe89f2fa5fb4fe1199\n\n $c1 = \"Global\\\\%ws_DLL_LOADED\" wide fullword\n $c2 = \"Global\\\\%ws_DUMP_SUCCESS\" wide fullword\n $c3 = \"\\\\KnownDlls\\\\%ws\" wide fullword\n $c4 = \"%ws\\\\%ws %d \\\"%ws\\\" %ws\" wide fullword\n\n $s1 = \"PID=%d | File='%ws' | GUID='%ws\" wide fullword\n $s2 = \"[-] Failed to delete KnownDll entry '%ws\" wide fullword\n $s3 = \"%ws DumpProcessMemory: %ws\" wide fullword\n $s4 = \"NtOpenSymbolicLinkObject('%ws', WRITE_DAC) OK\" wide fullword\n $s5 = 
\"[+] Dump successfull! :)\" wide fullword\n $s6 = \"[!] Failed to get the protection level of process with PID %d\" wide fullword\n $s7 = \"Found a potential Process candidate: PID=%d - Image='%ws' - User='%ws'\" wide fullword\n $s8 = \"[-] Failed to delete KnownDll entry '%ws'\" wide fullword\n\n condition:\n 3 of ($c*) and 2 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "ppldump" ], "rule_creation_date": "2024-01-23", "rule_modified_date": "2025-03-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PPLdump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pplfault_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581709Z", "creation_date": "2026-03-23T11:46:25.581711Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581717Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/gabriellandau/PPLFault\nhttps://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault" ], "name": "pplfault.yar", "content": "import 
\"pe\"\n\nrule pplfault {\n meta:\n title = \"PPLFault HackTool\"\n id = \"c7e4f1f1-eb6c-491c-97a9-1ecd85c842f8\"\n description = \"Detects the PPLFault HackTool.\\nPPLFault is a tool that exploits vulnerabilities to bypass LSA protection, terminate or blind PPL processes, and modify kernel memory without using vulnerable drivers.\\nIt is recommended to investigate the process responsible for the presence or execution of this file to look for malicious indicators or actions.\"\n references = \"https://github.com/gabriellandau/PPLFault\\nhttps://www.elastic.co/security-labs/inside-microsofts-plan-to-kill-pplfault\"\n date = \"2024-01-24\"\n modified = \"2025-03-05\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.001;attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.PPLFault\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f89a40eea7410cc50e20408f18350dc3232f68df3ed70d3362ba391871dffa17\n // f61e1b2b2115ccd62ef93e3ac8353f354ca7bd7806abd40c55e12352cb1ab4e0\n\n $s1 = \"CreateFile for oplock failed with GLE %u\" ascii fullword\n $s2 = \"Hydrating %llu bytes at offset %llu\" ascii fullword\n $s3 = \"Hydrating %llu PAYLOAD bytes at offset %llu\" ascii fullword\n $s4 = \"InstallSymlink: MoveFileExW failed with GLE: %u\" ascii fullword\n $s5 = \"SpawnPPL: CreateProcessW failed with GLE: %u\" ascii fullword\n $s6 = \"CfRegisterSyncRoot failed with HR 0x%08x GLE %u\" ascii fullword\n $s7 = \"FindOffsetOfEntrypoint: ImageNtHeader failed with GLE %u. 
Is this a PE file?\" ascii fullword\n $s8 = \"GetShellcode: %u bytes of shellcode written over DLL entrypoint\" ascii fullword\n $s9 = \"C:\\\\PPLFaultTemp\\\\EventAggregationPH.dll\" wide fullword\n $s10 = \"C:\\\\GodFaultTemp\\\\EventAggregationPH.dll\" wide fullword\n $s11 = \"C:\\\\Windows\\\\System32\\\\EventAggregation.dll.bak\" wide fullword\n\n $resource_pplfault = {4c 89 44 24 18 89 54 24 10 48 89 4c 24 08 48 83 ec 78 48 c7 44 24 48 00 00 00 00 48 c7 44 24 68}\n $resource_godfault = {4c 89 44 24 18 89 54 24 10 48 89 4c 24 08 48 83 ec 38 e8 89 08 00 00 48 89 44 24 20 e8 ff 06 00}\n\n condition:\n 5 of ($s*) or\n for any i in (0 .. pe.number_of_resources) : (\n $resource_pplfault at pe.resources[i].offset or\n $resource_godfault at pe.resources[i].offset\n )\n}\n", "rule_count": 1, "rule_names": [ "pplfault" ], "rule_creation_date": "2024-01-24", "rule_modified_date": "2025-03-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.PPLFault" ], "rule_tactic_tags": [ "attack.credential_access", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1003.001", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-prism_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572621Z", "creation_date": "2026-03-23T11:46:25.572623Z", "enabled": true, 
"block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572629Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism" ], "name": "prism.yar", "content": "rule prism_x64 {\n meta:\n title = \"Prism RAT\"\n id = \"e202ac83-95d8-442d-88e9-b33d783059eb\"\n description = \"Detects the usage of Prism, an open-source backdoor and reverse shell.\\nPrism is designed to provide remote access to a compromised system, allowing attackers to execute commands and maintain persistence.\\nThese backdoors are often dropped by other malware or used in APT activities.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism\"\n date = \"2021-08-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1041;attack.t1059\"\n classification = \"Linux.Malware.Prism\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Cleartext strings that are used to display the Prism configuration in its main function.\n $clear_marker_1 = \"Flush Iptables:\\t\" ascii\n $clear_marker_2 = \"Version:\\t\\t%s\\n\" ascii\n $clear_marker_3 = \"Mode:\\t\\t\\tstatic\\n Host:\\t\\t\\t%s\\n Port:\\t\\t\\t%d\\n Respawn Delay:\\t\\t%d sec\\n\" ascii\n $clear_marker_4 = \"Mode:\\t\\t\\ticmp\\nKey:\\t\\t\\t%s\\n\" ascii\n $clear_marker_5 = \"Shell:\\t\\t\\t%s\\n\" ascii\n $clear_marker_6 = \"Process name:\\t\\t%s\\n\" ascii\n $clear_marker_7 = \"Detach:\\t\\t\" ascii\n $clear_marker_8 = \"I'm not root :(\" ascii\n\n $socket_creation_pattern = {\n BA 00 00 00 00 // mov edx, 0\n BE 01 00 00 00 // mov esi, 1 // SOCK_STREAM\n BF 02 00 00 00 // mov edi, 2 // AF_INET\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // socket\n 89 45 ?? // mov dword ptr [rbp + 0xXX], eax // Grab return value\n 83 7D ?? 
00 // cmp dword ptr [rbp + 0xXX], 0 // Check for error\n }\n\n $reverse_shell_spawning = {\n 8B 45 ?? // mov eax, dword ptr [rbp + 0xXX]\n BE 00 00 00 00 // mov esi, 0 // stdin\n 89 C7 // mov edi, eax // fd\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // dup2\n\n 8B 45 ?? // mov eax, dword ptr [rbp + 0xXX]\n BE 01 00 00 00 // mov esi, 1 // stdout\n 89 C7 // mov edi, eax // fd\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // dup2\n\n 8B 45 ?? // mov eax, dword ptr [rbp + 0xXX]\n BE 02 00 00 00 // mov esi, 2 // stderr\n 89 C7 // mov edi, eax // fd\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // dup2\n\n BA 00 00 00 00 // mov edx, 0\n BE ?? ?? ?? ?? // mov esi, 0xXXXXXXXX // arg = offset to shell string\n BF ?? ?? ?? ?? // mov edi, 0xXXXXXXXX // file = offset to shell string\n B8 00 00 00 00 // mov edx, 0\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // execl\n\n 8B 45 ?? // mov eax, dword ptr [rbp + 0xXX]\n 89 C7 // mov edi, eax // fd\n E8 ?? ?? ?? ?? // call 0xXXXXXXXX // close\n }\n\n condition:\n uint32(0) == 0x464C457F and filesize < 100KB and (4 of ($clear_marker_*) or ($socket_creation_pattern and $reverse_shell_spawning))\n}\n", "rule_count": 1, "rule_names": [ "prism_x64" ], "rule_creation_date": "2021-08-26", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.Prism" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1059", "attack.t1041" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-proxyblob_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", 
"name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590453Z", "creation_date": "2026-03-23T11:46:25.590455Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590461Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/quarkslab/proxyblob" ], "name": "proxyblob.yar", "content": "rule proxyblob_hacktool {\n meta:\n title = \"Proxyblob HackTool\"\n id = \"92bda796-f394-4990-a97e-46c203263241\"\n description = \"Detects the Proxyblob HackTool.\\nProxyBlob is a Golang tool designed to create SOCKS proxy tunnels through the Azure Blob Storage service, used to proxy network traffic and bypass firewall restrictions.\\nIt is recommended to verify if the usage of this tool is legitimate.\"\n references = \"https://github.com/quarkslab/proxyblob\"\n date = \"2026-02-16\"\n modified = \"2026-02-23\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1090;attack.t1573.001;attack.t1571\"\n classification = \"HackTool.Proxyblob\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a9c958a3ddc568cb76dd62fdae50c02f555c54092661b326f6f8997d380dc510\n // ea7f9ec52d656a79aa01f7351b4c6b9b903e55d71b11b742eaa2e413a3cacfad\n // 3b44cba944aad704a88a05497051be61cc5fe082db81504d92e22d7868e0b77d\n\n $s1 = \"proxyblob\" ascii\n $s2 = \"github.com/Azure/azure-sdk-for-go/\" ascii\n $s3 = \"github.com/rs/zerolog\" ascii\n\n condition:\n all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "proxyblob_hacktool" ], "rule_creation_date": "2026-02-16", "rule_modified_date": "2026-02-23", 
"rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.Proxyblob" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1090", "attack.t1573.001", "attack.t1571" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pseudomanuscrypt_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583093Z", "creation_date": "2026-03-23T11:46:25.583095Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583101Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt\nhttps://www.youtube.com/watch?v=uakw2HMGZ-I" ], "name": "pseudomanuscrypt.yar", "content": "rule pseudomanuscrypt {\n meta:\n title = \"PseudoManuscrypt Spyware\"\n id = \"b891b841-3ba2-413c-9b24-3e9dfb681dc8\"\n description = \"Detects the PseudoManuscrypt Spyware.\\nPseudoManuscrypt is a spyware known for stealing browser cookies, keystrokes, and cryptocurrency information.\\nIt is commonly spread through fake cracked software downloads on malicious websites.\\nThe malware 
establishes persistence and communicates with its command and control servers to exfiltrate stolen data.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt\\nhttps://www.youtube.com/watch?v=uakw2HMGZ-I\"\n date = \"2023-09-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055.012;attack.credential_access;attack.t1555\"\n classification = \"Windows.Spyware.PseudoManuscrypt\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fd6cbe99be50a03ab25307c78393470002cd904d4b08b875e0611a31c779da3f\n // 32e60467041b40146d87fc1c8c734f60f7e3763820e0c2a852a801c8afd1c7ab\n\n $s1 = \"[Time:]%d-%d-%d %d:%d:%d\" wide fullword\n $s2 = \"_kasssperskdy\" wide fullword\n $s3 = \"SOFTWARE\\\\Classes\\\\CLSID\\\\{SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}\" wide fullword\n $s4 = \"%ssvchost.exe -k WspService\" wide fullword\n $s5 = \"LoaderDll%d\" wide fullword\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "pseudomanuscrypt" ], "rule_creation_date": "2023-09-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Spyware.PseudoManuscrypt" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055.012", "attack.t1555" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pspy_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585822Z", "creation_date": "2026-03-23T11:46:25.585826Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585835Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/DominicBreuker/pspy\nhttps://attack.mitre.org/techniques/T1057/" ], "name": "pspy.yar", "content": "import \"hash\"\n\nrule pspy_binaries {\n meta:\n title = \"Pspy Process Monitoring Binaries\"\n id = \"a1ddeded-18da-4c3f-922e-56e468668506\"\n description = \"Detects the pspy precompiled binaries.\\nPspy is a popular open-source tool written in Go that enables the enumeration of processes on Linux systems without requiring root privileges. 
These binaries are often used for legitimate process monitoring but can also be leveraged by attackers for unauthorized system reconnaissance.\\nIt is recommended to investigate the presence of these binaries to ensure they are being used in accordance with intended permissions and policies.\"\n references = \"https://github.com/DominicBreuker/pspy\\nhttps://attack.mitre.org/techniques/T1057/\"\n date = \"2023-08-01\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1057\"\n classification = \"Linux.Tool.pspy\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $github = \"github.com/dominicbreuker/pspy\" ascii\n\n condition:\n $github or\n hash.sha256(0, filesize) == \"f2e8ed736e90aa38fd23606937e9e8393db6d10cb3be426afe4b65564860df35\" or\n hash.sha256(0, filesize) == \"e0277c164facb2d0fb95682a77887dd908b0e1dacb28a2bcafd6728b34835425\"\n}\n", "rule_count": 1, "rule_names": [ "pspy_binaries" ], "rule_creation_date": "2023-08-01", "rule_modified_date": "2025-03-12", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Tool.pspy" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1057" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ptunnel_ng_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.586767Z", "creation_date": "2026-03-23T11:46:25.586769Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586775Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/utoni/ptunnel-ng\nhttps://stuff.mit.edu/afs/sipb/user/golem/tmp/ptunnel-0.61.orig/web\nhttps://attack.mitre.org/techniques/T1572" ], "name": "ptunnel_ng.yar", "content": "rule ptunnel_ng {\n meta:\n title = \"Ptunnel HackTool\"\n id = \"9b9cf09c-ed1d-4ba0-af1c-c8b9204281be\"\n description = \"Detects the ptunnel-ng and ptunnel binary.\\nPtunnel (PingTunnel) is an ICMP tunneling proxy written in C that may be used to bypass network controls.\\nIt is recommended to verify that this binary is expected in your environment and to investigate for any suspicious network connections.\"\n references = \"https://github.com/utoni/ptunnel-ng\\nhttps://stuff.mit.edu/afs/sipb/user/golem/tmp/ptunnel-0.61.orig/web\\nhttps://attack.mitre.org/techniques/T1572\"\n date = \"2025-09-24\"\n modified = \"2025-09-30\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1572\"\n classification = \"HackTool.ptunnel\"\n context = \"process,memory,thread,file.pe,file.elf\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e4d46ed34dfc6806feec15a3eeddbfa92b2651066014dfea58e1f7fdd2d50812 (Windows)\n // f84ddc4ab25990acd3c1b5b555a2e576c82c86f2c3c7752d13c72295d8922a14 (Linux)\n\n $s1 = \"Destination at %s:%u\" ascii\n $s2 = \"ptunnel is exiting.\" ascii\n $s3 = \"One of the options are missing of invalid.\" ascii\n $s4 = \"/run/ptunnel.pid\" ascii\n $s5 = \"/var/log/ptunnel.log\" ascii\n $s6 = \"/var/lib/ptunnel\" ascii\n\n $print_statistics = \"[inf]: I/O: %6.2f/%6.2f mb ICMP I/O/R: 
%8u/%8u/%8u Loss: %4.1f%%\" ascii\n\n condition:\n 3 of ($s*) or $print_statistics\n}", "rule_count": 1, "rule_names": [ "ptunnel_ng" ], "rule_creation_date": "2025-09-24", "rule_modified_date": "2025-09-30", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.ptunnel" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pupy_memory_dlls_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585985Z", "creation_date": "2026-03-23T11:46:25.585989Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585997Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0192/\nhttps://github.com/n1nj4sec/pupy" ], "name": "pupy_memory_dlls.yar", "content": "rule pupy_memory_dll_generic {\n meta:\n title = \"Generic Pupy DLL\"\n id = \"61e5b7cc-7d3d-49ea-953f-69c1d2fa1079\"\n description = \"Detects the Pupy RAT in memory.\\nPupy is a cross-platform remote access tool (RAT) with multiple post-exploitation capabilities, primarily 
written in Python. It uses all-in-memory execution to minimize its footprint and can communicate through various transports. Pupy can inject itself into processes, load remote Python code, packages, and C-extensions directly from memory, enabling persistence and lateral movement.\"\n references = \"https://attack.mitre.org/software/S0192/\\nhttps://github.com/n1nj4sec/pupy\"\n date = \"2021-02-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0192;attack.t1055.001;attack.t1055.004;attack.t1059.001\"\n classification = \"Windows.Framework.Pupy\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $canary = \"bf33298a48b9ce43b1e70f64eacdcc2fb30b9f95c3ec7cde4efa23ed3c785827\"\n\n $s1 = \"[INJECT] inject_via_apcthread: Can't do x64->x86 APC injection yet. GetLastError()=%d\"\n $s2 = \"[INJECT] inject_via_apcthread: Invalid target architecture GetLastError()=%d\"\n $s3 = \"[INJECT] inject_via_apcthread: LoadLibraryA failed GetLastError()=%d\"\n $s4 = \"[INJECT] inject_via_apcthread: GetProcAddress NtQueueApcThread failed GetLastError()=%d\"\n $s5 = \"[INJECT] inject_via_apcthread: CreateToolhelp32Snapshot failed GetLastError()=%d\"\n $s6 = \"[INJECT] inject_via_apcthread: Thread32First failed GetLastError()=%d\"\n $s7 = \"[INJECT] inject_via_apcthread: VirtualAllocEx failed GetLastError()=%d\"\n $s8 = \"[INJECT] inject_via_apcthread: WriteProcessMemory lpRemoteApcStub failed GetLastError()=%d\"\n $s9 = \"[INJECT] inject_via_apcthread: WriteProcessMemory lpRemoteApcContext failed GetLastError()=%d\"\n $s10 = \"[INJECT] inject_via_remotethread_wow64: GetVersionEx failed GetLastError()=%d\"\n $s12 = \"[INJECT] inject_via_remotethread_wow64: VirtualAlloc pExecuteX64 failed GetLastError()=%d\"\n $s13 = \"[INJECT] inject_via_remotethread_wow64: VirtualAlloc pX64function failed GetLastError()=%d\"\n $s14 = \"[INJECT] inject_via_remotethread_wow64: pExecuteX64( 
pX64function, ctx ) failed GetLastError()=%d\"\n $s15 = \"[INJECT] inject_via_remotethread_wow64: ctx->t.hThread is NULL GetLastError()=%d\"\n $s16 = \"[INJECT] inject_via_remotethread: CreateRemoteThread failed\"\n $s17 = \"[INJECT] inject_via_remotethread: ResumeThread failed\"\n $s18 = \"[INJECT] inject_dll. No Dll buffer supplied.\"\n $s19 = \"[INJECT] inject_dll. GetReflectiveLoaderOffset failed.\"\n $s20 = \"[INJECT] inject_dll. OpenProcess failed.\"\n $s21 = \"[INJECT] inject_dll. VirtualAllocEx 1 failed GetLastError()=%d\"\n $s22 = \"[INJECT] inject_dll. VirtualAllocEx 2 failed\"\n $s23 = \"[INJECT] inject_dll. WriteProcessMemory 1 failed GetLastError()=%d\"\n $s24 = \"[INJECT] inject_dll. WriteProcessMemory 2 failed\"\n $s25 = \"[INJECT] inject_dll. VirtualAllocEx failed GetLastError()=%d\"\n $s26 = \"[INJECT] inject_dll. WriteProcessMemory 2 failed GetLastError()=%d\"\n $s27 = \"[INJECT] inject_dll. VirtualProtectEx failed GetLastError()=%d\"\n $s28 = \"[INJECT] inject_dll. inject_via_apcthread failed GetLastError()=%d\"\n\n condition:\n 2 of them and not $canary\n}\n", "rule_count": 1, "rule_names": [ "pupy_memory_dll_generic" ], "rule_creation_date": "2021-02-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Pupy" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.004", "attack.t1059.001", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-pupy_reflective_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580886Z", "creation_date": "2026-03-23T11:46:25.580888Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580894Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0192/\nhttps://github.com/n1nj4sec/pupy" ], "name": "pupy_reflective_loader.yar", "content": "rule pupy_reflective_loader {\n meta:\n title = \"Reflective Pupy Loader\"\n id = \"166b0ddc-dda0-48dd-b555-7ea708a4857b\"\n description = \"Detects Pupy's reflective loader.\\nPupy is a cross-platform RAT and post-exploitation tool that uses reflective injection to load malicious payloads in memory. 
This rule identifies the reflective loader component which enables the execution of Python-based payloads without writing them to disk.\\nIt is recommended to monitor process creation and check for signs of reflective code injection in suspicious processes.\"\n references = \"https://attack.mitre.org/software/S0192/\\nhttps://github.com/n1nj4sec/pupy\"\n date = \"2021-05-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0192;attack.t1055.001\"\n classification = \"Windows.Framework.Pupy\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // https://github.com/n1nj4sec/pupy/blob/f9083ef9cce073de41ca1e5926119463c3750550/client/sources/LoadLibraryR.c#L82\n /*\n ** DWORD dwReflectiveLoaderSymHashes[] = {\n ** symhash(REFLECTIVE_LOADER_SYMNAME),\n ** 0x994d06f3, // ReflectiveLoader\n ** 0x6249c9c2, // Loader\n ** 0xda5392de // RLEp\n ** };\n */\n $magic_values = {\n // x86_64 | x86_32\n // --------------------------------|---------------------------\n F3 06 4D 99 // mov [rsp+88h+var_xx], 994D06F3h | mov [ebp-0x2c],0x994d06f3\n [3-4]\n C2 C9 49 62 // mov [rsp+88h+var_xx], 6249C9C2h | mov [ebp-0x28],0x6249c9c2\n [3-4]\n DE 92 53 DA // mov [rsp+88h+var_xx], DA5392DEh | mov [ebp-0x24],0xda5392de\n }\n\n condition:\n $magic_values\n}\n", "rule_count": 1, "rule_names": [ "pupy_reflective_loader" ], "rule_creation_date": "2021-05-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Pupy" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-purehvnc_rat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563052Z", "creation_date": "2026-03-23T11:46:25.563055Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563065Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader\nhttps://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/\nhttps://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/\nhttps://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/\nhttps://www.netresec.com/?page=Blog&month=2025-08&post=PureRAT-ResolverRAT-PureHVNC" ], "name": "purehvnc_rat.yar", "content": "rule purehvnc_rat {\n meta:\n title = \"PureHVNC RAT\"\n id = \"51c5b6e7-726d-48a3-8b46-04c837a27283\"\n description = \"Detects PureHVNC, also known as PureRAT and ResolverRAT.\\nPureHVNC is a sophisticated Remote Access Trojan (RAT) sold as a Malware-as-a-Service. 
It is generally used to gain hidden remote control of Windows systems while targeting crypto-wallets, password managers and 2FA apps.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to investigate for any suspicious network connections.\"\n references = \"https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-multi-stage-loader\\nhttps://research.checkpoint.com/2025/under-the-pure-curtain-from-rat-to-builder-to-coder/\\nhttps://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/\\nhttps://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/\\nhttps://www.netresec.com/?page=Blog&month=2025-08&post=PureRAT-ResolverRAT-PureHVNC\"\n date = \"2025-11-07\"\n modified = \"2025-11-12\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055;attack.execution;attack.t1059.006;attack.collection;attack.credential_access;attack.t1056.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Trojan.PureHVNC\"\n context = \"process,memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 8cc58301bbe1f6129fcec90fc0e710654c0d6213c7edc9bae71d5c1e7a122126\n\n $certificate = 
\"MIIE3jCCAsagAwIBAgIQAMTLIwGVeCI1OftMRp4RvTANBgkqhkiG9w0BAQ0FADAQMQ4wDAYDVQQDDAVDY3Z2cDAgFw0yNTA3MDMxNjU2NTlaGA85OTk5MTIzMTIzNTk1OVowEDEOMAwGA1UEAwwFQ2N2dnAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCYn/4KHohvzJWh6BH9QN4E3NdrL8gm91F2RePSrPXPyBNVsJ4qDIf0pj6MEmfwVtFQwRgkPzJI98zvthX9FyyKe8fqlYfyK/XnX4a2wFAeFVIRCSHSWcAz4iModa8LQeqKwBCrNKOITIa52OuychN2j62n1Bf16K836Abyss3oNT+DE/ngUKwvWmPAnW9emQpWKaHveT8kVApa61Ek0HtDuW1KeDD5P+yZf9X3sXfn3THJSAS2hjO3LhUTG6si7yYyuQX7DId+yVQ7DuzbM2GZThHF47MSmZHAhiu5G/fBzp/YMZSQA0qyZpc5Am636dTKoTmLGFtWJlDQBQ//Bn5C6fuD4k8x0PvJqhTWIcevWzERML5/fYYC3FO/rbjlXcK0qny08GGtkB8Opky6GtGZ2TDV9Et0M8e9qnwIjrGPsg+vTI2+eEHpXBExF1lMplomYA3CpWOlMsD2ldUOrqbuejCOaXxJPcWa1PVhEWo/31d58+eZGvQkEQa6J8ef8u8cCLRQ1wcq3cnjP9F24ofjYli+/HxLLv3NiSMPqQwk9beoRy9Q+kMcIHUzZT99udL9xf6jZWGIkp7+XuIIRC6KlVqRw5nuaDHFiQU3QqGTgtCw2ytXkWYxZkIE9Iovo+sOE4h0TpMEwH7I1I3r3h40velQPlN3fvtuPL67o68VzQIDAQABozIwMDAdBgNVHQ4EFgQU8l0AsdVlgu++vqKWXyQ3nFMy8iEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAU7N1Z1ERS2oLJdxqIPJUYfzJMu29ni59DT2jMdSJLEYivAcxeEA9lzhZHZcWGptkOH5EsGJs1ze5Rzgyc3GV2MyQ78FEcqwh5VQ503EZosjiRB7yMjRhZi3u5fx+uZxQpbQ+sQvPpgBFUrw4qQ6nonrczWrcoCvFR2kHfKeVq4EuBSktKrDNpmsH2BQPifLRei+QTgzxbR7C7MR7391xNYN3/tsvdXBfV3nvOkLDzJWBFVeDfqgLR+dDRn7uDWwPzWfcFUyqvn3fhS4+hpYCbJP1+1RnnDu0m3ocPXWGPRCMJp75BYsULMCM7/9p7d7yXWnbQ6aqE3KWt3xvMi1COtu6H6tadw3Y1Fs8ryCqM93zAEAqExck8izcf/AkQ4KV5WpNxXRF7/lisQvbxe3csMUGgU7V292Bdc4QS5KiVubN1B4u5xPmYIxroPsR+GMA8Q928zSsntRuq2kre9uwNrgIlk1Z7kVRaT17kafRquGBt2AAEEOZYTeaEOEDk86PP9gphbNpDSwz7NadEK7W/g2wJcjPph3CSd4CV7GnFu7jY8hnKp0clRIRk5VyHzeM6T7Dlj7QYq/F9GYlfDerqkr7PAGQBBuEknRGw5q9PXedkzZIQ84WdhYtATIgEiRol08ghbc9j2AW89CwmnxYrVBHdvV2P/6Z5qaRWZOJZAo=\"\n\n $strings1 = \"SELECT * FROM AntiVirusProduct\" wide fullword\n $strings2 = \"SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')\" wide fullword\n $strings3 = \"{0} {1}Bit\" wide fullword\n $strings4 = \"{0}d {1}h {2}m {3}s\" wide fullword\n\n $extensions_id1 = 
\"ibnejdfjmmkpcnlpebklmnkoeoihofec\" wide fullword\n $extensions_id2 = \"fhbohimaelbohpjbbldcngcnapndodjp\" wide fullword\n $extensions_id3 = \"dkdedlpgdmmkkfjabffeganieamfklkm\" wide fullword\n $extensions_id4 = \"bfnaelmomeimhlpmgjnjophhpkkoljpa\" wide fullword\n $extensions_id5 = \"bocpokimicclpaiekenaeelehdjllofo\" wide fullword\n\n $extensions_name1 = \"TronLink\" wide fullword\n $extensions_name2 = \"Jaxx Liberty\" wide fullword\n $extensions_name3 = \"Nifty Wallet\" wide fullword\n $extensions_name4 = \"Coin98 Wallet\" wide fullword\n $extensions_name5 = \"Liquality Wallet\" wide fullword\n\n $applications1 = \"MapleStudio\\\\ChromePlus\\\\User Data\\\\\" wide fullword\n $applications2 = \"Fenrir Inc\\\\Sleipnir5\\\\setting\\\\modules\\\\ChromiumViewer\\\\\" wide fullword\n $applications3 = \"CatalinaGroup\\\\Citrio\\\\User Data\\\\\" wide fullword\n $applications4 = \"Sputnik\\\\Sputnik\\\\User Data\\\\\" wide fullword\n $applications5 = \"CocCoc\\\\Browser\\\\User Data\\\\\" wide fullword\n\n condition:\n $certificate or (\n all of ($strings*) and\n 3 of ($extensions_id*) and\n 3 of ($extensions_name*) and\n 3 of ($applications*)\n )\n}\n", "rule_count": 1, "rule_names": [ "purehvnc_rat" ], "rule_creation_date": "2025-11-07", "rule_modified_date": "2025-11-12", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.PureHVNC" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.exfiltration", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1056.001", "attack.t1059.006", "attack.t1041", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-qakbot_unpacked_dll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589034Z", "creation_date": "2026-03-23T11:46:25.589037Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589042Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\nhttps://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern\nhttps://attack.mitre.org/techniques/T1071/001/" ], "name": "qakbot_unpacked_dll.yar", "content": "rule qakbot_unpacked_dll {\n meta:\n title = \"Qakbot Unpacked DLL\"\n id = \"aa47c35c-1a06-4003-a010-b40ceedf2e51\"\n description = \"Detects Qakbot, a modular information stealer also known as QBot or Pinkslipbot.\\nThis rule identifies the presence of an unpacked Qakbot DLL, which is commonly used to steal data from infected systems and act as a loader for additional payloads via C2 server communication.\\nIt is recommended to isolate the affected system and analyze network traffic for signs of command and control activity.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot\\nhttps://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern\\nhttps://attack.mitre.org/techniques/T1071/001/\"\n date = \"2022-11-16\"\n modified = \"2026-02-09\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Malware.Qakbot\"\n context 
= \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 8b08c031d365a0b4d032c6e51bf773655e15795fe3eabcd3fa6487ffe9f3d6b3\n\n $s1 = \"%u&%s&%u\" fullword ascii\n $s2 = \"%u.%u.%u.%u.%u.%u.%04x\" fullword ascii\n\n $check_system_language = {\n 6A 23 // push 23h ; '#'\n 66 89 45 E8 // mov [ebp+var_18], ax\n 33 F6 // xor esi, esi\n 58 // pop eax\n 6A 3F // push 3Fh ; '?'\n 66 89 45 EA // mov [ebp+var_16], ax\n 58 // pop eax\n 6A 2C // push 2Ch ; ','\n 66 89 45 EC // mov [ebp+var_14], ax\n 58 // pop eax\n 6A 2B // push 2Bh ; '+'\n 66 89 45 EE // mov [ebp+var_12], ax\n 58 // pop eax\n 6A 37 // push 37h ; '7'\n 66 89 45 F0 // mov [ebp+var_10], ax\n 58 // pop eax\n 6A 40 // push 40h ; '@'\n 59 // pop ecx\n 6A 43 // push 43h ; 'C'\n 66 89 45 F2 // mov [ebp+var_E], ax\n 58 // pop eax\n 6A 28 // push 28h ; '('\n 66 89 45 F6 // mov [ebp+var_A], ax\n 58 // pop eax\n 6A 42 // push 42h ; 'B'\n 66 89 45 F8 // mov [ebp+var_8], ax\n 58 // pop eax\n 6A 22 // push 22h ; '\"'\n 66 89 45 FA // mov [ebp+var_6], ax\n 58 // pop eax\n 6A 1A // push 1Ah\n }\n\n $random_alphanumeric_strings = {\n 33 DB // xor ebx, ebx\n 59 // pop ecx\n 59 // pop ecx\n 6A 06 // push 6\n 5E // pop esi\n\n // loc_4A0C8C2:\n FF 75 FC // push [ebp+var_4]\n E8 ?? ?? ?? ?? // call sub_4A0A5D0\n 48 // dec eax\n 50 // push eax\n 8D 85 30 F6 FF FF // lea eax, [ebp+var_9D0]\n 6A 00 // push 0\n 50 // push eax\n E8 ?? ?? ?? ?? 
// call sub_4A136D5\n 8B 4D FC // mov ecx, [ebp+var_4]\n 83 C4 10 // add esp, 10h\n 8A 04 08 // mov al, [eax+ecx]\n 88 04 3B // mov [ebx+edi], al\n 43 // inc ebx\n 3B DE // cmp ebx, esi\n 7C D7 // jl short loc_4A0C8C2\n }\n\n condition:\n all of ($s*) and (\n $check_system_language or\n $random_alphanumeric_strings\n )\n}\n", "rule_count": 1, "rule_names": [ "qakbot_unpacked_dll" ], "rule_creation_date": "2022-11-16", "rule_modified_date": "2026-02-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.Qakbot" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-quasar_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573491Z", "creation_date": "2026-03-23T11:46:25.573493Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573499Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/quasar/Quasar\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/QuasarRAT.A\nhttps://attack.mitre.org/software/S0262/" ], "name": "quasar.yar", "content": "rule quasar_rat {\n meta:\n title = \"Quasar RAT\"\n id = \"ce220ba0-cccd-4dc2-9377-7beef54e7bf2\"\n description = \"Detects Quasar RAT, an open-source remote access tool that has been publicly available on GitHub since at least 2014.\\nQuasar is a remote access tool (RAT) that has been increasingly used by malicious actors. It provides various malicious capabilities such as webcam recording, keylogging, UAC bypasses, and extraction and decryption of browser secrets. This rule identifies common patterns associated with the RAT's client-side activities.\\nIt is recommended to verify if the presence of this tool is legitimate.\"\n references = \"https://github.com/quasar/Quasar\\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat\\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/QuasarRAT.A\\nhttps://attack.mitre.org/software/S0262/\"\n date = \"2024-10-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1056.001;attack.privilege_escalation;attack.t1548\"\n classification = \"Windows.Trojan.QuasarRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 5c76b09c0f287820cc34b5f06a8fd627bface66474241daa4b5d86273cf3102d\n // af48acd7ce4572f4b9f954e7a2dc331d8e885f7f677e61dc03f4014ebc01577c\n // b34efa5d36e786823d595617c3051c8e8cf7cbea2379055e303e12de9771beab\n // 43cb301add7569dfe23cfbd11affb0e413969ced7a47fc4dfc6d9f452baf9e66\n\n $module_regseeker1 = \"Could not 
open root registry keys, you may not have the needed permission\" wide fullword\n $module_regseeker2 = \"Invalid rootkey, could not be found.\" wide fullword\n\n $module_regeditor1 = \"Cannot create key: Error writing to the registry\" wide fullword\n $module_regeditor2 = \"Cannot delete key: Error writing to the registry\" wide fullword\n $module_regeditor3 = \"Cannot rename key: Error writing to the registry\" wide fullword\n $module_regeditor4 = \"Cannot create value: Error writing to the registry\" wide fullword\n $module_regeditor5 = \"Cannot delete value: Error writing to the registry\" wide fullword\n $module_regeditor6 = \"Cannot rename value: Error writing to the registry\" wide fullword\n $module_regeditor7 = \"You do not have write access to registry: \" wide fullword\n $module_regeditor8 = \", try running client as administrator\" wide fullword\n\n $module_startup1 = \"/create /tn \\\"\" wide fullword\n $module_startup2 = \"\\\" /sc ONLOGON /tr \\\"\" wide fullword\n $module_startup3 = \"/rl HIGHEST /f\" wide fullword\n $module_startup4 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" wide fullword\n $module_startup5 = \"schtasks\" wide fullword\n\n // User Agent used in Browser Module\n $module_agent_website = \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A\" wide fullword\n // User Agent used in Geolocation Module\n $module_agent_geoloc = \"Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0\" wide fullword\n\n $module_uninstall1 = \"@echo off\" wide fullword\n $module_uninstall2 = \"chcp 65001\" wide fullword\n $module_uninstall3 = \"echo DONT CLOSE THIS WINDOW!\" wide fullword\n $module_uninstall4 = \"ping -n 10 localhost > nul\" wide fullword\n $module_uninstall5 = \"del /a /q /f \" wide fullword\n\n condition:\n all of ($module_regseeker*) or\n all of ($module_regeditor*) or\n all of ($module_uninstall*) or\n all of ($module_startup*) or\n all of 
($module_agent*)\n}\n", "rule_count": 1, "rule_names": [ "quasar_rat" ], "rule_creation_date": "2024-10-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.QuasarRAT" ], "rule_tactic_tags": [ "attack.credential_access", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1056.001", "attack.t1548" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rakshasa_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564961Z", "creation_date": "2026-03-23T11:46:25.564963Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564969Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Mob2003/rakshasa" ], "name": "rakshasa.yar", "content": "rule rakshasa {\n meta:\n title = \"Rakshasa Tunneling Tool\"\n id = \"81ef3193-7cca-421e-9742-a22ee24fa566\"\n description = \"Detects Rakshasa, a TCP/UDP tunnel tool used for establishing covert communication channels.\\nRakshasa is a tool designed to create encrypted tunnels for command and control or data exfiltration purposes.\\nIt is often used by attackers during the 
initial access or lateral movement phases of an attack to pivot within a compromised environment.\\nThis rule identifies instances of Rakshasa based on its unique build signatures and binary object references.\\nIt is recommended to investigate the context around the usage of this tool to determine whether its presence on the host is legitimate.\"\n references = \"https://github.com/Mob2003/rakshasa\"\n date = \"2024-01-31\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Tool.Rakshasa\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c52c546afd23b92e2200e9c0ffc05d6079e4da831822be13f3289d3d85013ba4\n // 52431cea9164ee715f8c90558e9ff77c061ef3acbeaef3d5d3c69ccf62e8d7e6\n // ccfa30a40445d5237aaee1e015ecfcd9bdbe7665a6dc2736b28e5ebf07ec4597\n // 97a48fc70bae6ba3d47f9261ff0872fc31b7b3ad7342053f29bea81346fe1a7e\n // 6deb4162aed4794fe8ba2b4f68d9759207cb386afba4c32a1744f75705b3d35f\n // 011900219bac10b4c66871e35de226d3a2bda55d1703aff135bfb6158a07ce0a\n // 445b81086d25f3e25627236131c34f35889ae54fe4f28e8abe933fa042a9f527\n // be33fac18a4ae3a9a0c4ced45917b5d5a031f8bbd32f205e7a53c6f570516ecd\n // 0de6fe3c3cfcb97fb683bb316e6da49de2b01890bef199c8d5c365e865b2cd0e\n // 4d05ab80576a8c98f549946c1c08b649697d675838778f39fe0bbdb4763e4ad3\n // ce6b91e619018286ac50d7d1829606db86b24d9d232e10b47b5670c4b7ae3dca\n // 613f2a2f83e7796997cb9310aee787f146cfef852758a5a84f52aed1cf9ca3aa\n\n $string_gobuild_1 = \"Go build ID: \\\"PL4dDTRXq9TuA7dkNm1I/TZMovUVV9bRZn9bDiPCB/qfanw0E06PmrhCMiVUjp/PdaKBhXPo1-6TwFy5B4_\\\"\" ascii fullword\n $string_gobuild_2 = \"Go build ID: \\\"-0BzbrGuCkKmc0vr4YKL/zAqk93HPEz-qbLMtEuET/KjZDtoK1zuIEAX93v4jP/jwjXucccMjNXTujS__5f\\\"\" ascii fullword\n $string_gobuild_3 = \"Go build ID: 
\\\"tbMGCaTLvIG9y8kaU4te/T_AP2EOr6R8F4J7rF0W_/Z6VgNnW6YyfaQHmfgker/MDokYtJFEDd85m0ELMmN\\\"\" ascii fullword\n $string_gobuild_4 = \"Go build ID: \\\"edXcwaWc_RlZkJ9xgjy7/v2vbKWaN_uG0LGt94xFt/DYAYAtRnUP0Ly7EXexzs/NHBtOZT420QfFHQqRokY\\\"\" ascii fullword\n $string_gobuild_5 = \"Go build ID: \\\"IOzA3a_4-n9--x88DC7m/tQsWekHMYmhytKzw6j3p/FeK6nKBde9BQhT05Qboj/Nrw7uv2kmjjxj69mlit7\\\"\" ascii fullword\n $string_gobuild_6 = \"Go build ID: \\\"NUOnQVxGUBU27_Bz9jCm/CQ2mL1OJDYFSe-PtfKRu/JYYLfB0ay7z-2ztCHu0V/HjRzQIx76EL0-h-8730P\\\"\" ascii fullword\n $string_gobuild_7 = \"Go build ID: \\\"xzINQcNWBaQLzAFuDMNX/uTSU8WV3_Ki5boTP5ubq/bRh4bofxU6PtH3Mz3jRm/D_RiqSzvUsdVJ8_C_y2s\\\"\" ascii fullword\n $string_gobuild_8 = \"Go build ID: \\\"KKj2ES1hxhNlhlaz49hW/tKIqHJ-kaSE3og1t76q2/uGwGyIA7cz5boICVd4o3/hGHlX-FEVw1-Wye08kfm\\\"\" ascii fullword\n\n // object\n $string_object_1 = \"rakshasa/aes.\" ascii\n $string_object_2 = \"rakshasa/common.\" ascii\n $string_object_3 = \"rakshasa_lite/aes.\" ascii\n $string_object_4 = \"rakshasa_lite/common.\" ascii\n $string_object_5 = \"rakshasa_lite/server.\" ascii\n $string_object_6 = \"rakshasa/server.\" ascii\n\n condition:\n 1 of ($string_gobuild_*) or 3 of ($string_object_*)\n}\n", "rule_count": 1, "rule_names": [ "rakshasa" ], "rule_creation_date": "2024-01-31", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Tool.Rakshasa" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomhub_python_backdoor_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": 
"strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569520Z", "creation_date": "2026-03-23T11:46:25.569523Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569528Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.trendmicro.com/fr_fr/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\nhttps://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/" ], "name": "ransomhub_python_backdoor.yar", "content": "rule ransomhub_python_backdoor {\n meta:\n title = \"Ransomhub Python Backdoor\"\n id = \"0a3d982e-0193-43a5-9946-011eac227ded\"\n description = \"Detects the presence of a Python-based backdoor commonly used by the RansomHub ransomware group, which enables remote access and execution of malicious payloads.\\nThis backdoor is part of their intrusion techniques facilitating ransomware deployment and persistence.\\nIt is recommended to investigate the process and its network connections to determine its legitimacy and to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.trendmicro.com/fr_fr/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\\nhttps://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/\"\n date = \"2025-06-13\"\n modified = \"2025-06-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.execution;attack.t1059.006;attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Backdoor.Ransomhub\"\n context = \"memory\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c2d99f4fabf5e19bdd42f2a78471e923cd3d082de392799406314e2978e4ba03\n // 493a35f2dcb86aae910294bbdd51c40848e44f4f91c78f18c4d0e8f471a6cf16\n // 6d3bc2509a73de493edf4f3e897a71add97128ba0821ea28acd34b426e85f05f\n // 0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04\n // 48ad4a533807c71acdf6ffbd781ea11d3c7822ff625cad4fa6cc38827f5c45d1\n\n $obfuscate_s1 = \"from Crypto.Cipher import AES, ChaCha20\" ascii\n $obfuscate_s2 = \"def get_hw_key():\" ascii\n $obfuscate_s3 = \"def pc_start(enc):\" ascii\n $obfuscate_s4 = \"if line.startswith('TracerPid:') and int(line.split()[1]) != 0:\" ascii\n $obfuscate_s5 = \"hw_key = get_hw_key()\" ascii\n $obfuscate_s6 = \"launch_hidden()\" ascii\n $obfuscate_s7 = \"exec(pc_start(\" ascii\n\n $deobfuscated_s1 = \"_K = 'AnyPassword'\" ascii\n $deobfuscated_s2 = \"def verify_client(self):\" ascii\n $deobfuscated_s3 = \"def start_transferring(self):\" ascii\n $deobfuscated_s4 = \"class ControllerCommandConnection(threading.Thread):\" ascii\n $deobfuscated_s5 = \"def CONNECT_transferring(self):\" ascii\n $deobfuscated_s6 = \"def main(proxy_server_address, proxy_port_for_command_connection, allow_no_verifing, login, password):\" ascii\n $deobfuscated_s7 = \"main(proxy_ip, proxy_port, _A, _J, _K)\" ascii\n\n condition:\n all of ($obfuscate_s*) or all of ($deobfuscated_s*)\n}\n", "rule_count": 1, "rule_names": [ "ransomhub_python_backdoor" ], "rule_creation_date": "2025-06-13", "rule_modified_date": "2025-06-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.Ransomhub" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1071.001", 
"attack.t1059.006", "attack.t1027" ], "rule_score": 100, "rule_context": [ "memory" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_akira_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589220Z", "creation_date": "2026-03-23T11:46:25.589222Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589227Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.qualys.com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a" ], "name": "ransomware_akira.yar", "content": "import \"pe\"\n\nrule akira {\n meta:\n title = \"Akira Ransomware\"\n id = \"78fb13e1-cb9f-44f4-8de8-f413d37b8680\"\n description = \"Detects Akira ransomware, a human-operated ransomware used to compromise enterprise networks by exploiting public-facing vulnerabilities (notably VPN and RDP), abusing valid credentials and phishing to gain initial access, performing credential dumping and domain discovery for privilege escalation, establishing persistence through created accounts, and using legitimate administration and tunneling tools for lateral movement and command and 
control.\\nAfter reconnaissance and data collection, threat actors exfiltrate sensitive information using common file transfer and cloud sync tools, employ a double-extortion model, and encrypt systems with a hybrid ChaCha20/RSA scheme while inhibiting recovery.\\nIt is recommended to isolate the machine and investigate the context around this alert for signs of unauthorized access, discovery activity or ransomware encryption behavior.\"\n references = \"https://blog.qualys.com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware\\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a\"\n date = \"2026-01-15\"\n modified = \"2026-02-03\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486;attack.t1490;attack.defense_evasion;attack.t1562.001;attack.exfiltration;attack.t1567.002;attack.t1537\"\n classification = \"Windows.Ransomware.Akira\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // fd84c9c09358e721173725d0a1eeae08cd0c6d74b2f44646552adc4b19883e90\n // f12e00c1f9ee0e3ad6389f1f74bf4acc7c91a54948a4637b037357108f81133c\n // f11b60b273e2606e91832edbb014ad229563f5c537ddab11dba80018c11364dd\n\n $s_stub00 = {\n 48 8D 55 91 // lea rdx, [rbp+410h+var_47F]\n 48 8D 8D 90 02 00 00 // lea rcx, [rbp+410h+var_180]\n E8 [2] 03 00 // call sub_14003EE60\n 90 // nop\n C6 45 A8 00 // mov [rbp+410h+var_468], 0\n C6 45 A9 [1] // mov [rbp+410h+var_467], 15h\n C6 45 AA [1] // mov [rbp+410h+var_466], 21h ; '!'\n C6 45 AB [1] // mov [rbp+410h+var_465], 2Eh ; '.'\n C6 45 AC [1] // mov [rbp+410h+var_464], 21h ; '!'\n C6 45 AD [1] // mov [rbp+410h+var_463], 64h ; 'd'\n C6 45 AE [1] // mov [rbp+410h+var_462], 21h ; '!'\n C6 45 AF [1] // mov [rbp+410h+var_461], 2Eh ; '.'\n C6 45 B0 [1] // mov [rbp+410h+var_460], 21h ; '!'\n C6 45 B1 [1] // mov [rbp+410h+var_45F], 2Eh ; '.'\n C6 45 B2 [1] // mov [rbp+410h+var_45E], 21h ; '!'\n C6 
45 B3 [1] // mov [rbp+410h+var_45D], 59h ; 'Y'\n C6 45 B4 [1] // mov [rbp+410h+var_45C], 21h ; '!'\n C6 45 B5 [1] // mov [rbp+410h+var_45B], 28h ; '('\n C6 45 B6 [1] // mov [rbp+410h+var_45A], 21h ; '!'\n C6 45 B7 [1] // mov [rbp+410h+var_459], 1Eh\n C6 45 B8 [1] // mov [rbp+410h+var_458], 21h ; '!'\n C6 45 B9 [1] // mov [rbp+410h+var_457], 28h ; '('\n C6 45 BA [1] // mov [rbp+410h+var_456], 21h ; '!'\n C6 45 BB [1] // mov [rbp+410h+var_455], 21h ; '!'\n C6 45 BC [1] // mov [rbp+410h+var_454], 21h ; '!'\n 0F B6 45 A9 // movzx eax, [rbp+410h+var_467]\n 0F B6 45 A8 // movzx eax, [rbp+410h+var_468]\n 84 C0 // test al, al\n 75 // jnz short loc_1400026E4\n }\n\n condition:\n pe.imphash() == \"f89d971f855e5743dd4d1e73a5da5699\"\n or 1 of ($s_stub*)\n}", "rule_count": 1, "rule_names": [ "akira" ], "rule_creation_date": "2026-01-15", "rule_modified_date": "2026-02-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Akira" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.exfiltration", "attack.impact" ], "rule_technique_tags": [ "attack.t1490", "attack.t1562.001", "attack.t1537", "attack.t1567.002", "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_badrabbit_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583272Z", 
"creation_date": "2026-03-23T11:46:25.583274Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583283Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0606/\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html" ], "name": "ransomware_badrabbit.yar", "content": "rule ransomware_badrabbit {\n meta:\n title = \"BadRabbit Ransomware\"\n id = \"bea900d8-e98c-4c83-9fec-1b25d235a8f4\"\n description = \"Detects the BadRabbit ransomware, a malicious software used during attacks targeting organizations in eastern Europe and Russia in October 2017.\\nBadRabbit is a ransomware that encrypts files and demands payment for decryption. It shares similarities with NotPetya but uses a different encryption method. The ransomware typically drops a README.html file and uses specific file naming conventions. It also attempts to spread laterally by dropping copies of itself in specific directories and using scheduled tasks for persistence.\\nIt is recommended to perform a thorough investigation of network shares and connected devices to prevent further spread.\"\n references = \"https://attack.mitre.org/software/S0606/\\nhttps://blog.talosintelligence.com/2017/10/bad-rabbit.html\"\n date = \"2022-02-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486;attack.s0606\"\n classification = \"Windows.Ransomware.BadRabbit\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648\n\n $strings_wide1 = \"Oops! 
Your files have been encrypted.\" fullword wide\n $strings_wide2 = \"%ws C:\\\\Windows\\\\%ws,#1 %ws\" fullword wide\n $strings_wide3 = \"%wswevtutil cl %ws &\" fullword wide\n $strings_wide4 = \"schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \\\"%ws\\\" /ST %02d:%02d:00\" fullword wide\n $strings_wide5 = \"process call create \\\"C:\\\\Windows\\\\System32\\\\rundll32.exe\" fullword wide\n\n $hash_process = {\n 8B 55 08 // mov edx, [ebp+arg_0]\n 8A 14 4A // mov dl, [edx+ecx*2]\n 8B C6 // mov eax, esi\n 83 E0 03 // and eax, 3\n 8D 44 05 FC // lea eax, [ebp+eax+var_4]\n 32 10 // xor dl, [eax]\n FE CA // dec dl\n 41 // inc ecx\n 46 // inc esi\n 88 10 // mov [eax], dl\n 3B 4D 0C // cmp ecx, [ebp+arg_4]\n 72 E4 // jb short loc_10007DA5\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 500KB and (\n (4 of ($strings_wide*)) and $hash_process\n )\n}\n", "rule_count": 1, "rule_names": [ "ransomware_badrabbit" ], "rule_creation_date": "2022-02-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.BadRabbit" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_blackbytent_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569021Z", "creation_date": 
"2026-03-23T11:46:25.569024Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569030Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte\nhttps://blogs.blackberry.com/en/2022/12/blackbyte-ransomware-takes-an-extra-bite-using-double-extortion-methods\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/" ], "name": "ransomware_blackbytent.yar", "content": "rule ransomware_blackbytent_unpacked {\n meta:\n title = \"BlackByteNT Ransomware\"\n id = \"b1e6c47f-09f4-4921-b9b1-805af8af0045\"\n description = \"Detects the unpacked BlackByteNT ransomware.\\nBlackByteNT, also known as BlackByte 3.0, is a version of the BlackByte ransomware first seen in early 2023. This ransomware is written in C++ and is known to use vulnerable drivers to disable security products via the BYOVD technique.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte\\nhttps://blogs.blackberry.com/en/2022/12/blackbyte-ransomware-takes-an-extra-bite-using-double-extortion-methods\\nhttps://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.BlackByteNT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 87d7caf2e0c77e2f1b2a852183903acdd52551284f7a27e8712a40a2cf6764b0\n // d8591297cf8f7df51bc919acbca4e00d6e4f428b544778610a25e1fabc43ff32\n // 2cd5067eabc2711c8bf7247e562eccb609d474a08c703d7b1d3b9cf771fb7231\n // 
843fb8472ed4e8848c26fc59c034a92aa66554be6a6679d1f68fe24d8b009ff3\n // 4002ac696ed04e3d1623fb460adf70c60124c386ccccbc125900643af0a1587d\n\n $s1 = \"/download/symbols/ntkrnlmp.pdb/\" ascii\n $s2 = \"ransomdetect.sys,reaqtor.sys,redlight.sys\" ascii\n $s3 = \"BLACKBYTE\" ascii fullword\n $s4 = \".onion/\" ascii\n $s5 = \"Your Key to access the chat: \" ascii\n\n $x1 = {\n 8D 41 BF // lea eax, [rcx-41h]\n 66 83 F8 3E // cmp ax, 3Eh ; '>'\n 77 0A // ja short loc_7FF6265CE3DC\n 66 83 F9 5A // cmp cx, 5Ah ; 'Z'\n 77 04 // ja short loc_7FF6265CE3DC\n 66 83 C1 20 // add cx, 20h ; ' '\n }\n\n condition:\n all of ($s*) or #x1 > 8\n}\n", "rule_count": 1, "rule_names": [ "ransomware_blackbytent_unpacked" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.BlackByteNT" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_blackcat_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564253Z", "creation_date": "2026-03-23T11:46:25.564255Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.564261Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/blackcat-ransomware/\nhttps://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html" ], "name": "ransomware_blackcat_linux.yar", "content": "rule ransomware_blackcat_linux {\n meta:\n title = \"BlackCat Ransomware (Linux)\"\n id = \"deb48071-00a2-4ede-a5d1-0ca239faae55\"\n description = \"Detects the BlackCat (aka ALPHV) ransomware on Linux systems.\\nBlackCat is a Rust-based ransomware that encrypts files and executes specific commands to spread or persist.\\nIt often searches for and encrypts sensitive files.\\nIt is recommended to investigate the process tree and file system operations for suspicious activities.\"\n references = \"https://unit42.paloaltonetworks.com/blackcat-ransomware/\\nhttps://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html\"\n date = \"2022-03-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Linux.Ransomware.BlackCat\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1\n // f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083\n // f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6\n // 5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42\n // e7060538ee4b48b0b975c8928c617f218703dab7aa7814ce97481596f2a78556\n // 9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26\n\n // Characteristic strings\n $s1 = \"Starting File Unlockers\" ascii\n $s2 = \"File is already decrypted\" ascii\n $s3 = \"Waiting for ESXi Preparation...\" ascii\n $s4 = \"Removing Snapshots\" ascii\n $s5 = \"uname -r\" ascii\n $s6 = \"esxcli 
--formatter=csv --format-param=fields==\\\"WorldID,DisplayName\\\" vm process list\" ascii\n $s7 = \"vim-cmd vmsvc/snapshot.removeall\" ascii\n $s8 = \"system(\\\"esxcli vm process kill --type=force\" ascii\n\n condition:\n uint32(0) == 0x464c457f and filesize < 4MB and 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_blackcat_linux" ], "rule_creation_date": "2022-03-18", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Ransomware.BlackCat" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_blackcat_windows_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574430Z", "creation_date": "2026-03-23T11:46:25.574432Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574438Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/blackcat-ransomware/\nhttps://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html" ], "name": "ransomware_blackcat_windows.yar", "content": "rule 
ransomware_blackcat_windows {\n meta:\n title = \"BlackCat Windows ransomware\"\n id = \"38e6e4df-9f7a-4635-b180-539a71575edd\"\n description = \"Detects the BlackCat (ALPHV) ransomware on Windows systems.\\nBlackCat is a Rust-based ransomware first appearing in mid-November 2021. It primarily targets Windows systems but also has Linux variants. The ransomware uses AES encryption and employs various techniques to persist and propagate, including UAC bypass, process injection, and removal of shadow copies.\\nThis rule detects BlackCat activity through specific strings and patterns in its configuration files.\\nIt identifies behaviors such as attempting to remove shadow copies, mounting hidden partitions, and using a masquerade technique in memory.\\nThe detection also looks for characteristic strings related to its encryption and file handling processes.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://unit42.paloaltonetworks.com/blackcat-ransomware/\\nhttps://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html\"\n date = \"2022-03-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.BlackCat\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a15f278540238f0308608e76a76c01c60e04f5e5bbe9ffce5455f2e965574a12\n // 3ed830b0803b63aca0a82661475c863801afd2e2b03c2675b05019d55f25a1f4\n // 3a96c3075b8494fe6a76c6325946ab3f200e75ce26ad886446ea1394b5ac6ba1\n // c50bca08a8e80850ec18d258ff937b7b72a500d9027c730c86b05aa73c938b5d\n // 4aa1fb1a55c6f0207955ec34b62f4c2551b7030cfc98fdef981a61ef0f9b2e1a\n // 6dd995d896a9a593b2c48d09da60bd83866d8577273f36d38788d83ad8173e68\n // d0e0923cf7f97c86b6cde608bc7a0332d03881e598de7b8e41c114d1576e4534\n // 3850817e83a1cf4195920110bb2995a0386fdaeacbf81e13f52bdb3d124911f5\n // 3b18241ac1018db1c2fb5c9e8306490bcafb373c852f1c5ebae65c672632a620\n // 9fb1067dd3edf3d517517e9c191f3f07067bf30aa034a36ebf6543d83cea5ec1\n // e69a13add1245bc1b7b6337e64eee9b53395b9574f2b85d32f891680c7165ff5\n // 7bb383b31d1b415bc067e612203cc6bda53e914f7ca5291299e92f59d47cabf8\n // d3fd49f8f42fa571209af568a65119433e114bb66da21eda12b96a16b5ebfe21\n // 3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc\n // 5a604a8f0e72f3bf7901b7b67f881031a402ab8072269c00233a554df548f54d\n // 67d1f4077e929385cfd869bf279892bf10a2c8f0af4119e4bc15a2add9461fec\n // 6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896\n // bacedbb23254934b736a9daf6de52620c9250a49686d519ceaf0a8d25da0a97f\n // f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e\n // 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161\n 
// 59868f4b346bd401e067380cac69080709c86e06fae219bfb5bc17605a71ab3f\n // 7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e\n // 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83\n // cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae\n\n // Caracteristic strings\n $s1 = \"Starting File Unlockers\" ascii\n $s2 = \"uac_bypass::shell_exec=\" ascii\n $s3 = \"File already has encrypted extension ->\" ascii\n $s4 = \"File is already decrypted ->\" ascii\n $s5 = \"cmd.exe /c for /F \\\"tokens=*\\\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \\\"%1\\\"\" ascii\n $s6 = \"Trying to remove shadow copies\" fullword ascii\n $s7 = \"Trying to mount hidden partitions\" ascii\n $s8 = \"masquerade_peb\" fullword ascii\n $s9 = \"${EXTENSION}${ACCESS_KEY}${NOTE_FILE_NAME}\" ascii\n $s10 = \"Invalid access token.\" ascii\n\n // BlackCat config file dict keys\n // This can only detect first variant of BlackCat because since march 2022 a new variant use the command-line option ACCCESS_TOKEN to generate an AES key used to decrypt the encrypted config.\n $json_key1 = \"\\\"note_file_name\\\"\" ascii\n $json_key2 = \"\\\"note_full_text\\\"\" ascii\n $json_key3 = \"\\\"default_file_cipher\\\"\" ascii\n $json_key4 = \"\\\"kill_services\\\"\" ascii\n $json_key5 = \"\\\"kill_processes\\\"\" ascii\n $json_key6 = \"\\\"exclude_directory_names\\\"\" ascii\n $json_key7 = \"\\\"enable_network_discovery\\\"\" ascii\n $json_key8 = \"\\\"enable_self_propagation\\\"\" ascii\n $json_key9 = \"\\\"enable_esxi_vm_kill\\\"\" ascii\n $json_key10 = \"\\\"enable_esxi_vm_snapshot_kill\\\"\" ascii\n $json_key11 = \"\\\"esxi_vm_kill_exclude\\\"\" ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 4MB and (7 of ($s*) or 8 of ($json_key*))\n}\n", "rule_count": 1, "rule_names": [ "ransomware_blackcat_windows" ], "rule_creation_date": "2022-03-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.BlackCat" 
], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_braincipher_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.565751Z", "creation_date": "2026-03-23T11:46:25.565755Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.565764Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://protergo.id/all-about-brain-cipher-ransomware-2024/" ], "name": "ransomware_braincipher_linux.yar", "content": "rule ransomware_braincipher_linux {\n meta:\n title = \"Brain Cipher Ransomware\"\n id = \"be6e4655-0c9b-412d-8a35-4f13c6278168\"\n description = \"Detects the Brain Cipher ransomware for Linux.\\nBrain Cipher is a ransomware targeting Linux systems. 
It encrypts files using the Chacha20 cipher and leaves specific markers such as a welcome message and an email.\\nThe ransomware searches for files in directories like /home/httpd and .qpkg, indicating its focus on certain system locations.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://protergo.id/all-about-brain-cipher-ransomware-2024/\"\n date = \"2024-07-26\"\n modified = \"2025-11-27\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Linux.Ransomware.BrainCipher\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 824916939cbe500d2dee0aa3a61b6f97ca6346bff655c9a67007b726584db8a8\n\n $canary = \"e9ec2d299f96aa6260bc290a8cdae5d5d4988b5a86e8842ca4ce834833484d15\" ascii\n\n $fatal_1 = \"Welcome to Brain Cipher Ransomware!\" ascii fullword\n $fatal_2 = \"Email to support: brain.support@cyberfear.com\"\n\n $str_1 = \".system/opt\" ascii\n $str_2 = \"/home/httpd\" ascii\n $str_3 = \".qpkg\" ascii\n $str_4 = \"/mnt/ext/opt\" ascii\n $str_5 = \"Processing chunk %d\\\\%d (%s)\\n\" ascii\n\n $fn_xor_key_stream_1 = {\n 8B 84 24 // mov eax,dword ptr [esp + local_84]\n D8 01 00 00\n 89 04 24 // mov dword ptr [esp]=>local_25c,eax\n 8B 84 24 // mov eax,dword ptr [esp + local_74]\n E8 01 00 00\n 89 44 24 04 // mov dword ptr [esp + local_258],eax\n 89 54 24 08 // mov dword ptr [esp + local_254],edx\n 89 54 24 0C // mov dword ptr [esp + local_250],edx\n 89 44 24 10 // mov dword ptr [esp + local_24c],eax\n 89 54 24 14 // mov dword ptr [esp + local_248],edx\n 89 54 24 18 // mov dword ptr [esp + local_244],edx\n E8 ?? ?? // call golang.org/x/crypto/chacha20.(*cipher).xorkeys undefined golang.org/x/crypto/ch\n ?? 
??\n }\n\n $fn_xor_key_stream_2 = {\n 8B 8C 24 // mov ecx,dword ptr [esp + local_84]\n D8 01 00 00\n 89 0C 24 // mov dword ptr [esp]=>local_25c,ecx\n 8B 94 24 // mov edx,dword ptr [esp + local_74]\n E8 01 00 00\n 89 54 24 04 // mov dword ptr [esp + local_258],edx\n C7 44 24 // mov dword ptr [esp + local_254],0x100000\n 08 00 00\n 10 00\n C7 44 24 // mov dword ptr [esp + local_250],0x100000\n 0C 00 00\n 10 00\n 89 54 24 10 // mov dword ptr [esp + local_24c],edx\n C7 44 24 // mov dword ptr [esp + local_248],0x100000\n 14 00 00\n 10 00\n C7 44 24 // mov dword ptr [esp + local_244],0x100000\n 18 00 00\n 10 00\n E8 ?? ?? // call golang.org/x/crypto/chacha20.(*cipher).xorkeys undefined golang.org/x/crypto/ch\n ?? ??\n }\n\n condition:\n ((any of ($fatal_*) or all of ($str_*)) and not $canary) or all of ($fn_*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_braincipher_linux" ], "rule_creation_date": "2024-07-26", "rule_modified_date": "2025-11-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Ransomware.BrainCipher" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_cactus_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574461Z", "creation_date": "2026-03-23T11:46:25.574463Z", 
"enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574469Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection\nhttps://www.swascan.com/cactus-ransomware-malware-analysis/" ], "name": "ransomware_cactus.yar", "content": "rule ransomware_cactus {\n meta:\n title = \"Cactus Ransomware\"\n id = \"9a0ae99d-eedc-475a-9c30-1495030c4352\"\n description = \"Detects the Cactus ransomware.\\nCactus is a ransomware variant actively targeting Windows systems.\\nIt creates a file named 'CaCtUs.ReAdMe.txt' containing a ransom note and appends '.encrypted by Cactus' to encrypted files. The ransomware also creates a malicious scheduled task using schtasks.exe to maintain persistence.\\nCactus encrypts files and attempts to delete volume shadow copies to prevent data recovery.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection\\nhttps://www.swascan.com/cactus-ransomware-malware-analysis/\"\n date = \"2023-10-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Cactus\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 4b0a5d6a176317437978211a423a7c1cdf832baa7984bba09aeeb5a1e4d07aa3\n // 69b6b447ce63c98acc9569fdcc3780ced1e22ebd50c5cad9ee1ea7a4d42e62cc\n // 78c16de9fc07f1d0375a093903f86583a4e32037a7da8aa2f90ecb15c4862c17\n // 9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a\n // d1db583aad156dc4edd093a64aade4180a77477cb247347e3fc97cae401d061f\n $canary = \"e08b56f7a57256dc8f4b3ef0605a1cb6e9c7573804d02dbfeacaa9308e46bf37\"\n\n $s1 = \"C:\\\\ProgramData\\\\ntuser.dat\" ascii fullword\n $s2 = \"CaCtUs.ReAdMe.txt\" wide fullword\n $s3 = \" encrypted by Cactus.\" wide\n $s4 = \"Backup contact: TOX (https://tox.chat/):\" wide fullword\n $s5 = \"C:\\\\Windows\\\\system32\\\\schtasks.exe /create /sc MINUTE /mo 5 /rl HIGHEST /ru SYSTEM /tn \\\"Updates Check Task\\\" /tr \\\"cmd /c cd C:\\\\ProgramData &&\" wide fullword\n\n $u1 = \"fixedIDCorrect\" ascii fullword\n $u2 = \"startByParams\" ascii fullword\n $u3 = \"needExtraLogger\" ascii fullword\n $u4 = \"needLogger\" ascii fullword\n $u5 = \"totalFilesSkipped\" ascii fullword\n $u6 = \"totalFilesSkippedAccess\" ascii fullword\n $u7 = \"totalFilesProcessed\" ascii fullword\n $u8 = \"FindVolumeClose\" ascii fullword\n\n $process_file_s1 = \"success file \" wide fullword\n $process_file = {\n 48 8B 45 38 // mov rax, [rbp+20h+fileSize]\n 48 C1 E8 06 // shr rax, 6\n 48 BA 73 3D 0A D7 A3 70 3D 0A // mov rdx, 
0A3D70A3D70A3D73h\n 48 F7 E2 // mul rdx\n 48 89 D0 // mov rax, rdx\n 48 C1 E0 04 // shl rax, 4\n 48 89 45 F8 // mov [rbp+20h+hashSize], rax\n 48 81 7D F8 00 80 02 00 // cmp [rbp+20h+hashSize], 28000h\n 76 08 // jbe short loc_140006B3A\n 48 C7 45 F8 00 80 02 00 // mov [rbp+20h+hashSize], 28000h\n }\n\n condition:\n (4 of ($s*) or\n all of ($u*) or\n all of ($process_file*))\n and not $canary\n}\n", "rule_count": 1, "rule_names": [ "ransomware_cactus" ], "rule_creation_date": "2023-10-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Cactus" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_chaos_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566495Z", "creation_date": "2026-03-23T11:46:25.566498Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566507Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous\nhttps://blog.talosintelligence.com/new-chaos-ransomware/" ], "name": "ransomware_chaos.yar", "content": "rule chaos_ransomware {\n meta:\n title = \"CHAOS Ransomware\"\n id = \"8d9ff024-3b63-4cc9-8924-833645ded8eb\"\n description = \"Detects the C++ CHAOS ransomware version.\\nThis ransomware resurfaced in 2025 with new capabilities such as using clipboard hijacking for cryptocurrency theft by modifying bitcoin wallet addresses copied in the clipboard by the attacker one. Finally, it uses destructive extortion by deleting the content of large files (larger than 1.3GB).\\nIt is recommended to perform a thorough investigation of network shares and connected devices to prevent further spread and to analyze the host for other malicious content or actions.\"\n references = \"https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous\\nhttps://blog.talosintelligence.com/new-chaos-ransomware/\"\n date = \"2025-10-15\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1497;attack.t1622;attack.t1140;attack.privilege_escalation;attack.t1134;attack.command_and_control;attack.t1071\"\n classification = \"Windows.Ransomware.CHAOS\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f4b5b1166c1267fc5a565a861295a20cf357c17d75418f40b4f14b094409d431\n // fc8d39c8e9f294a39e5e86c5f56f4fac311fdbd7604c7e65e139826d01db06d9\n // fe717bab60f1b03012b1e6287e3f3725f1ad5163897041b824024aedabb7c46d\n\n $some_str00=\"Large file: %S\"\n $some_str01=\"Encrypted: %S\"\n $some_str02=\"2. 
Email transaction ID to:\"\n $some_str03=\"Clipboard monitor started\"\n $some_str04=\"BTC detected\"\n $some_str05=\"Admin check...\"\n $some_str06=\"Admin confirmed\"\n $some_str07=\"vssadmin delete shadows /all /quiet >nul 2>&1\"\n $some_str08=\"wmic shadowcopy delete >nul 2>&1\"\n $some_str09=\"bcdedit /set {default} bootstatuspolicy ignoreallfailures >nul 2>&1\"\n $some_str10=\"bcdedit /set {default} recoveryenabled no >nul 2>&1\"\n $some_str11=\"wbadmin delete catalog -quiet >nul 2>&1\"\n $some_str12=\"svchost_log.txt\"\n $some_str13=\"Important files encrypted. Check README.\"\n $some_str14=\"chaos_debug.log\"\n $some_str15=\"=== CHAOS Ransomware Debug Log ===\"\n $some_str16=\"File already encrypted, skipping\"\n $some_str17=\"Not a target file type, skipping\"\n $some_str18=\"File too large (>50MB), skipping\"\n $some_str19=\"Dropped ransom note: %S\"\n $some_str20=\"Starting CHAOS ransomware..\"\n $some_str21=\"=== ENCRYPTION COMPLETE ===\"\n $some_str22=\"%s.chaos\" wide\n $some_str23=\"%s\\\\READ_ME_CHAOS_%d.txt\" wide\n $some_str24=\"CHAOS Debug\" wide\n $some_str25=\"No files were encrypted.\\nCheck log: %TEMP%\\\\chaos_debug.log\" wide\n $some_str26=\"chaos@protonmail.com\"\n $some_str27=\"\"\n $some_str28=\"ChaosClipboardMonitor\" wide\n\n $mutex=\"SvcHost_7z459ajrk\"\n\n $stub_enumerate_files00 = {\n 0F 29 70 B8 // movaps xmmword ptr [rax-48h], xmm6\n 0F 29 78 A8 // movaps xmmword ptr [rax-58h], xmm7\n 4C 8B E1 // mov r12, rcx\n 41 B5 01 // mov r13b, 1\n 4C 8B 71 10 // mov r14, [rcx+10h]\n 48 B9 FE FF FF FF FF FF FF 7F // mov rcx, 7FFFFFFFFFFFFFFEh\n 48 8B C1 // mov rax, rcx\n 49 2B C6 // sub rax, r14\n 48 83 F8 02 // cmp rax, 2\n 0F 82 D9 0C 00 00 // jb loc_14000CBB5\n 4D 8B FC // mov r15, r12\n 49 83 7C 24 18 07 // cmp qword ptr [r12+18h], 7\n 76 04 // jbe short loc_14000BEEB\n 4D 8B 3C 24 // mov r15, [r12]\n }\n $stub_enumerate_files01 = {\n 89 9D 78 04 00 00 // mov [rbp+460h+arg_8], ebx\n BA 3A 00 00 00 // mov edx, 3Ah ; ':'\n 41 B8 5C 00 00 00 
// mov r8d, 5Ch ; '\\'\n 49 BD FE FF FF FF FF FF FF 7F // mov r13, 7FFFFFFFFFFFFFFEh\n 66 0F 6F 35 7A 03 03 00 // movdqa xmm6, cs:xmmword_14003D860\n }\n $stub_enumerate_recursive = {\n 0F 29 70 B8 // movaps xmmword ptr [rax-48h], xmm6\n 0F 29 78 A8 // movaps xmmword ptr [rax-58h], xmm7\n 4C 8B E1 // mov r12, rcx\n 41 B5 01 // mov r13b, 1\n 4C 8B 71 10 // mov r14, [rcx+10h]\n 48 B9 FE FF FF FF FF FF FF 7F // mov rcx, 7FFFFFFFFFFFFFFEh\n 48 8B C1 // mov rax, rcx\n 49 2B C6 // sub rax, r14\n 48 83 F8 02 // cmp rax, 2\n 0F 82 D9 0C 00 00 // jb loc_14000CBB5\n 4D 8B FC // mov r15, r12\n 49 83 7C 24 18 07 // cmp qword ptr [r12+18h], 7\n }\n\n condition:\n $mutex\n or (1 of ($stub_*) and 4 of ($some_str*))\n or 10 of ($some_str*)\n}\n", "rule_count": 1, "rule_names": [ "chaos_ransomware" ], "rule_creation_date": "2025-10-15", "rule_modified_date": "2025-11-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.CHAOS" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071", "attack.t1497", "attack.t1134", "attack.t1622" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_darkside_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568955Z", 
"creation_date": "2026-03-23T11:46:25.568958Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568963Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations" ], "name": "ransomware_darkside.yar", "content": "rule ransomware_darkside {\n meta:\n title = \"Darkside Ransomware\"\n id = \"f226af0c-0553-44cf-80f2-6adfd3a8dc24\"\n description = \"Detects the Darkside Ransomware.\\nDarkside is a ransomware known for its association with the DarkSide hacking group. It encrypts files on infected systems, typically appending a specific extension to encrypted files. \\nThe ransomware is designed to disrupt operations and demands payment for decryption keys.\\nIt is often delivered through phishing emails or malicious links, and it uses tools like PsExec for persistence and lateral movement within a network.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations\"\n date = \"2021-05-19\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Darkside\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\n // Unicode string '\\\\?\\C:\\*recycle*' used to locate recycle bin in order to empty it\n $s1 = {\n 66 C7 04 47 2A 00 // mov word ptr [edi+eax*2], 2Ah\n C7 44 47 02 72 00 65 00 // mov dword ptr [edi+eax*2+2], 650072h\n C7 44 47 06 63 00 79 00 // mov dword ptr [edi+eax*2+6], 790063h\n C7 44 47 0A 63 00 6C 00 // mov dword ptr [edi+eax*2+0Ah], 6C0063h\n C7 44 47 0E 65 00 2A 00 // mov dword ptr [edi+eax*2+0Eh], 2A0065h\n 66 C7 44 47 12 00 00 // mov word ptr [edi+eax*2+12h], 0\n }\n condition:\n uint16(0) == 0x5A4D and filesize < 100KB and $s1\n}\n", "rule_count": 1, "rule_names": [ "ransomware_darkside" ], "rule_creation_date": "2021-05-19", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Darkside" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_funklocker_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583349Z", "creation_date": "2026-03-23T11:46:25.583351Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583359Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/" ], "name": "ransomware_funklocker.yar", "content": "rule ransomware_funklocker {\n meta:\n title = \"FunkLocker Ransomware\"\n id = \"556fd44a-16f5-41ed-9f85-dc4e45b1e4e5\"\n description = \"Detects the FunkLocker ransomware via characteristic strings.\\nFunkLocker is a Rust-based ransomware targeting Windows systems. 
This malware employs evasion techniques including masquerading as legitimate system processes to avoid detection and incorporates virtual machine detection mechanisms to evade automated analysis environments.\\nIf this alert is a true-positive, it is recommended to immediately isolate the affected machine from the network to prevent lateral movement, to initiate incident response procedures and investigate other hosts for signs of compromise.\"\n references = \"https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/\"\n date = \"2025-01-10\"\n modified = \"2025-07-03\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.FunkLocker\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd\n // 89b9f7499d59d0d308f5ad02cd6fddd55b368190c37f6c5413c4cfcd343eeff3\n // c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c\n\n $s_misc1 = \"Your organization, device has been successfully infiltrated by funksec ransomware!\" ascii\n $s_misc2 = \"VM detected, aborting\" ascii\n $s_misc3 = \"Scheduled task created to run ransomware at startup\" ascii\n $s_misc4 = \"downloaded_wallpaper.jpg\" ascii\n\n $s_proc00 = \"iTunes.exe\" ascii\n $s_proc01 = \"photoshop.exe\" ascii\n $s_proc02 = \"powerpnt.exe\" ascii\n $s_proc03 = \"node.exe\" ascii\n $s_proc04 = \"discord.exe\" ascii\n $s_proc05 = \"spotify.exe\" ascii\n $s_proc06 = \"skype.exe\" ascii\n $s_proc07 = \"teams.exe\" ascii\n $s_proc08 = \"vlc.exe\" ascii\n\n $s_vm_detection_srv00 = \"vboxservice\" ascii\n $s_vm_detection_srv01 = \"qemu\" ascii\n $s_vm_detection_srv02 = \"hyperv\" ascii\n $s_vm_detection_srv03 = \"vmware\" ascii\n\n condition:\n all of ($s_misc*) and\n 6 of ($s_proc*) and\n 2 of ($s_vm_detection_srv*)\n}\n", "rule_count": 1, "rule_names": [ 
"ransomware_funklocker" ], "rule_creation_date": "2025-01-10", "rule_modified_date": "2025-07-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.FunkLocker" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_hermeticransom_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586845Z", "creation_date": "2026-03-23T11:46:25.586848Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586853Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia" ], "name": "ransomware_hermeticransom.yar", "content": "rule hermetic_ransom {\n meta:\n title = \"HermeticRansom\"\n id = \"0f46fcd6-b6f6-4b88-bc75-f12944b6f017\"\n description = \"Detects the ransomware HermeticRansom (aka PartyTicket).\\nHermeticRansom is a Go-based ransomware known for its role in attacks targeting organizations in Ukraine in February 
2022.\\nIt uses a flawed encryption mechanism that makes it decryptable under certain conditions, as it does not properly initialize the encryption key.\\nThe ransomware drops a note demanding payment in exchange for decryption keys and includes specific text strings related to its operation, such as voting-related messages and encryption confirmation.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\"\n date = \"2022-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002\"\n classification = \"Windows.Ransomware.HermeticRansom\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\n\n $s1 = \"403forBiden/wHiteHousE\" ascii\n $s2 = \"The only thing that we learn from new elections is we learned nothing from the old!\" ascii\n $s3 = \"Thank you for your vote! All your files, documents, photoes, videos, databases etc. 
have been successfully encrypted!\" ascii\n $s4 = \"Now your computer has a special ID:\" ascii\n $s5 = \"Do not try to decrypt then by yourself - it's impossible!\" ascii\n $s6 = \"vote2024forjb@protonmail.com\" ascii\n $s7 = \"encryptedJBadvapi32.dll\" ascii\n\n $go_buildid1 = \"Go build ID:\" ascii\n $go_buildid2 = \"qb0H7AdWAYDzfMA1J80B/nJ9FF8fupJl4qnE4WvA5/PWkwEJfKUrRbYN59_Jba/2o0VIyvqINFbLsDsFyL2\" ascii\n\n condition:\n uint16(0) == 0x5A4D and filesize < 5MB and ((5 of ($s*)) or (all of ($go_buildid*)))\n}\n", "rule_count": 1, "rule_names": [ "hermetic_ransom" ], "rule_creation_date": "2022-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.HermeticRansom" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_icefire_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586308Z", "creation_date": "2026-03-23T11:46:25.586310Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586316Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": 
null, "references": [ "https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/" ], "name": "ransomware_icefire_linux.yar", "content": "rule ransomware_icefire_linux {\n meta:\n title = \"IceFire Ransomware (Linux)\"\n id = \"5ca01180-d889-4fd4-94fb-0c9b1ce7f29b\"\n description = \"Detects the IceFire ransomware.\\nIceFire is a ransomware that first emerged in March 2022 targeting Windows systems.\\nA Linux variant appeared in March 2023, exploiting a vulnerability in IBM Aspera Faspex.\\nIt is recommended to investigate the process tree and file system operations for suspicious activities.\"\n references = \"https://www.sentinelone.com/labs/icefire-ransomware-returns-now-targeting-linux-enterprise-networks/\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Linux.Ransomware.IceFire\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b\n\n $s1 = \"********************Your network has been infected!!!********************\" ascii fullword\n $s2 = \"/iFire-readme.txt\" ascii fullword\n $s3 = \"iFire\" ascii fullword\n $s4 = \".cfg.o.sh.img.txt.xml.jar.pid.ini.pyc.a.so.run.env.cache.xmlb\" ascii fullword\n $s5 = \"6666666666666666\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\crypto/init.c\" ascii fullword\n\n condition:\n uint16(0) == 0x457f and 2 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_icefire_linux" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Ransomware.IceFire" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { 
"id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_industrial_spy_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576454Z", "creation_date": "2026-03-23T11:46:25.576456Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576461Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware" ], "name": "ransomware_industrial_spy.yar", "content": "rule ransomware_industrial_spy {\n meta:\n title = \"Industrial Spy Ransomware\"\n id = \"b947045c-38bf-4962-9ac7-31e6edde7e51\"\n description = \"Detects the Industrial Spy ransomware.\\nThis ransomware removes shadow copies and displays a ransom note instructing victims to pay at a TOR hidden site.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware\"\n date = \"2022-07-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.IndustrialSpy\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0\n\n $s1 = \"File opening error is:\" fullword wide\n $s2 = \"File unlocking error\" fullword wide\n $s3 = \"\\\\microsoft\\\\\" fullword wide\n $s4 = \"\\\\google\\\\chrome\" fullword wide\n $s5 = \"\\\\mozilla\\\\firefox\" fullword wide\n $s6 = \"\\\\opera\\\\\" fullword wide\n\n\n // 0xFEEDBEEF is appended at the end of files\n\n $o1 = {EF BE ED FE} // 81 3E EF BE ED FE cmp dword ptr [rsi], 0FEEDBEEFh\n $o2 = {B8 AB AA AA AA} // B8 AB AA AA AA mov eax, 0AAAAAAABh\n\n // C7 44 24 50 01 23 45 67 mov [rsp+0E40h+var_DF0], 67452301h\n // C7 44 24 54 89 AB CD EF mov [rsp+0E40h+var_DEC], 0EFCDAB89h\n // C7 44 24 58 FE DC BA 98 mov [rsp+0E40h+var_DE8], 98BADCFEh\n // C7 44 24 5C 76 54 32 10 mov [rsp+0E40h+var_DE4], 10325476h\n $o3 = { 01 23 45 67\n [4] 89 AB CD EF\n [4] FE DC BA 98\n [4] 76 54 32 10\n }\n\n // DES SBox\n $o4 = { 38 30 28 20 18 10 08 00\n 39 31 29 21 19 11 09 01\n 3A 32 2A 22 1A 12 0A 02\n 3B 33 2B 23 3E 36 2E 26\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 300KB and all of ($s*) and all of ($o*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_industrial_spy" ], "rule_creation_date": "2022-07-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.IndustrialSpy" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, 
"rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_lockbit_v3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577842Z", "creation_date": "2026-03-23T11:46:25.577845Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577850Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a\nhttps://www.txone.com/blog/malware-analysis-lockbit-3-0/" ], "name": "ransomware_lockbit_v3.yar", "content": "rule ransomware_lockbit_v3 {\n meta:\n title = \"LockBit 3.0 Ransomware\"\n id = \"86d13d46-97f1-4cdd-acbb-ccd81a40ffc2\"\n description = \"Detects the LockBit 3.0 ransomware, also known as LockBit Black, a highly destructive ransomware variant first identified in March 2022.\\nLockBit 3.0 employs a password-based unpacking mechanism to decrypt its original text section, a technique reminiscent of the BlackCat ransomware.\\nThis method is used to obfuscate the malware's true nature and evade initial detection.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is 
linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a\\nhttps://www.txone.com/blog/malware-analysis-lockbit-3-0/\"\n date = \"2024-05-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.LockBit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 99e9a539fef7c700018a515d2d4dc956a2ea280a6ce7d4f1495c122ad081e9eb\n // dd66f2bea47cca7b54aad15492de0de218e66fac761e73e11db8826396d6954d\n // 469604b689856c87463cad6d8df0e9f0da388d4046562b7979ded9f2f4a7b0cb\n // ef65e2732f9d5bccadcb70f4721f340663ea605618b469915c36d85140c7e850\n // 7655eef333753f91469fb05856dda21e43d1108a7cb93754f386d675edcd55b5\n // 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce\n // eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12\n // c75916ce1b114a3618c287b1a094ed206ff1aa3e5f5208f91c5c601a5247427a\n\n $unpack_sections1 = {\n 66 83 F8 61 // cmp ax, 61h ; 'a'\n 72 0C // jb short loc_41B15F\n 66 83 F8 66 // cmp ax, 66h ; 'f'\n 77 06 // ja short loc_41B15F\n 66 83 E8 57 // sub ax, 57h ; 'W'\n EB 14 // jmp short loc_41B173\n\n // loc_41B15F:\n 66 83 F8 30 // cmp ax, 30h ; '0'\n 72 0C // jb short loc_41B171\n 66 83 F8 39 // cmp ax, 39h ; '9'\n 77 06 // ja short loc_41B171\n 66 83 E8 30 // sub ax, 30h ; '0'\n EB 02 // jmp short loc_41B173\n }\n\n $unpack_sections2 = {\n B9 61 00 00 00 // mov ecx, 61h ; 'a'\n AC // lodsb\n 3C 41 // cmp al, 41h ; 'A'\n 72 06 // jb short loc_41B10A\n 3C 5A // cmp al, 5Ah ; 'Z'\n 77 02 // ja short loc_41B10A\n 0C 20 // or al, 20h\n }\n\n $unpack_sections3 = {\n 3D 75 80 91 76 // cmp eax, 76918075h\n 74 ?? // jz short loc_41B082\n 3D 1B A4 04 00 // cmp eax, 4A41Bh\n 74 ?? 
// jz short loc_41B082\n 3D 9B B4 84 0B // cmp eax, 0B84B49Bh\n 75 ?? // jnz short loc_41B09A\n }\n\n $decrypt_text_segment = {\n 8A 54 0D 00 // mov dl, [ebp+ecx+var_s0]\n 02 D3 // add dl, bl\n 8A 5C 15 00 // mov bl, [ebp+edx+var_s0]\n 8A 54 1D 00 // mov dl, [ebp+ebx+var_s0]\n 8A 54 15 00 // mov dl, [ebp+edx+var_s0]\n FE C2 // inc dl\n 8A 44 15 00 // mov al, [ebp+edx+var_s0]\n 30 07 // xor [edi], al\n 8A 54 1D 00 // mov dl, [ebp+ebx+var_s0]\n 86 54 0D 00 // xchg dl, [ebp+ecx+var_s0]\n 88 54 1D 00 // mov [ebp+ebx+var_s0], dl\n }\n\n $str_hashing = {\n 33 C9 // xor ecx, ecx\n B9 30 00 00 00 // mov ecx, 30h ; '0'\n 8D 0C 4D 01 00 00 00 // lea ecx, ds:1[ecx*2]\n 02 F1 // add dh, cl\n 2A F1 // sub dh, cl\n 33 C9 // xor ecx, ecx\n B9 06 00 00 00 // mov ecx, 6\n 8D 0C 4D 01 00 00 00 // lea ecx, ds:1[ecx*2]\n D3 CA // ror edx, cl\n 03 D0 // add edx, eax\n 90 // nop\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_4011D2\n }\n\n $api_hash = {\n 0F EF C0 // pxor mm0, mm0\n 0F EF C9 // pxor mm1, mm1\n 33 C0 // xor eax, eax\n 40 // inc eax\n C1 E0 05 // shl eax, 5\n 8D 40 10 // lea eax, [eax+10h]\n 64 8B 00 // mov eax, fs:[eax]\n 8B 40 0C // mov eax, [eax+0Ch]\n 8D 48 0C // lea ecx, [eax+0Ch]\n 89 4D F8 // mov [ebp+var_8], ecx\n 8B 48 0C // mov ecx, [eax+0Ch]\n }\n\n condition:\n 2 of them\n}\n", "rule_count": 1, "rule_names": [ "ransomware_lockbit_v3" ], "rule_creation_date": "2024-05-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.LockBit" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_lynx_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583311Z", "creation_date": "2026-03-23T11:46:25.583314Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583321Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/" ], "name": "ransomware_lynx.yar", "content": "rule ransomware_lynx {\n meta:\n title = \"Lynx Ransomware\"\n id = \"ca10d357-f2c9-44df-b1a8-892c733e3dd8\"\n description = \"Detects the Lynx ransomware.\\nLynx is a ransomware that emerged in July 2024 as the successor to the Inc ransomware group.\\nThis ransomware continues the same double extortion tactics, encrypting victim files and threatening to leak stolen data unless a ransom is paid.\\nThe ransomware family is known for its sophisticated encryption methods and use of error handling mechanisms to mask its activities.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/\"\n date = \"2024-12-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Lynx\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b\n // 85699c7180ad77f2ede0b15862bb7b51ad9df0478ed394866ac7fa9362bf5683\n // ecbfea3e7869166dd418f15387bc33ce46f2c72168f571071916b5054d7f6e49\n // 589ff3a5741336fa7c98dbcef4e8aecea347ea0f349b9949c6a5f6cd9d821a23\n\n $s1 = \"Encrypt 100%% from entire file\" ascii\n $s2 = \"[-] Error while importing key: %s\" ascii fullword\n $s3 = \"[-] Failed to decode readme: %s\" ascii fullword\n $s4 = \"LYNX\" ascii fullword\n $s5 = \"[+] Proccess %s with PID: %d was killed succesffully\" wide fullword\n $s6 = \"\\\\background-image.jpg\" wide fullword\n\n $x = {\n 0F B7 3C 03 // movzx edi, word ptr [ebx+eax]\n 8B D1 // mov edx, ecx\n 8D 4A BF // lea ecx, [edx-41h]\n 83 F9 19 // cmp ecx, 19h\n 8D 72 20 // lea esi, [edx+20h]\n 8D 4F BF // lea ecx, [edi-41h]\n 0F 47 F2 // cmova esi, edx\n 83 F9 19 // cmp ecx, 19h\n 8D 57 20 // lea edx, [edi+20h]\n 0F 47 D7 // cmova edx, edi\n 2B D6 // sub edx, esi\n 75 09 // jnz short loc_405E3A\n }\n\n condition:\n 4 of ($s*) or $x\n}\n", "rule_count": 1, "rule_names": [ "ransomware_lynx" ], "rule_creation_date": "2024-12-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Lynx" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_notes_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589251Z", "creation_date": "2026-03-23T11:46:25.589254Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589259Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://github.com/threatlabz/ransomware_notes/\nhttps://github.com/eshlomo1/Ransomware-NOTE" ], "name": "ransomware_notes_linux.yar", "content": "rule ransomware_notes_linux {\n meta:\n title = \"Ransomware Notes on Linux\"\n id = \"1f83e636-5c55-4842-8e48-3c9e5c1c7c3f\"\n description = \"Detects notes dropped by ransomware after encrypting files on Linux systems.\\nThese notes typically contain demands for payment, instructions for decryption, and warnings about data leakage.\\nThe rule identifies such notes by scanning for specific strings left by various ransomware families, aiding in the identification of different ransomware strains.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/threatlabz/ransomware_notes/\\nhttps://github.com/eshlomo1/Ransomware-NOTE\"\n date = \"2024-02-26\"\n modified = \"2026-02-11\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Linux.Ransomware.Unknown\"\n context = \"process,memory,thread,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // Detection for this sample:\n // 756ad48c814dea9e8f9f65dd2d796913386eb46d23514854dceeba91cd94772d\n\n $canary = \"d6540ca7d3407bc543c3cb7b20a2fca13c96efa183faf250775baea2f2f8257ac25ac59f7a0a27a04c8733ee47ca971cf4b81c4513319d4ff301cc7e81da488d\"\n\n $s_8base_00 = \"Now its fate is up to you\" wide ascii\n $s_8base_01 = \"After 4 days starting tomorrow your leaked data will be Disclosed or sold\" wide ascii\n $s_abysslocker_00 = \"Your company Servers are locked and Data has been taken to our servers.\" wide ascii\n $s_abysslocker_01 = \"We will make you business stop forever by using all of our experience to make your partners\" wide ascii\n $s_akira_01 = \"Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead\" wide ascii\n $s_akira_02 = \"keep all the tears and resentment to ourselves and try to build a constructive dialogue\" wide ascii\n $s_alphav_00 = \"Data on Your network was exfiltrated and encrypted\" wide ascii\n $s_alphav_01 = \"Modifying encrypted files will result in permanent data loss!\" wide ascii\n $s_alphav_02 = \"If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly\" wide ascii\n $s_alphav_03 = \"Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate\" wide ascii\n $s_atomsilo_00 = \"The only way to decrypt your files safely is to buy the special decryption software from us\" wide 
ascii\n $s_atomsilo_01 = \"Sorry to inform you that your files has been obtained and encrypted by us\" wide ascii\n $s_avaddon_00 = \"If you do not contact as in a 3 days we will post information about your breach on our public news website\" wide ascii\n $s_avaddon_01 = \"DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED\" wide ascii\n $s_avoslocker_00 = \"Contact us soon, because those who don't have their data leaked in our press release blog\" wide ascii\n $s_bianlian_00 = \"touch no files, don't try to recover by yourself, that may lead to it's complete loss\" wide ascii\n $s_biglock_00 = \"AND MARKED BY EXTENSION .nermer\" wide ascii\n $s_biglock_01 = \"YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES\" wide ascii\n $s_bitpaymer_00 = \"YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!\" wide ascii\n $s_bitpaymer_01 = \"Your network was hacked and encrypted\" wide ascii\n $s_bitransomware_00 = \"The only method of recovering files is to purchase an unique decryptor\" wide ascii\n $s_blackbasta_00 = \"Your data are stolen and encrypted\" wide ascii\n $s_blackbasta_01 = \"we will consider this as a hostile intent and initiate the publication of whole compromised data immediately\" wide ascii\n $s_blackbyte_00 = \"Your network has been breached and all data was encrypted\" wide ascii\n $s_blackbyte_01 = \"If you read this message thats means your files already for sell in our Auction\" wide ascii\n $s_blackbyte_02 = \"All your files have been encrypted, your confidential data has been stolen\" wide ascii\n $s_blackbyte_03 = \"in order to decrypt files and avoid leakage, you must follow our steps\" wide ascii\n $s_blackhunt_00 = \"Remember we are first and last solution for your files otherwise you will only waste money and time\" wide ascii\n $s_blackmatter_00 = \"Your network is encrypted, and currently not operational\" wide ascii\n $s_blackmatter_01 = \"We are not a politically motivated group and we do not need anything\" wide ascii\n 
$s_blacksuit_00 = \"Your safety service did a really poor job of protecting your files against our professionals\" wide ascii\n $s_blacksnake_00 = \"NOT BIGGER THAN 5 MB, WE ARE NOT RESPONSIBLE IF THE FILE CONTAINS ANY PERSONAL INFORMATION\" wide ascii\n $s_bluesky_00 = \"YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!\" wide ascii\n $s_cactus_00 = \"Your systems were accessed and encrypted by Cactus\" wide ascii\n $s_cactus_01 = \"we have downloaded a huge pack of confidential information from your systems\" wide ascii\n $s_cartel_00 = \"Its just a business. We absolutely do not care about you and your deals, except getting benefits\" wide ascii\n $s_cerber_01_generic = \"YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED\" wide ascii nocase\n $s_cerber_02 = \"the worst situation already happened and now it depends on\" wide ascii\n $s_cerber_03 = \"your determination and speed of your actions the further life\" wide ascii\n $s_cerber_04 = \"DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!\" wide ascii\n $s_chilelocker_00 = \"copy or move any files or you can DAMAGE them and decryption will be impossible.\" wide ascii\n $s_chilelocker_01 = \"Your security perimeter was BREACHED\" wide ascii\n $s_chilelocker_02 = \"Critically important servers and hosts were completely ENCRYPTED.\" wide ascii\n $s_cloak_00 = \"Your network is hacked and files are encrypted\" wide ascii\n $s_clop_00 = \"Your network has been penetrated\" wide ascii\n $s_clop_01 = \"DO NOT ATTEMPT TO RESTORE OR MOVE THE FILES YOURSELF. THIS MAY DESTROY THEM\" wide ascii\n $s_conti_00 = \"All of your files are currently encrypted by CONTI\" wide ascii\n $s_cryptnet_00 = \"All of your files are encrypted and stolen. 
Stolen data will be published soon\" wide ascii\n $s_cryptomix_00 = \"All your files have been encrypted\" wide ascii\n $s_cryptxxx_00 = \"you better not waste your time, because there is no other way to get your files\" wide ascii\n $s_cryptox_00_generic = \"Do not try to decrypt your data using third party software\" ascii wide nocase\n $s_cuba_00 = \"Good day. All your files are encrypted. For decryption contact us\" ascii wide nocase\n $s_dagonlocker_00 = \"partner contracts and employees has been exfiltrated to our internal servers\" wide ascii\n $s_darkangels_00 = \"We encrypted your workstations and servers to make the fact of the intrusion visible\" wide ascii\n $s_doppelpaymer_00 = \"backups and shadow copies are unavailable until you pay for a decryption tool\" wide ascii\n $s_doppelpaymer_01 = \"decide not to cooperate your sensitive data will be shared to public\" wide ascii\n $s_doppelpaymer_02 = \"files on each host in the network have been encrypted with a strong algorythm\" wide ascii\n $s_dragonforce_00 = \"have been stolen from your network and encrypted with a strong algorithm\" wide ascii\n $s_ech0raix = \"All your data has been locked(crypted)\" wide ascii\n $s_esxiargs = \"otherwise we will expose some data and raise the price\" wide ascii\n $s_ftcode = \"Decoders of other users is not suitable to back your files - encryption key is created on your computer\" wide ascii\n $s_gandcrab_00 = \"The only method of recovering files is to purchase an unique private key\" wide ascii\n $s_gwisinlocker = \"We have exfiltrated a lot of sensitive data from your networks\" wide ascii\n $s_h0lygh0st = \"you can return all of your files immediately if you pay\" wide ascii\n $s_hive_00 = \"Your network has been breached and all data were encrypted\" wide ascii\n $s_hunters_00 = \"Don't waste time. Inform your CEO about the incident ASAP. 
Show Data Leak Site:\" wide ascii\n $s_icefire = \"Restore your data posible only buying private key from us\" wide ascii\n $s_inc_00 = \"We have hacked you and downloaded all confidential data of your company and its clients\" wide ascii\n $s_jaff = \"After instalation, run the Tor Browser and enter address:\" wide ascii\n $s_karakurt = \"We breached your internal network and took control over all of your systems\" wide ascii\n $s_karma = \"Contact us to negotiate the terms of reversing the damage we have done\" wide ascii\n $s_knight_00 = \"Your files are encrypted, without our help, it's irreversible.\" wide ascii\n $s_knight_01 = \"If you don't pay the ransom, the data will be published on our blog\" wide ascii\n $s_lilith = \"All your important files have been encrypted and stolen\" wide ascii\n $s_lockbit00 = \"We are the oldest ransomware affiliate program on the planet\" wide ascii\n $s_lockbit01 = \"You can contact us and decrypt one file for free on these TOR sites\" wide ascii\n $s_lockbit02 = \"If you don't pay the ransom, the data will be published on our TOR darknet sites\" wide ascii\n $s_locky = \"Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server\" wide ascii\n $s_lorenz00 = \"It's just a business. 
We absolutely do not care about you and your deals, except getting benefits\" wide ascii\n $s_luckbit = \"We have targeted your organization for a reason, and we possess the capability to carry out our threats\" wide ascii\n $s_IV = \"But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files\" wide ascii\n $s_magniber = \"ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!\" wide ascii\n $s_makop = \"We have exfiltrated tons of your private data to our servers including data of your clients\" wide ascii\n $s_mallow = \"To return your files in work condition you need decryption tool\" wide ascii\n $s_maze = \"The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers\" wide ascii\n $s_medusa = \"1. We have PENETRATE your network and COPIED data\" wide ascii\n $s_medusalocker = \"If you decide to not pay, we will release your data to public or re-seller\" wide ascii\n $s_moneymessage = \"we will post the files we stole from your internal network, in our blog\" wide ascii\n $s_monti = \"DON'T TRY TO CONTACT feds or any recovery companies\" wide ascii\n $s_nefilim = \"If we do not come to an agreement your data will be leaked on this website\" wide ascii\n $s_nemty00 = \"It's a business, if we can't provide full decryption, other people won't trust us\" wide ascii\n $s_nemty01 = \"We provide test decryption, as proof that we can decrypt your data\" wide ascii\n $s_netwalker = \"the only way to get your files back is to cooperate with us and get the decrypter program\" wide ascii\n $s_nevada = \"Greetings! 
Your files were stolen and encrypted\" wide ascii\n $s_qlocker = \"This key is stored in our server and the only way to receive your key and decrypt your files is\" wide ascii\n $s_quantum = \"in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted\" wide ascii\n $s_ragnarlocker00 = \"it means your network was PENETRATED and your most sensitive files were COMPROMISED\" wide ascii\n $s_ragnarlocker01 = \"it means your network was PENETRATED and all of your files and data has been ENCRYPTED\" wide ascii\n $s_ragnarok = \"Attention:if you wont pay the ransom in five days,\" wide ascii\n $s_rancoz = \"If you do not pay the ransom we will attack your company repeatedly again!\" wide ascii\n $s_ransomexx00 = \"Please don’t try to modify or rename any of encrypted files, because it can result in serious data loss and decryption failure.\" wide ascii\n $s_ransomexx01 = \"To get details about this accident download TOR browser and visit:\" wide ascii\n $s_ransomexx02 = \"Contact us ONLY if you officially represent the whole affected network\" wide ascii\n $s_ranzy = \"Your servers is LOCKED. 
Do not try to use other software\" wide ascii\n $s_raworld = \"Your data are stolen and encrypted when you read this letter\" wide ascii\n $s_redalert = \"We have encrypted your files and stole large amount of sensitive data\" wide ascii\n $s_revil00 = \"Our encryption algorithm is the most technically difficult and max resistant to burglary\" wide ascii\n $s_rhysida = \"Our team has developed a unique key, specifically designed to restore your digital security\" wide ascii\n $s_royal = \"Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server\" wide ascii\n $s_rtmlocker = \"The only way to recover your files is to buy our dedicated software\" wide ascii\n $s_scarecrow = \"ScareCrow encrypted your files!\" wide ascii\n $s_schoolboys = \"We are not a politically motivated group and we do not need anything other than your money\" wide ascii\n $s_shadow = \"The data will be published on TOR website if you do not pay the ransom\" wide ascii\n $s_slug = \"If you don't contact within three days, we'll start leaking data\" wide ascii\n $s_snatch = \"All your files are encrypted and only we can decrypt them\" wide ascii\n $s_stop = \"The only method of recovering files is to purchase decrypt tool and unique key for you\" wide ascii\n $s_suncrypt = \"If you fail to follow our recommendations, you will never see your files again\" wide ascii\n $s_teslacrypt = \"Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server\" wide ascii\n $s_trigona = \"The program uses a secure AES algorithm, which makes decryption impossible without contacting us\" wide ascii\n $s_ubomb = \"YOUR COMPANY NETWORK HAS BEEN PENETRATED\" wide ascii\n $s_underground = \"they can be restored to their original state with a decryptor key that only we have\" wide ascii\n $s_vohuk = \"ALL YOUR FILES ARE STOLEN AND ENCRYPTED.\" wide ascii\n $s_xorist = \"will allow you to decrypt the 
files, is locate on a secret server on the internet\" wide ascii\n $s_yanluowang = \"We will also stop any communication with you, and continue DDoS, calls to employees and business partners\" wide ascii\n $s_zeon = \"downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond\" wide ascii\n\n // Exclusions to limit false positive\n $filter_00 = \"veeamfs is readonly!\" ascii fullword\n $filter_01 = \"unknown veeamfs version: \" ascii fullword\n $filter_02 = \"/var/tmp/veeam/socket/veeamservice.sock\" ascii fullword\n $filter_03 = \"Veeam RPC server terminated.\" ascii fullword\n $filter_04 = \"-lflush,VeeamAgent.Default.log\" ascii fullword\n $filter_05 = \"Veeam RPC packet not recognized.\" ascii\n // Zimbra clamd (f75e21159c75c2c002cf7810f53744ba13323ac8b70c4e2d952a38c4ffc6902d)\n $filter_06 = \"ClamAV %s/%u/%s\" ascii fullword\n $filter_07 = \"clamd_virus_found_cb \" ascii fullword\n // /usr/bin/ceph-osd (a6526dc673243048ec56e21a6eea2112c9547d8ab8a30eca03f81ae6aceb65ce)\n $filter_08 = \"ceph::common::CephContext::~CephContext()\" ascii fullword\n $filter_09 = \"Cephx version required\" ascii\n\n condition:\n 1 of ($s_*)\n and not $canary\n and not 2 of ($filter_*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_notes_linux" ], "rule_creation_date": "2024-02-26", "rule_modified_date": "2026-02-11", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Ransomware.Unknown" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 70, "rule_context": [ "file.elf", "thread", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_notes_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590359Z", "creation_date": "2026-03-23T11:46:25.590361Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590367Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://github.com/threatlabz/ransomware_notes/\nhttps://github.com/eshlomo1/Ransomware-NOTE" ], "name": "ransomware_notes.yar", "content": "rule ransomware_notes {\n meta:\n title = \"Ransomware Notes\"\n id = \"1e98a35f-f2b4-4f4d-80e7-80ee9d35c91d\"\n description = \"Detects PE files and process memory that embed ransom-note text of the kind dropped after encryption; the rule context (process, memory, thread, file.pe) means it flags the binary carrying the note rather than the dropped text file itself.\\nThese notes typically contain messages from various ransomware families, such as Cerber, Locky, and others, instructing victims on how to pay the ransom or how to obtain proof that their files can be decrypted. The messages often include specific instructions, deadlines, or demands for payment in exchange for the decryption key.\\nA single matching phrase is enough for the rule to fire and some phrases are generic (for example 'All your files have been encrypted'), so legitimate security or backup software that embeds such text can match (the $filter_* exclusions exist for that reason); review the matched string before acting on the alert.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/threatlabz/ransomware_notes/\\nhttps://github.com/eshlomo1/Ransomware-NOTE\"\n date = \"2024-02-23\"\n modified = \"2026-02-11\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Unknown\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"moderate\"\n\n strings:\n // Detection for this sample:\n // 6a207be6807f1ea51f0bdeeb89e3ea4f0560f48f9b7ed3ed4ea68a212e2714ca\n\n $canary = \"709b12cb94f42b127ca6af9cff87ff8fd00edb4b97cf05a7ef4594c9ca02f3ac\"\n\n $s_8base_00 = \"Now its fate is up to you\" wide ascii\n $s_8base_01 = \"After 4 days starting tomorrow your leaked data will be Disclosed or sold\" wide ascii\n $s_abysslocker_00 = \"Your company Servers are locked and Data has been taken to our servers.\" wide ascii\n $s_abysslocker_01 = \"We will make you business stop forever by using all of our experience to make your partners\" wide ascii\n $s_akira_01 = \"Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead\" wide ascii\n $s_akira_02 = \"keep all the tears and resentment to ourselves and try to build a constructive dialogue\" wide ascii\n $s_alphav_00 = \"Data on Your network was exfiltrated and encrypted\" wide ascii\n $s_alphav_01 = \"Modifying encrypted files will result in permanent data loss!\" wide ascii\n $s_alphav_02 = \"If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly\" wide ascii\n $s_alphav_03 = \"Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate\" wide ascii\n $s_atomsilo_00 = \"The only way to decrypt your files safely is to buy the special decryption software from us\" wide ascii\n $s_atomsilo_01 = \"Sorry to inform you that your 
files has been obtained and encrypted by us\" wide ascii\n $s_avaddon_00 = \"If you do not contact as in a 3 days we will post information about your breach on our public news website\" wide ascii\n $s_avaddon_01 = \"DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED\" wide ascii\n $s_avoslocker_00 = \"Contact us soon, because those who don't have their data leaked in our press release blog\" wide ascii\n $s_bianlian_00 = \"touch no files, don't try to recover by yourself, that may lead to it's complete loss\" wide ascii\n $s_biglock_00 = \"AND MARKED BY EXTENSION .nermer\" wide ascii\n $s_biglock_01 = \"YOUR FILES ARE SAFE! ONLY MODIFIED :: ChaCha + AES\" wide ascii\n $s_bitpaymer_00 = \"YOUR COMPANY HAS BEEN SUCCESSFULLY PENETRATED!\" wide ascii\n $s_bitpaymer_01 = \"Your network was hacked and encrypted\" wide ascii\n $s_bitransomware_00 = \"The only method of recovering files is to purchase an unique decryptor\" wide ascii\n $s_blackbasta_00 = \"Your data are stolen and encrypted\" wide ascii\n $s_blackbasta_01 = \"we will consider this as a hostile intent and initiate the publication of whole compromised data immediately\" wide ascii\n $s_blackbyte_00 = \"Your network has been breached and all data was encrypted\" wide ascii\n $s_blackbyte_01 = \"If you read this message thats means your files already for sell in our Auction\" wide ascii\n $s_blackbyte_02 = \"All your files have been encrypted, your confidential data has been stolen\" wide ascii\n $s_blackbyte_03 = \"in order to decrypt files and avoid leakage, you must follow our steps\" wide ascii\n $s_blackhunt_00 = \"Remember we are first and last solution for your files otherwise you will only waste money and time\" wide ascii\n $s_blackmatter_00 = \"Your network is encrypted, and currently not operational\" wide ascii\n $s_blackmatter_01 = \"We are not a politically motivated group and we do not need anything\" wide ascii\n $s_blacksuit_00 = \"Your safety service did a really poor job of 
protecting your files against our professionals\" wide ascii\n $s_blacksnake_00 = \"NOT BIGGER THAN 5 MB, WE ARE NOT RESPONSIBLE IF THE FILE CONTAINS ANY PERSONAL INFORMATION\" wide ascii\n $s_bluesky_00 = \"YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!\" wide ascii\n $s_cactus_00 = \"Your systems were accessed and encrypted by Cactus\" wide ascii\n $s_cactus_01 = \"we have downloaded a huge pack of confidential information from your systems\" wide ascii\n $s_cartel_00 = \"Its just a business. We absolutely do not care about you and your deals, except getting benefits\" wide ascii\n $s_cerber_01_generic = \"YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED\" wide ascii nocase\n $s_cerber_02 = \"the worst situation already happened and now it depends on\" wide ascii\n $s_cerber_03 = \"your determination and speed of your actions the further life\" wide ascii\n $s_cerber_04 = \"DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!\" wide ascii\n $s_chilelocker_00 = \"copy or move any files or you can DAMAGE them and decryption will be impossible.\" wide ascii\n $s_chilelocker_01 = \"Your security perimeter was BREACHED\" wide ascii\n $s_chilelocker_02 = \"Critically important servers and hosts were completely ENCRYPTED.\" wide ascii\n $s_cloak_00 = \"Your network is hacked and files are encrypted\" wide ascii\n $s_clop_00 = \"Your network has been penetrated\" wide ascii\n $s_clop_01 = \"DO NOT ATTEMPT TO RESTORE OR MOVE THE FILES YOURSELF. THIS MAY DESTROY THEM\" wide ascii\n $s_conti_00 = \"All of your files are currently encrypted by CONTI\" wide ascii\n $s_cryptnet_00 = \"All of your files are encrypted and stolen. 
Stolen data will be published soon\" wide ascii\n $s_cryptomix_00 = \"All your files have been encrypted\" wide ascii\n $s_cryptxxx_00 = \"you better not waste your time, because there is no other way to get your files\" wide ascii\n $s_cryptox_00_generic = \"Do not try to decrypt your data using third party software\" ascii wide nocase\n $s_cuba_00 = \"Good day. All your files are encrypted. For decryption contact us\" ascii wide nocase\n $s_dagonlocker_00 = \"partner contracts and employees has been exfiltrated to our internal servers\" wide ascii\n $s_darkangels_00 = \"We encrypted your workstations and servers to make the fact of the intrusion visible\" wide ascii\n $s_doppelpaymer_00 = \"backups and shadow copies are unavailable until you pay for a decryption tool\" wide ascii\n $s_doppelpaymer_01 = \"decide not to cooperate your sensitive data will be shared to public\" wide ascii\n $s_doppelpaymer_02 = \"files on each host in the network have been encrypted with a strong algorythm\" wide ascii\n $s_dragonforce_00 = \"have been stolen from your network and encrypted with a strong algorithm\" wide ascii\n $s_ech0raix = \"All your data has been locked(crypted)\" wide ascii\n $s_esxiargs = \"otherwise we will expose some data and raise the price\" wide ascii\n $s_ftcode = \"Decoders of other users is not suitable to back your files - encryption key is created on your computer\" wide ascii\n $s_gandcrab_00 = \"The only method of recovering files is to purchase an unique private key\" wide ascii\n $s_gwisinlocker = \"We have exfiltrated a lot of sensitive data from your networks\" wide ascii\n $s_h0lygh0st = \"you can return all of your files immediately if you pay\" wide ascii\n $s_hive_00 = \"Your network has been breached and all data were encrypted\" wide ascii\n $s_hunters_00 = \"Don't waste time. Inform your CEO about the incident ASAP. 
Show Data Leak Site:\" wide ascii\n $s_icefire = \"Restore your data posible only buying private key from us\" wide ascii\n $s_inc_00 = \"We have hacked you and downloaded all confidential data of your company and its clients\" wide ascii\n $s_jaff = \"After instalation, run the Tor Browser and enter address:\" wide ascii\n $s_karakurt = \"We breached your internal network and took control over all of your systems\" wide ascii\n $s_karma = \"Contact us to negotiate the terms of reversing the damage we have done\" wide ascii\n $s_knight_00 = \"Your files are encrypted, without our help, it's irreversible.\" wide ascii\n $s_knight_01 = \"If you don't pay the ransom, the data will be published on our blog\" wide ascii\n $s_lilith = \"All your important files have been encrypted and stolen\" wide ascii\n $s_lockbit00 = \"We are the oldest ransomware affiliate program on the planet\" wide ascii\n $s_lockbit01 = \"You can contact us and decrypt one file for free on these TOR sites\" wide ascii\n $s_lockbit02 = \"If you don't pay the ransom, the data will be published on our TOR darknet sites\" wide ascii\n $s_locky = \"Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server\" wide ascii\n $s_lorenz00 = \"It's just a business. 
We absolutely do not care about you and your deals, except getting benefits\" wide ascii\n $s_luckbit = \"We have targeted your organization for a reason, and we possess the capability to carry out our threats\" wide ascii\n $s_IV = \"But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files\" wide ascii\n $s_magniber = \"ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!\" wide ascii\n $s_makop = \"We have exfiltrated tons of your private data to our servers including data of your clients\" wide ascii\n $s_mallow = \"To return your files in work condition you need decryption tool\" wide ascii\n $s_maze = \"The only method to restore your files is to purchase a unique for you private key which is securely stored on our servers\" wide ascii\n $s_medusa = \"1. We have PENETRATE your network and COPIED data\" wide ascii\n $s_medusalocker = \"If you decide to not pay, we will release your data to public or re-seller\" wide ascii\n $s_moneymessage = \"we will post the files we stole from your internal network, in our blog\" wide ascii\n $s_monti = \"DON'T TRY TO CONTACT feds or any recovery companies\" wide ascii\n $s_nefilim = \"If we do not come to an agreement your data will be leaked on this website\" wide ascii\n $s_nemty00 = \"It's a business, if we can't provide full decryption, other people won't trust us\" wide ascii\n $s_nemty01 = \"We provide test decryption, as proof that we can decrypt your data\" wide ascii\n $s_netwalker = \"the only way to get your files back is to cooperate with us and get the decrypter program\" wide ascii\n $s_nevada = \"Greetings! 
Your files were stolen and encrypted\" wide ascii\n $s_qlocker = \"This key is stored in our server and the only way to receive your key and decrypt your files is\" wide ascii\n $s_quantum = \"in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted\" wide ascii\n $s_ragnarlocker00 = \"it means your network was PENETRATED and your most sensitive files were COMPROMISED\" wide ascii\n $s_ragnarlocker01 = \"it means your network was PENETRATED and all of your files and data has been ENCRYPTED\" wide ascii\n $s_ragnarok = \"Attention:if you wont pay the ransom in five days,\" wide ascii\n $s_rancoz = \"If you do not pay the ransom we will attack your company repeatedly again!\" wide ascii\n $s_ransomexx00 = \"Please don’t try to modify or rename any of encrypted files, because it can result in serious data loss and decryption failure.\" wide ascii\n $s_ransomexx01 = \"To get details about this accident download TOR browser and visit:\" wide ascii\n $s_ransomexx02 = \"Contact us ONLY if you officially represent the whole affected network\" wide ascii\n $s_ranzy = \"Your servers is LOCKED. 
Do not try to use other software\" wide ascii\n $s_raworld = \"Your data are stolen and encrypted when you read this letter\" wide ascii\n $s_redalert = \"We have encrypted your files and stole large amount of sensitive data\" wide ascii\n $s_revil00 = \"Our encryption algorithm is the most technically difficult and max resistant to burglary\" wide ascii\n $s_rhysida = \"Our team has developed a unique key, specifically designed to restore your digital security\" wide ascii\n $s_royal = \"Alas, as a result your critical data was not only encrypted but also copied from your systems on a secure server\" wide ascii\n $s_rtmlocker = \"The only way to recover your files is to buy our dedicated software\" wide ascii\n $s_scarecrow = \"ScareCrow encrypted your files!\" wide ascii\n $s_schoolboys = \"We are not a politically motivated group and we do not need anything other than your money\" wide ascii\n $s_shadow = \"The data will be published on TOR website if you do not pay the ransom\" wide ascii\n $s_slug = \"If you don't contact within three days, we'll start leaking data\" wide ascii\n $s_snatch = \"All your files are encrypted and only we can decrypt them\" wide ascii\n $s_stop = \"The only method of recovering files is to purchase decrypt tool and unique key for you\" wide ascii\n $s_suncrypt = \"If you fail to follow our recommendations, you will never see your files again\" wide ascii\n $s_teslacrypt = \"Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server\" wide ascii\n $s_trigona = \"The program uses a secure AES algorithm, which makes decryption impossible without contacting us\" wide ascii\n $s_ubomb = \"YOUR COMPANY NETWORK HAS BEEN PENETRATED\" wide ascii\n $s_underground = \"they can be restored to their original state with a decryptor key that only we have\" wide ascii\n $s_vohuk = \"ALL YOUR FILES ARE STOLEN AND ENCRYPTED.\" wide ascii\n $s_xorist = \"will allow you to decrypt the 
files, is locate on a secret server on the internet\" wide ascii\n $s_yanluowang = \"We will also stop any communication with you, and continue DDoS, calls to employees and business partners\" wide ascii\n $s_zeon = \"downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond\" wide ascii\n\n // Exclusions to limit false positive\n $filter_00 = \"FortiAmsi\\\\x64\\\\Release\\\\FortiAmsi.pdb\" ascii\n $filter_01 = \"FortiAMSI Provider\" wide\n $filter_02 = \"FortiAmsi DLL load\" wide\n $filter_03 = \"FortiAmsi DllRegisterServer\" wide\n $filter_04 = \"\\\\veeam-ransomware-stats\\\\main\\\\Binaries\\\\x64\\\\Release\\\\RansomwareStats.pdb\" ascii\n $filter_05 = \"Veeam Software Group\" ascii\n $filter_06 = \"Veeam Backup & Replication\" wide\n // RansomwareStats.dll (Veeam Software Group GmbH)\n $filter_07 = \"RansomwareStats.dll\" ascii\n $filter_08 = \"\\\\Release\\\\RansomwareStats.pdb\" ascii\n $filter_09 = \"Veeam Software Group GmbH0\" ascii\n\n condition:\n 1 of ($s_*)\n and not $canary\n and not 3 of ($filter_*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_notes" ], "rule_creation_date": "2024-02-23", "rule_modified_date": "2026-02-11", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Unknown" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_notpetya_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574261Z", "creation_date": "2026-03-23T11:46:25.574264Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574273Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0368/\nhttps://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" ], "name": "ransomware_notpetya.yar", "content": "rule ransomware_notpetya {\n meta:\n title = \"NotPetya Ransomware\"\n id = \"d65f3525-63e8-44c4-a3a1-0aa9b4b9929b\"\n description = \"Detects the NotPetya malware used during a worldwide attack in June 2017.\\nNotPetya was designed to overwrite critical system files and data, making recovery impossible.\\nThe malware typically drops a file named README.txt containing a ransom note, and creates specific registry entries to ensure persistence across reboots.\\nThe rule anchors on the fake CHKDSK text, the ransom banner and the embedded anti-forensic and execution commands (wevtutil event-log clearing, fsutil USN-journal deletion, schtasks reboot scheduling, rundll32 invocation), so a match points at the executable payload rather than at a dropped note file.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://attack.mitre.org/software/S0368/\\nhttps://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html\"\n date = \"2022-02-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486;attack.s0368\"\n classification = \"Windows.Ransomware.NotPetya\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // match all samples\n $strings_ascii1 = \"Repairing file system on C:\" fullword ascii\n $strings_ascii2 = \"The type of the file system is NTFS.\" fullword ascii\n $strings_ascii3 = \"Ooops, your important files are encrypted.\" fullword ascii\n\n //\n // match only :\n // 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\n // 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1\n //\n $strings_wide1 = \"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:\" fullword wide\n $strings_wide2 = \"schtasks %ws/Create /SC once /TN \\\"\\\" /TR \\\"%ws\\\" /ST %02d:%02d\" fullword wide\n $strings_wide3 = \"-d C:\\\\Windows\\\\System32\\\\rundll32.exe \\\"C:\\\\Windows\\\\%s\\\",#1\" fullword wide\n $strings_wide4 = \"process call create \\\"C:\\\\Windows\\\\System32\\\\rundll32.exe \\\\\\\"C:\\\\Windows\\\\%s\\\\\\\" #1 \" fullword wide\n\n $sample1 = {\n C7 45 F8 78 56 34 12 // mov [ebp+var_8], 12345678h\n 33 DB // xor ebx, ebx\n 8D 50 02 // lea edx, [eax+2]\n\n // loc_100086D1: ; CODE XREF: sub_10008677+63↓j\n 66 8B 08 // mov cx, [eax]\n 83 C0 02 // add eax, 2\n 66 85 C9 // test cx, cx\n 75 F5 // jnz short loc_100086D1\n 2B C2 // sub eax, edx\n D1 F8 // sar eax, 1\n 8B F8 // mov edi, eax\n\n // loc_100086E2: ; CODE XREF: sub_10008677+93↓j\n 33 D2 // xor edx, edx\n 85 FF // test edi, edi\n 74 1E // jz short loc_10008706\n 8B F3 // 
mov esi, ebx\n\n // loc_100086EA: ; CODE XREF: sub_10008677+8D↓j\n 8B C6 // mov eax, esi\n 83 E0 03 // and eax, 3\n 8D 4C 05 F8 // lea ecx, [ebp+eax+var_8]\n 8A 84 55 EC FD FF FF // mov al, byte ptr [ebp+edx*2+pe.szExeFile]\n 32 01 // xor al, [ecx]\n FE C8 // dec al\n 42 // inc edx\n 46 // inc esi\n 88 01 // mov [ecx], al\n 3B D7 // cmp edx, edi\n 72 E4 // jb short loc_100086EA\n\n // loc_10008706: ; CODE XREF: sub_10008677+6F↑j\n 43 // inc ebx\n 83 FB 03 // cmp ebx, 3\n 72 D6 // jb short loc_100086E2\n 81 7D F8 44 4B 21 2E // cmp [ebp+var_8], 2E214B44h\n 74 18 // jz short loc_1000872D\n 81 7D F8 7E 52 03 64 // cmp [ebp+var_8], 6403527Eh\n 74 09 // jz short loc_10008727\n 81 7D F8 05 30 1B 65 // cmp [ebp+var_8], 651B3005h\n 75 0A // jnz short loc_10008731\n }\n\n // 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0\n $sample2 = {\n 2c 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 // |,.#.1. .........|\n 72 00 75 00 6e 00 64 00 6c 00 6c 00 33 00 32 00 // |r.u.n.d.l.l.3.2.|\n 2e 00 65 00 78 00 65 00 20 00 00 00 00 00 00 00 // |..e.x.e. 
.......|\n 63 00 3a 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 // |c.:.\\.W.i.n.d.o.|\n 77 00 73 00 5c 00 00 00 53 00 54 00 55 00 42 00 // |w.s.\\...S.T.U.B.|\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 500KB and (\n (2 of ($strings_ascii*)) and\n (\n ((3 of ($strings_wide*)) or $sample1) or\n ($sample2)\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "ransomware_notpetya" ], "rule_creation_date": "2022-02-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.NotPetya" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_petya_156a2fdea12d_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574392Z", "creation_date": "2026-03-23T11:46:25.574396Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574404Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/" ], "name": "ransomware_petya_156a2fdea12d.yar", "content": "rule ransomware_petya_156a2fdea12d {\n meta:\n 
title = \"Petya Ransomware (156a2fdea12d)\"\n id = \"9342705a-4487-414e-8874-156a2fdea12d\"\n description = \"Detects the Petya ransomware.\\nPetya is a destructive ransomware that encrypts files and demands payment for decryption.\\nIt is notorious for its use of a fake CHKDSK screen to deceive users and its method of encryption, which includes overwriting the master boot record (MBR) and encrypting files using AES and XOR operations.\"\n references = \"https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/\"\n date = \"2022-02-25\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Petya\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // SFX Packing XML information\n $s1 = \"WinRAR SFX module\" ascii\n $s2 = \"WinRAR SFX module\" ascii\n $s5 = \"\"\n $str_linux12 = \"Kill processes disabled\"\n $str_linux13 = \"Remove snapshots disabled\"\n $str_linux14 = \"Kill VMs disabled\"\n $str_linux15 = \"No path specified! It is mandatory for blacklist mode\"\n $str_linux16 = \"-- Qilin \\r\\rYour network/system was encrypted. \\rEncrypted files have new extension.\"\n $str_linux17 = \"File tree traversing done. 
Waiting workers to complete...\"\n $str_linux18 = \"[%08x] Failed to rename encrypted file to '%s': %d \"\n $str_linux19 = \"esxcli vm process kill -t force -w \"\n $str_linux20 = \"Killing VM \\\"%s\\\" with World ID \"\n\n condition:\n (\n $stub\n or 1 of ($debug_win_typo*)\n or 2 of ($help_*)\n or 5 of ($debug_win*)\n or 5 of ($str_linux*)\n ) and not $canary\n}", "rule_count": 1, "rule_names": [ "qilin_ransomware" ], "rule_creation_date": "2025-11-05", "rule_modified_date": "2025-12-08", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Ransomware.Qilin" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.impact" ], "rule_technique_tags": [ "attack.t1562.002", "attack.t1497.001", "attack.t1490", "attack.t1027.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_ransomtuga_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583243Z", "creation_date": "2026-03-23T11:46:25.583245Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583251Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/Tugamer89/RansomTuga" ], "name": 
"ransomware_ransomtuga.yar", "content": "rule ransomtuga {\n meta:\n title = \"RansomTuga Ransomware\"\n id = \"3d5b4092-9653-4cec-820b-df85bb3998f1\"\n description = \"Detects the RansomTuga ransomware.\\nRansomTuga is an advanced ransomware and semi-stealer designed to encrypt files and collect sensitive data.\\nThe malware employs anti-debugging and anti-analysis techniques that hinder dynamic analysis.\\nThe rule keys on relative resource and build paths left in the binary (./wallpaper.jpg, ./emailSender.ps1, ../x64/Release/DataDecryptor.exe), which are artifacts of the public source project and may also be present in rebuilds or forks of it.\"\n references = \"https://github.com/Tugamer89/RansomTuga\"\n date = \"2024-04-03\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.RansomTuga\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 490f36cd2a3773554a3698ab96134398942d9d92673cdbbfb89e5b92a054c4d0\n // 4efa8380b2986ee710411df08dba27fef5dd2f80877959be74d3b850a371c623\n // 5f8ff572f6f1ed39121999a557c71e9364faa642648d8ae64d8e40de2a7b18b1\n // 79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a\n\n $s1 = \"./wallpaper.jpg\" ascii fullword\n $s2 = \"./ICON.ico\" ascii fullword\n $s3 = \"./emailSender.ps1\" ascii fullword\n $s4 = \"../x64/Release/DataDecryptor.exe\" ascii fullword\n $s5 = \"../x64/Release/debugFolder_backup/exe_example.exe\" ascii fullword\n $s6 = \"../x64/Release/debugFolder_backup/pdfsample.pdf\" ascii fullword\n\n $crypt1 = {\n C1 FA ?? // sar edx, 5\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F ?? ?? // movzx eax, dx\n 6B C8 ?? 
// imul ecx, eax, 3Ah ; ':'\n }\n\n $crypt2 = {\n F2 0F 70 C2 D8 // pshuflw xmm0, xmm2, 0D8h\n F3 0F 70 C8 D8 // pshufhw xmm1, xmm0, 0D8h\n 66 0F 70 D1 D8 // pshufd xmm2, xmm1, 0D8h\n }\n\n condition:\n 4 of ($s*) or\n (\n 2 of ($s*) and\n #crypt1 > 5 and\n #crypt2 > 5\n )\n}\n", "rule_count": 1, "rule_names": [ "ransomtuga" ], "rule_creation_date": "2024-04-03", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.RansomTuga" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_rhysida_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574304Z", "creation_date": "2026-03-23T11:46:25.574307Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574317Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "ransomware_rhysida.yar", "content": "rule ransomware_rhysida {\n meta:\n title = \"Rhysida Ransomware\"\n id = \"640d9662-61d0-4ef4-8067-79e98239389a\"\n description = \"Detects the Rhysida 
ransomware.\\nRhysida is a ransomware that employs AES and CHACHA20 encryption to encrypt victim files.\\nIt creates a ransomware note on disk and modifies the wallpaper to display a message demanding payment.\"\n references = \"Internal Research\"\n date = \"2023-05-16\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1486\"\n classification = \"Windows.Ransomware.Rhysida\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6\n\n $crypto_str_1 = \"src/stream/chacha/chacha_setup.c\" fullword ascii\n $crypto_str_2 = \"src/pk/rsa/rsa_encrypt_key.c\" fullword ascii\n $crypto_str_3 = \"src/pk/rsa/rsa_exptmod.c\" fullword ascii\n $crypto_str_4 = \"src/pk/rsa/rsa_import.c\" fullword ascii\n $crypto_str_5 = \"src/pk/rsa/rsa_make_key.c\" fullword ascii\n $crypto_str_6 = \"keylen == 32 || keylen == 16\" fullword ascii\n\n $pdf_str_1 = \"/Producer\" ascii\n $pdf_str_2 = \"/Author\" ascii\n $pdf_str_3 = \"/Title\" ascii\n $pdf_str_4 = \"/Subject\" ascii\n $pdf_str_5 = \"/Creator\" ascii\n $pdf_str_6 = \"/Keywords\" ascii\n $pdf_str_7 = \"/Filter /FlateDecode\" ascii\n\n $rhysida_str_1 = \"cmd.exe /c reg delete \\\"HKCU\\\\Conttol Panel\\\\Desktop\\\" /v Wallpaper /f\" fullword ascii\n $rhysida_str_2 = \"cmd.exe /c reg delete \\\"HKCU\\\\Conttol Panel\\\\Desktop\\\" /v WallpaperStyle /f\" fullword ascii\n $rhysida_str_3 = \"cmd.exe /c reg add \\\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\" /v NoChangingWallPaper /t REG_SZ /d 1 /f\" fullword ascii\n $rhysida_str_4 = \"cmd.exe /c reg add \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\ActiveDesktop\\\" /v NoChangingWallPaper /t REG_SZ /d 1 /f\" fullword ascii\n $rhysida_str_5 = \"cmd.exe /c reg add \\\"HKCU\\\\Control 
Panel\\\\Desktop\\\" /v Wallpaper /t REG_SZ /d\" ascii\n $rhysida_str_6 = \"cmd.exe /c reg add \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\" /v Wallpaper /t REG_SZ /d\" ascii\n $rhysida_str_7 = \"cmd.exe /c reg add \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\" /v WallpaperStyle /t REG_SZ /d 2 /f\" fullword ascii\n $rhysida_str_8 = \"cmd.exe /c reg add \\\"HKCU\\\\Control Panel\\\\Desktop\\\" /v WallpaperStyle /t REG_SZ /d 2 /f\" fullword ascii\n $rhysida_str_9 = \"rundll32.exe user32.dll,UpdatePerUserSystemParameters\" fullword ascii\n $rhysida_str_10 = \"ERROR rename file %s to %s %d\" fullword ascii\n $rhysida_str_11 = \"ERROR open file_to_crypt %s\" fullword ascii\n $rhysida_str_12 = \"file_to_crypt size [%ld] bytes\" fullword ascii\n $rhysida_str_13 = \"ERROR rsa_encrypt_key %s\" fullword ascii\n $rhysida_str_14 = \"ERROR rsa_encrypt_IV %s\" fullword ascii\n $rhysida_str_15 = \"Processing block [%d] from file [%s] [%d]/[%ld] size\" fullword ascii\n $rhysida_str_16 = \"ERROR fread file_to_crypt [%d] [%d] [%s]\" fullword ascii\n $rhysida_str_17 = \"Start xxx_encrypt\" fullword ascii\n $rhysida_str_18 = \"ERROR xxx_encrypt %lu %s %s\" fullword ascii\n $rhysida_str_19 = \"ERROR fread file_to_crypt %s %lu\" fullword ascii\n $rhysida_str_20 = \"ERROR cipher key crypted length %ld\" fullword ascii\n $rhysida_str_21 = \"ERROR cipher IV crypted length %ld\" fullword ascii\n $rhysida_str_22 = \"ERROR fwrite cipher_IV_out %d %lu\" fullword ascii\n $rhysida_str_23 = \"Query ending...\" fullword ascii\n $rhysida_str_24 = \"ERROR fwrite cipher_key_out %d %lu\" fullword ascii\n $rhysida_str_25 = \"ERROR rsa_import_key public\" fullword ascii\n $rhysida_str_26 = \"ERROR Unable to register aes_enc_desc cipher %s\" fullword ascii\n $rhysida_str_27 = \"ERROR Cipher AES not found\" fullword ascii\n $rhysida_str_28 = \"ERROR register CHC hash %s\" fullword ascii\n $rhysida_str_29 = \"ERROR binding 
AES to CHC %s\" fullword ascii\n $rhysida_str_30 = \"ERROR Hash CHC not found\" fullword ascii\n $rhysida_str_31 = \"ERROR AES getting key size %s\" fullword ascii\n\n // File filtering\n $op_1 = {\n 0F 85 ?? ?? ?? ?? // jnz loc_417A53\n 48 8D 05 ?? ?? ?? ?? // lea rax, QUERY_FILE_POSS\n 48 8B 00 // mov rax, [rax]\n 8B 55 ?? // mov edx, [rbp+thread_n]\n 48 63 D2 // movsxd rdx, edx\n 48 C1 E2 02 // shl rdx, 2\n 48 01 D0 // add rax, rdx\n 8B 00 // mov eax, [rax]\n 3D FF 03 00 00 // cmp eax, 3FFh\n }\n\n // PRNG initialization\n $op_2 = {\n 83 7D FC 27 // cmp [rbp+i], 27h ; '''\n 7E ?? // jle short loc_4196CD\n 48 8D 45 ?? // lea rax, [rbp+prng_entr]\n 4C 8B 45 ?? // mov r8, [rbp+prng_val]\n BA 28 00 00 00 // mov edx, 28h ; '('\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? ?? ?? // call chacha20_prng_add_entropy\n 89 45 ?? // mov [rbp+err], eax\n 83 7D ?? 00 // cmp [rbp+err], 0\n 74 ?? // jz short loc_41973D\n B8 04 00 00 00 // mov eax, 4\n }\n\n // Filtering out files with executable extensions\n $op_3 = {\n 48 C1 E0 02 // shl rax, 2\n 48 01 C8 // add rax, rcx\n 48 8D 14 85 00 00 00 00 // lea rdx, ds:0[rax*4]\n 48 8D 05 ?? ?? ?? ?? // lea rax, exclude_extensions ; \".\"\n 8B 04 02 // mov eax, [rdx+rax]\n 83 F8 40 // cmp eax, 40h ; '@'\n 0F 8E ?? ?? ?? ?? // jle loc_416BB1\n 8B 45 ?? // mov eax, [rbp+exclude_c]\n 48 63 C8 // movsxd rcx, eax\n 8B 45 ?? 
// mov eax, [rbp+exclude_i]\n 48 63 D0 // movsxd rdx, eax\n 48 89 D0 // mov rax, rdx\n 48 01 C0 // add rax, rax\n 48 01 D0 // add rax, rdx\n 48 C1 E0 02 // shl rax, 2\n 48 01 C8 // add rax, rcx\n 48 8D 14 85 00 00 00 00 // lea rdx, ds:0[rax*4]\n }\n\n condition:\n (4 of ($crypto_str_*) and 4 of ($pdf_str_*) and 7 of ($rhysida_str_*)) or all of ($op_*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_rhysida" ], "rule_creation_date": "2023-05-16", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Rhysida" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1486" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_robbinhood_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566690Z", "creation_date": "2026-03-23T11:46:25.566692Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566698Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/" ], "name": 
"ransomware_robbinhood_driver.yar", "content": "rule ransomware_robbinhood_driver {\n meta:\n title = \"Robbinhood Ransomware Driver\"\n id = \"82818947-11a0-4595-b0e8-7a19a7d80305\"\n description = \"Detects the Robbinhood ransomware driver.\\nThis malware is loaded by a vulnerable signed driver and can terminate security solutions to maintain persistence and evade detection.\\nThe driver is known to remove security software from the system, potentially allowing the ransomware to operate undetected.\"\n references = \"https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/\"\n date = \"2022-07-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Ransomware.Robbinhood\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8\n\n $s1 = \"C:\\\\Users\\\\Mikhail\\\\Desktop\\\\Robnhold\\\\x64\\\\Win7Release\\\\Robbnhold.pdb\" fullword ascii\n $s2 = \"\\\\Device\\\\Robnhold\" fullword wide\n $s3 = \"\\\\DosDevices\\\\Robnhold\" fullword wide\n $s4 = \"\\\\DosDevices\\\\A:\\\\\" fullword wide\n $s5 = \"PsAcquireProcessExitSynchronization\" fullword wide\n\n $robn_tag = { 52 6F 62 6E } // \"Robn\" tag\n\n condition:\n uint16(0) == 0x5A4D and filesize < 200KB and 3 of ($s*) and #robn_tag > 2\n}\n", "rule_count": 1, "rule_names": [ "ransomware_robbinhood_driver" ], "rule_creation_date": "2022-07-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Robbinhood" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_robbinhood_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583206Z", "creation_date": "2026-03-23T11:46:25.583209Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583217Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/" ], "name": "ransomware_robbinhood.yar", "content": "rule ransomware_robbinhood {\n meta:\n title = \"Robbinhood Ransomware\"\n id = \"efc7eed5-a2bc-4a4d-9f8a-34715df03530\"\n description = \"Detects the Robbinhood ransomware.\\nRobbinhood is a ransomware that is packed with UPX and uses custom and vulnerable kernel drivers to disable security solutions.\"\n references = \"https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/\"\n date = \"2022-08-01\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Ransomware.Robbinhood\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n 
strings:\n // Detection for this sample :\n // 74ca4283ccc55c82bdf55a4056efda889c9fbe017279829b32109462b753af73\n\n $s1 = \"RBNLDrv\" fullword ascii\n $s2 = \"rbnl.sys\" fullword ascii\n $s3 = \"gdrv.sys\" fullword ascii\n $s4 = \"\\\\\\\\.\\\\%s\" fullword wide\n $s5 = \"!GIODrv\" fullword wide\n $s6 = \"\\\\temp\\\\rbnl.sys\" fullword wide\n $s7 = \"RBNLDrv\" fullword wide\n $s8 = \"Robnhold\" fullword wide\n $s9 = \"\\\\temp\\\\gdrv.sys\" fullword wide\n $s10 = \"SeLoadDriverPrivilege\" fullword ascii\n\n // Custom executable copy from specific structure\n $op1 = {\n 8B C3 // mov eax, ebx\n 48 69 D0 28 01 00 00 // imul rdx, rax, 128h\n 0F B7 4C ?? ?? // movzx ecx, word ptr [rdx+rdi+2Eh]\n 48 83 C2 30 // add rdx, 30h ; '0'\n 48 03 CA // add rcx, rdx\n 48 8B D5 // mov rdx, rbp ; Str2\n 48 03 CF // add rcx, rdi ; Str1\n E8 ?? ?? ?? ?? // call _stricmp\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_140002E8C\n FF C3 // inc ebx\n 3B 1F // cmp ebx, [rdi]\n }\n\n // Navigating through CI image sections\n $op2 = {\n 48 83 EC 50 // sub rsp, 50h\n B8 4D 5A 00 00 // mov eax, 5A4Dh\n 48 8B E9 // mov rbp, rcx\n 66 39 01 // cmp [rcx], ax\n 74 ?? // jz short loc_140002B3F\n 33 C0 // xor eax, eax\n 48 83 C4 50 // add rsp, 50h\n 5D // pop rbp\n C3 // retn\n 48 63 ?? ?? // movsxd rax, dword ptr [rcx+3Ch]\n 48 03 C1 // add rax, rcx\n 81 38 50 45 00 00 // cmp dword ptr [rax], 4550h\n 75 ?? // jnz short loc_140002B37\n [18-22]\n B9 0B 02 00 00 // mov ecx, 20Bh\n [14-18]\n 48 05 88 00 00 00 // add rax, 88h ; 'ˆ'\n EB ?? // jmp short loc_140002B83\n 48 83 C0 78 // add rax, 78h ; 'x'\n }\n\n // Search for Windows version and CI function call\n $op3 = {\n 81 3D ?? ?? ?? ?? AB 3F 00 00 // cmp cs:gBuildNumber, 3FABh\n 8B DF // mov ebx, edi\n 72 ?? // jb short loc_140002D16\n 8B F7 // mov esi, edi\n 0F 1F 80 00 00 00 00 // nop dword ptr [rax+00000000h]\n 8B CB // mov ecx, ebx\n 49 03 CE // add rcx, r14\n 80 39 E8 // cmp byte ptr [rcx], 0E8h ; 'è'\n 75 ?? 
// jnz short loc_140002CEC\n FF C6 // inc esi\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 400KB and 5 of ($s*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_robbinhood" ], "rule_creation_date": "2022-08-01", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Robbinhood" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_robinhood_steel_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569082Z", "creation_date": "2026-03-23T11:46:25.569085Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569090Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/" ], "name": "ransomware_robinhood_steel.yar", "content": "rule ransomware_robbinhood_steel {\n meta:\n title = \"Robbinhood Ransomware's STEEL Module\"\n id = \"5e061e07-0ca0-4f3e-af82-12dbbf3f9b7d\"\n description = \"Detects 
the Robbinhood ransomware's STEEL module.\\nThe STEEL module is responsible for terminating security solutions using a custom kernel driver. This module injects malicious code into legitimate system processes to gain elevated privileges and disrupt security measures.\\nIt is recommended to isolate the affected system and analyze the kernel driver for potential malicious activities.\"\n references = \"https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/\"\n date = \"2022-08-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Ransomware.Robbinhood\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 74ca4283ccc55c82bdf55a4056efda889c9fbe017279829b32109462b753af73\n\n $str_drv_1 = \"NtLoadDriver\" fullword ascii\n $str_drv_2 = \"gdrv.sys\" fullword ascii\n $str_drv_3 = \"robnr.sys\" fullword ascii\n $str_drv_4 = \"rbnl.sys\" fullword ascii\n $str_drv_5 = \"NtUnloadDriver\" fullword ascii\n $str_drv_6 = \"SeLoadDriverPrivilege\" fullword wide\n $str_drv_7 = \"SeDebugPrivilege\" fullword wide\n $str_drv_8 = \"RBNLDrv\" fullword ascii\n $str_drv_9 = \"\\\\\\\\.\\\\Robnhold\" fullword wide\n\n $str_other_1 = \"cmd.exe /c reg delete HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\\" fullword ascii\n $str_other_2 = \"regedit /s \" fullword ascii\n $str_other_3 = \"cmd.exe /c reg IMPORT \" fullword ascii\n $str_other_4 = \"\\\\Registry\\\\Machine\\\\System\\\\CurrentControlSet\\\\Services\\\\\" fullword wide\n $str_other_5 = \"sc delete\" fullword ascii\n $str_other_6 = \"cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & taskkill /f /im %s & Del /f /q \\\"%s\\\"\" wide\n $str_other_7 = \"cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \\\"%s\\\" & sc delete WindowsDeviceACL\" fullword wide\n\n condition:\n uint16(0) 
== 0x5A4D and filesize < 400KB and 5 of ($str_drv_*) and 4 of ($str_other_*)\n}\n", "rule_count": 1, "rule_names": [ "ransomware_robbinhood_steel" ], "rule_creation_date": "2022-08-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Robbinhood" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-ransomware_system_language_discovery_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583129Z", "creation_date": "2026-03-23T11:46:25.583131Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583137Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/\nhttps://www.txone.com/blog/malware-analysis-lockbit-3-0/\nhttps://attack.mitre.org/techniques/T1614/001/" ], "name": "ransomware_system_language_discovery.yar", "content": "rule system_language_discovery {\n meta:\n title = \"System Language Discovery\"\n id = \"4d2f1821-4f93-49f5-9ef3-dabe58d35047\"\n description = 
\"Detects binaries that attempt to gather information about the system language, a technique commonly used by the Darkside and LockBit ransomwares.\\nThis behavior is significant as certain ransomware variants, including Darkside and LockBit, check for specific system languages (e.g., Russian or Ukrainian) to avoid execution in non-targeted regions.\"\n references = \"https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/\\nhttps://www.txone.com/blog/malware-analysis-lockbit-3-0/\\nhttps://attack.mitre.org/techniques/T1614/001/\"\n date = \"2024-05-17\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1614.001\"\n classification = \"Windows.Ransomware.Generic\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a18a6bacc0d8b1dd4544cdf1e178a98a36b575b5be8b307c27c65455b1307616\n // 029c5d48e425206e2ae84a63d62bdbc80362702913b38618a423c541c8a0ed40\n // cd727c8fc0303b9a77641cc43061fa6ae9de3a0af40fd525c4a745c1dcdd5965\n\n $x1 = {\n C1 E3 0A // shl ebx, 0Ah\n 80 F3 01 // xor bl, 1\n C0 E3 04 // shl bl, 4\n 80 F3 09 // xor bl, 9\n 66 3B DE // cmp bx, si\n 74 ?? // jz short loc_4080F6\n 66 3B DF // cmp bx, di\n 75 ?? 
// jnz short loc_4080FB\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "system_language_discovery" ], "rule_creation_date": "2024-05-17", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Ransomware.Generic" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1614.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-raspberryrobin_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574963Z", "creation_date": "2026-03-23T11:46:25.574965Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574970Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\nhttps://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/\nhttps://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/" ], "name": "raspberryrobin.yar", "content": "rule raspberry_robin {\n meta:\n title = \"Raspberry Robin Malware\"\n id 
= \"684dbdd0-eb93-49c0-b6d5-95fc4996e701\"\n description = \"Detects Raspberry Robin, an evasive malware primarily used as an initial access vector for threat actors and ransomware operations.\\nKnown for its worm-like behavior, Raspberry Robin often spreads through USB devices and leverages legitimate system processes to avoid detection.\\nIt is recommended to investigate for additional signs of malicious activity and to take contact with the end user in order to clean the infected USB key.\"\n references = \"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\\nhttps://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/\\nhttps://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/\"\n date = \"2024-03-19\"\n modified = \"2025-07-03\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1091;attack.execution;attack.defense_evasion;attack.t1497;attack.t1218.002;attack.t1218.009;attack.t1218.010;attack.t1218.011;attack.t1055.001;attack.t1027.002;attack.t1027.007;attack.t1562.001;attack.t1622;attack.persistence;attack.t1547.001;attack.t1543.003;attack.command_and_control;attack.t1573;attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.Worm.RaspberryRobin\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this samples:\n // e5ab91456bdb1ec8c84d400152244fc90812bdd62e7170e75c9709bb83c8dad7\n // ea3226ee1e0ff00714e7bbe9eb7647d4d8bbc200fed8555e3bbf22ba85d29e43\n\n $stub_00 = {\n 8d 44 24 18 // lea eax, [esp+0x18 {var_78}]\n [8-12] // mov dword [data_10163394], 0x1595\n 8b 8c 24 80 00 00 00 // mov ecx, dword [esp+0x80 {var_10}]\n 89 04 24 // mov dword [esp {var_90}], eax {var_78}\n 89 4c 24 04 // mov dword [esp+0x4 {var_8c_1}], ecx\n [4-6] // call sub_100c4250\n 89 e1 // mov ecx, esp 
{var_90}\n 8d 54 24 18 // lea edx, [esp+0x18 {var_78}]\n 89 11 // mov dword [ecx {var_90}], edx {var_78}\n ff d0 // call eax\n 83 ec 04 // sub esp, 0x4\n b8 02 00 00 00 // mov eax, 0x2\n }\n\n $stub_01 = {\n 8b 45 ?? // mov eax, dword [ebp-0x10 {var_14_1}]\n 8b 48 ?? // mov ecx, dword [eax+0x3c]\n 81 3c 08 50 45 00 00 // cmp dword [eax+ecx], 0x4550\n 74 17 // je 0x1000a4ec\n eb 25 // jmp 0x1000a4fc\n 8b 45 ?? // mov eax, dword [ebp-0xc {var_10}]\n 8b 4d ?? // mov ecx, dword [ebp-0x8 {var_c}]\n 66 81 39 4d 5a // cmp word [ecx], 0x5a4d\n 89 45 ?? // mov dword [ebp-0x14 {var_18_1}], eax\n 89 4d ?? // mov dword [ebp-0x10 {var_14_1}], ecx\n 74 dc // je 0x1000a4c6\n eb 10 // jmp 0x1000a4fc\n 8b 45 ?? // mov eax, dword [ebp-0x14 {var_18_1}]\n a3 ?? ?? ?? ?? // mov dword [data_102db338], eax\n 8b 45 ?? // mov eax, dword [ebp-0x10 {var_14_1}]\n 83 c4 ?? // add esp, 0x14\n 5d // pop ebp {__saved_ebp}\n c3 // retn {__return_addr}\n }\n\n $stub_02 = {\n 8b 45 ?? // mov eax, dword [ebp-0x24 {var_28}]\n 8b 4d ?? // mov ecx, dword [ebp-0x20 {var_24}]\n 8b 55 ?? // mov edx, dword [ebp-0x1c {var_20}]\n 01 ca // add edx, ecx\n 89 15 ?? ?? ?? ?? // mov dword [data_102db338], edx\n 8b 4d ?? // mov ecx, dword [ebp-0x14 {var_18}]\n 8a 1c ?? // mov bl, byte [ecx+eax]\n 8b 55 ?? // mov edx, dword [ebp-0x18 {var_1c}]\n 88 1c ?? // mov byte [edx+eax], bl\n 05 01 00 00 00 // add eax, 0x1\n 8b 75 ?? // mov esi, dword [ebp-0x10 {var_14}]\n 39 f0 // cmp eax, esi\n 89 45 ?? // mov dword [ebp-0x28 {var_2c_1}], eax\n 74 19 // je 0x1000b3cb\n a1 ?? ?? ?? ?? // mov eax, dword [data_102db334]\n 8b 0d ?? ?? ?? ?? // mov ecx, dword [data_102db338]\n 8b 55 ?? // mov edx, dword [ebp-0x28 {var_2c_1}]\n 89 4d ?? // mov dword [ebp-0x1c {var_20}], ecx\n 89 45 ?? // mov dword [ebp-0x20 {var_24}], eax\n 89 55 ?? 
// mov dword [ebp-0x24 {var_28}], edx\n eb bb // jmp 0x1000b386\n }\n\n $stub_03 = {\n 55 // push ebp {__saved_ebp}\n 89 e5 // mov ebp, esp {__saved_ebp}\n 57 // push edi {__saved_edi}\n 56 // push esi {__saved_esi}\n 83 ec 1c // sub esp, 0x1c\n 8b 45 18 // mov eax, dword [ebp+0x18 {arg5}]\n 8b 4d 14 // mov ecx, dword [ebp+0x14 {arg4}]\n 8b 55 10 // mov edx, dword [ebp+0x10 {arg3}]\n 8b 75 0c // mov esi, dword [ebp+0xc {arg2}]\n 8b 7d 08 // mov edi, dword [ebp+0x8 {arg1}]\n c7 05 ?? ?? ?? ?? ?? ?? ?? ?? // mov dword [data_1001af7c], 0x21bd\n 81 f9 00 00 00 00 // cmp ecx, 0x0\n 89 45 f4 // mov dword [ebp-0xc {var_10}], eax\n 89 7d f0 // mov dword [ebp-0x10 {var_14}], edi\n 89 55 ec // mov dword [ebp-0x14 {var_18}], edx\n 89 75 e8 // mov dword [ebp-0x18 {var_1c}], esi\n 75 19 // jne 0x100071f9\n 8b 45 f0 // mov eax, dword [ebp-0x10 {var_14}]\n 89 04 24 // mov dword [esp {var_28_1}], eax\n 8b 4d e8 // mov ecx, dword [ebp-0x18 {var_1c}]\n 89 4c 24 04 // mov dword [esp+0x4 {var_24_1}], ecx\n 8b 55 f4 // mov edx, dword [ebp-0xc {var_10}]\n 89 54 24 08 // mov dword [esp+0x8 {var_20_1}], edx\n e8 ?? ?? ?? ?? // call sub_100072f0\n }\n\n $stub04 = {\n 8B 85 [2] FF FF // mov eax, [ebp+var_140]\n B9 (42 01|01 00) 00 00 // mov ecx, 142h\n 05 (01|08) 00 00 00 // add eax, 8\n 3D (42|47) 01 00 00 // cmp eax, 142h\n 89 85 [2] FF FF // mov [ebp+var_140], eax\n 89 8D [2] FF FF // mov [ebp+var_144], ecx\n 7? DD // jnz short loc_402A87\n }\n\n $stub05 = {\n 89 85 F0 FE FF FF // mov [ebp+var_110], eax\n FF D1 // call ecx ; __imp_GetModuleFileNameA\n 83 EC 0C // sub esp, 0Ch\n 80 BD F7 FE FF FF ?? // cmp [ebp+var_109], 54h ; 'T'\n 89 85 EC FE FF FF // mov [ebp+var_114], eax\n }\n\n $stub06 = {\n 8B 85 [2] FF FF // mov eax, [ebp+var_140]\n B9 (42 01|01 00) 00 00 // mov ecx, 142h\n 05 (01|08) 00 00 00 // add eax, 8\n 3D (42|47) 01 00 00 // cmp eax, 142h\n 89 85 [2] FF FF // mov [ebp+var_140], eax\n 89 8D [2] FF FF // mov [ebp+var_144], ecx\n 7? 
DD // jnz short loc_402A87\n }\n\n $stub07 = {\n 89 85 F0 FE FF FF // mov [ebp+var_110], eax\n FF D1 // call ecx ; __imp_GetModuleFileNameA\n 83 EC 0C // sub esp, 0Ch\n 80 BD F7 FE FF FF ?? // cmp [ebp+var_109], 54h ; 'T'\n 89 85 EC FE FF FF // mov [ebp+var_114], eax\n }\n\n $stub08 = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n 53 // push ebx\n 57 // push edi\n 56 // push esi\n 83 E4 F8 // and esp, 0FFFFFFF8h\n 83 EC ?? // sub esp, 60h\n 8B 45 0C // mov eax, [ebp+arg_4]\n 8B 4D 08 // mov ecx, [ebp+arg_0]\n 31 D2 // xor edx, edx\n 8A 1D 00 40 40 00 // mov bl, byte_404000\n 80 FB 00 // cmp bl, 0\n }\n\n $stub09 = {\n 55 // push ebp\n 89 E5 // mov ebp, esp\n ?? // push edi\n 56 // push esi\n 83 EC 34 // sub esp, 34h\n 8B 45 08 // mov eax, [ebp+arg_0]\n 8B 48 ?? // mov ecx, [eax+28h]\n C6 01 4D // mov byte ptr [ecx], 4Dh ; 'M'\n C6 41 01 5A // mov byte ptr [ecx+1], 5Ah ; 'Z'\n C7 41 3C D0 00 00 00 // mov dword ptr [ecx+3Ch], 0D0h\n C7 81 D0 00 00 00 50 45 00 00 // mov dword ptr [ecx+0D0h], 4550h\n 66 C7 81 D4 00 00 00 4C 01 // mov word ptr [ecx+0D4h], 14Ch\n }\n\n $stub10 = {\n 89 E6 // mov esi, esp\n C7 46 0C 04 00 00 00 // mov dword ptr [esi+0Ch], 4\n C7 46 08 00 10 00 00 // mov dword ptr [esi+8], 1000h\n C7 46 04 00 00 2E 00 // mov dword ptr [esi+4], 2E0000h\n C7 06 00 00 00 00 // mov dword ptr [esi], 0\n }\n\n $emulation_api00 = \"MpCallPostEntryPointCode\" wide\n $emulation_api01 = \"MpCallPreEntryPointCode\" wide ascii\n $emulation_api02 = \"MpExitThread\" wide ascii\n $emulation_api03 = \"MpFinalize\" wide ascii\n $emulation_api04 = \"MpReportEvent\" wide ascii\n $emulation_api05 = \"MpReportEventEx\" wide ascii\n $emulation_api06 = \"MpReportEventW\" wide ascii\n $emulation_api07 = \"MpSehHandler\" wide ascii\n $emulation_api08 = \"MpStartProcess\" wide ascii\n $emulation_api09 = \"MpSwitchToNextThread_WithCheck\" wide ascii\n $emulation_api10 = \"MpVmp32Entry\" wide ascii\n $emulation_api11 = \"MpVmp32FastEnter\" wide ascii\n\n $filter_00 = \"mpengine.pdb\" 
ascii\n $filter_01 = \"MsMpEngCP.pdb\" ascii\n $filter_02 = \"MsMpEngSvc.pdb\" ascii\n $filter_03 = \"MpGear.pdb\" ascii\n $filter_04 = \"mrtstub.pdb\" ascii\n $filter_05 = \"mrt.pdb\" ascii\n $filter_06 = \"PEBMPAT:Obfuscator_EW2\" wide ascii\n $filter_07 = \"Unimplemented type change to VT_\" wide ascii\n $filter_08 = \"VirTool:Win32/Obfuscator\" wide ascii\n $filter_09 = \"VDMConsoleOperation\" wide ascii\n $filter_10 = \"VDMOperationStarted\" wide ascii\n $filter_11 = \"MpValidateVFSHandle\" wide ascii\n $filter_12 = \"mpSwitchToNextThread_NewObjMgr\" wide ascii\n $filter_13 = \"Initialize engine first!\" wide ascii\n $filter_14 = \"MpIntHandlerReturnAddress\" wide ascii\n $filter_15 = \"MpDriver\" wide ascii\n $filter_16 = \"ntoskrnl.pdb\" ascii\n $filter_17 = \"Microsoft Corporation\" wide ascii\n $filter_18 = \"mscorlib.pdb\" ascii\n $filter_19 = \"dbghelp.pdb\" ascii\n $filter_20 = \"msvcrt.pdb\" ascii\n $filter_21 = \"sigutils\\\\vdlls\\\\\" ascii\n $filter_22 = \"Microsoft.Windows.MalwareRemovalTool\" wide ascii\n $filter_23 = \"mrt.exe\" wide ascii\n\n condition:\n 1 of ($stub*) or (1 of ($emulation_*) and not 1 of ($filter*))\n}\n", "rule_count": 1, "rule_names": [ "raspberry_robin" ], "rule_creation_date": "2024-03-19", "rule_modified_date": "2025-07-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Worm.RaspberryRobin" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1497", "attack.t1218.010", "attack.t1055.001", "attack.t1547.001", "attack.t1543.003", "attack.t1622", "attack.t1573", "attack.t1091", "attack.t1218.009", "attack.t1027.007", "attack.t1218.011", "attack.t1562.001", "attack.t1218.002", "attack.t1068", "attack.t1027.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-rdpwinst_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571027Z", "creation_date": "2026-03-23T11:46:25.571029Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571036Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/stascorp/rdpwrap" ], "name": "rdpwinst.yar", "content": "import \"pe\"\n\nrule rdpwinst {\n meta:\n title = \"RDPWInst Tool\"\n id = \"bfff23e9-fd42-470f-96ae-579dfb8531ec\"\n description = \"Detects RDPWInst, a tool to enable Remote Desktop Host support and concurrent RDP sessions on reduced functionality systems for home usage.\\nRDPWInst is often used by attackers like Ducktail for enabling unauthorized RDP access to target systems.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine the usage of this tool is legitimate.\"\n references = \"https://github.com/stascorp/rdpwrap\"\n date = \"2023-10-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.lateral_movement;attack.t1021.001\"\n classification = \"Windows.Tool.RDPWInst\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this 
sample:\n // 9d36c4dd5dda9e1a8d67c13e43efc3b6c1847abd4487acad0a2b335019786e17\n\n $s1 = \"[-] OpenKeyReadOnly error (code\" wide fullword\n $s2 = \"[-] Another third-party TermService library is installed.\" wide fullword\n $s3 = \"\\\\system32\\\\reg.exe\\\" add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\TermService\\\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d \\\"\" wide fullword\n $s4 = \"rdpwrap.ini\" wide fullword\n $s5 = \"[*] RDP Wrapper Library is not installed.\" wide fullword\n $s6 = \"[*] Your INI file is newer than public file. Are you a developer? :)\" wide fullword\n\n condition:\n 4 of ($s*) or\n pe.version_info[\"OriginalFilename\"] == \"RDPWInst.exe\"\n}\n", "rule_count": 1, "rule_names": [ "rdpwinst" ], "rule_creation_date": "2023-10-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.RDPWInst" ], "rule_tactic_tags": [ "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1021.001" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-reaper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580968Z", "creation_date": "2026-03-23T11:46:25.580970Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.580976Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/MrEmpy/Reaper/\nhttps://www.loldrivers.io/drivers/edd29861-6984-4dbe-8e7c-22e9b6cf68d0/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "reaper.yar", "content": "rule reaper {\n meta:\n title = \"Reaper HackTool\"\n id = \"73fff51d-ec3b-4286-94cf-676894844c6c\"\n description = \"Detects the Reaper HackTool, a tool designed to kill protected processes using a vulnerable driver.\\nReaper loads the KProcessHacker.sys driver and uses it to terminate specified processes. This tool is often used to bypass process protection mechanisms, such as for killing EDR software.\\nIt is recommended to isolate the affected system, to unload and remove the KProcessHacker.sys driver and to investigate the process responsible for the execution of Reaper.\"\n references = \"https://github.com/MrEmpy/Reaper/\\nhttps://www.loldrivers.io/drivers/edd29861-6984-4dbe-8e7c-22e9b6cf68d0/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.Reaper\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 32051f61c8d6d1d9bb19fd225ff3a3a2f6c06673f92398cf7178f235ecf3abf2\n\n $s_device = \"\\\\\\\\.\\\\GlobalRoot\\\\Device\\\\KProcessHacker2\" wide ascii\n $s_winapi_01 = \"CreateFile\" wide ascii\n $s_winapi_02 = \"DeviceIoControl\" wide ascii\n $s_winapi_03 = \"OpenSCManager\" wide ascii\n $s_winapi_04 = \"OpenService\" wide ascii\n $s_winapi_05 = \"StartService\" wide ascii\n $s_winapi_06 = \"ControlService\" wide ascii\n $s_winapi_07 = \"CreateService\" wide ascii\n $s_winapi_08 = \"OpenProcess\" wide ascii\n $ioctl_kill = { (99 
99 20 df|df 20 99 99) }\n $ioctl_suspend = { (99 99 20 d7|d7 20 99 99) }\n\n $filter_01 = \"SeDebugPrivilege\" wide ascii\n\n condition:\n 1 of ($ioctl_*)\n and all of ($s_*)\n and not $filter_01\n}\n", "rule_count": 1, "rule_names": [ "reaper" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Reaper" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-recycledgate_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585914Z", "creation_date": "2026-03-23T11:46:25.585917Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585926Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/thefLink/RecycledGate/" ], "name": "recycledgate.yar", "content": "rule recycledgate {\n meta:\n title = \"Recycled Gate Technique\"\n id = \"6dba5071-2641-4cef-9f5f-6b1e8c664838\"\n description = \"Detects the Recycled Gate technique.\\nRecycled Gate is a technique used to bypass user-mode 
hooking in security tools like EDRs (Endpoint Detection and Response) through direct syscalls.\\nIt operates as a variation of HellsGate, which manipulates syscall parameters to avoid detection.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/thefLink/RecycledGate/\"\n date = \"2023-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055\"\n classification = \"Windows.Generic.RecycledGate\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // d32d6ff536a22ed155879715c34b711f531c8384becf73849a66a938ef2b1505\n // bbe6f27a0ffa7ef62a615def2a348e6c768bcdba3554e9f6d32e1e01d595ed3f\n // f9b47d6e79f6fcbecef5788ea12c333b96ba9aafe8754acddd56664167902690\n\n $s1 = \"[*] Resolving Syscall: %x\" ascii fullword\n $s2 = \"Found syscall using Hells Gate\" ascii\n $s3 = \"Syscall nr: %d\" ascii\n $s4 = \"Gate: %p\" ascii\n\n // https://github.com/thefLink/RecycledGate/blob/main/src/GateTrampolin.asm\n $trampoline_1 = {\n // PrepareSyscall\n 4D 33 DB // xor r11, r11\n 4D 33 D2 // xor r10, r10\n 4C 8B D9 // mov r11, rcx\n 4C 8B D2 // mov r10, rdx\n C3 // retn\n\n // DoSyscall\n 41 52 // push r10\n 48 33 C0 // xor rax, rax\n 4C 8B D1 // mov r10, rcx\n 41 8B C3 // mov eax, r11d\n C3 // retn\n }\n $trampoline_2 = {\n // PrepareSyscall\n 4D 31 DB // xor r11, r11\n 4D 31 D2 // xor r10, r10\n 49 89 CB // mov r11, rcx\n 49 89 D2 // mov r10, rdx\n C3 // retn\n\n // DoSyscall\n 41 52 // push r10\n 48 31 C0 // xor rax, rax\n 49 89 CA // mov r10, rcx\n 44 89 D8 // mov eax, r11d\n C3 // retn\n }\n\n condition:\n 3 of ($s*) or 1 of ($trampoline_*)\n}\n", "rule_count": 1, "rule_names": [ "recycledgate" ], "rule_creation_date": "2023-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ 
"Windows.Generic.RecycledGate" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-redline_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568237Z", "creation_date": "2026-03-23T11:46:25.568241Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568250Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/\nhttps://www.cloudsek.com/blog/technical-analysis-of-the-redline-stealer" ], "name": "redline_stealer.yar", "content": "rule redline_stealer {\n meta:\n title = \"RedLine Stealer\"\n id = \"3824d3e0-34bc-48b4-ae8e-2c481e1f5078\"\n description = \"Detects the RedLine Stealer malware.\\nRedLine Stealer is a malicious software used to steal sensitive information from infected systems. 
It collects data from browsers like Gecko and Chromium-based ones, targeting authentication details such as cookies, credit card information, and login credentials.\\nIt is recommended to remove any traces of the malware.\"\n references = \"https://socradar.io/what-is-redline-stealer-and-what-can-you-do-about-it/\\nhttps://www.cloudsek.com/blog/technical-analysis-of-the-redline-stealer\"\n date = \"2023-09-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.RedLine\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 101955ce9bc6b74a01f44f7e2a30ca960b86d36650c2d069944e33a51e7a05c6\n // 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390\n // 0226012d07469431fc88548fecdd4cc6e38bde912dfbdd0fd943402717b494cb\n\n $sa_1 = \"ParseDiscordTokens\" ascii\n $sa_2 = \"EnumerateDirectories\" ascii\n $sa_3 = \"get_Credentials\" ascii fullword\n $sa_4 = \"browserPaths\" ascii fullword\n $sa_5 = \"chiperText\" ascii fullword\n $sa_6 = \"scanners\" ascii fullword\n\n $sw_1 = \"ParseDiscordTokens\" wide\n $sw_2 = \"EnumerateDirectories\" wide\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "redline_stealer" ], "rule_creation_date": "2023-09-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.RedLine" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-reflective_loader_5c8949b7f037_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563621Z", "creation_date": "2026-03-23T11:46:25.563623Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563629Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "reflective_loader_5c8949b7f037.yar", "content": "rule reflective_loader_5c8949b7f037 {\n meta:\n title = \"Reflective Loader (5c8949b7f037)\"\n id = \"266e2bb5-36d5-4eb2-8db6-5c8949b7f037\"\n description = \"Detects payloads performing reflective loading.\\nReflective loading is a technique where malicious payloads are executed directly within the memory of a process, rather than creating a new thread or process backed by a file on disk.\\nThis method is often used to avoid detection and persistence mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"Internal Research\"\n date = \"2021-02-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620;attack.t1055.002;attack.execution;attack.t1129\"\n classification = \"Windows.Generic.ReflectiveLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // TODO: update this to match on eax to edi on all operations...\n $ror13_nt_flush_instruction_cache_link = {\n // ror13_loop:\n C1 CF 0D // ror 
edi, 0xd\n 0F BE C0 // movsx eax, al\n 03 F8 // add edi, eax\n 41 // inc ecx\n 8A 01 // mov al, byte ptr [ecx]\n 84 C0 // test al, al\n 75 ?? // jne ror13_loop\n 81 FF B8 0A 4C 53 // cmp edi, 0x534c0ab8\n 75 ?? // jne continue_loop\n 8B 45 ?? // mov eax, dword ptr [ebp + 0xXX]\n 0F B7 08 // movzx ecx, word ptr [eax]\n 8B 46 ?? // mov eax, dword ptr [esi + 0xXX]\n 8D 04 88 // lea eax, [eax + ecx * 4]\n 8B 04 10 // mov eax, dword ptr [eax + edx]\n 03 C2 // add eax, edx\n 89 45 ?? // mov dword ptr [ebp + 0xXX], eax\n 8B 45 ?? // mov eax, dword ptr [ebp + 0xXX]\n 05 FF FF 00 00 // add eax, 0xffff\n 89 45 ?? // mov dword ptr [ebp + 0xXX], eax\n }\n\n // TODO: inverted logics (16 different patterns)\n $ror13_standard_injection_lookup = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 8E 4E 0E EC | // cmp (eax to edi), 0xec0e4e8e\n 3D 8E 4E 0E EC // cmp eax, 0xec0e4e8e (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) AA FC 0D 7C | // cmp (eax to edi), 0x7c0dfcaa\n 3D AA FC 0D 7C // cmp eax, 0x7c0dfcaa (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 54 CA AF 91 | // cmp (eax to edi), 0x91afca54\n 3D 54 CA AF 91 // cmp eax, 0x91afca54 (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n }\n\n $ror13_loadlibrarya_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 8E 4E 0E EC | // cmp (eax to edi), 0xec0e4e8e\n 3D 8E 4E 0E EC // cmp eax, 0xec0e4e8e (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n 8B (00 | 01 | 02 | 03 | 04 | 05 | 06 | 07) [0-1] // mov eax, dword ptr [eax to edi + optioanl register]\n 03 (C6 | C7) // add eax, (edi or esi)\n 89 45 ?? // mov dword ptr [ebp + 0xXX], eax\n EB ?? // jmp 0xXXX\n }\n\n $ror13_getprocaddress_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) AA FC 0D 7C | // cmp (eax to edi), 0x7c0dfcaa\n 3D AA FC 0D 7C // cmp eax, 0x7c0dfcaa (second encoding)\n )\n\n 75 ?? 
// jne 0xXXX\n 8B (00 | 01 | 02 | 03 | 04 | 05 | 06 | 07) [0-1] // mov eax, dword ptr [eax to edi + optioanl register]\n 03 (C6 | C7) // add eax, (edi or esi)\n 89 45 ?? // mov dword ptr [ebp + 0xXX], eax\n EB ?? // jmp 0xXXX\n }\n\n $ror13_virtualalloc_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 54 CA AF 91 | // cmp (eax to edi), 0x91afca54\n 3D 54 CA AF 91 // cmp eax, 0x91afca54 (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n 8B (00 | 01 | 02 | 03 | 04 | 05 | 06 | 07) [0-1] // mov eax, dword ptr [eax to edi + optioanl register]\n 03 (C6 | C7) // add eax, (edi or esi)\n 89 45 ?? // mov dword ptr [ebp + 0xXX], eax\n EB ?? // jmp 0xXXX\n }\n\n\n $ror13_virtuallock_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) F2 32 F6 0E | // cmp (eax to edi), 0xef632f2\n 3D F2 32 F6 0E // cmp eax, 0xef632f2 (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n 8B (00 | 01 | 02 | 03 | 04 | 05 | 06 | 07) [0-1] // mov eax, dword ptr [eax to edi + optioanl register]\n 03 (C6 | C7) // add eax, (edi or esi)\n 89 45 ?? 
// mov dword ptr [ebp + 0xXX], eax\n }\n\n $exclusion_unchecky = \"Unchecky\" fullword wide\n\n // TODO: More patterns\n\n condition:\n any of them and not 1 of ($exclusion_*)\n}\n", "rule_count": 1, "rule_names": [ "reflective_loader_5c8949b7f037" ], "rule_creation_date": "2021-02-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ReflectiveLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1129", "attack.t1620", "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-reflective_loader_91f36cfd02f6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589114Z", "creation_date": "2026-03-23T11:46:25.589117Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589132Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://medium.com/@s12deff/reflective-dll-injection-e2955cc16a77\nhttps://unprotect.it/technique/reflective-dll-injection/\nhttps://attack.mitre.org/techniques/T1620/" ], "name": "reflective_loader_91f36cfd02f6.yar", "content": "rule 
reflective_loader_91f36cfd02f6 {\n meta:\n title = \"Reflective Loader (91f36cfd02f6)\"\n id = \"c02cfae5-3bb1-477c-acf3-91f36cfd02f6\"\n description = \"Detects payloads performing reflective loading.\\nReflective loading is a technique where malicious payloads are executed directly within the memory of a process, rather than creating a new thread or process backed by a file on disk.\\nThis method is often used to avoid detection and persistence mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://medium.com/@s12deff/reflective-dll-injection-e2955cc16a77\\nhttps://unprotect.it/technique/reflective-dll-injection/\\nhttps://attack.mitre.org/techniques/T1620/\"\n date = \"2025-05-06\"\n modified = \"2026-01-27\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620;attack.t1055.002;attack.execution;attack.t1129\"\n classification = \"Windows.Generic.ReflectiveLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 045741feb3510b3add9695a2c9006cfcd626a6ddfd2d4dd8e119415c4f93de3d\n // 185360ca978e84d47cce8a17a8fd3d78d52c399741fe02f5cf250338a2ad01ca\n\n $stub_homemade_getprocaddress_00 = {\n 48 8B 44 24 60 // mov rax, [rsp+58h+arg_0]\n 48 89 44 24 28 // mov [rsp+58h+var_30], rax\n 48 8B 44 24 28 // mov rax, [rsp+58h+var_30]\n 0F B7 00 // movzx eax, word ptr [rax]\n 3D 4D 5A 00 00 // cmp eax, 5A4Dh\n 74 07 // jz short loc_180004055\n 33 C0 // xor eax, eax\n E9 // jmp loc_1800041F0\n }\n\n $stub_homemade_getprocaddress_01 = {\n 48 8B 44 24 28 // mov rax, [rsp+58h+var_30]\n 48 63 40 3C // movsxd rax, dword ptr [rax+3Ch]\n 48 8B 4C 24 60 // mov rcx, [rsp+58h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 48 89 44 24 30 // mov [rsp+58h+var_28], rax\n 48 8B 44 24 30 // mov rax, [rsp+58h+var_28]\n 81 38 50 45 00 00 // cmp dword ptr 
[rax], 4550h\n 74 07 // jz short loc_180004082\n 33 C0 // xor eax, eax\n E9 // jmp loc_1800041F0\n }\n\n $stub_02 = {\n B8 08 00 00 00 // mov eax, 8\n 48 6B C0 00 // imul rax, 0\n 48 8B 4C 24 30 // mov rcx, [rsp+58h+var_28]\n 48 8B 84 01 88 00 00 00 // mov rax, [rcx+rax+88h]\n 48 89 44 24 20 // mov [rsp+58h+var_38], rax\n 8B 44 24 20 // mov eax, dword ptr [rsp+58h+var_38]\n 48 8B 4C 24 60 // mov rcx, [rsp+58h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 48 89 44 24 18 // mov [rsp+58h+var_40], rax\n 48 8B 44 24 18 // mov rax, [rsp+58h+var_40]\n 8B 40 1C // mov eax, [rax+1Ch]\n 48 8B 4C 24 60 // mov rcx, [rsp+58h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 48 89 44 24 48 // mov [rsp+58h+var_10], rax\n 48 8B 44 24 18 // mov rax, [rsp+58h+var_40]\n 8B 40 20 // mov eax, [rax+20h]\n 48 8B 4C 24 60 // mov rcx, [rsp+58h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 48 89 44 24 38 // mov [rsp+58h+var_20], rax\n 48 8B 44 24 18 // mov rax, [rsp+58h+var_40]\n 8B 40 24 // mov eax, [rax+24h]\n 48 8B 4C 24 60 // mov rcx, [rsp+58h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "reflective_loader_91f36cfd02f6" ], "rule_creation_date": "2025-05-06", "rule_modified_date": "2026-01-27", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ReflectiveLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1129", "attack.t1620", "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-reflective_loader_fd52e21c4483_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", 
"alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586044Z", "creation_date": "2026-03-23T11:46:25.586046Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586052Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/stephenfewer/ReflectiveDLLInjection" ], "name": "reflective_loader_fd52e21c4483.yar", "content": "rule reflective_loader_fd52e21c4483 {\n meta:\n title = \"Reflective Loader (fd52e21c4483)\"\n id = \"84effc75-5bfe-4dd2-b45b-fd52e21c4483\"\n description = \"Detects payloads performing reflective loading.\\nReflective loading is a technique where malicious payloads are executed directly within the memory of a process, rather than creating a new thread or process backed by a file on disk.\\nThis method is often used to avoid detection and persistence mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/stephenfewer/ReflectiveDLLInjection\"\n date = \"2021-02-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620;attack.t1055.002;attack.execution;attack.t1129\"\n classification = \"Windows.Generic.ReflectiveLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $ror13_nt_flush_instruction_cache_link = {\n // ror13_loop:\n C1 CA 0D // ror edx, 0xd\n 0F BE C0 // movsx eax, 
al\n 49 03 CC // add rcx, r12\n 03 D0 // add edx, eax\n 8A 01 // mov al, byte ptr [rcx]\n 84 C0 // test al, al\n 75 ?? // je ror13_loop\n 81 FA B8 0A 4C 53 // cmp edx, 0x534c0ab8 // NTFLUSHINSTRUCTIONCACHE_HASH\n 75 ?? // je continue_loop\n 43 8B 44 03 1C // mov eax, dword ptr [r11 + r8 + 0x1c]\n 41 0F B7 12 // movzx edx, word ptr [r10]\n 66 03 FB // add di, bx\n 49 8D 0C 00 // lea rcx, [r8 + rax]\n 8B 2C 91 // mov ebp, dword ptr [rcx + rdx * 4]\n 49 03 E8 // add rbp, r8\n 48 89 AC 24 88 00 00 00 // mov qword ptr [rsp + 0x88], rbp\n 33 ED // xor ebp, ebp\n }\n\n // TODO: inverted logics (16 different patterns)\n $ror13_standard_injection_lookup = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 8E 4E 0E EC | // cmp (eax to edi), 0xec0e4e8e\n 3D 8E 4E 0E EC // cmp eax, 0xec0e4e8e (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n\n\n [0-1] // Possible prefix for cmp...\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) AA FC 0D 7C | // cmp (eax to edi), 0x7c0dfcaa\n 3D AA FC 0D 7C // cmp eax, 0x7c0dfcaa (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n\n [0-1] // Possible prefix for cmp...\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 54 CA AF 91 | // cmp (eax to edi), 0x91afca54\n 3D 54 CA AF 91 // cmp eax, 0x91afca54 (second encoding)\n )\n\n (74|75) ?? // (je|jne) 0xXX\n }\n\n $ror13_loadlibrarya_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 8E 4E 0E EC | // cmp (eax to edi), 0xec0e4e8e\n 3D 8E 4E 0E EC // cmp eax, 0xec0e4e8e (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n EB ?? // jmp 0xXXX\n }\n\n $ror13_getprocaddress_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) AA FC 0D 7C | // cmp (eax to edi), 0x7c0dfcaa\n 3D AA FC 0D 7C // cmp eax, 0x7c0dfcaa (second encoding)\n )\n\n 75 ?? 
// jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n EB ?? // jmp 0xXXX\n }\n\n $ror13_virtualalloc_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) 54 CA AF 91 | // cmp (eax to edi), 0x91afca54\n 3D 54 CA AF 91 // cmp eax, 0x91afca54 (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n EB ?? // jmp 0xXXX\n }\n\n\n $ror13_virtuallock_hash = {\n (\n 81 (F8 | F9 | FA | FB | FC | FD | FE | FF) F2 32 F6 0E | // cmp (eax to edi), 0xef632f2\n 3D F2 32 F6 0E // cmp eax, 0xef632f2 (second encoding)\n )\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n EB ?? // jmp 0xXXX\n }\n\n\n // Now -O0 variant (saw in Cobalt Strike 4.0)\n\n $ror13_loadlibrarya_hash_O0 = {\n 81 7C 24 ?? 8E 4E 0E EC // cmp dword ptr [rsp + XX], 0xec0e4e8e\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? 
[0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? // jmp 0xXXX (second encoding)\n )\n }\n\n $ror13_getprocaddress_hash_O0 = {\n 81 7C 24 ?? AA FC 0D 7C // cmp dword ptr [rsp + XX], 0x7c0dfcaa\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? [0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? // jmp 0xXXX (second encoding)\n )\n }\n\n $ror13_virtualalloc_hash_O0 = {\n 81 7C 24 ?? 54 CA AF 91 // cmp dword ptr [rsp + XX], 0x91afca54\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? 
[0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? // jmp 0xXXX (second encoding)\n )\n }\n\n $ror13_loadlibraryexa_hash_O0 = {\n 81 7C 24 ?? FC A4 53 07 // cmp dword ptr [rsp + XX], 0x753a4fc\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? [0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? // jmp 0xXXX (second encoding)\n )\n }\n\n $ror13_getmodulehandlea_hash_O0 = {\n 81 7C 24 ?? 04 49 32 D3 // cmp dword ptr [rsp + XX], 0xd3324904\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? 
[0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? // jmp 0xXXX (second encoding)\n )\n }\n\n $ror13_virtual_protect_hash_O0 = {\n 81 7C 24 ?? 1B C6 46 79 // cmp dword ptr [rsp + XX], 0x7946c61b\n\n 75 ?? // jne 0xXXX\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n 8B ?? // mov register X, dword ptr [register Y]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for add\n (01|03) ?? // add register X, register Y\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? // mov register X, dword ptr [register Y + register Z * I]\n\n [0-1] // Optional REX prefix for mov\n 8B ?? ?? [0-1] // mov register X, dword ptr [register Y + optional I]\n\n [0-1] // Optional REX prefix for mov\n // NOTE: We ignore one more byte that is useless but still a valid encoding.\n 89 ?? ?? [0-1] // mov dword ptr [register X], register Y\n\n (\n EB ?? | // jmp 0xXXX\n E9 ?? ?? ?? ?? 
// jmp 0xXXX (second encoding)\n )\n }\n\n $exclusion_unchecky = \"Unchecky\" fullword wide\n\n // NEP2.dll Game Engine Protector\n // 9716148baf2a1bdf3ec32a139edd26507ff1a8bd714fa4a70ff3f8bce4611762\n $exclusion_nep2_1 = \"NEP_StartScan\" ascii fullword\n $exclusion_nep2_2 = \"NEP2.dll\" ascii fullword\n $exclusion_nep2_3 = \"\\\\\\\\.\\\\NEPKernel\" wide fullword\n $exclusion_nep2_4 = \"StartEngineProtect\" wide fullword\n $exclusion_nep2_5 = \"nepgameengineprotector\" wide\n\n condition:\n any of ($ror13_*) and not $exclusion_unchecky and not all of ($exclusion_nep2_*)\n}\n", "rule_count": 1, "rule_names": [ "reflective_loader_fd52e21c4483" ], "rule_creation_date": "2021-02-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ReflectiveLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1129", "attack.t1620", "attack.t1055.002" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-remcom_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571225Z", "creation_date": "2026-03-23T11:46:25.571227Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.571233Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://talhatariq.wordpress.com/2006/04/14/the-open-source-psexec/\nhttps://github.com/kavika13/RemCom\nhttps://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/remcomsvc.py" ], "name": "remcom.yar", "content": "import \"pe\"\n\nrule remcom {\n meta:\n title = \"RemComSvc\"\n id = \"aa6baaee-ac24-4e9e-8ffa-686732a7224d\"\n description = \"Detects RemComSvc, a remote management service commonly associated with PSEXEC functionality.\\nRemComSvc is a component often utilized for remote execution and lateral movement within a system.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate in your infrastructure.\"\n references = \"https://talhatariq.wordpress.com/2006/04/14/the-open-source-psexec/\\nhttps://github.com/kavika13/RemCom\\nhttps://github.com/SecureAuthCorp/impacket/blob/master/impacket/examples/remcomsvc.py\"\n date = \"2021-05-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.lateral_movement;attack.t1021.002;attack.t1570;attack.execution;attack.t1569.002\"\n classification = \"Windows.Tool.RemCom\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n $s1 = \"RemComSvc\" ascii wide fullword\n $s2 = \"\\\\\\\\.\\\\pipe\\\\RemCom_communicaton\" ascii wide fullword\n\n // Exclusion for ADSelfService Plus\n // https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-remcomsvc-exe-is-detected-as-a-threat\n $e1 = \"cmd.exe /q /c \\\"%s\\\"\" ascii wide fullword\n $e2 = \"D:\\\\task\\\\remcom_code\\\\rmp\\\\remcom_1_2\\\\RemComSvc\\\\Release\\\\RemComSvc.pdb\" ascii fullword\n $e3 = \"RemComSvc Invoked for UEMS Agent Installation\" ascii fullword\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 
500KB and all of ($s*)\n and not\n (\n (\n // 7f8e465edd27cdcd1d28292c35440d745b8bd528e21d6f56eb683b65d922eaed\n 2 of ($e*) and\n filepath == \"C:\\\\Windows\\\\RemComSvc.exe\"\n )\n or\n (\n // 850a3b0da11557a3ff567efdb4452161419b0fbb8bd4aa18fc4dc79990a3aeb5\n 2 of ($e*) and\n pe.number_of_signatures == 1 and\n pe.signatures[0].subject == \"/C=IN/ST=Tamil Nadu/L=Chennai/O=ZOHO Corporation Private Limited/CN=ZOHO Corporation Private Limited\" and\n filepath == \"C:\\\\Windows\\\\SysWOW64\\\\RemComSvc.exe\"\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "remcom" ], "rule_creation_date": "2021-05-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.RemCom" ], "rule_tactic_tags": [ "attack.execution", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1021.002", "attack.t1569.002", "attack.t1570" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-remcos_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568759Z", "creation_date": "2026-03-23T11:46:25.568783Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568789Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\nhttps://cyble.com/blog/threat-actor-employs-powershell-backed-steganography-in-recent-spam-campaigns/" ], "name": "remcos.yar", "content": "rule remcos {\n meta:\n title = \"Remcos Rat\"\n id = \"0c692d20-ad86-4637-9844-6a83c8df311b\"\n description = \"Detects Remcos (Remote Control & Surveillance Software), a commercial Remote Access Tool (RAT) used to remotely control computers.\\nRemcos has been widely used in malicious campaigns by threat actors and is often linked to phishing attacks.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\\nhttps://cyble.com/blog/threat-actor-employs-powershell-backed-steganography-in-recent-spam-campaigns/\"\n date = \"2023-09-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.defense_evasion;attack.t1548.002;attack.collection;attack.credential_access;attack.t1056.001;attack.command_and_control;attack.t1573.001\"\n classification = \"Windows.Trojan.Remcos\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 453864da0004d5541e43217b9e87a1794d3ca2d5beaaff01646b6574bdfddfe0\n\n $s1 = \"Remcos Agent initialized\" ascii fullword\n $s2 = \"Remcos restarted by watchdog!\" ascii fullword\n $s3 = \"[+] ucmCMLuaUtilShellExecMethod\" ascii fullword\n $s4 = \"Keylogger initialization failure: error\" ascii fullword\n $s5 = \"[Chrome Cookies found, cleared!]\" ascii fullword\n\n condition:\n 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "remcos" ], "rule_creation_date": "2023-09-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Remcos" ], "rule_tactic_tags": [ "attack.collection", 
"attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1056.001", "attack.t1548.002", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rentdrv2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581599Z", "creation_date": "2026-03-23T11:46:25.581601Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581606Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BlackSnufkin/GhostDriver/\nhttps://github.com/keowu/BadRentdrv2/\nhttps://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "rentdrv2.yar", "content": "rule ghostdriver_badrentdrv2_killer {\n meta:\n title = \"GhostDriver and BadRentdrv2 HackTools\"\n id = \"4d095aee-5c41-499d-b9ee-e5ee612e2793\"\n description = \"Detects the GhostDriver and BadRentdrv2 hacktools.\\nGhostDriver and BadRentdrv2 load the rentdrv2.sys vulnerable driver and use it to terminate protected processes.\\nIt is recommended to investigate the 
process responsible for the execution of these tools and to isolate infected systems.\"\n references = \"https://github.com/BlackSnufkin/GhostDriver/\\nhttps://github.com/keowu/BadRentdrv2/\\nhttps://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-05\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.BadRentdrv2\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a1bd6ea04a84446697ef2a75f0752345e8977bd82e09eedc647f2abd70d41651\n // a9e588c596095ac27e5244541c0e20ff4e483b838f0e57859dac1a6a84aeff59\n\n $device = \"\\\\\\\\.\\\\rentdrv2\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"OpenSCManager\" wide ascii\n $winapi_04 = \"OpenService\" wide ascii\n $winapi_05 = \"StartService\" wide ascii\n $winapi_06 = \"CreateService\" wide ascii\n $ioctl_kill = { (22 E0 10|10 E0 22) }\n\n condition:\n all of them\n\n}\n", "rule_count": 1, "rule_names": [ "ghostdriver_badrentdrv2_killer" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-05", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.BadRentdrv2" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-resocks_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571256Z", "creation_date": "2026-03-23T11:46:25.571258Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571264Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/RedTeamPentesting/resocks" ], "name": "resocks.yar", "content": "rule resocks {\n meta:\n title = \"Resocks Tool\"\n id = \"5ab1a56f-96e9-4f22-bee9-a5584ce995b9\"\n description = \"Detects Resocks, a reverse/back-connect SOCKS5 proxy tunnel that can be used to route traffic through a system that can't be directly accessed (e.g. 
due to NAT).\\nIt allows establishing a connection from a restricted environment to an external server, enabling lateral movement and communication.\\nIt is recommended to investigate the execution context as well as surrounding detections to determine whether the usage of this tool is legitimate.\"\n references = \"https://github.com/RedTeamPentesting/resocks\"\n date = \"2023-06-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1572\"\n classification = \"Windows.Tool.Resocks\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 23442ac9a69f05a58743b59cef324f9658dc2181f448eb03bb2a910d88ac930f\n\n $repo = \"github.com/RedTeamPentesting/resocks\" ascii\n\n $s1 = \"crypto/tls.(*clientHelloMsg).marshal.func\" ascii\n $s2 = \"proxyrelay.RunRelayWithEventCallback.func1\" ascii\n $s3 = \"/kbtls.ClientTLSConfigForClientName\" ascii\n $s4 = \"Configures a static connection key instead of generating a key (default can be set\" ascii\n $s5 = \"AnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCertcipher\" ascii\n\n condition:\n uint16(0) == 0x5a4d and ($repo or 4 of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "resocks" ], "rule_creation_date": "2023-06-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Resocks" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1572", "attack.t1071.001" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-revengerat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568728Z", "creation_date": "2026-03-23T11:46:25.568730Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568736Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat\nhttps://attack.mitre.org/software/S0379/" ], "name": "revengerat.yar", "content": "rule revenge_rat {\n meta:\n title = \"Revenge RAT\"\n id = \"adbebeba-f042-4277-9835-c04603e42747\"\n description = \"Detects Revenge RAT, a freely available remote access tool written in .NET.\\nRevenge RAT is a remote access tool that provides attackers with remote control capabilities over a compromised system. 
It is known to gather system information, maintain persistence, and perform remote execution of commands.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat\\nhttps://attack.mitre.org/software/S0379/\"\n date = \"2024-06-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0379;attack.discovery;attack.t1082;attack.command_and_control;attack.t1132.001;attack.t1105;attack.t1102.002\"\n classification = \"Windows.Trojan.RevengeRAT\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 340f4a7db0024413428f3663d06af5d5b430a2dadc8931a8b6c75b650e951f69\n // 011d513517baf505a49e5f051b18d5dcb0f8a2c9a53c778a2ffffab931572b97\n // 17a97f5698f2f19b4b43dc985193f734f8146c83d73daf853df9506f58b696b3\n // f89e0e38e38cd6df4720703d2b8b3d2217b25a60e845ec6bbd4a4a45919babb7\n\n $lime1 = \"Lime.Connection\" ascii fullword\n $lime2 = \"IdGenerator\" ascii fullword\n $lime4 = \"Lime.Helper\" ascii fullword\n $lime3 = \"EXECUTION_STATE\" ascii fullword\n $lime5 = \"Lime.NativeMethods\" ascii fullword\n $lime6 = \"PacketHandler\" ascii fullword\n\n $a1 = \"keepAlivePing!\" wide fullword\n $a2 = \"Select * from AntiVirusProduct\" wide fullword\n $a3 = \"SELECT * FROM FirewallProduct\" wide fullword\n $a4 = \"select * from Win32_Processor\" wide fullword\n $a5 = \"HKEY_LOCAL_MACHINE\\\\HARDWARE\\\\DESCRIPTION\\\\SYSTEM\\\\CENTRALPROCESSOR\\\\0\" wide fullword\n\n $b1 = \"PreventSleep\" ascii fullword\n $b2 = \"SendInfo\" ascii fullword\n $b3 = \"GetHardDiskSerialNumber\" ascii fullword\n $b4 = \"GetCamera\" ascii fullword\n $b5 = \"ES_DISPLAY_REQUIRED\" ascii fullword\n $b6 = \"StringBuilder\" ascii fullword\n $b7 = \"capGetDriverDescriptionA\" ascii fullword\n\n $rat = \"Revenge-RAT\" wide fullword\n\n condition:\n 5 of ($lime*) or\n all of 
($a*) or\n all of ($b*) or\n ($rat and (3 of ($lime*) or 3 of ($a*) or 3 of ($b*)))\n}\n", "rule_count": 1, "rule_names": [ "revenge_rat" ], "rule_creation_date": "2024-06-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.RevengeRAT" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.discovery" ], "rule_technique_tags": [ "attack.t1132.001", "attack.t1102.002", "attack.t1105", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-reverse_api_name_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563745Z", "creation_date": "2026-03-23T11:46:25.563747Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563753Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "Internal research" ], "name": "reverse_api_name.yar", "content": "rule reversed_api_name {\n meta:\n title = \"Reversed Windows API Name\"\n id = \"dff40640-c158-4479-a2ab-4f0604717ed8\"\n description = \"Detects reversed Windows API/DLL names used by malware.\\nMalware developers often reverse API/DLL names to bypass static analysis by 
antivirus/EDR solutions.\\nThese reversed names are restored in memory when needed to call functions like GetProcAddress or LoadLibrary.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"Internal research\"\n date = \"2024-07-09\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.t1027.013;attack.t1027.007\"\n classification = \"Windows.Generic.ReversedAPINameWide\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // Detection for these samples:\n // ad408fa674752071e462d0793a8694e8800d91d18a0aba17a8c2ad6e5e75\n // d9b12f2e4b080fabbdb4149d7f75b09d643ce1b9a9e2a3df79d7328aa423\n // 839018975d80565f9835e0515621052ecacd0e34cc67bb5a0fa006418106\n\n $s_function_0 = \"23eludoM\" ascii wide\n $s_function_1 = \"AegasseMhctapsiD\" ascii wide\n $s_function_2 = \"AegasseMteG\" ascii wide\n $s_function_3 = \"AelbairaVtnemnorivnEteS\" ascii wide\n $s_function_4 = \"AemaNretupmoCteG\" ascii wide\n $s_function_5 = \"AgnirtSoTyraniBtpyrC\" ascii wide\n $s_function_6 = \"AmunEnepOteNW\" ascii wide\n $s_function_7 = \"Anelrtsl\" ascii wide\n $s_function_8 = \"AnepOtenretnI\" ascii wide\n $s_function_9 = \"AnoitamrofnIemuloVteG\" ascii wide\n $s_function_10 = \"AsetubirttAeliFteG\" ascii wide\n $s_function_11 = \"ataDdraobpilCteG\" ascii wide\n $s_function_12 = \"ataDdraobpilCteS\" ascii wide\n $s_function_13 = \"ataDtupnIwaRteG\" ascii wide\n $s_function_14 = \"AtcennoCtenretnI\" ascii wide\n $s_function_15 = \"AtseuqeRdnEpttH\" ascii wide\n $s_function_16 = \"AtseuqeRnepOpttH\" ascii wide\n $s_function_17 = \"AxEtseuqeRdneSpttH\" ascii wide\n $s_function_18 = \"AyraniBoTgnirtStpyrC\" ascii wide\n $s_function_19 = \"cexEniW\" ascii wide\n $s_function_20 = \"collAeRpaeH\" ascii wide\n $s_function_21 = \"collAlabolG\" ascii wide\n $s_function_22 = \"collAlacoL\" ascii 
wide\n $s_function_23 = \"collAlautriV\" ascii wide\n $s_function_24 = \"collApaeH\" ascii wide\n $s_function_25 = \"corPwodniWllaC\" ascii wide\n $s_function_26 = \"cpAeueuQtresnIeK\" ascii wide\n $s_function_27 = \"CPAresUeueuQ\" ascii wide\n $s_function_28 = \"daerhTcpAeueuQ\" ascii wide\n $s_function_29 = \"daerhTdnepsuS\" ascii wide\n $s_function_30 = \"daerhTemuseR\" ascii wide\n $s_function_31 = \"daerhTetaerC\" ascii wide\n $s_function_32 = \"daerhTetanimreT\" ascii wide\n $s_function_33 = \"daerhTetomeRetaerC\" ascii wide\n $s_function_34 = \"daerhTnepO\" ascii wide\n $s_function_35 = \"daerhTnoitamrofnIteS\" ascii wide\n $s_function_36 = \"daerhTteG\" ascii wide\n $s_function_37 = \"daerhTteS\" ascii wide\n $s_function_38 = \"daerhTtxetnoCteS\" ascii wide\n $s_function_39 = \"daoLgeR\" ascii wide\n $s_function_40 = \"daolnwoDLRU\" ascii wide\n $s_function_41 = \"draobpilCnepO\" ascii wide\n $s_function_42 = \"ecivreSetaerC\" ascii wide\n $s_function_43 = \"ecivreSeteleD\" ascii wide\n $s_function_44 = \"ecivreSlortnoC\" ascii wide\n $s_function_45 = \"ecivreSnepO\" ascii wide\n $s_function_46 = \"ecivreStratS\" ascii wide\n $s_function_47 = \"ecruoseRdaoL\" ascii wide\n $s_function_48 = \"ecruoseRdniF\" ascii wide\n $s_function_49 = \"ecruoseRfOeziS\" ascii wide\n $s_function_50 = \"ecruoseRkcoL\" ascii wide\n $s_function_51 = \"ecruoseRmunEteNW\" ascii wide\n $s_function_52 = \"edoMrorrEteS\" ascii wide\n $s_function_53 = \"eerFpaeH\" ascii wide\n $s_function_54 = \"egasseMdaerhTtsoP\" ascii wide\n $s_function_55 = \"egasseMdneS\" ascii wide\n $s_function_56 = \"egasseMetalsnarT\" ascii wide\n $s_function_57 = \"egasseMkeeP\" ascii wide\n $s_function_58 = \"egasseMtsoP\" ascii wide\n $s_function_59 = \"egasseMyfitoNdneS\" ascii wide\n $s_function_60 = \"elbaliavAataDyreuQtenretnI\" ascii wide\n $s_function_61 = \"elbaTteNpIteG\" ascii wide\n $s_function_62 = \"eldnaHesolC\" ascii wide\n $s_function_63 = \"eldnaHesolCtenretnI\" ascii wide\n $s_function_64 
= \"eliFdaeR\" ascii wide\n $s_function_65 = \"eliFdaeRtenretnI\" ascii wide\n $s_function_66 = \"eliFetaerC\" ascii wide\n $s_function_67 = \"eliFeteleD\" ascii wide\n $s_function_68 = \"eliFetirW\" ascii wide\n $s_function_69 = \"eliFetirWtenretnI\" ascii wide\n $s_function_70 = \"eliFevoM\" ascii wide\n $s_function_71 = \"eliFfOweiVpaM\" ascii wide\n $s_function_72 = \"eliFfOweiVpamnU\" ascii wide\n $s_function_73 = \"eliFteS\" ascii wide\n $s_function_74 = \"eliFtuPptF\" ascii wide\n $s_function_75 = \"eludoMteG\" ascii wide\n $s_function_76 = \"emaNresUteG\" ascii wide\n $s_function_77 = \"emaNretupmoCteG\" ascii wide\n $s_function_78 = \"emaNtnuoccApukooL\" ascii wide\n $s_function_79 = \"emantsohteG\" ascii wide\n $s_function_80 = \"emanybtsohteG\" ascii wide\n $s_function_81 = \"emiTteGemiT\" ascii wide\n $s_function_82 = \"epiPdemaNkeeP\" ascii wide\n $s_function_83 = \"epiPdemaNtcennoC\" ascii wide\n $s_function_84 = \"epiPetaerC\" ascii wide\n $s_function_85 = \"epyTevirDteG\" ascii wide\n $s_function_86 = \"erahSteN\" ascii wide\n $s_function_87 = \"esolCdniF\" ascii wide\n $s_function_88 = \"etaerCpaeH\" ascii wide\n $s_function_89 = \"etatSdetcennoCteGtenretnI\" ascii wide\n $s_function_90 = \"etatSdraobyeKteG\" ascii wide\n $s_function_91 = \"etatSyeKcnysAteG\" ascii wide\n $s_function_92 = \"etatSyeKteG\" ascii wide\n $s_function_93 = \"eteleDgeR\" ascii wide\n $s_function_94 = \"etucexEllehS\" ascii wide\n $s_function_95 = \"eulaVegelivirPpukooL\" ascii wide\n $s_function_96 = \"eulaVmunEgeR\" ascii wide\n $s_function_97 = \"eulaVtnemnorivnEmetsySteS\" ascii wide\n $s_function_98 = \"eulaVtnemnorivnEmetsySyreuQ\" ascii wide\n $s_function_99 = \"evaSgeR\" ascii wide\n $s_function_100 = \"ftnirpwns_\" ascii wide\n $s_function_101 = \"gnippaMeliFnepO\" ascii wide\n $s_function_102 = \"gnirtSgubeDtuptuO\" ascii wide\n $s_function_103 = \"gnirtSmorFdiuU\" ascii wide\n $s_function_104 = \"htaPhcraeS\" ascii wide\n $s_function_105 = \"kooHswodniWkoohnU\" 
ascii wide\n $s_function_106 = \"kooHtnevEniWteS\" ascii wide\n $s_function_107 = \"lacigoLteG\" ascii wide\n $s_function_108 = \"lacitirCsIssecorPteSltR\" ascii wide\n $s_function_109 = \"llDdaoLrdL\" ascii wide\n $s_function_110 = \"lortnoCoIeciveD\" ascii wide\n $s_function_111 = \"ltcoIASW\" ascii wide\n $s_function_112 = \"maraPyeKteStpyrC\" ascii wide\n $s_function_113 = \"metsySnwodtuhS\" ascii wide\n $s_function_114 = \"metsySteG\" ascii wide\n $s_function_115 = \"modnaRneGtpyrC\" ascii wide\n $s_function_116 = \"munEesolCteNW\" ascii wide\n $s_function_117 = \"nekoTetacilpuD\" ascii wide\n $s_function_118 = \"nekoTsegelivirPtsujdA\" ascii wide\n $s_function_119 = \"nepOgeR\" ascii wide\n $s_function_120 = \"nepOLRU\" ascii wide\n $s_function_121 = \"noisreVteG\" ascii wide\n $s_function_122 = \"noisreVteGltR\" ascii wide\n $s_function_123 = \"noitcennoCddAteNW\" ascii wide\n $s_function_124 = \"noitceSetaerC\" ascii wide\n $s_function_125 = \"noitceSfOweiVpaM\" ascii wide\n $s_function_126 = \"noitceSfOweiVpamnU\" ascii wide\n $s_function_127 = \"noitucexEyaleD\" ascii wide\n $s_function_128 = \"nS23plehlooTetaerC\" ascii wide\n $s_function_129 = \"ofnImetsySevitaNteG\" ascii wide\n $s_function_130 = \"ohcEdneSpmcI\" ascii wide\n $s_function_131 = \"paeHetaerCltR\" ascii wide\n $s_function_132 = \"paeHssecorPteG\" ascii wide\n $s_function_133 = \"pmeTteG\" ascii wide\n $s_function_134 = \"porPteS\" ascii wide\n $s_function_135 = \"punaelCASW\" ascii wide\n $s_function_136 = \"putratSASW\" ascii wide\n $s_function_137 = \"rdda_tenI\" ascii wide\n $s_function_138 = \"reganaMCSnepO\" ascii wide\n $s_function_139 = \"remiTelbatiaWetaerC\" ascii wide\n $s_function_140 = \"remiTelbatiaWteS\" ascii wide\n $s_function_141 = \"remiTeueuQremiTetaerC\" ascii wide\n $s_function_142 = \"remiTteS\" ascii wide\n $s_function_143 = \"resUnOdeggoLetanosrepmI\" ascii wide\n $s_function_144 = \"retnuoCecnamrofrePyreuQ\" ascii wide\n $s_function_145 = \"rorrEtsaLteG\" ascii 
wide\n $s_function_146 = \"seciveDtupnIwaRretsigeR\" ascii wide\n $s_function_147 = \"segelivirPnekoTtsujdA\" ascii wide\n $s_function_148 = \"selacoLmetsySmunE\" ascii wide\n $s_function_149 = \"sepyTecruoseRmunE\" ascii wide\n $s_function_150 = \"sredaeHtseuqeRddApttH\" ascii wide\n $s_function_151 = \"srevirDeciveDmunE\" ascii wide\n $s_function_152 = \"ssecorPdnepsuS\" ascii wide\n $s_function_153 = \"ssecorPemuseR\" ascii wide\n $s_function_154 = \"ssecorPetaerC\" ascii wide\n $s_function_155 = \"ssecorPetanimreT\" ascii wide\n $s_function_156 = \"ssecorPmunE\" ascii wide\n $s_function_157 = \"ssecorPnepO\" ascii wide\n $s_function_158 = \"ssecorPnoitamrofnIteS\" ascii wide\n $s_function_159 = \"ssecorPnoitamrofnIyreuQ\" ascii wide\n $s_function_160 = \"ssecorPresUetaerC\" ascii wide\n $s_function_161 = \"ssecorPteG\" ascii wide\n $s_function_162 = \"sserddAcorPteG\" ascii wide\n $s_function_163 = \"stcejbOelpitluMroFtiaW\" ascii wide\n $s_function_164 = \"stsixEeliFhtaP\" ascii wide\n $s_function_165 = \"swodniWmunE\" ascii wide\n $s_function_166 = \"swodniWpotkseDmunE\" ascii wide\n $s_function_167 = \"tcejbOelgniSroFtiaW\" ascii wide\n $s_function_168 = \"tcennoC\" ascii wide\n $s_function_169 = \"tcetorPlautriV\" ascii wide\n $s_function_172 = \"tekcoSASW\" ascii wide\n $s_function_173 = \"tekcosltcoi\" ascii wide\n $s_function_174 = \"tenretnI\" ascii wide\n $s_function_176 = \"tlBhctertS\" ascii wide\n $s_function_177 = \"tneserPreggubeDetomeRkcehC\" ascii wide\n $s_function_178 = \"tneserPreggubeDsI\" ascii wide\n $s_function_179 = \"tnevEteSemit\" ascii wide\n $s_function_180 = \"tnuoCkciTteG\" ascii wide\n $s_function_181 = \"tohspanS23plehlooTetaerC\" ascii wide\n $s_function_182 = \"tseuqeRdneSpttH\" ascii wide\n $s_function_183 = \"tseuqeRnepOpttH\" ascii wide\n $s_function_184 = \"tsriF23daerhT\" ascii wide\n $s_function_185 = \"tsriF23ssecorP\" ascii wide\n $s_function_186 = \"tsriFdniF\" ascii wide\n $s_function_187 = \"txeN23daerhT\" ascii 
wide\n $s_function_188 = \"txeN23ssecorP\" ascii wide\n $s_function_189 = \"txeNdniF\" ascii wide\n $s_function_190 = \"txetnoCdaerhTteS\" ascii wide\n $s_function_191 = \"txetnoCeriuqcAtpyrC\" ascii wide\n $s_function_192 = \"WeliFetaerC\" ascii wide\n $s_function_193 = \"WeliFeteleD\" ascii wide\n $s_function_194 = \"WemaNeliFeludoMteG\" ascii wide\n $s_function_195 = \"WhtaPpmeTteG\" ascii wide\n $s_function_196 = \"WhtaPredloFteGHS\" ascii wide\n $s_function_197 = \"Wnelrtsl\" ascii wide\n $s_function_198 = \"wodniWdniF\" ascii wide\n $s_function_199 = \"wodniWdnuorgeroFteG\" ascii wide\n $s_function_200 = \"wodniWdnuorgeroFteS\" ascii wide\n $s_function_201 = \"wodniWteG\" ascii wide\n $s_function_202 = \"wodniWteS\" ascii wide\n $s_function_203 = \"WssecorPetaerC\" ascii wide\n $s_function_204 = \"WtsriF23ssecorP\" ascii wide\n $s_function_205 = \"WtxeN23ssecorP\" ascii wide\n $s_function_206 = \"WxEemaNeliFeludoMteG\" ascii wide\n $s_function_207 = \"xEkooHtxeNllaC\" ascii wide\n $s_function_208 = \"xetuMetaerC\" ascii wide\n $s_function_209 = \"xEyreuQlautriV\" ascii wide\n $s_function_210 = \"yciloPPEDssecorPteS\" ascii wide\n $s_function_211 = \"ycneuqerFecnamrofrePyreuQ\" ascii wide\n $s_function_212 = \"yeKdaoLnUgeR\" ascii wide\n $s_function_213 = \"yeKecalpeRgeR\" ascii wide\n $s_function_214 = \"yeKerotseRgeR\" ascii wide\n $s_function_215 = \"yeKetaerCgeR\" ascii wide\n $s_function_216 = \"yeKeteleD\" ascii wide\n $s_function_217 = \"yeKeulaVeteleD\" ascii wide\n $s_function_218 = \"yeKeulaVteS\" ascii wide\n $s_function_219 = \"yeKfederPedirrevOgeR\" ascii wide\n $s_function_220 = \"yeKlautriVpaM\" ascii wide\n $s_function_221 = \"yeKmunEgeR\" ascii wide\n $s_function_222 = \"yeKtoHretsigeR\" ascii wide\n $s_function_223 = \"yortseDtpyrC\" ascii wide\n $s_function_224 = \"yrarbiLdaoL\" ascii wide\n $s_function_225 = \"yreuQgeR\" ascii wide\n $s_function_226 = \"yromeMevoMltR\" ascii wide\n $s_function_227 = \"yromeMlautriVdaeR\" ascii wide\n 
$s_function_228 = \"yromeMlautriVetacollA\" ascii wide\n $s_function_229 = \"yromeMlautriVetirW\" ascii wide\n $s_function_230 = \"yromeMlautriVtcetorP\" ascii wide\n $s_function_231 = \"yromeMssecorPdaeR\" ascii wide\n $s_function_232 = \"yromeMssecorPetirW\" ascii wide\n $s_function_233 = \"yromeMypoCltR\" ascii wide\n $s_function_234 = \"yrotceriDtnerruCteS\" ascii wide\n $s_function_235 = \"yrtsigeRtcennoCgeR\" ascii wide\n $s_function236 = \"lld.teniniw\" ascii wide\n $s_function237 = \"lld.23lenrek\" ascii wide\n $s_function238 = \"lld.trcvsm\" ascii wide\n $s_function239 = \"lld.23tpyrc\" ascii wide\n $s_function240 = \"lld.23ipavda\" ascii wide\n $s_function241 = \"lld.23llehs\" ascii wide\n $s_function242 = \"lld.ipawlhs\" ascii wide\n $s_function243 = \"lld.23resu\" ascii wide\n $s_function244 = \"lld.ipasp\" ascii wide\n $s_exclude00 = \"AitStatic.exe\" ascii wide nocase\n $s_exclude01 = \"AitStatic.pdb\" ascii wide nocase\n\n // C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfswp.exe\n // 89a6e36915d2433bcf1dbc76eb7c411cf173bef7b0a544524249feeb35ce5db9\n $s_exclude02 = \"Kaspersky Anti-Virus worker process\" wide\n $s_exclude03 = \"https://activation-test.kaspersky-labs.com/activate\" ascii\n\n condition:\n not 1 of ($s_exclude*)\n and 5 of ($s_function*)\n}\n", "rule_count": 1, "rule_names": [ "reversed_api_name" ], "rule_creation_date": "2024-07-09", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ReversedAPINameWide" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.013", "attack.t1027.007", "attack.t1027" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-revsocks_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", 
"effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577040Z", "creation_date": "2026-03-23T11:46:25.577042Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577047Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/kost/revsocks\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a\nhttps://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/?hl=en" ], "name": "revsocks.yar", "content": "rule revsocks {\n meta:\n title = \"Revsocks HackTool\"\n id = \"13cde9d6-e3b1-499f-9644-e3c2af600f2c\"\n description = \"Detects Revsocks HackTool.\\nRevsocks is a Golang-based reverse socks5 tunneler with SSL/TLS and proxy support, used to proxy network traffic and bypass firewall restrictions.\\nIt is recommended to verify if the usage of this tool is legitimate.\"\n references = \"https://github.com/kost/revsocks\\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a\\nhttps://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/?hl=en\"\n date = \"2025-01-29\"\n modified = \"2025-05-09\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1090;attack.t1573.001;attack.t1571\"\n classification = \"HackTool.Revsocks\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n 
confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 04b922157b6f2a91753cae038a716eb3291f308067feaee27de0e3731feb5754\n // 6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15\n\n $s1 = \"github.com/kost/revsocks\" ascii\n $s2 = \"Start on the client: revsocks -listen\" ascii\n $s3 = \"[%s] Error creating client in yamux for %s: %v\" ascii\n $s4 = \"[%s] Got Client from %s\" ascii\n $s5 = \"[%s] Starting to copy conn to stream for %s\" ascii\n\n $f1 = \"main.connectviaproxy\" ascii fullword\n $f2 = \"main.connectForSocks\" ascii fullword\n $f3 = \"main.DnsConnectSocks\" ascii fullword\n $f4 = \"main.listenForAgents\" ascii fullword\n $f5 = \"main.listenForClients\" ascii fullword\n\n condition:\n 2 of ($s*) and 2 of ($f*)\n}\n", "rule_count": 1, "rule_names": [ "revsocks" ], "rule_creation_date": "2025-01-29", "rule_modified_date": "2025-05-09", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.Revsocks" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1090", "attack.t1573.001", "attack.t1571" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rhadhamanthys_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568386Z", "creation_date": 
"2026-03-23T11:46:25.568388Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568394Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys\nhttps://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/" ], "name": "rhadhamanthys.yar", "content": "rule rhadhamanthys {\n meta:\n title = \"Rhadhamanthys Stealer\"\n id = \"aec90a67-022c-4e29-871c-55b363d0368d\"\n description = \"Detects Rhadhamanthys Stealer.\\nRhadhamanthys is a malicious information stealer primarily distributed through malicious Google advertisements. It injects its core component into a sacrificial process to evade detection by process-based defenses.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys\\nhttps://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\"\n date = \"2024-03-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055;attack.discovery;attack.t1082;attack.credential_access;attack.t1539;attack.t1555\"\n classification = \"Windows.Stealer.Rhadhamanthys\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ee4a487e78f23f5dffc35e73aeb9602514ebd885eb97460dd26635f67847bd16\n\n $s1 = \"/bin/KeePassHax.dll\" ascii fullword\n $s2 = \"cf66fb58f5ca3485\" ascii fullword\n $s3 = \"8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D\" ascii fullword\n $s4 = \"%Systemroot%\\\\system32\\\\rundll32.exe\" wide fullword\n $s5 = \"LUA://DecHdAutoAp\" wide fullword\n $s6 = \"hdokiejnpimakedhajhdlcegeplioahd\" wide fullword\n $s7 = 
\"\\\\\\\\.\\\\pipe\\\\{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\" wide fullword\n\n $b1 = \"Sleipnir5\" ascii fullword\n $b2 = \"PaleMoon\" ascii fullword\n $b3 = \"CocCoc\" ascii fullword\n\n $x1 = {\n 41 0F B6 40 FF // movzx eax, byte ptr [r8-1]\n 41 0F B6 50 FE // movzx edx, byte ptr [r8-2]\n C1 E2 08 // shl edx, 8\n 0B D0 // or edx, eax\n 41 0F B6 00 // movzx eax, byte ptr [r8]\n 49 83 E8 04 // sub r8, 4\n C1 E2 08 // shl edx, 8\n 0B D0 // or edx, eax\n 41 0F B6 40 05 // movzx eax, byte ptr [r8+5]\n C1 E2 08 // shl edx, 8\n 0B D0 // or edx, eax\n 89 11 // mov [rcx], edx\n 48 83 C1 04 // add rcx, 4\n 49 83 E9 01 // sub r9, 1\n 75 CE // jnz short loc_4D78A\n }\n\n $x2 = {\n 46 BB FF 00 00 00 // mov ebx, 0FFh\n 23 F3 // and esi, ebx\n 0F B6 44 31 08 // movzx eax, byte ptr [rcx+rsi+8]\n 03 F8 // add edi, eax\n 23 FB // and edi, ebx\n 0F B6 5C 39 08 // movzx ebx, byte ptr [rcx+rdi+8]\n 88 5C 31 08 // mov [rcx+rsi+8], bl\n 88 44 39 08 // mov [rcx+rdi+8], al\n 02 C3 // add al, bl\n 8B 5D 08 // mov ebx, [rbp+8]\n 0F B6 C0 // movzx eax, al\n 8A 44 08 08 // mov al, [rax+rcx+8]\n 32 04 13 // xor al, [rbx+rdx]\n 88 02 // mov [rdx], al\n 42 FF 4D 14 // dec [rbp+arg_4]\n 75 CB // jnz short loc_E781\n }\n\n condition:\n (5 of ($s*) and 2 of ($b*)) or\n (1 of ($s*) and 1 of ($b*) and 1 of ($x*))\n}\n", "rule_count": 1, "rule_names": [ "rhadhamanthys" ], "rule_creation_date": "2024-03-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Rhadhamanthys" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.discovery", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1055", "attack.t1555", "attack.t1539", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-robotdropper_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572750Z", "creation_date": "2026-03-23T11:46:25.572752Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572758Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers\nhttps://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4" ], "name": "robotdropper.yar", "content": "rule robotdropper {\n meta:\n title = \"RobotDropper Loader\"\n id = \"318691bd-9f7d-4fde-8e81-b08419da48e3\"\n description = \"Detects the RobotDropper malware, a defense evasion-focused loader.\\nRobotDropper primarily employs DLL sideloading and process hollowing techniques to evade detection.\\nIts malicious payload is stored within a password-protected archive, which is typically executed to deploy additional stealer malware as the final payload.\"\n references = \"https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers\\nhttps://trac-labs.com/advancing-through-the-cyberfront-legionloader-commander-6af38ebe39d4\"\n date = \"2025-01-09\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.012\"\n classification 
= \"Windows.Loader.RobotDropper\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 37075bac3d6ceae449489c5dd053f95bb1f3e4bc6cfae7755ff275ca553701bd\n\n $s_rc4 = {\n 45 33 C9 // xor r9d, r9d\n 4C 8B D1 // mov r10, rcx\n 45 8B D9 // mov r11d, r9d\n 4D 85 C0 // test r8, r8\n 74 41 // jz short locret_180008A1F\n 66 90 // xchg ax, ax\n 49 8D 41 01 // lea rax, [r9+1]\n 44 0F B6 C8 // movzx r9d, al\n 48 8D 52 01 // lea rdx, [rdx+1]\n 43 0F B6 0C 11 // movzx ecx, byte ptr [r9+r10]\n 4A 8D 04 19 // lea rax, [rcx+r11]\n 44 0F B6 D8 // movzx r11d, al\n 43 0F B6 04 13 // movzx eax, byte ptr [r11+r10]\n 43 88 04 11 // mov [r9+r10], al\n 43 88 0C 13 // mov [r11+r10], cl\n 43 0F B6 04 11 // movzx eax, byte ptr [r9+r10]\n 48 03 C1 // add rax, rcx\n 0F B6 C0 // movzx eax, al\n 42 0F B6 0C 10 // movzx ecx, byte ptr [rax+r10]\n 30 4A FF // xor [rdx-1], cl\n 49 83 E8 01 // sub r8, 1\n 75 C1 // jnz short loc_1800089E0\n C3 // retn\n }\n\n $antivm00 = \"|vbOXmINIrDRdn\" nocase\n $antivm01 = \"|vbOXgUEST\" nocase\n $antivm02 = \"|PIPE|vbOXmINIrDRdn\" nocase\n $antivm03 = \"|vbOXtRAYipc\" nocase\n $antivm04 = \"|PIPE|vbOXtRAYipc\" nocase\n\n $stub_decrypt_servername = {\n FE C2 // inc dl\n 0F B6 D2 // movzx edx, dl\n 8B 4C 96 08 // mov ecx, [esi+edx*4+8]\n 8D 04 0B // lea eax, [ebx+ecx]\n 0F B6 D8 // movzx ebx, al\n 8B 44 9E 08 // mov eax, [esi+ebx*4+8]\n 89 44 96 08 // mov [esi+edx*4+8], eax\n 89 4C 9E 08 // mov [esi+ebx*4+8], ecx\n 02 C8 // add cl, al\n 0F B6 C1 // movzx eax, cl\n 8B 4D F8 // mov ecx, [ebp+var_8]\n 8A 44 86 08 // mov al, [esi+eax*4+8]\n 30 04 39 // xor [ecx+edi], al\n 47 // inc edi\n 3B 7D FC // cmp edi, [ebp+var_4]\n 7C D0 // jl short loc_40F4C0\n }\n\n $str_conf00 = \"nonencrypt\"\n $str_conf01 = \"crypto_domain\"\n $str_conf02 = \"postback_id\"\n $str_conf03 = \"postback_url\"\n $str_conf04 = \"postback_path\"\n $str_conf05 = \"execute_method\"\n $str_conf06 = 
\"is_encrypt\"\n $str_conf07 = \"is_compressed\"\n $str_conf08 = \"is_x64\"\n $str_conf09 = \"need_captcha\"\n\n $stub_decrypt_heap = {\n 45 8B 1A // mov r11d, [r10]\n 41 8B C3 // mov eax, r11d\n C1 E0 06 // shl eax, 6\n 41 8B CB // mov ecx, r11d\n C1 E9 08 // shr ecx, 8\n 33 C8 // xor ecx, eax\n 41 8B C1 // mov eax, r9d\n 83 E0 03 // and eax, 3\n 03 0C 87 // add ecx, [rdi+rax*4]\n 41 03 CB // add ecx, r11d\n 41 03 C9 // add ecx, r9d\n 41 29 4A 04 // sub [r10+4], ecx\n 41 8B 42 04 // mov eax, [r10+4]\n 41 89 02 // mov [r10], eax\n }\n\n $stub_prepare_call_encrypt_heap = {\n\n 41 B0 01 // mov r8b, 1\n C6 45 28 00 // mov byte ptr [rbp+arg_18], 0\n 48 8D 55 28 // lea rdx, [rbp+arg_18]\n 48 8B CE // mov rcx, rsi\n E8 [2-6] // call sub_180013B30\n 41 B0 01 // mov r8b, 1\n C6 45 28 00 // mov byte ptr [rbp+arg_18], 0\n 48 8D 55 28 // lea rdx, [rbp+arg_18]\n 48 8B CE // mov rcx, rsi\n E8 // call sub_180013CC0\n }\n\n $stub_api_hashing_00 = {\n 48 8B 4C 24 28 // mov rcx, [rsp+0D8h+var_B0]\n 48 89 41 ?? // mov [rcx+10h], rax\n BA FE 90 CB 49 // mov edx, 49CB90FEh\n 48 8B 4C 24 20 // mov rcx, [rsp+0D8h+var_B8]\n E8 // call api_hashing_0\n }\n\n $stub_api_hashing_01 = {\n 48 8B 4C 24 28 // mov rcx, [rsp+0D8h+var_B0]\n 48 89 41 ?? // mov [rcx+18h], rax\n BA 42 AE C7 F7 // mov edx, 0F7C7AE42h\n 48 8B 4C 24 20 // mov rcx, [rsp+0D8h+var_B8]\n E8 // call api_hashing_0\n }\n\n $stub_api_hashing_02 = {\n 48 8B 4C 24 28 // mov rcx, [rsp+0D8h+var_B0]\n 48 89 41 ?? // mov [rcx+20h], rax\n BA 2E 97 58 4F // mov edx, 4F58972Eh\n 48 8B 4C 24 20 // mov rcx, [rsp+0D8h+var_B8]\n E8 // call api_hashing_0\n }\n\n $stub_api_hashing_03 = {\n 48 8B 4C 24 28 // mov rcx, [rsp+0D8h+var_B0]\n 48 89 41 ?? // mov [rcx+28h], rax\n BA 13 04 18 5D // mov edx, 5D180413h\n 48 8B 4C 24 20 // mov rcx, [rsp+0D8h+var_B8]\n E8 // call api_hashing_0\n }\n\n $stub_api_hashing_04 = {\n 48 8B 4C 24 28 // mov rcx, [rsp+0D8h+var_B0]\n 48 89 41 ?? 
// mov [rcx+50h], rax\n BA E7 E2 DD 7B // mov edx, 7BDDE2E7h\n 48 8B 4C 24 20 // mov rcx, [rsp+0D8h+var_B8]\n E8 // call api_hashing_0\n }\n\n condition:\n 3 of ($antivm*)\n or 1 of ($stub_*)\n or 5 of ($str*)\n or $stub_decrypt_servername\n or $s_rc4\n}\n", "rule_count": 1, "rule_names": [ "robotdropper" ], "rule_creation_date": "2025-01-09", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.RobotDropper" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-roguepotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581848Z", "creation_date": "2026-03-23T11:46:25.581850Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581911Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/antonioCoco/RoguePotato/\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "roguepotato.yar", "content": "rule roguepotato {\n meta:\n title = \"RoguePotato HackTool\"\n id = \"580e3ea5-3344-4bd9-a97e-6429297153c5\"\n 
description = \"Detects the RoguePotato HackTool.\\nRoguePotato is a privilege escalation tool that fakes an OXID resolver to force the BITS service to authenticate and steal its token.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/antonioCoco/RoguePotato/\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2024-02-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.RoguePotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a4778d50307de4ab13e48de90d72b7c5e19b4f9356a611a9faf95cfda0523c46\n // 9c5d53208d324f6f14e3417fe072be9b0f29aa35299f99c30bbaf602790b7480\n\n $s1 = \"[!] Error. CLSID %S not found. Bad path to object.\" ascii fullword\n $s2 = \"[-] RpcServerUseProtseqEp() failed with status code %d\" ascii fullword\n $s3 = \"[-] RpcServerRegisterIf2() failed with status code %d\" ascii fullword\n $s4 = \"[-] RpcServerInqBindings() failed with status code %d\" ascii fullword\n $s5 = \"[-] RpcServerRegisterAuthInfoA() failed with status code %d\" ascii fullword\n $s6 = \"RoguePotato\" ascii fullword\n $s7 = \"[-] RpcEpRegister() failed with status code %d\" ascii fullword\n $s8 = \"[*] Starting RogueOxidResolver RPC Server listening on port %s ... 
\" ascii fullword\n $s9 = \"[-] RpcServerListen() failed with status code %d\" ascii fullword\n $s10 = \"[*] SecurityCallback RPC call\" ascii fullword\n $s11 = \"[*] ResolveOxid RPC call\" ascii fullword\n $s12 = \"[*] ServerAlive RPC call\" ascii fullword\n $s13 = \"[*] ResolveOxid2 RPC call, this is for us!\" ascii fullword\n $s14 = \"localhost/pipe/%s[\\\\pipe\\\\epmapper]\" ascii fullword\n $s15 = \"[*] ResolveOxid2: returned endpoint binding information = ncacn_np:%s\" ascii fullword\n $s16 = \"[*] ServerAlive2 RPC Call\" ascii fullword\n $s17 = \"[-] Error CreatePipe %d\" ascii fullword\n $s18 = \"[*] Listening on pipe %S, waiting for client to connect\" ascii fullword\n $s19 = \"[*] Client connected!\" ascii fullword\n $s20 = \"[-] Failed to impersonate the client.%d %d\" ascii fullword\n $s21 = \"[*] Creating Pipe Server thread..\" ascii fullword\n $s22 = \"[*] Creating TriggerDCOM thread...\" ascii fullword\n $s23 = \"[+] Starting RoguePotato...\" ascii fullword\n $s24 = \"[*] Creating Rogue OXID resolver thread\" ascii fullword\n $s25 = \"[!] RogueOxidResolver not run locally. 
Ensure you run it on your remote machine\" ascii fullword\n\n condition:\n 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "roguepotato" ], "rule_creation_date": "2024-02-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.RoguePotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-romcom_payload_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568888Z", "creation_date": "2026-03-23T11:46:25.568890Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568896Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass" ], "name": "romcom_payload.yar", "content": "rule romcom_payload {\n meta:\n title = \"RomCom RAT Payload\"\n id = \"daf31b29-795e-463a-8fde-91221db0f600\"\n description = \"Detects the RomCom RAT payload.\\nRomCom is a Remote Access Trojan (RAT) associated with an attacker group known for embedding malicious payloads within legitimate 
applications like KeePass, SolarWinds, and PDF readers.\\nThe RomCom RAT establishes command and control communication to perform various malicious activities on an infected system.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass\"\n date = \"2022-11-04\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Trojan.RomCom\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933\n\n $s1 = \"WinHTTP Example/1.0\" fullword wide\n $s2 = \"PUBLIC\" fullword wide\n\n $xor_decryption_seq = {\n 44 32 4F 0B // xor r9b, [rdi+0Bh]\n 44 32 4F 0A // xor r9b, [rdi+0Ah]\n 44 32 4F 08 // xor r9b, [rdi+8]\n 44 32 4F 07 // xor r9b, [rdi+7]\n 44 32 4F 05 // xor r9b, [rdi+5]\n 44 32 4F 04 // xor r9b, [rdi+4]\n 44 32 CE // xor r9b, sil\n }\n\n $write_encrypted_data_to_file = {\n 75 ?? // jnz short loc_18007047E\n 85 FF // test edi, edi\n 75 ?? // jnz short loc_180070463\n 45 8D 46 F7 // lea r8d, [r14-9]\n 41 81 E0 FF 0F 00 80 // and r8d, 80000FFFh\n 7D ?? // jge short loc_18007045D\n 41 FF C8 // dec r8d\n 41 81 C8 00 F0 FF FF // or r8d, 0FFFFF000h\n 41 FF C0 // inc r8d\n 48 8D 55 09 // lea rdx, [rbp+9\n EB ?? // jmp short loc_18007049F\n 45 8B C6 // mov r8d, r14d\n 41 81 E0 FF 0F 00 80 // and r8d, 80000FFFh\n 7D ?? // jge short loc_180070494\n 41 FF C8 // dec r8d\n 41 81 C8 00 F0 FF FF // or r8d, 0FFFFF000h\n 41 FF C0 // inc r8d\n EB ?? // jmp short loc_180070494\n 85 FF // test edi, edi\n 75 ?? 
// jnz short loc_18007048E\n 48 8D 55 09 // lea rdx, [rbp+9]\n 41 B8 F7 0F 00 00 // mov r8d, 0FF7h\n EB 11 // jmp short loc_18007049F\n 41 B8 00 10 00 00 // mov r8d, 1000h ; nNumberOfBytesToWrite\n 8B C7 // mov eax, edi\n C1 E0 0C // shl eax, 0C\n }\n\n condition:\n #xor_decryption_seq > 15 and $write_encrypted_data_to_file and all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "romcom_payload" ], "rule_creation_date": "2022-11-04", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.RomCom" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rootkit_projector_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578068Z", "creation_date": "2026-03-23T11:46:25.578070Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578076Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/struppigel/status/1551503748601729025" ], "name": "rootkit_projector_driver.yar", "content": "rule rootkit_projector_driver {\n 
meta:\n title = \"Projector Kernel Rootkit\"\n id = \"08fc4ec2-62d6-4f9e-9e6a-765863b54a6b\"\n description = \"Detects the Projector kernel driver rootkit. Projector was first spotted in May 2022 and is a Microsoft-signed kernel rootkit that has the ability to hide its actions through minifilters and Windows kernel callbacks.\\nIt is recommended to check for any unexpected processes or files related to the Projector rootkit components, such as minifilters or kernel-mode drivers, to ensure system integrity.\"\n references = \"https://twitter.com/struppigel/status/1551503748601729025\"\n date = \"2022-07-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1547.006\"\n classification = \"Windows.Rootkit.Projector\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0f5e3d33c824f9f03d038b4f1a376b15cc5f1694aef086bd17c516ad951fc45a\n // 7da5e6b6212c03d4d862795d05aace1a06db4943489cb639b9ca9a88563c9d0f\n // 8fb3d3db095920345cafc55821598b4f46f8d756caf2f18016e331e5567e6a41\n // 71a12491b91eff58d2c834160bf8eb03be2e78548c9d06f435b31d9e7dcaecd8\n\n $driver_loading_str_1 = \"IoCreateDriver\" fullword wide\n $driver_loading_str_2 = \"RtlImageDirectoryEntryToData\" fullword wide\n $driver_loading_str_3 = \"RtlQueryModuleInformation\" fullword wide\n\n $s1 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)\" fullword wide // Security descriptor\n $s2 = \"%u:<%wZ>\" fullword wide // Format strings\n $s3 = \"\\\\Device\\\\Projector_Pro1_deviced\" fullword wide\n $s4 = \"\\\\??\\\\Projector_Pro1_deviced\" fullword wide\n $s5 = \"\\\\Device\\\\KB_VRX_deviceVRd\" fullword wide\n $s6 = \"\\\\??\\\\KB_VRX_deviceVRd\" fullword wide\n $s7 = \"\\\\Device\\\\WfpVpnUsrCtlX\" fullword wide\n $s8 = \"\\\\DosDevices\\\\WfpVpnUsrCtlX\" fullword wide\n $s9 = \"vpn.sys\" fullword wide\n\n $op_time_check = {\n 75 ?? 
// jnz short loc_1400193F9\n E8 ?? ?? ?? ?? // call PrGetCurrentTime\n 2B 05 ?? ?? ?? ?? // sub eax, cs:gInitTime\n 3D 88 13 00 00 // cmp eax, 1388h\n 0F 82 ?? ?? ?? ?? // jb loc_140019495\n }\n\n $op_allocate_pool_with_tag = {\n 48 81 FB 00 00 40 01 // cmp rbx, 1400000h\n 0F 87 ?? ?? ?? ?? // ja loc_14001897F\n 41 B9 53 63 61 6E // mov r9d, 'nacS' ; Tag\n 4C 8B C3 // mov r8, rbx ; NumberOfBytes\n 33 D2 // xor edx, edx ; PoolType\n 48 8B CF // mov rcx, rdi ; Instance\n E8 ?? ?? ?? ?? // call FltAllocatePoolAlignedWithTag\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 2MB and all of ($driver_loading_str_*) and 3 of ($s*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "rootkit_projector_driver" ], "rule_creation_date": "2022-07-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Rootkit.Projector" ], "rule_tactic_tags": [ "attack.persistence" ], "rule_technique_tags": [ "attack.t1547.006" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rootkit_projector_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574901Z", "creation_date": "2026-03-23T11:46:25.574903Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.574909Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/struppigel/status/1551503748601729025" ], "name": "rootkit_projector.yar", "content": "rule rootkit_projector_loader {\n meta:\n title = \"Projector Rootkit Loader\"\n id = \"e3a6c6b4-7c56-417e-adc0-8b8c83c3dfad\"\n description = \"Detects the Projector kernel driver rootkit loader.\\nProjector, first identified in May 2022, is a sophisticated Microsoft-signed kernel rootkit. It leverages minifilters and Windows kernel callbacks to hide its activities, enabling persistence and evading detection. The rootkit loads via specific driver-related functions and manipulates system structures to maintain stealth.\\nIt is recommended to scan for unauthorized kernel drivers, terminate any associated processes, and ensure no malicious modifications have been made.\"\n references = \"https://twitter.com/struppigel/status/1551503748601729025\"\n date = \"2022-07-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1547.006\"\n classification = \"Windows.Rootkit.Projector\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 7da5e6b6212c03d4d862795d05aace1a06db4943489cb639b9ca9a88563c9d0f\n // 0f5e3d33c824f9f03d038b4f1a376b15cc5f1694aef086bd17c516ad951fc45a\n\n $driver_loading_str_1 = \"IoCreateDriver\" fullword wide\n $driver_loading_str_2 = \"RtlImageDirectoryEntryToData\" fullword wide\n $driver_loading_str_3 = \"RtlQueryModuleInformation\" fullword wide\n\n $resource_str_1 = \"D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)\" fullword wide // Security descriptor\n $resource_str_2 = \"%u:<%wZ>\" fullword wide // Format strings\n $resource_str_3 = \"\\\\Device\\\\Projector_Pro1_deviced\" fullword wide\n $resource_str_4 = 
\"\\\\??\\\\Projector_Pro1_deviced\" fullword wide\n $resource_str_5 = \"\\\\Device\\\\KB_VRX_deviceVRd\" fullword wide\n $resource_str_6 = \"\\\\??\\\\KB_VRX_deviceVRd\" fullword wide\n $resource_str_7 = \"\\\\Device\\\\WfpVpnUsrCtlX\" fullword wide\n $resource_str_8 = \"\\\\DosDevices\\\\WfpVpnUsrCtlX\" fullword wide\n $resource_str_9 = \"vpn.sys\" fullword wide\n\n $loader_str_1 = \"link111:%s\" fullword ascii\n $loader_str_2 = \"SysName\" fullword ascii\n $loader_str_3 = \"%s%s.sys\" fullword ascii\n $loader_str_4 = \"ChaPox2\" fullword ascii\n $loader_str_5 = \".sys\" fullword ascii\n $loader_str_6 = \"System32\\\\drivers\\\\\" fullword ascii\n $loader_str_7 = \"NewSys\" fullword ascii\n $loader_str_8 = \"OldSys\" fullword ascii\n $loader_str_9 = \"MyDriver264\" fullword ascii\n\n $op_name_randomization = {\n 33 C9 // xor ecx, ecx\n FF 15 ?? ?? ?? ?? // call cs:_time64\n 48 8B C8 // mov rcx, rax ; Seed\n FF 15 ?? ?? ?? ?? // call cs:srand\n FF 15 ?? ?? ?? ?? // call cs:rand\n 44 8B C0 // mov r8d, eax\n B8 D3 20 0D D2 // mov eax, 0D20D20D3h\n 41 F7 E8 // imul r8d\n 41 03 D0 // add edx, r8d\n C1 FA 05 // sar edx, 5\n 8B CA // mov ecx, edx\n C1 E9 1F // shr ecx, 1Fh\n 03 D1 // add edx, ecx\n 6B CA 27 // imul ecx, edx, 27h ; '''\n 44 2B C1 // sub r8d, ecx\n 41 83 F8 27 // cmp r8d, 27h ; '''\n }\n\n $op_write_drv = {\n 41 B8 0B 00 00 00 // mov r8d, 0Bh ; Size\n 48 8D 15 ?? ?? ?? ?? // lea rdx, aMydriver264 ; \"MyDriver264\"\n 48 8D 8D ?? 00 00 00 // lea rcx, [rbp+0F40h+var_E78] ; void *\n E8 ?? ?? ?? ?? // call sub_14000AC30\n 48 8D 8D ?? 00 00 00 // lea rcx, [rbp+0F40h+var_E78]\n E8 ?? ?? ?? ?? // call sub_1400150D0\n BA 03 01 00 00 // mov edx, 103h ; uSize\n 48 8D 8D ?? ?? 00 00 // lea rcx, [rbp+0F40h+Buffer] ; lpBuffer\n FF 15 ?? ?? ?? ?? // call cs:GetSystemDirectoryA\n C7 44 ?? ?? A3 00 00 00 // mov [rsp+10E0h+var_1090], 0A3h ; '£'\n C7 44 ?? ?? 8C 00 00 00 // mov [rsp+10E0h+var_1098], 8Ch ; 'Œ'\n C7 44 ?? ?? 
8D 00 00 00 // mov [rsp+10E0h+var_10A0], 8Dh\n C7 44 ?? ?? 9A 00 00 00 // mov [rsp+10E0h+var_10A8], 9Ah ; 'š'\n C7 44 ?? ?? 89 00 00 00 // mov dword ptr [rsp+10E0h+hTemplateFile], 89h ; '‰'\n C7 44 ?? ?? 96 00 00 00 // mov [rsp+10E0h+dwFlagsAndAttributes], 96h ; '–'\n C7 44 ?? ?? 8D 00 00 00 // mov [rsp+10E0h+dwCreationDisposition], 8Dh\n BA 09 00 00 00 // mov edx, 9\n 41 B9 9B 00 00 00 // mov r9d, 9Bh ; '›'\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 4MB and all of ($driver_loading_str_*) and 3 of ($resource_str_*) and 5 of ($loader_str_*) and 1 of ($op*)\n}\n", "rule_count": 1, "rule_names": [ "rootkit_projector_loader" ], "rule_creation_date": "2022-07-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Rootkit.Projector" ], "rule_tactic_tags": [ "attack.persistence" ], "rule_technique_tags": [ "attack.t1547.006" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rop_gadget_search_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566110Z", "creation_date": "2026-03-23T11:46:25.566112Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566118Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": 
"strong", "rule_confidence_override": null, "references": [ "https://github.com/JLospinoso/gargoyle/\nhttps://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Bramwell%20Brizendine%20Shiva%20Shashank%20Kusuma%20-%20Techniques%20for%20Creating%20Process%20Injection%20Attacks%20with%20Advanced%20Return-Oriented%20Programming%20white%20paper.pdf" ], "name": "rop_gadget_search.yar", "content": "rule rop_gadget_search {\n meta:\n title = \"ROP Gadget Search\"\n id = \"e805adba-7867-4c3c-b34e-3b821165b649\"\n description = \"Detects code patterns associated with ROP (Return-oriented programming) gadget searches.\\nA ROP chain is a structured sequence of gadgets (short instruction sequences already present in executable code) assembled to achieve a specific outcome by redirecting the execution flow.\\nGadgets found in existing code and libraries can be chained together to invoke multiple Windows APIs in sequence; this lets an attacker perform tasks that would normally require shellcode without writing any traditional shellcode to memory.\\nThis rule detects code that looks for executable sections of loaded DLLs (IMAGE_SCN_MEM_EXECUTE) together with the argument sequence used to allocate executable memory (MEM_COMMIT | MEM_RESERVE with PAGE_READWRITE or PAGE_EXECUTE_READWRITE). Both patterns can also occur in some legitimate loaders and packers, so a match should be corroborated rather than treated as a verdict on its own.\\nIt is recommended to investigate processes with unusual callback patterns, examine memory regions containing the detected code sequences, analyze parent-child process relationships, and correlate with other suspicious behaviors such as process injection, memory allocation in remote processes, or unsigned code execution.\"\n references = \"https://github.com/JLospinoso/gargoyle/\\nhttps://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Bramwell%20Brizendine%20Shiva%20Shashank%20Kusuma%20-%20Techniques%20for%20Creating%20Process%20Injection%20Attacks%20with%20Advanced%20Return-Oriented%20Programming%20white%20paper.pdf\"\n date = \"2025-11-17\"\n modified = \"2025-11-24\"\n author = 
\"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.009\"\n classification = \"Windows.Generic.RopGadgetSearch\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e9e9b3501a745f285f1d4e164520842e0128db694e56c85f74f3a2b44144bcdb\n // 54044abd4d781a88a304e684bce7dfe959fa087729d89256d798f8445da4d233\n // d1ad71445b7ce560d362f8ca5e5c1f7c0a87c4548a81f708dea95649d61458ee\n\n // This detection is based on the Gargoyle implementation:\n // 1. Search of memory executable sections in DLLs\n // 2. VirtualProtectEx Arguments\n\n // 1.\n // if (section_header->Characteristics & IMAGE_SCN_MEM_EXECUTE) {\n // filtered_section_headers.push_back(section_header);\n // printf(\"[ ] Found executable section \\\"%s\\\" at 0x%p.\\n\", section_header->Name, dll_base + section_header->VirtualAddress);\n // }\n $system_dll_rop_gadget_search = {\n 8B 45 BC // mov eax, dword [ebp-0x44 {var_48}]\n 8B 48 24 // mov ecx, dword [eax+0x24 {_IMAGE_SECTION_HEADER::Characteristics}]\n 81 E1 00 00 00 20 // and ecx, 0x20000000 // Look for executable sections in DLL\n (74|75|76) // je 0x4421e7\n }\n\n // 2.\n $pic_allocation_args = {\n 6A (04|40) // push 0x40 {flProtect} // PAGE_READWRITE | PAGE_EXECUTE_READWRITE\n 68 00 30 00 00 // push 0x3000 {flAllocationType} // MEM_COMMIT | MEM_RESERVE\n }\n\n $exclusion_ibw30 = \"@oclcpica.nl/\" ascii\n\n condition:\n $pic_allocation_args and $system_dll_rop_gadget_search and not 1 of ($exclusion_*)\n}\n", "rule_count": 1, "rule_names": [ "rop_gadget_search" ], "rule_creation_date": "2025-11-17", "rule_modified_date": "2025-11-24", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.RopGadgetSearch" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.009" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-rottenpotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576214Z", "creation_date": "2026-03-23T11:46:25.576217Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576222Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/breenmachine/RottenPotatoNG\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "rottenpotato.yar", "content": "rule rottenpotato {\n meta:\n title = \"RottenPotato HackTool\"\n id = \"33b2cf53-ec67-4e05-9fe4-948457da7360\"\n description = \"Detects the RottenPotato HackTool.\\nRottenPotato is a privilege escalation tool that leverages NTLM relay to enable local privilege escalation. 
It coerces the local SYSTEM account into authenticating to a listener controlled by the tool (via DCOM and a local RPC endpoint) and relays that NTLM authentication locally through SSPI to obtain a SYSTEM impersonation token; no credentials are captured for reuse elsewhere. The technique requires the calling account to already hold SeImpersonatePrivilege (typically service accounts such as IIS or MSSQL), so that privilege is the main hardening control to review.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/breenmachine/RottenPotatoNG\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2024-02-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.RottenPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f47795749ee04612e976771b8bfb548a224dd713c9fe39d58d5c948ba5578d9e\n\n $s1 = \"Error in AquireCredentialsHandle\" ascii fullword\n $s2 = \"WSAStartup failed with error: %d\" ascii fullword\n $s3 = \"RPC -> recv failed with error: %d\" ascii fullword\n $s4 = \"RPC -> send failed with error: %d\" ascii fullword\n $s5 = \"RPC -> bytes Sent: %ld\" ascii fullword\n $s6 = \"RPC-> Connection closed\" ascii fullword\n $s7 = \"COM -> bytes sent: %d\" ascii fullword\n $s8 = \"COM -> send failed with error: %d\" ascii fullword\n $s9 = \"COM -> bytes received: %d\" ascii fullword\n $s10 = \"COM -> recv failed with error: %d\" ascii fullword\n $s11 = \"Waiting for auth...\" ascii fullword\n $s12 = \"Auth result: %d\" ascii fullword\n $s13 = \"MSFRottenPotato.pdb\" ascii\n\n condition:\n 8 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "rottenpotato" ], "rule_creation_date": "2024-02-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.RottenPotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-rshell_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577566Z", "creation_date": "2026-03-23T11:46:25.577568Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577574Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/\nhttps://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html" ], "name": "rshell.yar", "content": "rule rshell {\n meta:\n title = \"RShell Malware\"\n id = \"1fa44713-2eec-43b4-9909-ae272275ad3d\"\n description = \"Detects the RShell backdoor.\\nRShell is a C++ macOS backdoor used by the LuckyMouse attacker group.\\nIt allows attackers to issue commands to a target macOS host and communicates using Binary JSON (BSON) over TCP sockets without encryption.\"\n references = \"https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/\\nhttps://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html\"\n date = \"2022-11-08\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1095\"\n 
classification = \"MacOS.Malware.RShell\"\n context = \"process,memory,file.macho\"\n os = \"MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $c2_commands_1 = {\n 64 69 72 00 // dir\n 70 61 74 68 00 // path\n 64 6F 77 6E 00 // down\n 72 65 61 64 00 // read\n 75 70 6C 6F 61 64 00 // upload\n 77 72 69 74 65 00 // write\n 64 65 6C // del\n }\n $c2_commands_2 = {\n 6C 6F 67 69 6E 00 // login\n 68 6F 73 74 6E 61 6D 65 00 // hostname\n 6C 61 6E 00 // lan\n 75 73 65 72 6E 61 6D 65 00 // username\n 76 65 72 73 69 6F 6E // version\n }\n\n condition:\n uint32be(0) == 0xcffaedfe and all of them\n}\n", "rule_count": 1, "rule_names": [ "rshell" ], "rule_creation_date": "2022-11-08", "rule_modified_date": "2025-03-12", "rule_os": [ "macos" ], "rule_classifications": [ "MacOS.Malware.RShell" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1095" ], "rule_score": 100, "rule_context": [ "memory", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rubeus_c01d93bfcf19_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585009Z", "creation_date": "2026-03-23T11:46:25.585012Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585017Z", "rule_level": "critical", "rule_level_override": 
null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GhostPack/Rubeus" ], "name": "rubeus_c01d93bfcf19.yar", "content": "rule rubeus_c01d93bfcf19 {\n meta:\n title = \"Rubeus Tool (c01d93bfcf19)\"\n id = \"328b9ad8-d682-4624-940f-c01d93bfcf19\"\n description = \"Detects Rubeus.\\nRubeus is a C# tool used for interacting with and manipulating Kerberos tickets, enabling various attacks like ticket harvesting, forging, and Kerberoasting. It provides functionalities for ticket requests, renewals, and constrained delegation abuse, among others, commonly used in post-exploitation scenarios.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/GhostPack/Rubeus\"\n date = \"2021-04-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1558;attack.t1558.001;attack.t1558.002;attack.t1558.003;attack.t1558.004\"\n classification = \"Windows.Tool.Rubeus\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Rubeus.Commands.Brute.DomainUsernames()\n $domain_usernames = {\n 11 ?? // ldloc.s 0xA\n 20 2E 05 07 80 // ldc.i4 0x8007052E\n 2E ?? // beq.s loc_12202\n\n [0-2] // br.s\n\n 11 ?? // ldloc.s 0xF\n 20 30 20 07 80 // ldc.i4 0x80072030\n 2E ?? // beq.s loc_149EB\n\n [0-2] // br.s\n\n 11 ?? // ldloc.s 0xF\n 20 32 20 07 80 // ldc.i4 0x80072032\n 2E ?? // beq.s loc_149E0\n\n [0-2] // br.s\n\n 11 ?? // ldloc.s 0xF\n 20 3A 20 07 80 // ldc.i4 0x8007203A\n 2E ?? 
// beq.s loc_149CA\n }\n\n condition:\n $domain_usernames\n}\n", "rule_count": 1, "rule_names": [ "rubeus_c01d93bfcf19" ], "rule_creation_date": "2021-04-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Rubeus" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1558", "attack.t1558.001", "attack.t1558.004", "attack.t1558.002", "attack.t1558.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rubeus_ebaa57ddf7d5_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563208Z", "creation_date": "2026-03-23T11:46:25.563212Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563221Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GhostPack/Rubeus" ], "name": "rubeus_ebaa57ddf7d5.yar", "content": "rule rubeus_ebaa57ddf7d5 {\n meta:\n title = \"Rubeus Tool (ebaa57ddf7d5)\"\n id = \"96cff2c8-8ae6-496b-ad56-ebaa57ddf7d5\"\n description = \"Detects Rubeus.\\nRubeus is a C# tool used for interacting with and manipulating Kerberos tickets, enabling various attacks like 
ticket harvesting, forging, and Kerberoasting. It provides functionalities for ticket requests, renewals, and constrained delegation abuse, among others, commonly used in post-exploitation scenarios.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/GhostPack/Rubeus\"\n date = \"2021-03-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1558;attack.t1558.001;attack.t1558.002;attack.t1558.003;attack.t1558.004\"\n classification = \"Windows.Tool.Rubeus\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // TypeLibGUID\n $guid = \"658C8B7F-3664-4A95-9572-A3E5871DFC06\" ascii nocase wide\n\n // Rubeus ASCII logo\n $ascii_logo_1 = \" ______ _ \" wide\n $ascii_logo_2 = \" (_____ \\\\ | | \" wide\n $ascii_logo_3 = \" _____) )_ _| |__ _____ _ _ ___ \" wide\n $ascii_logo_4 = \" | __ /| | | | _ \\\\| ___ | | | |/___)\" wide\n $ascii_logo_5 = \" | | \\\\ \\\\| |_| | |_) ) ____| |_| |___ |\" wide\n $ascii_logo_6 = \" |_| |_|____/|____/|_____)____/(___/\" wide\n\n // A bunch of log messages\n $log_1 = \"[+] Password change success!\" wide\n $log_2 = \"[X] Password change error: {0}\" wide\n $log_3 = \"[*] Building Authenticator with encryption key type\" wide\n $log_4 = \"[*] Building AP-REQ for the MS Kpassword request\" wide\n $log_5 = \"[*] New password value: {0}\" wide\n $log_6 = \"[*] Changing password for user: {0}@{1}\" wide\n $log_7 = \"[*] Building TGS-REQ renewal for: \" wide\n $log_8 = \"[*] Sleeping for {0} minutes (endTime-30) before the next renewal\" wide\n $log_9 = \"[*] User : {0}@{1}\" wide\n $log_11 = \"[*] endtime : {0}\" wide\n $log_12 = \"[*] renew-till : {0}\" wide\n $log_13 = \"[*] renew-till window ({0}) has passed.\" wide\n $log_14 = \"[*] Initializing Kerberos GSS-API w/ fake 
delegation for target\" wide\n $log_15 = \"[+] Kerberos GSS-API initialization success!\" wide\n $log_16 = \"[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.\" wide\n $log_17 = \"[*] Found the AP-REQ delegation ticket in the GSS-API output.\" wide\n $log_18 = \"[X] Error: InitializeSecurityContext error: {0}\" wide\n $log_19 = \"[X] Error: AcquireCredentialsHandle error: {0}\" wide\n $log_20 = \"[X] You need to be in high integrity for the actions specified.\" wide\n\n // Strings that are useful to deliver the payload (aka not logs)\n // They act as a final barrier in case the binary is stripped of useless strings (ascii log+logs)\n $payload_1 = \"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))\" wide\n $payload_2 = \"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(samAccountName={0}))\" wide\n $payload_3 = \"(&(|{0})(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))\" wide\n $payload_4 = \"(samAccountName={0})(!(UserAccountControl:1.2.840.113556.1.4.803:=2))\" wide\n $payload_5 = \"(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))\" wide\n $payload_6 = \"$krb5asrep${0}@{1}:{2}\" wide\n $payload_7 = \"$krb5asrep$23${0}@{1}:{2}\" wide\n $payload_8 = \"20370913024805Z\" wide\n $payload_9 = \"1.3.6.1.5.2.3.1\" wide\n\n condition:\n uint16(0) == 0x5A4D and (\n $guid\n or (all of ($ascii_logo_*))\n or (13 of ($log_*))\n or (6 of ($payload_*))\n )\n}\n", "rule_count": 1, "rule_names": [ "rubeus_ebaa57ddf7d5" ], "rule_creation_date": "2021-03-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Rubeus" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1558", "attack.t1558.001", "attack.t1558.004", "attack.t1558.002", "attack.t1558.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-rugmi_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573106Z", "creation_date": "2026-03-23T11:46:25.573108Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573113Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.infostealers.com/article/novice-rugmi-loader-delivers-various-spyware/\nhttps://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22023.pdf" ], "name": "rugmi_loader.yar", "content": "rule rugmi_loader {\n meta:\n title = \"Rugmi Loader\"\n id = \"dc5cf6d9-a778-44cd-8cdb-663d6376d895\"\n description = \"Detects the Rugmi Loader, a malicious Windows application used by threat actors to deliver information stealers.\\nRugmi Loader is known for its ability to inject its components into legitimate processes to achieve persistence and evade detection. It typically operates by using process injection techniques and in-memory execution to avoid traditional file-based detection methods. 
This loader is often associated with the distribution of various information stealers such as Lumma Stealer, Vidar, and Raccoon Stealer.\"\n references = \"https://www.infostealers.com/article/novice-rugmi-loader-delivers-various-spyware/\\nhttps://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22023.pdf\"\n date = \"2024-09-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.t1140;attack.t1036;attack.t1055\"\n classification = \"Windows.Loader.Rugmi\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e2b5a2c5c54abc1724da865782cecad96296c2c0e59c5d94a8f00c4fa764ec7d\n // e68623c00519af8a266f9d70dedadf144324eff6d0919c194eb50d84cc8d53ed\n // aba2631f0a0154ccc91ba5254660ab97121516923586c3aabdfaf55fbcdb7780\n // 5a29de6bcf53d914ca0853d980dc2bfa325c83349b795321b65490edcc5d47c8\n // 57b6a6d2ef8764bdf933ff5b3a3d4708454ea0b8ec4b7653f260e5c8bc75fac4\n // bec843307a15e139adcfd719eced355d1daab2d179406a9274085eab0273c452\n // 6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748\n\n $x1 = {\n // loc_10002F8F:\n 0F AF 74 24 0C // imul esi, [esp+arg_8]\n 0F B6 0C 3A // movzx ecx, byte ptr [edx+edi]\n 03 F1 // add esi, ecx\n 42 // inc edx\n 3B D0 // cmp edx, eax\n 72 F0 // jb short loc_10002F8F\n }\n\n $x2 = {\n 8B 44 24 1C // mov eax, [esp+arg_18]\n 33 D2 // xor edx, edx\n 66 89 14 48 // mov [eax+ecx*2], dx\n 89 44 24 28 // mov [esp+arg_24], eax\n 8D 04 33 // lea eax, [ebx+esi]\n 89 44 24 24 // mov [esp+arg_20], eax\n 8D 44 24 24 // lea eax, [esp+arg_20]\n 50 // push eax\n C6 44 24 30 01 // mov [esp+4+arg_28], 1\n FF D7 // call edi\n }\n\n $x3 = {\n // loc_40652A:\n 8B 45 F8 // mov eax, [ebp+var_8]\n 03 45 FC // add eax, [ebp+var_4]\n 0F BE 08 // movsx ecx, byte ptr [eax]\n 85 C9 // test ecx, ecx\n 74 0B // jz short loc_406542\n 8B 55 FC // mov edx, 
[ebp+var_4]\n 83 C2 01 // add edx, 1\n 89 55 FC // mov [ebp+var_4], edx\n EB E8 // jmp short loc_40652A\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "rugmi_loader" ], "rule_creation_date": "2024-09-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Rugmi" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution" ], "rule_technique_tags": [ "attack.t1036", "attack.t1140", "attack.t1106", "attack.t1055" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-runpe_in_memory_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577718Z", "creation_date": "2026-03-23T11:46:25.577719Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577725Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/aaaddress1/RunPE-In-Memory\nhttps://archive.is/RuKH4" ], "name": "runpe_in_memory.yar", "content": "import \"pe\"\n\nrule runpe_in_memory {\n meta:\n title = \"RunPE-In-Memory HackTool\"\n id = \"cdca5926-18d9-4f2c-a1f2-40a1956b227f\"\n description = \"Detects the RunPE-In-Memory 
HackTool.\\nRunPE-In-Memory is a tool designed to inject and execute Portable Executable (PE) files directly into the memory space of a process, enabling attackers to execute malicious code without writing it to disk. This technique is commonly used to evade detection by anti-malware solutions.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/aaaddress1/RunPE-In-Memory\\nhttps://archive.is/RuKH4\"\n date = \"2024-10-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1620\"\n classification = \"Windows.HackTool.RunPEInMemory\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ff56771b4eda8231b160a404b5da7211c5be3a6e029c0427f012d197fa3dc35e\n // e7eafa52a53de3a67f5fac4745af6dba1471ed164f65c5cca2ffce4feaf43669\n // 54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498\n\n $s1 = \"[+] Fix Import Address Table\" ascii fullword\n $s2 = \"[!] 
Not supported relocations format at %d: %d\" ascii\n $s3 = \"[+] File %s isn't a PE file.\" ascii fullword\n $s4 = \"[-] Allocate Image Base At %x Failure.\" ascii fullword\n $s5 = \"Run Exe Module: %s\" ascii fullword\n\n $fixiat = {\n 49 89 5B 20 // mov [r11+20h], rbx\n 49 B8 00 00 00 80 00 00 00 80 // mov r8, 8000000080000000h\n 49 89 73 F0 // mov [r11-10h], rsi\n 49 89 7B E8 // mov [r11-18h], rdi\n 4D 89 63 E0 // mov [r11-20h], r12\n 4D 89 6B D8 // mov [r11-28h], r13\n 4D 89 73 D0 // mov [r11-30h], r14\n 4C 8D 75 10 // lea r14, [rbp+10h]\n 4C 03 F1 // add r14, rcx\n 4D 89 7B C8 // mov [r11-38h], r15\n 48 C7 C1 F0 FF FF FF // mov rcx, 0FFFFFFFFFFFFFFF0h\n 4C 89 74 24 60 // mov [rsp+58h+arg_0], r14\n 48 2B C8 // sub rcx, rax\n 48 2B CD // sub rcx, rbp\n 48 89 4C 24 68 // mov [rsp+58h+arg_8], rcx\n }\n\n $xor1 = {\n 0F 1F 00 // nop dword ptr [rax]\n\n // loc_140001390:\n 30 0C 0F // xor [rdi+rcx], cl\n 48 FF C1 // inc rcx\n 48 3B CE // cmp rcx, rsi\n 7C F5 // jl short loc_140001390\n\n // loc_14000139B:\n 4C 89 64 24 60 // mov [rsp+48h+arg_10], r12\n 4C 89 74 24 68 // mov [rsp+48h+arg_18], r14\n 4C 89 7C 24 20 // mov [rsp+48h+var_28], r15\n 48 85 FF // test rdi, rdi\n }\n\n $xor2 = {\n 48 8D 04 31 // lea rax, [rcx+rsi]\n 48 2B F9 // sub rdi, rcx\n 0F 1F 00 // nop dword ptr [rax]\n\n // loc_140001400:\n 80 30 C7 // xor byte ptr [rax], 0C7h\n 48 8D 40 01 // lea rax, [rax+1]\n 48 83 EF 01 // sub rdi, 1\n 75 F3 // jnz short loc_140001400\n }\n\n condition:\n 3 of ($s*) or\n $fixiat or\n 1 of ($xor*) or\n // RunPEinMemory64.exe\n pe.imphash() == \"e783b8951b88d727c7c79868a2219f1d\" or\n // RunPEinMemory32.exe\n pe.imphash() == \"ff6ffd6e908fd627e916f2c76dd3eb8c\" or\n // Custom version\n pe.imphash() == \"b09c08b0f5712e5d87f286130fa3de2d\" or\n pe.imphash() == \"fa8b8d9aac4d71e1159d9ef3f9746ad0\"\n}\n", "rule_count": 1, "rule_names": [ "runpe_in_memory" ], "rule_creation_date": "2024-10-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], 
"rule_classifications": [ "Windows.HackTool.RunPEInMemory" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1620" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rust_dbj2_api_hashing_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589695Z", "creation_date": "2026-03-23T11:46:25.589697Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589703Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/trickster0/OffensiveRust\nhttps://attack.mitre.org/techniques/T1027/007/" ], "name": "rust_dbj2_api_hashing.yar", "content": "rule rust_DBJ2_api_hashing {\n meta:\n title = \"Generic Rust DBJ2 API Hashing\"\n id = \"27cd8ca8-79cf-41d7-8e14-57e9814c429c\"\n description = \"Detects API hashing code present in Rust samples.\\nAPI hashing is a technique used to dynamically resolve functions called by the malware, allowing it to hide malicious activities and evade defensive analysis. 
This technique helps the malware avoid static detection by using dynamic function resolution.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/trickster0/OffensiveRust\\nhttps://attack.mitre.org/techniques/T1027/007/\"\n date = \"2025-12-09\"\n modified = \"2025-12-11\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007;attack.privilege_escalation;attack.t1055.001;attack.t1055.002\"\n classification = \"Windows.Generic.ApiHashing\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3afb0d271a8f820fca5b61175e9091e692cbfb1fd436e611bab9abf7f51f7822\n // da3b988e7e9a20a31d0fd11f67d4c8148a99545d21009fba31c178a72744c414\n\n // struct _TEB* Self = gsbase->NtTib.Self\n // struct _PEB* rax_1\n // rax_1.d = Self->ProcessEnvironmentBlock.d\n // rax_1:4.d = Self->ProcessEnvironmentBlock:4.d\n // struct _LDR_DATA_TABLE_ENTRY_LIST_ENTRY_LO* Flink =\n // &rax_1->Ldr->InLoadOrderModuleList\n\n $peb_walk_to_module_names = {\n 50 // push rax {var_18}\n 65 48 8B 04 25 30 00 00 00 // mov rax, qword [gs:0x30]\n 48 8B 40 60 // mov rax, qword [rax+0x60 {_TEB::ProcessEnvironmentBlock.d}] {_TEB::ProcessEnvironmentBlock+4.d}\n 48 8B 50 18 // mov rdx, qword [rax+0x18 {_PEB::Ldr}]\n 48 83 C2 10 // add rdx, 0x10 {_PEB_LDR_DATA::InLoadOrderModuleList}\n }\n\n $djb2_hash_constant = {\n 41 B9 05 15 00 00 // mov r9d, 0x1505\n }\n\n $dbj2_hash_op = {\n 40 80 FE 61 // cmp sil, 0x61\n 40 0F B6 F6 // movzx esi, sil\n 40 0F B6 FF // movzx edi, dil\n 0F 42 FE // cmovb edi, esi\n 44 89 CE // mov esi, r9d\n C1 E6 05 // shl esi, 0x5\n 44 01 CE // add esi, r9d\n 44 0F B6 CF // movzx r9d, dil\n 41 01 F1 // add r9d, esi\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "rust_DBJ2_api_hashing" ], "rule_creation_date": "2025-12-09", "rule_modified_date": "2025-12-11", 
"rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.ApiHashing" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1027.007", "attack.t1055.002", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-rusthound_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584950Z", "creation_date": "2026-03-23T11:46:25.584952Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584958Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/OPENCYBER-FR/RustHound" ], "name": "rusthound.yar", "content": "rule rusthound {\n meta:\n title = \"RustHound Tool\"\n id = \"8ae00796-83ba-4ca0-9640-d8c2400581ea\"\n description = \"Detects RustHound, a Rust-based data collection tool used for reconnaissance and identity attacks in Active Directory environments.\\nRustHound collects data from Active Directory to reveal hidden relationships, aiding in identity-based attacks.\\nIt is derived from the SharpHound project and is part of the BloodHound framework.\\nIt is recommended to 
investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/OPENCYBER-FR/RustHound\"\n date = \"2022-10-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087;attack.t1482;attack.t1615;attack.t1201;attack.t1069.001;attack.collection;attack.t1560\"\n classification = \"Windows.Tool.RustHound\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // c9a65da2540901e3b6c93b71677457400aeea8cbc28426e3c3e6bf842f3f057b\n\n $general_1 = \"Domain name like: G0H4N.LAB\" ascii\n $general_2 = \"Domain Controler FQDN like: DC01.G0H4N.LAB\" ascii // Typo is intended.\n $general_3 = \"RustHound will compress the JSON files into a zip archive\" ascii\n $general_4 = \"https://twitter.com/g0h4n_0Active Directory data collector for BloodHound\" ascii\n $general_5 = \"Prepare ldaps request. 
Like ldaps://G0H4N.LAB/pathodirpath\" ascii\n\n $internal_structs_1 = \"rusthound::enums::acl\" fullword ascii\n $internal_structs_2 = \"rusthound::json::maker\" fullword ascii\n $internal_structs_3 = \"rusthound::ldap\" fullword ascii\n $internal_structs_4 = \"rusthound::modules::resolver\" fullword ascii\n $internal_structs_5 = \"rusthoundVerbosity level:\" fullword ascii\n\n $logging_1 = \"Replace SID with checker.rs started\" fullword ascii\n $logging_2 = \"Adding affected computers in domain GpoChanges\" fullword ascii\n $logging_3 = \"affected computers added!\" fullword ascii\n $logging_4 = \"guid for gplinks added!\" fullword ascii\n\n $json_files_1 = \"Making groups.json\" fullword ascii\n $json_files_2 = \"Making computers.json\" fullword ascii\n $json_files_3 = \"Making gpos.json\" fullword ascii\n $json_files_4 = \"Making containers.json\" fullword ascii\n\n $active_directory_1 = \"TRUSTED_DOMAIN_FULL_INFORMATION2\" fullword ascii\n $active_directory_2 = \"TOKEN_MANDATORY_POLICYPolicy\" fullword ascii\n $active_directory_3 = \"Connected to Active Directory!\" fullword ascii\n $active_directory_4 = \"M128AMINIDUMP_CALLBACK_TYPEMINIDUMP_DIRECTORY\" fullword ascii\n\n condition:\n (uint16(0) == 0x5A4D) and (\n all of ($json_files_*)\n or all of ($active_directory_*)\n or all of ($internal_structs_*)\n or all of ($logging_*)\n or 3 of ($general_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "rusthound" ], "rule_creation_date": "2022-10-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.RustHound" ], "rule_tactic_tags": [ "attack.collection", "attack.discovery" ], "rule_technique_tags": [ "attack.t1482", "attack.t1615", "attack.t1069.001", "attack.t1560", "attack.t1201", "attack.t1087" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-s4killer_yar", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582236Z", "creation_date": "2026-03-23T11:46:25.582238Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582243Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/enkomio/s4killer\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "s4killer.yar", "content": "rule s4killer {\n meta:\n title = \"S4killer HackTool\"\n id = \"2071f721-f13d-4db4-a990-f8731b52e2ec\"\n description = \"Detects S4killer HackTool.\\nS4killer is a tool that leverages the probmon.sys vulnerable driver to kill protected processes. It creates a service to load the driver and sends a specific filter message to register the processes to be terminated. 
This technique allows S4killer to disrupt or terminate protected processes, potentially hindering security mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/enkomio/s4killer\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-03-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.S4killer\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5109c98359a6cdcf14c156def1e0dd1440c4aa2b4882e590edf4a8ec54238592\n\n $certificate_serial_num = { 01 00 00 00 00 01 30 6D E1 66 BE }\n $certificate_subject = \"ITM System Co\"\n $driver_service_name = \"probmon\" wide ascii\n $filter_name = \"\\\\ITM_Mon\" wide ascii\n $regkey_creation00 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\\" wide ascii\n $regkey_creation01 = \"Instances\" wide ascii\n $key_value00 = \"Altitude\" wide ascii\n $key_value01 = \"145610\" wide ascii\n $loadpriv = \"SeLoadDriverPrivilege\" wide ascii\n $winapi00 = \"CreateService\" wide ascii\n $winapi01 = \"RegCreateKey\" wide ascii\n $winapi02 = \"OpenSCManager\" wide ascii\n $winapi03 = \"OpenService\" wide ascii\n $winapi04 = \"FilterLoad\" wide ascii\n $winapi05 = \"FilterConnectCommunicationPort\" wide ascii\n $winapi06 = \"FilterSendMessage\" wide ascii\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "s4killer" ], "rule_creation_date": "2024-03-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.S4killer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { 
"id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-safetykatz_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567819Z", "creation_date": "2026-03-23T11:46:25.567821Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567827Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0002/\nhttps://github.com/GhostPack/SafetyKatz" ], "name": "safetykatz.yar", "content": "rule safetykatz {\n meta:\n title = \"SafetyKatz HackTool\"\n id = \"534f9b91-f1a0-4305-91af-3a9daeaa5ecd\"\n description = \"Detects SafetyKatz HackTool.\\nSafetyKatz is a modified version of the Mimikatz project combined with subtee's .NET PE Loader. It is primarily used for credential dumping, extracting plaintext Windows account logins and passwords. 
The tool also includes features for testing network security and enumerating system information; it embeds Mimikatz's privilege::debug command and refuses to run unless the process is 64-bit and in high integrity, which it needs to obtain a handle to LSASS.\"\n references = \"https://attack.mitre.org/software/S0002/\\nhttps://github.com/GhostPack/SafetyKatz\"\n date = \"2023-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0002;attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002;attack.t1550.003\"\n classification = \"Windows.HackTool.Safetykatz\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0a9ba1ef5df3e340384eef59a79eb8ac85608d676478603aa91c5e90ae31eb7a\n\n $safety = \"SafetyKatz\" ascii\n\n $s1 = \"privilege::debug\" wide\n $s2 = \"{0}\\\\Temp\\\\filessasl.txt\" wide\n $s3 = \"[X] Not in high integrity, unable to grab a handle to lsass!\" wide\n $s4 = \"[X] Process is not 64-bit, this version of Mimikatz won't work yo'!\" wide\n\n condition:\n (uint16(0) == 0x5a4d and #safety > 1) or 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "safetykatz" ], "rule_creation_date": "2023-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Safetykatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003", "attack.t1550.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-seatbelt_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563560Z", "creation_date": "2026-03-23T11:46:25.563563Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563569Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GhostPack/Seatbelt" ], "name": "seatbelt.yar", "content": "rule seatbelt {\n meta:\n title = \"Seatbelt Tool\"\n id = \"73f93502-a007-4575-806e-5d2ee0da57e8\"\n description = \"Detects Seatbelt, a C# project that performs security-oriented host-survey safety checks from both offensive and defensive perspectives.\\nIt identifies potential security weaknesses, misconfigurations, and vulnerable settings on a system. The tool is used for proactive security testing and red teaming exercises to assess an environment's security posture.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/GhostPack/Seatbelt\"\n date = \"2021-04-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082\"\n classification = \"Windows.Tool.Seatbelt\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fa0f2d94a049d825bef77e103e33167250ed2ac0\n\n $log_01 = \"[*] Running commands remotely against the host '\" wide\n $log_02 = \"[!] Terminating exception running command '\" wide\n $log_03 = \"[*] Completed collection in {0} seconds\" wide\n $log_04 = \"[!] 
The highest .NET version is enrolled in AMSI!\" wide\n $log_05 = \"[*] You can invoke .NET version {0}.{1} to bypass AMSI.\" wide\n $log_06 = \"[!] NTLM clients support NTLMv1!\" wide\n $log_07 = \"[!] NTLM services on this machine support NTLMv1!\" wide\n $log_08 = \"[*] In medium integrity but user is a local administrator - UAC can be bypassed.\" wide\n $log_09 = \"[!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run.\" wide\n $log_10 = \"[!] You can do a PowerShell version downgrade to bypass the logging.\" wide\n $log_11 = \"[!] Module logging is configured. Logging will not occur, however, because it requires PSv3.\" wide\n $log_12 = \"[!] Script block logging is configured. Logging will not occur, however, because it requires PSv5.\" wide\n $log_13 = \"[!] You can do a PowerShell version downgrade to bypass AMSI.\" wide\n $log_14 = \"[!] Certificate is used for client authentication!\" wide\n $log_15 = \"[X] 'Win32_DeviceGuard' WMI class unavailable\" wide\n $log_16 = \"[*] LAPS not installed\" wide\n $log_17 = \"[*] You can use SharpDPAPI or the Mimikatz \\\"dpapi::rdg\\\" module to decrypt any found .rdg files\" wide\n $log_18 = \"[!] Could not locate\" wide\n $log_19 = \"[!] Insufficient privileges to access\" wide\n $log_20 = \"[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken == 1.\" wide\n $log_21 = \"[!] 
Error accessing\" wide\n $log_22 = \"[*] AppIDSvc service is {0}\" wide\n $log_23 = \"[*] Applocker is not running because the AppIDSvc is not running\" wide\n $log_24 = \"[*] AppLocker not configured\" wide\n $log_25 = \"[*] {0} not configured\" wide\n $log_26 = \"[*] {0} is in {1}\" wide\n $log_27 = \"[*] No rules\" wide\n $log_28 = \"[*] Local accounts cannot be used for lateral movement.\" wide\n $log_29 = \"[X] 'MSFT_ScheduledTask' WMI class unavailable (minimum supported versions of Windows: 8/2012)\" wide\n $log_30 = \"[X] 'MSFT_DNSClientCache' WMI class unavailable (minimum supported versions of Windows: 8/2012)\" wide\n $log_31 = \"[*] Use the Mimikatz \\\"dpapi::masterkey\\\" module with appropriate arguments (/pvk or /rpc) to decrypt\" wide\n $log_32 = \"[*] You can also extract many DPAPI masterkeys from memory with the Mimikatz \\\"sekurlsa::dpapi\\\" module\" wide\n $log_33 = \"[*] You can also use SharpDPAPI for masterkey retrieval.\" wide\n $log_34 = \"[*] WDigest is enabled - plaintext password extraction is possible!\" wide\n $log_35 = \"[*] LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily.\" wide\n $log_36 = \"[*] RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system.\" wide\n $log_37 = \"[*] UAC is disabled.\" wide\n $log_38 = \"[*] Any administrative local account can be used for lateral movement.\" wide\n $log_39 = \"[*] Default Windows settings - Only the RID-500 local admin account can be used for lateral movement.\" wide\n $log_40 = \"[*] LocalAccountTokenFilterPolicy == 1. 
Any administrative local account can be used for lateral movement.\" wide\n\n $sql_01 = \"SELECT Version FROM Win32_OperatingSystem\" wide\n $sql_02 = \"SELECT System.ItemPathDisplay,System.FileOwner,System.Size,System.DateCreated,System.DateAccessed,System.Search.Autosummary FROM SystemIndex WHERE Contains(*, '\\\"*{0}*\\\"') AND SCOPE = '{1}' AND (System.FileExtension = '.txt' OR System.FileExtension = '.doc' OR System.FileExtension = '.docx' OR System.FileExtension = '.ppt' OR System.FileExtension = '.pptx' OR System.FileExtension = '.xls' OR System.FileExtension = '.xlsx' OR System.FileExtension = '.ps1' OR System.FileExtension = '.vbs' OR System.FileExtension = '.config' OR System.FileExtension = '.ini')\" wide\n $sql_03 = \"SELECT * FROM Win32_DeviceGuard\" wide\n $sql_04 = \"SELECT * FROM Win32_QuickFixEngineering\" wide\n $sql_05 = \"SELECT * FROM AntiVirusProduct\" wide\n $sql_06 = \"SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'\" wide\n $sql_07 = \"SELECT * from Win32_Printer\" wide\n $sql_08 = \"SELECT ProcessId, ExecutablePath, CommandLine FROM Win32_Process\" wide\n $sql_09 = \"SELECT * FROM Win32_Process WHERE SessionID != 0\" wide\n $sql_10 = \"SELECT * FROM MSFT_ScheduledTask\" wide\n $sql_11 = \"SELECT * FROM win32_service\" wide\n $sql_12 = \"SELECT * FROM MSFT_DNSClientCache\" wide\n $sql_13 = \"SELECT * FROM Win32_LoggedOnUser\" wide\n $sql_14 = \"SELECT * FROM Win32_LogonSession\" wide\n $sql_15 = \"SELECT * FROM Win32_Share\" wide\n $sql_16 = \"SELECT * FROM Win32_Process\" wide\n $sql_17 = \"SELECT * FROM win32_networkconnection\" wide\n $sql_18 = \"SELECT VariableValue from win32_environment WHERE name='\" wide\n\n $ascii_art_01 = \" %&&@@@&&\" wide\n $ascii_art_02 = \" &&&&&&&%%%, #&&@@@@@@%%%%%%###############%\" wide\n $ascii_art_03 = \" &%& %&%% &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%\" wide\n $ascii_art_04 = \"%%%%%%%%%%%######%%%#%%####% &%%**# @////(((&%%%%%%######################(((((((((((((((((((\" 
wide\n $ascii_art_05 = \"#%#%%%%%%%#######%#%%####### %&%,,,,,,,,,,,,,,,, @////(((&%%%%%#%#####################(((((((((((((((((((\" wide\n $ascii_art_06 = \"#%#%%%%%%#####%%#%#%%####### %%%,,,,,, ,,. ,, @////(((&%%%%%%%######################(#(((#(#((((((((((\" wide\n $ascii_art_07 = \"#####%%%#################### &%%...... ... .. @////(((&%%%%%%%###############%######((#(#(####((((((((\" wide\n $ascii_art_08 = \"#######%##########%######### %%%...... ... .. @////(((&%%%%%#########################(#(#######((#####\" wide\n $ascii_art_09 = \"###%##%%#################### &%%............... @////(((&%%%%%%%%##############%#######(#########((#####\" wide\n $ascii_art_10 = \"#####%###################### %%%.. @////(((&%%%%%%%################\" wide\n $ascii_art_11 = \" &%& %%%%% Seatbelt %////(((&%%%%%%%%#############*\" wide\n $ascii_art_12 = \" &%%&&&%%%%% v1.1.1 ,(((&%%%%%%%%%%%%%%%%%,\" wide\n $ascii_art_13 = \" #%%%%##,\" wide\n\n $critical_1 = \"Seatbelt.pdb\" ascii\n $critical_2 = \"Seatbelt.Commands.Windows.\" ascii\n $critical_3 = \"Seatbelt.exe\" ascii wide nocase\n\n condition:\n uint16(0) == 0x5A4D and (\n (2 of ($critical_*)) // Any of these strings is close to a hit\n or (26 of ($log_*)) // 2/3 of 40\n or (6 of ($sql_*)) // 2/3 of 18\n or (9 of ($ascii_art_*)) // 2/3 of 13\n )\n}\n", "rule_count": 1, "rule_names": [ "seatbelt" ], "rule_creation_date": "2021-04-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Seatbelt" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1082" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sectoprat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", 
"alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582346Z", "creation_date": "2026-03-23T11:46:25.582348Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582354Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat" ], "name": "sectoprat.yar", "content": "rule sectoprat {\n meta:\n title = \"SecTopRAT Stealer\"\n id = \"5028f000-1e02-4920-98e4-4104d4837283\"\n description = \"Detects SecTopRAT, a .NET based stealer.\\nSecTopRAT is a sophisticated malware designed to steal sensitive information from infected systems.\\nIt contains various modules for scanning and exfiltrating data from popular applications such as Telegram, VPN services, Steam, Discord, browsers, files, FTP, and wallets.\\nThe malware uses configuration settings to determine which modules to execute and how to communicate with its command-and-control (C2) server.\\nIt also features persistence mechanisms and the ability to recursively scan for additional targets.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat\"\n date = \"2024-10-17\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.credential_access;attack.t1555.003;attack.command_and_control;attack.t1071.001;attack.exfiltration;attack.t1041\"\n classification = \"Windows.Stealer.SecTopRat\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n 
score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b47fa1551e423d7931a8cba61543ac25a4945d1c7e3fe405d5edc18663d10cae\n // a354c672e502b1f84041b96c0db87f9f63868908ab01a9d993476854de4834a7\n // 48378f048afb9220ee1a840e73b8d5b5060fef5df607abc90ed5b7ddbd17add9\n // 309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f\n\n $s_recoursive00 = \"Recoursive\"\n $s_recoursive01 = \"k__BackingField\"\n $s_recoursive02 = \"get_Recoursive\"\n $s_recoursive03 = \"set_Recoursive\"\n\n $s_scan_get00 = \"get_ScanTelegram\"\n $s_scan_get01 = \"get_ScanVPN\"\n $s_scan_get02 = \"get_ScanSteam\"\n $s_scan_get03 = \"get_ScanDiscord\"\n $s_scan_get04 = \"get_ScanWallets\"\n\n $s_scan_set00 = \"set_ScanTelegram\"\n $s_scan_set01 = \"set_ScanVPN\"\n $s_scan_set02 = \"set_ScanSteam\"\n $s_scan_set03 = \"set_ScanDiscord\"\n $s_scan_set04 = \"set_ScanWallets\"\n\n\n $s_get01 = \"get_ScannedWallets\"\n $s_get02 = \"get_NordAccounts\"\n $s_get03 = \"get_Proton\"\n\n $s_set01 = \"set_ScannedWallets\"\n $s_set02 = \"set_NordAccounts\"\n $s_set03 = \"set_Proton\"\n\n condition:\n 2 of ($s_recoursive*) and\n 3 of ($s_scan_get*) and\n 3 of ($s_scan_set*) and\n 2 of ($s_get*) and\n 2 of ($s_set*)\n}\n", "rule_count": 1, "rule_names": [ "sectoprat" ], "rule_creation_date": "2024-10-17", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.SecTopRat" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.discovery", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1041", "attack.t1555.003", "attack.t1082" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shad0w_beacon_core_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", 
"effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578203Z", "creation_date": "2026-03-23T11:46:25.578206Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578215Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/shad0w" ], "name": "shad0w_beacon_core.yar", "content": "import \"pe\"\n\nrule shad0w_beacon_core {\n meta:\n title = \"Shad0w Beacon Core\"\n id = \"0e80ae07-d963-4de4-90b0-1179ad3bbeb4\"\n description = \"Detects the SHAD0W Beacon core payload.\\nThis stage is the final payload downloaded from the command-and-control server and executes the attacker's commands.\\nIt is recommended to perform a full file analysis to determine if the binary is malicious.\"\n references = \"https://github.com/bats3c/shad0w\"\n date = \"2020-03-11\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1071.001\"\n classification = \"Windows.Framework.Shad0w\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s1 = \"%sType\\tCreated\\t\\t Last Access\\t Length\\t Name\"\n $s2 = \"%s----\\t-------\\t\\t -----------\\t ------\\t ----\"\n $s3 = \"DIR\\t%.2d/%.2d/%.4d %.2d:%.2d %.2d/%.2d/%.4d %.2d:%.2d \\t %s\"\n $s4 = \"FILE\\t%.2d/%.2d/%.4d %.2d:%.2d %.2d/%.2d/%.4d %.2d:%.2d %d\\t 
%s\"\n $s5 = \"username=%s&domain=%s&machine=%s&arch=%s&os=%s&secure=%s\"\n $s6 = \"Directory Changed to: '%s'\"\n $s7 = \"Resolving IsWow64Process(): FAILED\"\n $s8 = \"CreateToolhelp32Snapshot(): FAILED\"\n $s9 = \"BeaconRegisterC2\"\n $s10 = \"killed idle process\"\n $s11 = \"doing insecure exec\"\n $s12 = \"ReflectiveLoader\"\n\n $e1 = \"ERROR: The path '%s' was unable to be found.\"\n $e2 = \"ERROR: Access to the path '%s' is denied.\"\n $e3 = \"ERROR: The filename, directory name, or volume label syntax of '%s' is incorrect.\"\n $e4 = \"ERROR: The directory '%s' is invalid.\"\n $e5 = \"ERROR: listing '%s' code: %d.\"\n $e6 = \"ERROR: The file '%s' was unable to be found.\"\n $e7 = \"ERROR: changing directory to '%s' code: %d.\"\n $e8 = \"ERROR: Access to the file '%s' is denied.\"\n $e9 = \"ERROR: The filename, directory name, or volume label syntax of '%s' is incorrect.\"\n $e10 = \"ERROR: The file '%s' is invalid.\"\n $e11 = \"ERROR: listing '%s' code: %d.\"\n $e12 = \"ERROR: Failed to create '%s' because it already exists.\"\n $e13 = \"ERROR: Failed to create '%s' because one or more intermediate directories do not exist.\"\n $e14 = \"ERROR: Failed to create '%s' with error code: %d.\"\n $e15 = \"ERROR: Failed to delete '%s' because access is denied.\"\n $e16 = \"ERROR: Failed to delete '%s' because it could not be found.\"\n $e17 = \"ERROR: Failed to delete '%s' with error code: %d.\"\n $e18 = \"ERROR: The path '%s' was unable to be found.\"\n $e19 = \"ERROR: Access to '%s' is denied.\"\n $e20 = \"ERROR: The filename, directory name, or volume label syntax of '%s' is incorrect.\"\n $e21 = \"ERROR: The directory '%s' is invalid.\"\n\n condition:\n 8 of ($s*) and 15 of ($e*)\n}\n", "rule_count": 1, "rule_names": [ "shad0w_beacon_core" ], "rule_creation_date": "2020-03-11", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Shad0w" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071.001", 
"attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shad0w_beacon_decrypted_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578293Z", "creation_date": "2026-03-23T11:46:25.578296Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578304Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/shad0w" ], "name": "shad0w_beacon_decrypted.yar", "content": "import \"pe\"\n\nrule shad0w_beacon_decrypted {\n meta:\n title = \"Decrypted Shad0w Beacon\"\n id = \"1c187528-ace8-4eac-9657-d89ec4ffd3d3\"\n description = \"Detects the SHAD0W Beacon stage1 payload after decryption.\\nThis stage establishes communication with the command-and-control server to download the final payload.\\nIt is recommended to block network traffic to the identified C2 server and analyze the payload for malicious activities.\"\n references = \"https://github.com/bats3c/shad0w\"\n date = \"2020-03-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1071.001\"\n classification = \"Windows.Framework.Shad0w\"\n context = 
\"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Those are mingw strings, as all shad0w beacons are compiled with mingw\n $mingw_1 = \"GCC: (GNU) 10-win32\"\n $mingw_2 = \"Argument domain error (DOMAIN)\"\n $mingw_3 = \"Overflow range error (OVERFLOW)\"\n $mingw_4 = \"Partial loss of significance (PLOSS)\"\n $mingw_5 = \"Total loss of significance (TLOSS)\"\n $mingw_6 = \"The result is too small to be represented (UNDERFLOW)\"\n $mingw_7 = \"Argument singularity (SIGN)\"\n\n // Hard-coded strings present in the binary\n $shad0w_1 = \"FAILED TO FORMAT\"\n $shad0w_2 = \"[DEBUG] %s\"\n $shad0w_3 = \"made callback\"\n $shad0w_4 = \"payload=x64/windows\"\n $shad0w_5 = \"Content-Type: application/x-www-form-urlencoded\" wide\n $shad0w_6 = \"Error %u in WinHttpQueryDataAvailable.\"\n $shad0w_7 = \"Out of memory, must be a big stage\"\n $shad0w_8 = \"Allowing: %s\"\n $shad0w_9 = \"SetProcessMitigationPolicy (ProcessSignaturePolicy) failed\"\n\n condition:\n 5 of ($mingw_*) and 7 of ($shad0w_*)\n}\n", "rule_count": 1, "rule_names": [ "shad0w_beacon_decrypted" ], "rule_creation_date": "2020-03-10", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Shad0w" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1071.001", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shad0w_beacon_unpacked_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578247Z", "creation_date": "2026-03-23T11:46:25.578250Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578259Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/shad0w" ], "name": "shad0w_beacon_unpacked.yar", "content": "import \"pe\"\n\nrule shad0w_beacon_unpacked {\n meta:\n title = \"Unpacked Shad0w Beacon\"\n id = \"8c0e4bf5-cb7f-418a-aa42-25e54d6dc1b2\"\n description = \"Detects the SHAD0W Beacon stage1 payload after unpacking.\\nThis stage is encrypted and designed to download and execute the second stage payload upon decryption.\\nIt is recommended to isolate the system and perform a detailed analysis of the memory space.\"\n references = \"https://github.com/bats3c/shad0w\"\n date = \"2020-03-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1140\"\n classification = \"Windows.Framework.Shad0w\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $shellcode_loader = {\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 48 83 EC 30 // sub rsp, 30h\n E8 ?? ?? ?? ?? // call X\n 8B 05 ?? ?? ?? ?? // mov eax, cs:Size\n 89 C0 // mov eax, eax\n 41 B9 40 00 00 00 // mov r9d, 40h ; '@' ; flProtect\n 41 B8 00 10 00 00 // mov r8d, 1000h ; flAllocationType\n 48 89 C2 // mov rdx, rax ; dwSize\n B9 00 00 00 00 // mov ecx, 0 ; lpAddress\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:VirtualAlloc\n FF D0 // call rax ; VirtualAlloc\n 48 89 45 F8 // mov [rbp+var_8], rax\n 8B 05 ?? ?? ?? ?? 
// mov eax, cs:Size\n 89 C2 // mov edx, eax\n 48 8B 45 F8 // mov rax, [rbp+var_8]\n 49 89 D0 // mov r8, rdx ; Size\n 48 8D 15 ?? ?? ?? ?? // lea rdx, X ; Src\n 48 89 C1 // mov rcx, rax ; void *\n E8 ?? ?? ?? ?? // call memcpy\n 48 8B 45 F8 // mov rax, [rbp+var_8]\n FF D0 // call rax\n B8 00 00 00 00 // mov eax, 0\n 48 83 C4 30 // add rsp, 30h\n 5D // pop rbp\n C3 // retn\n }\n\n // Those are mingw strings, as all shad0w beacons are compiled with mingw\n $s1 = \"GCC: (GNU) 10-win32\"\n $s2 = \"Argument domain error (DOMAIN)\"\n $s3 = \"Overflow range error (OVERFLOW)\"\n $s4 = \"Partial loss of significance (PLOSS)\"\n $s5 = \"Total loss of significance (TLOSS)\"\n $s6 = \"The result is too small to be represented (UNDERFLOW)\"\n $s7 = \"Argument singularity (SIGN)\"\n\n condition:\n all of ($s*) and $shellcode_loader\n}\n", "rule_count": 1, "rule_names": [ "shad0w_beacon_unpacked" ], "rule_creation_date": "2020-03-08", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Shad0w" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1140", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shad0w_beacon_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577595Z", "creation_date": 
"2026-03-23T11:46:25.577597Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577602Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/bats3c/shad0w" ], "name": "shad0w_beacon.yar", "content": "import \"pe\"\n\nrule shad0w_beacon {\n meta:\n title = \"Shad0w Beacon\"\n id = \"411e09a7-3b6e-43d9-9b19-829ac7527942\"\n description = \"Detects the SHAD0W Beacon initial stage payload.\\nThis stage is packed with UPX and encrypted with Donut, designed to evade detection and download the second stage.\\nIt is recommended to monitor for network traffic originating from this process.\"\n references = \"https://github.com/bats3c/shad0w\"\n date = \"2020-03-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.t1055.002;attack.t1140\"\n classification = \"Windows.Framework.Shad0w\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n condition:\n /*\n ** Import table represented by the import hash 9aebf3da4677af9275c461261e5abde3:\n **\n ** KERNEL32.DLL: LoadLibraryA\n ** KERNEL32.DLL: ExitProcess\n ** KERNEL32.DLL: GetProcAddress\n ** KERNEL32.DLL: VirtualProtect\n ** msvcrt.dll: exit\n **\n ** =============================================================================\n **\n ** Import table represented by the import hash 6c29ae5aa6b6070da1952d552421e5b9:\n **\n ** KERNEL32.DLL: LoadLibraryA\n ** KERNEL32.DLL: ExitProcess\n ** KERNEL32.DLL: GetProcAddress\n ** KERNEL32.DLL: VirtualProtect\n ** WINHTTP.dll: WinHttpOpen\n ** msvcrt.dll: exit\n */\n uint16(0) == 0x5a4d // Ensure the file is a PE\n and filesize >= 5KB and filesize <= 1MB // Ensure the file has a reasonable size to be a shad0w beacon\n and (pe.imphash() == \"9aebf3da4677af9275c461261e5abde3\" or 
pe.imphash() == \"6c29ae5aa6b6070da1952d552421e5b9\") // Ensure the import hash matches any import table described above\n and for all section in pe.sections : ( section.name matches /^[a-zA-Z]{3}[0-9]$/ ) // shad0w renames UPX sections with a 3-letter random string\n and for all section in pe.sections : ( not ( section.name matches /^UPX[0-9]+$/ ) ) // We don't want to trigger false positives against similar UPX-packed binaries.\n}\n", "rule_count": 1, "rule_names": [ "shad0w_beacon" ], "rule_creation_date": "2020-03-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Shad0w" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1140", "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shadowpad_obfuscation_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583633Z", "creation_date": "2026-03-23T11:46:25.583635Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583640Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html\nhttps://attack.mitre.org/software/S0596/" ], "name": "shadowpad_obfuscation.yar", "content": "rule backdoor_shadowpad_obfuscation {\n meta:\n title = \"ShadowPad Malware Obfuscation\"\n id = \"5db39d2a-7a81-4d9c-bc5b-6c7bba5205d4\"\n description = \"Detects the ShadowPad malware.\\nShadowPad is a modular backdoor attributed to APT41 (a Chinese APT) that is decrypted in memory using a custom decryption algorithm.\\nShadowPad plugins are sold separately and can add a variety of functionalities to the backdoor including obfuscation techniques, exfiltration or command and control abilities.\"\n references = \"https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html\\nhttps://attack.mitre.org/software/S0596/\"\n date = \"2023-07-17\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1055;attack.command_and_control;attack.t1071.001;attack.t1071.002;attack.t1071.004;attack.t1105;attack.s0596\"\n classification = \"Windows.Backdoor.ShadowPad\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 4e3a455e7f0b8f34385cd8320022719a8fc59d8bc091472990ac9a56e982a965\n\n $calc_addr_next_instruction = {\n 41 5? // push r12\n 0F 8? ?? ?? ?? FF // js loc_18000572F\n 0F 8? ?? ?? ?? FF // jns loc_18000572F\n (E8|E9) ?? ?? ?? 
(00|FF) // call | jmp\n }\n\n condition:\n #calc_addr_next_instruction > 8 and filesize < 10MB\n}\n", "rule_count": 1, "rule_names": [ "backdoor_shadowpad_obfuscation" ], "rule_creation_date": "2023-07-17", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.ShadowPad" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.004", "attack.t1071.001", "attack.t1055", "attack.t1071.002", "attack.t1105" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharpdump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585359Z", "creation_date": "2026-03-23T11:46:25.585361Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585367Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GhostPack/SharpDump" ], "name": "sharpdump.yar", "content": "rule sharpdump {\n meta:\n title = \"SharpDump Tool\"\n id = \"11b18120-df94-49c8-a616-37f55fc504f7\"\n description = \"Detects Sharpdump, a C# tool that ports the functionality of PowerSploit's Out-Minidump.ps1 
script. It enables the creation of minidumps of processes, such as LSASS, to extract sensitive information like credentials, and compresses the dumps into GZIP format for further analysis.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/GhostPack/SharpDump\"\n date = \"2022-09-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.003\"\n classification = \"Windows.Tool.SharpDump\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 2a80b75a42065edd12b30d09eabd1dfc2a4bd522a5ce964b2424b46267688809\n // 8e7eaf585d3bc9f87159ff49850b074c42a7b192ce6540b06ed04ded87ba0d92\n\n $s1 = \"SharpDump\" ascii\n $s2 = \"SharpDump\" wide\n $s3 = \"Please use \\\"SharpDump.exe [pid]\\\" format\" fullword wide\n $s4 = \"[*] Dumping {0} ({1}) to {2}\" fullword wide\n $s5 = \"[+] Dump successful\" fullword wide\n $s6 = \"[X] Not in high integrity, unable to MiniDump!\" fullword wide\n\n condition:\n uint16(0) == 0x5a4d and filesize < 600KB and 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "sharpdump" ], "rule_creation_date": "2022-09-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.SharpDump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharphound3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563333Z", "creation_date": "2026-03-23T11:46:25.563335Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563341Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/software/S0521/\nhttps://github.com/BloodHoundAD/SharpHound3" ], "name": "sharphound3.yar", "content": "rule sharphound3 {\n meta:\n title = \"SharpHound3 HackTool\"\n id = \"d1245878-035e-46fd-9eed-184d6f1cc675\"\n description = \"Detects SharpHound3, the data collection component of the BloodHound project.\\nSharpHound3 is used to gather information about an Active Directory environment, including user, computer, and group relationships, which can be exploited to identify potential attack vectors within the domain.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://attack.mitre.org/software/S0521/\\nhttps://github.com/BloodHoundAD/SharpHound3\"\n date = \"2022-01-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.s0521\"\n classification = \"Windows.HackTool.SharpHound3\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $clear_string_marker_exe_name = \"SharpHound.exe\" ascii\n $clear_string_marker_pdb_name = \"SharpHound.pdb\" ascii\n $clear_string_marker_invoke = 
\"InvokeSharpHound\" ascii\n $clear_string_marker_ldap_wrapper = \"SharpHound3.LdapWrappers\" ascii\n\n $string_marker_task_gpogrouptasks = \"SharpHound3.Tasks.GPOGroupTasks\" ascii\n $string_marker_task_computeravailabletasks = \"SharpHound3.Tasks.ComputerAvailableTasks\" ascii\n $string_marker_task_containertasks = \"SharpHound3.Tasks.ContainerTasks\" ascii\n $string_marker_task_groupenumerationtasks = \"SharpHound3.Tasks.GroupEnumerationTasks\" ascii\n $string_marker_task_localgrouptasks = \"SharpHound3.Tasks.LocalGroupTasks\" ascii\n $string_marker_task_outputtasks = \"SharpHound3.Tasks.OutputTasks\" ascii\n $string_marker_task_objectpropertytasks = \"SharpHound3.Tasks.ObjectPropertyTasks\" ascii\n $string_marker_task_acltasks = \"SharpHound3.Tasks.ACLTasks\" ascii\n $string_marker_task_spntasks = \"SharpHound3.Tasks.SPNTasks\" ascii\n\n $string_marker_log1 = \"[-] Cache Invalidated: 0 Objects in Cache\" wide\n $string_marker_log2 = \"[+] Cache File not Found: 0 Objects in cache\" wide\n $string_marker_log3 = \"[+] Cache File Found! Loaded {0} Objects in cache\" wide\n $string_marker_log4 = \"Initializing SharpHound at \" wide\n $string_marker_log5 = \"Loop specified without a duration. Defaulting to 2 hours!\" wide\n $string_marker_log6 = \"Unable to determine user's domain. Please manually specify it with the --domain flag\" wide\n $string_marker_log7 = \"You must specify both LdapUsername and LdapPassword if using these options!\" wide\n $string_marker_log8 = \"LDAP Connection Test Failed. Check if you're in a domain context!\" wide\n $string_marker_log9 = \"Skipping looping because loop duration has already passed\" wide\n $string_marker_log10 = \"SharpHound Enumeration Completed at \" wide\n $string_marker_log11 = \"! 
Happy Graphing!\" wide\n $string_marker_log12 = \"[+] Creating Schema map for domain \" wide\n $string_marker_log13 = \"[-] Removed LoggedOn Collection\" wide\n $string_marker_log14 = \"[-] Removed RDP Collection\" wide\n $string_marker_log15 = \"[-] Removed DCOM Collection\" wide\n $string_marker_log16 = \"[-] Removed PSRemote Collection\" wide\n $string_marker_log17 = \"[-] Removed LocalAdmin Collection\" wide\n $string_marker_log18 = \"[+] Added GPOLocalGroup\" wide\n $string_marker_log19 = \"-------Computer Status Count-------\" wide\n $string_marker_log20 = \"[+] Pre-populating Domain Controller SIDS\" wide\n $string_marker_log21 = \"[+] Finding Stealth Targets from LDAP Properties\" wide\n $string_marker_log22 = \"[-] Terminating Producer as cancellation was requested. Waiting for pipeline to finish\" wide\n\n // https://github.com/BloodHoundAD/SharpHound3/blob/7615860d963ba70751e1e5a00e02bb3fbca154c6/SharpHound3/Helpers.cs\n $sharp_hood_helper_getloopfilename = \"BloodHoundLoopResults.zip\" wide\n $sharp_hood_helper_null_key = \"NULLDOMAIN\" wide\n $sharp_hood_helper_groups1 = \"268435456\" wide\n $sharp_hood_helper_groups2 = \"268435457\" wide\n $sharp_hood_helper_groups3 = \"536870912\" wide\n $sharp_hood_helper_groups4 = \"536870913\" wide\n $sharp_hood_helper_computers = \"805306369\" wide\n $sharp_hood_helper_users = \"805306368\" wide\n\n condition:\n (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550) and (\n 4 of ($string_marker_task_*) or\n 8 of ($string_marker_log*) or\n all of ($clear_string_marker_*) or\n 7 of ($sharp_hood_helper_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "sharphound3" ], "rule_creation_date": "2022-01-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SharpHound3" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharpkatz_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585097Z", "creation_date": "2026-03-23T11:46:25.585099Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585104Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/b4rtik/SharpKatz" ], "name": "sharpkatz.yar", "content": "rule sharpkatz {\n meta:\n title = \"SharpKatz Tool\"\n id = \"f3214da1-ed59-4cf6-b4db-98d4652ec903\"\n description = \"Detects SharpKatz, a C# port of Mimikatz.\\nSharpKatz is a tool designed for credential dumping, specifically targeting the LSASS process and other Windows services to extract credentials. 
It is capable of capturing plaintext credentials, NTLM hashes, and Kerberos tickets.\\nThe tool is often used in red teaming and penetration testing to mimic adversary techniques for credential access.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/b4rtik/SharpKatz\"\n date = \"2021-07-09\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003;attack.t1078;attack.t1550.002\"\n classification = \"Windows.Tool.SharpKatz\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // https://github.com/b4rtik/SharpKatz\n $sharpkatz1_s1 = \"SharpKatz\" ascii\n $sharpkatz1_s2 = \"MSV1_0_PRIMARY_CREDENTIAL_10\" ascii\n $sharpkatz1_s3 = \"KIWI_KERBEROS_LOGON_SESSION_10\" ascii\n $sharpkatz1_s4 = \"KIWI_BASIC_SECURITY_LOGON_SESSION_DATA\" ascii\n $sharpkatz1_s5 = \"8568b4c1-2940-4f6c-bf4e-4383ef268be9\" ascii\n\n $sharpkatz2_s1 = \"[x] Error: Could not find offset to AES/3Des/IV keys\" wide\n $sharpkatz2_s2 = \"[*] Example: SharpKatz.exe --Command\" wide\n $sharpkatz2_s3 = \"e3514235-4b06-11d1-ab04-00c04fc2dcd2\" wide\n $sharpkatz2_s4 = \"[*] mode : replacing NTLM/RC4 key in a session\" wide\n $sharpkatz2_s5 = \"Primary:NTLM-Strong-NTOWF\" wide\n\n condition:\n uint16(0) == 0x5a4d and filesize < 300KB and (\n (4 of ($sharpkatz1_*)) or\n (4 of ($sharpkatz2_*))\n )\n}\n", "rule_count": 1, "rule_names": [ "sharpkatz" ], "rule_creation_date": "2021-07-09", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.SharpKatz" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1550.002", "attack.t1078", "attack.t1003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharplaps_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584744Z", "creation_date": "2026-03-23T11:46:25.584746Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584752Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/swisskyrepo/SharpLAPS" ], "name": "sharplaps.yar", "content": "rule sharplaps {\n meta:\n title = \"SharpLAPS Tool\"\n id = \"09dd0c71-dce3-4523-ad1f-2c143f86be0f\"\n description = \"Detects SharpLAPS, a tool used to retrieve LAPS passwords from the Active Directory.\\nSharpLAPS is a tool designed to extract local administrator passwords stored by Microsoft's LAPS (Local Admin Password Solution) feature on domain-joined computers.\\nThe tool requires domain admin privileges or specific rights to query the Active Directory for sensitive information.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/swisskyrepo/SharpLAPS\"\n date = \"2023-07-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555\"\n classification = 
\"Windows.Tool.SharpLAPS\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // d4e30d80e0d2e1884270c75a2d13df486b54d0622925daaffa7ec78c942e3d45\n\n $s1 = \"LDAP://{0}:{1}\" wide fullword\n $s2 = \"[+] Using the following credentials\" wide fullword\n $s3 = \"[+] Extracting LAPS password from LDAP\" wide fullword\n $s4 = \"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=\" wide fullword\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "sharplaps" ], "rule_creation_date": "2023-07-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.SharpLAPS" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharpnbtscan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585133Z", "creation_date": "2026-03-23T11:46:25.585136Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585143Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", 
"rule_confidence_override": null, "references": [ "https://github.com/BronzeTicket/SharpNBTScan\nhttps://cn-sec.com/archives/1266704.html\nhttps://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/" ], "name": "sharpnbtscan.yar", "content": "rule sharpnbtscan {\n meta:\n title = \"SharpNBTScan NetBIOS Scanner\"\n id = \"67aa27cf-df0c-4b80-9486-fcc869c52020\"\n description = \"Detects SharpNBTScan, a NetBIOS scanning tool written in C#.\\nSharpNBTScan is used for enumerating NetBIOS names and gathering information about remote devices on a network.\\nAttackers may use this tool during the reconnaissance phase to gather intelligence on network devices.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/BronzeTicket/SharpNBTScan\\nhttps://cn-sec.com/archives/1266704.html\\nhttps://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/\"\n date = \"2024-10-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1046;attack.t1018;attack.reconnaissance;attack.t1595.001;attack.t1590.005\"\n classification = \"Windows.Tool.SharpNBTScan\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b1601a628a5658f44f668530710fd99302fcefe77ce12596d22b527ba1be7d2a\n // ef5aa4ea773f945f9636f371238f7b8c8c5ca77f7d64d8373fdc2e3e12f87d75\n // 0118e730c519c4bc5c5f2899dc2adc5c2b83664d12cb173b23cd1bb4107e3eb7\n // 1f845bb93a54177106e10034cb9453f71b5e5789417286912a3c710a9482438f\n\n $str_generic = \"SharpNBTScan\" ascii\n\n // https://cn-sec.com/archives/1266704.html\n $str_v1_1 = \"[*] Detecting Remote Computer of {0}\" wide fullword\n $str_v1_2 = \"[>] Name type: Unique name -> (Workstation/Redirector) -> Name: {0}<{1}>\" wide fullword\n 
$str_v1_3 = \"[>] Uint ID(MAC Address): {0}\" wide fullword\n $str_v1_4 = \"[+] Number of Names: {1}\" wide fullword\n $str_v1_5 = \"[!] Error: {0}\" wide fullword\n\n // https://github.com/BronzeTicket/SharpNBTScan\n $str_v2_1 = \"[*]Start udp client ...\" wide fullword\n $str_v2_2 = \"[+]Udp client will stop in 10 s ...\" wide fullword\n $str_v2_3 = \"[+] ip range {0} - {1}\" wide fullword\n $str_v2_4 = \"[-]usage: SharpNBTScan.exe TargetIp (e.g.: SharpNBTScan.exe 192.168.0.1/24)\" wide fullword\n $str_v2_5 = \"[!]Error: {0}\" wide fullword\n\n condition:\n uint16(0) == 0x5a4d and $str_generic and (3 of ($str_v1_*) or 3 of ($str_v2_*))\n}\n", "rule_count": 1, "rule_names": [ "sharpnbtscan" ], "rule_creation_date": "2024-10-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.SharpNBTScan" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1046", "attack.t1018", "attack.t1595.001", "attack.t1590.005" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sharp_secrets_dump_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581515Z", "creation_date": "2026-03-23T11:46:25.581517Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.581523Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/laxa/SharpSecretsdump/tree/master\nhttps://attack.mitre.org/techniques/T1003/004/" ], "name": "sharp_secrets_dump.yar", "content": "rule hacktool_sharpsecretsdump {\n meta:\n title = \"SharpSecretsdump HackTool\"\n id = \"f14d494f-b925-465b-8562-0859c5984ba4\"\n description = \"Detects the execution of SharpSecretsdump, a .NET-based tool used to extract Windows credentials.\\nSharpSecretsdump is an implementation of Impacket's secretsdump.py, designed to run locally on Windows systems to extract LSA secrets and SAM hashes. This tool bypasses the need for remote registry access, making it harder to detect and useful for credential access attacks. It can dump credentials from the local system without requiring high integrity levels, making it a potent tool for adversaries to gather sensitive information.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/laxa/SharpSecretsdump/tree/master\\nhttps://attack.mitre.org/techniques/T1003/004/\"\n date = \"2024-05-07\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1003.004\"\n classification = \"Windows.HackTool.SharpSecretsdump\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fd4dd7547120435cc209247d32520b8d997b7443ba9af21b1e981a4117fe0cb8\n\n $a1 = \"You need to be in high integrity to extract LSA secrets\" wide\n $a2 = \"[*] Target system bootKey: 0x\" wide\n $a3 = \"[!] 
Secret type not supported yet\" wide\n $a4 = \"[*] Dumping local SAM hashes\" wide\n $a5 = \"{0}\\\\{1}$:aad3b435b51404eeaad3b435b51404ee:{2}:::\" wide\n\n condition:\n 2 of ($a*)\n}\n", "rule_count": 1, "rule_names": [ "hacktool_sharpsecretsdump" ], "rule_creation_date": "2024-05-07", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SharpSecretsdump" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1003.004" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-shellcode_generic_metasploit_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.579012Z", "creation_date": "2026-03-23T11:46:25.579014Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.579022Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/rapid7/metasploit-framework" ], "name": "shellcode_generic_metasploit.yar", "content": "rule shellcode_generic_metasploit {\n meta:\n title = \"Metasploit Generic Shellcode\"\n id = \"7ce015f9-3489-420c-9ce8-b21af28e5019\"\n description = \"Detects generic Metasploit 
shellcode activity.\\nThis rule targets patterns commonly associated with Metasploit shellcode, such as API resolution and process injection.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/rapid7/metasploit-framework\"\n date = \"2024-02-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055.002\"\n classification = \"Windows.Framework.Metasploit\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ffff303484812d23b06f18aba1f6a43beae730268a02ee97560e7f9cad0f9701\n\n $stub_api_resolution_64bits = {\n 65 48 8b ?? 60 // mov rdx, qword [gs:rdx+0x60]\n 48 8b ?? 18 // mov rdx, qword [rdx+0x18]\n [0-2] // Place holder\n 48 8b ?? 20 // mov rdx, qword [rdx+0x20]\n [0-3] // Place holder\n ( 48 8b ?? 50 | 48 0f b7 4a 4a ) // mov rsi, qword [rdx+0x50]\n [0-3] // Place holder\n ( 48 8b ?? 50 | 48 0f b7 4a 4a ) // movzx rcx, word [rdx+0x4a]\n ?? 31 ?? // xor r9, r9 {0x0}\n [15-25] // Place holder\n 48 8b ?? 20 // mov rdx, qword [rdx+0x20]\n 8b ?? 3c // mov eax, dword [rdx+0x3c]\n }\n\n $stub_api_resolution_32bits = {\n 64 8b ?? 30 // mov edx, dword [fs:edx+0x30]\n 8b ?? 0c // mov edx, dword [edx+0xc]\n 8b ?? 14 // mov edx, dword [edx+0x14]\n [0-8] // placeholder\n ( 8b ?? 28 | 0f b7 4a 26 ) // mov esi, (dword [edx+0x28]/word [edx+0x26])\n [0-2] // placeholder\n ( 8b ?? 28 | 0f b7 4a 26 ) // movzx ecx, (dword [edx+0x28]/word [edx+0x26])\n 31 ?? // xor eax, eax {0x0}\n [15-25] // Place holder\n 8b ?? 10 // mov edx, dword [edx+0x10]\n [0-5] // Place holder\n 8b ?? 
3c // mov eax, dword [edx+0x3c]\n [0-5] // Place holder\n 8b [1-2] 78 // mov eax, dword [eax+0x78]\n }\n condition:\n 1 of ($stub_*)\n}\n", "rule_count": 1, "rule_names": [ "shellcode_generic_metasploit" ], "rule_creation_date": "2024-02-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Metasploit" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1055.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sia_gpu_miner_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577418Z", "creation_date": "2026-03-23T11:46:25.577420Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577426Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/NebulousLabs/Sia-GPU-Miner" ], "name": "sia_gpu_miner.yar", "content": "rule sia_gpu_miner {\n meta:\n title = \"SIA GPU Miner\"\n id = \"5d30a2a2-c2d1-46a5-a76f-48cb6ab06098\"\n description = \"Detects the SIA GPU Miner, a cryptocurrency mining software designed for mining siacoins.\\nSIA GPU Miner is a GPU-based mining application 
that connects to the Sia network to perform Proof-of-Work calculations.\\nIt is often used for malicious purposes to monetize infected systems by utilizing their graphics processing power.\\nThe miner communicates with the Sia daemon (siad) to send hashing operations and receive work assignments.\\nIt accepts various command-line parameters to configure GPU usage, intensity, host, port, and other mining-related settings.\\nIt is recommended to disable unnecessary cryptocurrency mining activities on systems to mitigate the risk of abuse.\"\n references = \"https://github.com/NebulousLabs/Sia-GPU-Miner\"\n date = \"2024-07-23\"\n modified = \"2025-11-24\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1496\"\n classification = \"Linux.CryptoMiner.SiaGPUMiner\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 3c58f69d5bf12d6c3c37edba8fadd212e7aa3bbc413bceccd99480eba3584d09\n\n $f1 = \"Received corrupt target from Sia\" fullword ascii\n $f2 = \"./sia-gpu-miner.cl\" fullword ascii\n $f3 = \"Are you sure that siad is running?\" fullword ascii\n\n $usage_1 = \"C - cycles per iter: Number of kernel executions between Sia API calls and hash rate updates\" fullword ascii\n $usage_2 = \"A low C will cause instability. As a rule of thumb, the hashrate should only be updating a few times per second.\" fullword ascii\n $usage_3 = \"I - intensity: This is the amount of work sent to the GPU in one batch.\" fullword ascii\n $usage_4 = \"H - host: which host name to use when talking to the siad api. (default: %s)\" fullword ascii\n $usage_5 = \"P - port: which port to use when talking to the siad api. (e.g. -p :9980)\" fullword ascii\n $usage_6 = \"p - OpenCL platform ID: Just what it says on the tin. If you're finding no GPUs,\" fullword ascii\n $usage_7 = \"d - OpenCL device ID: Self-explanatory; it's the GPU index. 
Note that different\" fullword ascii\n\n $canary = \"62a45b722ec60b6d062087baa7ec0fab28c7d6b050b6f56df449e19ded926d73\" ascii\n\n condition:\n (any of ($f*) or 3 of ($usage_*)) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "sia_gpu_miner" ], "rule_creation_date": "2024-07-23", "rule_modified_date": "2025-11-24", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.CryptoMiner.SiaGPUMiner" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1496" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sigflip_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571842Z", "creation_date": "2026-03-23T11:46:25.571845Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571850Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://learn.microsoft.com/en-us/answers/questions/1182542/cve-2013-3900-winverifytrust-signature-validation\nhttps://github.com/med0x2e/SigFlip" ], "name": "sigflip.yar", "content": "import \"pe\"\n\nrule sigflip_drivers {\n meta:\n title = \"SigFlip Drivers (CVE 2013-3900)\"\n id = \"109a1a14-6c1f-46a2-8936-00b1f9b003a8\"\n 
description = \"Detects drivers with malformed signatures.\\nAttackers can exploit a vulnerability in Windows signature verification to change the hash of a driver while keeping its signature valid (CVE 2013-3900).\\nThis technique allows attackers to load malicious or vulnerable drivers, bypassing detection mechanisms that rely on hash-based identification.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://learn.microsoft.com/en-us/answers/questions/1182542/cve-2013-3900-winverifytrust-signature-validation\\nhttps://github.com/med0x2e/SigFlip\"\n date = \"2023-06-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1211\"\n classification = \"Windows.Generic.SigFlip\"\n context = \"process,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $pace = \"PACE Anti-Piracy1\" ascii fullword\n\n condition:\n pe.number_of_signatures >= 1 and\n pe.signatures[0].valid_on(pe.timestamp) and\n (\n uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+8) == 0x3082 and\n for 1 i in ((uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+10))+12..(uint32(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address))-1):\n (\n uint8be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+i) != 0x00\n ) or\n uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+8) == 0x3083 and\n for 1 i in ((65536 * uint8(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+10) + uint16be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+11))+13..(uint32(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address))-1):\n (\n uint8be(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address+i) != 0x00\n )\n )\n and not $pace\n and 
pe.imports(\"ntoskrnl.exe\")\n}\n", "rule_count": 1, "rule_names": [ "sigflip_drivers" ], "rule_creation_date": "2023-06-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.SigFlip" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-skcrypter_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563652Z", "creation_date": "2026-03-23T11:46:25.563655Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563660Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/skadro-official/skCrypter" ], "name": "skcrypter.yar", "content": "rule skcrypter {\n meta:\n title = \"skCrypter Library\"\n id = \"934ccbf1-f09e-4e70-a0dd-bca2875bb433\"\n description = \"Detects the usage of skCrypter, a library used to encrypt strings at compile-time and decrypt them at runtime.\\nskCrypter is a library commonly used by malware authors to evade detection and hinder binary analysis by obfuscating their code\\nIt is recommended to investigate the context 
around this alert to look for malicious actions.\"\n references = \"https://github.com/skadro-official/skCrypter\"\n date = \"2024-04-03\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1027\"\n classification = \"Windows.Generic.skCrypter\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 490f36cd2a3773554a3698ab96134398942d9d92673cdbbfb89e5b92a054c4d0\n // 4efa8380b2986ee710411df08dba27fef5dd2f80877959be74d3b850a371c623\n // 5f8ff572f6f1ed39121999a557c71e9364faa642648d8ae64d8e40de2a7b18b1\n // 79a4c04639a0a9983467370b38de262641da79ccd51a0cdcd53aba20158f1b3a\n // 87d7caf2e0c77e2f1b2a852183903acdd52551284f7a27e8712a40a2cf6764b0\n // d8591297cf8f7df51bc919acbca4e00d6e4f428b544778610a25e1fabc43ff32\n\n $crypt1 = {\n B8 ?? ?? ?? ?? // mov eax, 5397829Dh\n F7 EF // imul edi\n C1 FA 04 // sar edx, 4\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n B8 01 00 00 00 // mov eax, 1\n 2A C2 // sub al, dl\n 0F BE C0 // movsx eax, al\n 6B C8 ?? // imul ecx, eax, 31h ; '1'\n 40 02 CF // add cl, dil\n 41 30 08 // xor [r8], cl\n FF C7 // inc edi\n 4D 8D 40 01 // lea r8, [r8+1]\n 83 FF ?? // cmp edi, 21h ; '!'\n 7C ?? // jl short loc_140075FB0\n }\n\n $crypt2 = {\n B8 ?? ?? ?? ?? // mov eax, 4EC4EC4Fh\n F7 EF // imul edi\n C1 FA 04 // sar edx, 4\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F BE C2 // movsx eax, dl\n 6B C8 ?? // imul ecx, eax, 34h ; '4'\n 40 0F B6 C7 // movzx eax, dil\n 2A C1 // sub al, cl\n 04 ?? // add al, 33h ; '3'\n 41 30 00 // xor [r8], al\n FF C7 // inc edi\n 4D 8D 40 01 // lea r8, [r8+1]\n 83 FF ?? // cmp edi, 21h ; '!'\n 7C ?? // jl short loc_140072380\n }\n\n $crypt3 = {\n B8 ?? ?? ?? ?? 
// mov eax, 0A0A0A0A1h\n F7 EF // imul edi\n 03 D7 // add edx, edi\n C1 FA 05 // sar edx, 5\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F BE C2 // movsx eax, dl\n 6B C8 ?? // imul ecx, eax, 33h ; '3'\n 40 0F B6 C7 // movzx eax, dil\n 2A C1 // sub al, cl\n 04 ?? // add al, 36h ; '6'\n 41 30 00 // xor [r8], al\n FF C7 // inc edi\n 4D 8D 40 01 // lea r8, [r8+1]\n 83 FF ?? // cmp edi, 21h ; '!'\n 7C ?? // jl short loc_1400736E0\n }\n\n $crypt4 = {\n B8 ?? ?? ?? ?? // mov eax, 92492493h\n 4D 8D 40 01 // lea r8, [r8+1]\n F7 EF // imul edi\n 03 D7 // add edx, edi\n C1 FA 05 // sar edx, 5\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F BE C2 // movsx eax, dl\n 6B C8 ?? // imul ecx, eax, 38h ; '8'\n 40 0F B6 C7 // movzx eax, dil\n FF C7 // inc edi\n 2A C1 // sub al, cl\n 04 ?? // add al, 37h ; '7'\n 41 30 40 FF // xor [r8-1], al\n 83 FF ?? // cmp edi, 13h\n 7C ?? // jl short loc_180018E30\n }\n\n $crypt5 = {\n B8 ?? ?? ?? ?? // mov eax, 8D3DCB09h\n 4D 8D 49 02 // lea r9, [r9+2]\n 41 F7 E8 // imul r8d\n 41 03 D0 // add edx, r8d\n C1 FA 05 // sar edx, 5\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F B7 C2 // movzx eax, dx\n 6B C8 ?? // imul ecx, eax, 3Ah ; ':'\n 41 0F B7 C0 // movzx eax, r8w\n 41 FF C0 // inc r8d\n 66 2B C1 // sub ax, cx\n 66 83 C0 ?? // add ax, 35h ; '5'\n 66 41 31 41 FE // xor [r9-2], ax\n 41 83 F8 ?? // cmp r8d, 0Eh\n 7C ?? // jl short loc_1400069F0\n }\n\n $generic_crypt1 = {\n C1 FA ?? // sar edx, 5\n 8B C2 // mov eax, edx\n C1 E8 1F // shr eax, 1Fh\n 03 D0 // add edx, eax\n 0F ?? ?? // movzx eax, dx\n 6B C8 ?? 
// imul ecx, eax, 3Ah ; ':'\n [15-30]\n 7C // jl\n }\n\n $generic_crypt2 = {\n F2 0F 70 C2 D8 // pshuflw xmm0, xmm2, 0D8h\n F3 0F 70 C8 D8 // pshufhw xmm1, xmm0, 0D8h\n 66 0F 70 D1 D8 // pshufd xmm2, xmm1, 0D8h\n }\n\n // Exclusion for FACEIT\n $faceit = \"FACEIT Anti-Cheat Service\" wide fullword\n\n // Exclusion for soffice (C:\\Program Files\\LibreOffice\\program\\swriter.exe -o)\n $soffice = \"\\\\workdir\\\\LinkTarget\\\\Executable\\\\soffice.bin.pdb\" ascii\n\n condition:\n #crypt1 > 5 or\n #crypt2 > 5 or\n #crypt3 > 5 or\n #crypt4 > 5 or\n #crypt5 > 5 or\n (\n #generic_crypt1 > 4 and\n #generic_crypt2 > 4\n )\n and not (\n ($faceit and filepath == \"C:\\\\Program Files\\\\FACEIT AC\\\\faceitservice.exe\") or\n ($soffice and filepath == \"C:\\\\Program Files\\\\LibreOffice\\\\program\\\\soffice.bin\") or\n ($soffice and filepath == \"C:\\\\Windows\\\\System32\\\\WerFault.exe\")\n )\n}\n", "rule_count": 1, "rule_names": [ "skcrypter" ], "rule_creation_date": "2024-04-03", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.skCrypter" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sliver_beacon_linux_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563945Z", "creation_date": "2026-03-23T11:46:25.563947Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563953Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BishopFox/sliver" ], "name": "sliver_beacon_linux.yar", "content": "rule sliver_beacon_bd38b5e0314b {\n meta:\n title = \"Sliver C2 Beacon (bd38b5e0314b)\"\n id = \"ad9f4a46-b8bf-4fb9-b6a2-bd38b5e0314b\"\n description = \"Detects the Sliver C2 Beacon with obfuscated symbols.\\nSliver is an open-source cross-platform adversary emulation framework.\\nThis rule identifies obfuscated code within specific functions used for communication and process management.\"\n references = \"https://github.com/BishopFox/sliver\"\n date = \"2024-02-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071;attack.t1059;attack.privilege_escalation;attack.t1548.002;attack.t1134;attack.defense_evasion;attack.t1569.002;attack.t1055.012\"\n classification = \"Linux.Framework.Sliver\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 124c0b1df0a003bf576fc40d0a3bd620c42f37e5984950cf8684600ae2707ae4 (manually generated, /w debug symbols)\n // 0ba74c30220c0599663f444e1bd63d572db01db34a3bb5b20d97284d3cba80ea (manually generated, stripped)\n // f5ab886589558a8a265c216f6754d1477c19ca46d8ed4d57a1ee975c590e4aab\n // 7bf41938e25df8385ad137cb33c5b6ef3479211ba237c4e4eaec4e3654eab00b\n // 76e1853b9a4e88cc0521df2815d6ba5d6ea5549c4477f8bdc43b9fc3ede32636\n // 98df535576faab0405a2eabcd1aac2c827a750d6d4c3d76a716c24353bedf0b5\n\n // github.com/bishopfox/sliver/implant/sliver/cryptography.RandomKey\n 
$fn_crypto_randomkey = {\n bb 40 00 00 // MOV param_2,0x40\n 00\n 48 89 d9 // MOV param_3,param_2\n e8 ?? ?? ?? // CALL runtime::runtime.makeslice\n ??\n 48 89 ?? ?? // MOV qword ptr [RSP + local_10],param_1\n ??\n bb 40 00 00 // MOV param_2,0x40\n 00\n 48 89 d9 // MOV param_3,param_2\n e8 ?? ?? ?? // CALL crypto/rand::crypto/rand.Read\n ??\n\n [0-1] // NOP (stripped binaries)\n 48 ?? ?? ?? ?? // MOV param_1,qword ptr [RSP + local_10]\n bb 40 00 00 // MOV param_2,0x40\n 00\n 48 89 d9 // MOV param_3,param_2\n e8 ?? ?? ?? // CALL crypto/sha256::crypto/sha256.Sum256\n ??\n\n 0f 10 ?? ?? // MOVUPS XMM0,xmmword ptr [RSP]=>local_88\n 0f 11 ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_30[0]],XMM0\n 0f 10 ?? ?? ?? // MOVUPS XMM0,xmmword ptr [RSP + local_78[0]]\n 0f 11 ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_20[0]],XMM0\n 44 0f ?? ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_50[0]],XMM15\n 44 0f ?? ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_40[0]],XMM15\n 0f 10 ?? ?? ?? // MOVUPS XMM0,xmmword ptr [RSP + local_30[0]]\n 0f 11 ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_50[0]],XMM0\n 0f 10 ?? ?? ?? // MOVUPS XMM0,xmmword ptr [RSP + local_20[0]]\n 0f 11 ?? ?? ?? // MOVUPS xmmword ptr [RSP + local_40[0]],XMM0\n 0f 10 ?? ?? ?? // MOVUPS XMM0,xmmword ptr [RSP + local_50[0]]\n 0f 11 ?? ?? // MOVUPS xmmword ptr [RSP + param_10[0]],XMM0\n ?? ?? ?? ??\n 0f 10 ?? ?? ?? // MOVUPS XMM0,xmmword ptr [RSP + local_40[0]]\n 0f 11 ?? ?? // MOVUPS xmmword ptr [RSP + param_11[0]],XMM0\n a0 00 ?? ??\n 48 ?? ?? ?? // MOV RBP=>local_8,qword ptr [RSP + 0x80]\n ?? ?? ?? ??\n 48 81 c4 ?? // ADD RSP,0x88\n ?? ?? ??\n c3 // RET\n }\n\n // github.com/bishopfox/sliver/implant/sliver/cryptography.Encrypt\n $fn_crypto_encrypt = {\n 48 85 db // TEST param_2,param_2\n 0f 85 ?? // JNZ LAB_007f7a49\n ?? ?? ??\n [0-20]\n 48 89 44 // MOV qword ptr [RSP + local_20],param_1\n 24 ??\n [0-1] // NOP\n 48 8d 05 // LEA param_1,[bytes::bytes.Buffer___runtime.structt\n ?? ?? ?? ??\n e8 ?? ?? 
// CALL runtime::runtime.newobject undefined runtime.newobject(unde\n ?? ??\n 48 89 44 // MOV qword ptr [RSP + local_30],param_1\n 24 ??\n 48 8d 0d // LEA param_3,[DAT_00e3fd00] = ??\n ?? ?? ?? ??\n 48 89 08 // MOV qword ptr [param_1],param_3=>DAT_00e3fd00 = ??\n 44 0f 11 // MOVUPS xmmword ptr [RSP + local_18[0]],XMM15\n 7c 24 ??\n 48 8d 0d // LEA param_3,[*age.X25519Recipient__implements__age\n ?? ?? ?? ??\n 48 89 4c // MOV qword ptr [RSP + local_18[0]],param_3=>*age.X2\n 24 ??\n 48 8b 4c // MOV param_3,qword ptr [RSP + local_20]\n 24 ??\n 48 89 4c // MOV qword ptr [RSP + local_18[8]],param_3\n 24 ??\n 48 89 c3 // MOV param_2,param_1\n 48 8d 4c // LEA param_3=>local_18,[RSP + 0x68]\n 24 ??\n bf 01 00 // MOV param_4,0x1\n 00 00\n }\n\n // github.com/bishopfox/sliver/implant/sliver/screen.LinuxCapture\n $fn_feat_screen_linuxcapture = {\n e8 ?? ?? // CALL runtime::runtime.newobject undefined runtime.newobject(unde\n ?? ??\n 48 8b 54 // MOV RDX,qword ptr [RSP + local_40]\n 24 ??\n 48 85 d2 // TEST RDX,RDX\n 74 ?? // JZ LAB_0082da8f\n\n [0-20]\n\n 48 8b 48 ?? // MOV RCX,qword ptr [RAX + 0x8]\n 48 8b 10 // MOV RDX,qword ptr [RAX]\n 48 8b 70 ?? // MOV RSI,qword ptr [RAX + 0x10]\n 48 8b 40 ?? // MOV RAX,qword ptr [RAX + 0x18]\n [0-2] // NOP\n 48 39 c8 // CMP RAX,RCX\n 0f 87 ?? // JA LAB_0082db0d\n 00 00 00\n 48 29 c6 // SUB RSI,RAX\n 48 29 c1 // SUB RCX,RAX\n 48 89 f7 // MOV RDI,RSI\n 48 f7 de // NEG RSI\n 48 c1 fe 3f // SAR RSI,0x3f\n 48 21 f0 // AND RAX,RSI\n 48 01 d0 // ADD RAX,RDX\n 48 89 cb // MOV RBX,RCX\n 48 89 f9 // MOV RCX,RDI\n 48 8b 6c // MOV RBP=>local_8,qword ptr [RSP + 0x60]\n 24 ??\n 48 83 c4 ?? // ADD RSP,0x68\n c3 // RET\n }\n\n // github.com/bishopfox/sliver/implant/sliver/ps.Kill\n $fn_feat_ps_kill = {\n 49 3b 66 ?? // CMP RSP,qword ptr [R14 + 0x10]=>CURRENT_G.stackgua\n 76 ?? // JBE LAB_008306cf\n 48 83 ec ?? 
// SUB RSP,0x20\n 48 89 6c // MOV qword ptr [RSP + local_8],RBP\n 24 ??\n 48 8d 6c // LEA RBP=>local_8,[RSP + 0x18]\n 24 ??\n [0-1] // NOP\n e8 ?? ?? // CALL os::os.findProcess undefined os.findProcess(undefin\n ?? ??\n 48 85 db // TEST param_2,param_2\n 74 ?? // JZ LAB_008306af\n 48 89 d8 // MOV param_1,param_2\n 48 89 cb // MOV param_2,param_3\n 48 8b 6c // MOV RBP=>local_8,qword ptr [RSP + 0x18]\n 24 ??\n 48 83 c4 20 // ADD RSP,0x20\n c3 // RET\n 90 // NOP\n [0-10]\n 48 8b 1d // MOV param_2,qword ptr [->syscall.Signal__implement = 00aa4250\n ?? ?? ?? ??\n 48 8b 0d // MOV param_3,qword ptr [PTR_DAT_00dff3b8] = 00dc2700\n ?? ?? ?? ??\n [0-2] // NOP\n e8 ?? ?? // CALL os::os.(*Process).signal error os.(*Process).signal(os.Pr\n ?? ??\n 48 8b 6c // MOV RBP=>local_8,qword ptr [RSP + 0x18]\n 24 ??\n 48 83 c4 ?? // ADD RSP,0x20\n c3 // RET\n }\n\n condition:\n (all of ($fn_crypto_*)) or (all of ($fn_feat_*))\n}\n", "rule_count": 1, "rule_names": [ "sliver_beacon_bd38b5e0314b" ], "rule_creation_date": "2024-02-29", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Framework.Sliver" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1134", "attack.t1569.002", "attack.t1548.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sliver_beacon_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": 
"b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577624Z", "creation_date": "2026-03-23T11:46:25.577626Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577631Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BishopFox/sliver" ], "name": "sliver_beacon.yar", "content": "rule sliver_beacon {\n meta:\n title = \"Sliver C2 Beacon - obfuscated symbols (dd070e40fdc8)\"\n id = \"5a02eef7-9c91-4499-9979-dd070e40fdc8\"\n description = \"Detects a Sliver C2 Beacon with obfuscated symbols.\\nSliver is an open-source cross-platform adversary emulation and red team framework designed to test security posture.\\nIt enables red teams to perform various attacks including process enumeration, persistence mechanisms, and data exfiltration.\\nThe framework supports multiple communication channels like DNS, mTLS, WireGuard, and HTTP, and can be customized through scripting.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activity. 
If possible, isolating the infected host during the investigation can help mitigate the risk of malicious activity.\"\n references = \"https://github.com/BishopFox/sliver\"\n date = \"2023-02-20\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071;attack.t1059;attack.privilege_escalation;attack.t1548.002;attack.t1134;attack.defense_evasion;attack.t1569.002;attack.t1055.012\"\n classification = \"Windows.Framework.Sliver\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1846c1db07d4f9a3a86605e38c0be5da38074b91cfafa1a72bccc693b06346e4\n // 3221de492e436a79655b4a82b72830a28de3aa417300fdf06e0b28202053ff3e\n // cd2f373af09895ac271b3172f645a15f9d3d0793c767279be25828ee7e4f8cd6\n // 49dda42f0da691c6ca67f9946ed76a98fc6a26c38cc76e74506c4718fa0895f7\n\n // sliver_cryptography_ECCEncryptToServer\n $crypto_1 = {\n 48 29 D1 // sub rcx, rdx\n 48 83 C1 ?? // add rcx, 10h\n 48 39 CB // cmp rbx, rcx\n 48 89 CE // mov rsi, rcx\n 48 0F 4C CB // cmovl rcx, rbx\n 48 F7 DE // neg rsi\n 48 C1 FE ?? // sar rsi, 3Fh\n 48 21 F2 // and rdx, rsi\n 48 8B ?? ?? ?? ?? ?? ?? // mov rbx, [rsp+98h+var_18]\n 48 01 DA // add rdx, rbx\n 48 39 D0 // cmp rax, rdx\n 74 0B // jz short loc_D45B7D\n 48 89 C3 // mov rbx, rax\n 48 89 D0 // mov rax, rdx\n E8 ?? ?? ?? ?? // call sub_45C760\n }\n\n // sliver_cryptography_RandomKey\n $crypto_2 = {\n BB 40 00 00 00 // mov ebx, 40h ; '@'\n 48 89 D9 // mov rcx, rbx\n E8 ?? ?? ?? ?? // call runtime_makeslice\n 48 89 ?? ?? ?? // mov [rsp+88h+var_10], rax\n BB 40 00 00 00 // mov ebx, 40h ; '@'\n 48 89 D9 // mov rcx, rbx\n E8 ?? ?? ?? ?? // call crypto_rand_Read\n 90 // nop\n 48 ?? ?? ?? ?? // mov rax, [rsp+88h+var_10]\n BB 40 00 00 00 // mov ebx, 40h ; '@'\n 48 89 D9 // mov rcx, rbx\n E8 ?? ?? ?? ?? // call crypto_sha256_Sum256\n 0F 10 ?? ?? // movups xmm0, [rsp+88h+var_88]\n 0F 11 ?? ?? ?? 
// movups [rsp+88h+var_50], xmm0\n 0F 10 ?? ?? ?? // movups xmm0, [rsp+88h+var_78]\n 0F 11 ?? ?? ?? // movups [rsp+88h+var_40], xmm0\n }\n\n // sliver_priv_TokenOwner\n $func_1 = {\n 48 85 C0 // test rax, rax\n 75 ?? // jnz short loc_87AC9B\n 48 8B ?? ?? ?? // mov rax, [rsp+30h+arg_0]\n 48 8B ?? ?? ?? // mov rbx, [rsp+30h+arg_8]\n 48 8B ?? ?? ?? // 'mov rcx, [rsp+30h+arg_10]\n E8 ?? ?? FF FF // call os_dirname\n 48 85 DB // test rbx, rbx\n 75 ?? // jnz short loc_87AC8F\n 48 63 D0 // movsxd rdx, eax\n 48 39 D0 // cmp rax, rdx\n 74 ?? // jz short loc_87AC81\n E8 89 ?? ?? ?? // call sub_88F3E0\n 48 89 ?? ?? ?? // mov [rsp+30h+var_18], rax\n 48 89 ?? ?? ?? // mov [rsp+30h+var_10], rbx\n 48 8B ?? ?? ?? // mov rax, [rsp+30h+var_18]\n E8 95 ?? ?? ?? // call runtime_convTstring\n 48 8D 1D ?? ?? ?? ?? // lea rbx, off_104C860\n 48 89 C1 // mov rcx, rax\n 31 C0 // xor eax, eax\n 48 8B ?? ?? ?? // mov rbp, [rsp+30h+var_8]\n 48 83 C4 ?? // add rsp, 30h\n C3 // retn\n }\n\n // sliver_screen_Screenshot\n $func_2 = {\n 88 4C ?? ?? // mov byte ptr [rsp+0C8h+var_72+5], cl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_76]\n 29 D3 // sub ebx, edx\n 88 5C ?? ?? // mov byte ptr [rsp+0C8h+var_72+6], bl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_77]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_78]\n 29 F2 // sub edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+7], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_8F]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_75]\n 01 F2 // add edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+8], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_89]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_9F]\n 31 F2 // xor edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+9], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_9C]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_AA]\n 29 F2 // sub edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Ah], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_85]\n 0F B6 ?? ?? ?? 
// movzx esi, [rsp+0C8h+var_91]\n 31 F2 // xor edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Bh], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_82]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_7C]\n 29 F2 // sub edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Ch], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_9A]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_99]\n 01 F2 // add edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Dh], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_9D]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_A6]\n 01 F2 // add edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Eh], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_A0]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_84]\n 01 F2 // add edx, esi\n 88 54 ?? ?? // mov byte ptr [rsp+0C8h+var_72+0Fh], dl\n 0F B6 ?? ?? ?? // movzx edx, [rsp+0C8h+var_A5]\n 0F B6 ?? ?? ?? // movzx esi, [rsp+0C8h+var_95]\n 29 F2 // sub edx, esi\n }\n\n condition:\n (1 of ($crypto_*) and 1 of ($func_*))\n}\n", "rule_count": 1, "rule_names": [ "sliver_beacon" ], "rule_creation_date": "2023-02-20", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Sliver" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071", "attack.t1059", "attack.t1134", "attack.t1569.002", "attack.t1548.002", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sliver_implant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586432Z", "creation_date": "2026-03-23T11:46:25.586434Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586440Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BishopFox/sliver" ], "name": "sliver_implant.yar", "content": "rule sliver_implant {\n meta:\n title = \"Sliver Implant\"\n id = \"43803827-650c-445d-a8e1-951f1040446a\"\n description = \"Detects cross-platform Sliver implant.\\nSliver is an open source cross-platform adversary emulation/red team framework designed to test security by simulating real-world attacks.\\nIt enables red teaming and security testing by providing tools for process injection, persistence, and communication.\\nIt is recommended to perform a detailed investigation to uncover any executed malicious actions.\"\n references = \"https://github.com/BishopFox/sliver\"\n date = \"2022-10-14\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1055;attack.execution;attack.t1059.001;attack.t1059.003;attack.command_and_control;attack.t1071.001;attack.t1071.004;attack.t1090.001;attack.collection;attack.t1113\"\n classification = \"Framework.Sliver\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this samples:\n // 7296bb7fb5d5f35e0d190436df8d563c62159af679035c5d7bf905cd6b2f0a0a\n // 
05461e1c2a2e581a7c30e14d04bd3d09670e281f9f7c60f4169e9614d22ce1b3\n // 5568131f894caf1217f4cbda3dd40c1f39e680ce7727ed4a767cd1986e7805f0\n\n $a1 = \"PeerFailureType\" fullword ascii\n $a2 = \"B/Z-github.com/bishopfox/sliver/protobuf/sliverpbb\" fullword ascii\n\n $b1 = \"BackdoorReq\" fullword ascii\n $b2 = \"WGTCPForwardersReq\" fullword ascii\n $b3 = \"WGTCPForwarder\" fullword ascii\n $b4 = \"PollIntervalReq\" fullword ascii\n $b5 = \"RportFwdStopListenerReq\" fullword ascii\n $b6 = \"RportFwdListenersReq\" fullword ascii\n $b7 = \"RPortfwdReq\" fullword ascii\n\n condition:\n all of ($a*) or all of ($b*)\n}\n", "rule_count": 1, "rule_names": [ "sliver_implant" ], "rule_creation_date": "2022-10-14", "rule_modified_date": "2025-02-27", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Framework.Sliver" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1059.003", "attack.t1071.004", "attack.t1071.001", "attack.t1113", "attack.t1055", "attack.t1059.001", "attack.t1090.001" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-smbtouch_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583977Z", 
"creation_date": "2026-03-23T11:46:25.583979Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583985Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/iSafeBlue/Smbtouch-Scanner\nhttps://github.com/3gstudent/Smbtouch-Scanner" ], "name": "smbtouch.yar", "content": "rule smbtouch {\n meta:\n title = \"Smbtouch Scanner\"\n id = \"c0b0f8f6-0839-42dc-a229-9d47d87267e4\"\n description = \"Detects Smbtouch, an internal network vulnerability scanner.\\nSmbtouch is a tool that actively checks for various vulnerabilities on target machines using the SMB or NBT protocol.\\nIt is commonly used for reconnaissance and exploitation attempts, including testing for known vulnerabilities like EternalBlue.\\nThe tool attempts to exploit specific named pipes and checks for vulnerability indicators, such as the presence of specific exploit strings in memory.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/iSafeBlue/Smbtouch-Scanner\\nhttps://github.com/3gstudent/Smbtouch-Scanner\"\n date = \"2022-09-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.reconnaissance;attack.t1592.004;attack.t1595.002\"\n classification = \"Windows.Tool.SMBTouch\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a\n\n $smbtouch_s1 = \"[*] Trying pipes...\" fullword ascii\n $smbtouch_s2 = \"[+] Target is vulnerable to %d exploit%s\" fullword ascii\n $smbtouch_s3 = \"[-] Target is not vulnerable\" fullword ascii\n $smbtouch_s4 = \"[+] Touch 
completed successfully\" fullword ascii\n $smbtouch_s5 = \"Named pipe required for exploit\" fullword ascii\n $smbtouch_s6 = \"ETERNALBLUE\" fullword ascii\n $smbtouch_s7 = \"ETERNALSYNERGY\" fullword ascii\n $smbtouch_s8 = \"ETERNALROMANCE\" fullword ascii\n $smbtouch_s9 = \"ETERNALCHAMPION\" fullword ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 200KB and all of ($smbtouch_*)\n}\n", "rule_count": 1, "rule_names": [ "smbtouch" ], "rule_creation_date": "2022-09-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.SMBTouch" ], "rule_tactic_tags": [], "rule_technique_tags": [ "attack.t1592.004", "attack.t1595.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-smoke_loader_memory_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582736Z", "creation_date": "2026-03-23T11:46:25.582740Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582749Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.youtube.com/watch?v=O69eMQ7NS8w\nhttps://attack.mitre.org/software/S0226/" ], "name": "smoke_loader_memory.yar", "content": 
"rule smoke_loader_memory_first_stage {\n meta:\n title = \"SmokeLoader First Stage\"\n id = \"f7cba4ca-d2d1-4d14-bee5-0e961b8f05f4\"\n description = \"Detects SmokeLoader in-memory patterns through its API hashing function, called before it injects itself into explorer.\\nSmokeLoader is a modular malware downloader first observed in 2011. It uses code obfuscation, API function resolution, and sandbox detection for evasion.\\nThe malware is designed to establish persistence and download additional payloads such as banking trojans or ransomware from a C2 server.\"\n references = \"https://www.youtube.com/watch?v=O69eMQ7NS8w\\nhttps://attack.mitre.org/software/S0226/\"\n date = \"2023-10-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0226;attack.defense_evasion;attack.t1140;attack.t1055.012;attack.t1497.001;attack.execution;attack.t1059.005;attack.persistence;attack.t1547\"\n classification = \"Windows.Loader.SmokeLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 013785c59843063e0c132de6cbdcee90dfdff23fa042bf42286a82283dbf45bf\n\n $resolve_fn = {\n C7 ?? ?? ?? 6B 65 72 6E // mov dword ptr [ebp+eax-30h], 6E72656Bh\n 8B ?? ?? // mov eax, [ebp-38h]\n 83 C0 04 // add eax, 4\n 89 ?? ?? // mov [ebp-38h], eax\n 8B ?? ?? // mov eax, [ebp-38h]\n C7 ?? ?? ?? 65 6C 33 32 // mov dword ptr [ebp+eax-30h], 32336C65h\n 8B ?? ?? // mov eax, [ebp-38h]\n 83 C0 04 // add eax, 4\n 89 ?? ?? // mov [ebp-38h], eax\n 8B ?? ?? // mov eax, [ebp-38h]\n C7 ?? ?? ?? 
2E 64 6C 6C // mov dword ptr [ebp+eax-30h], 6C6C642Eh\n }\n\n // srand specific implementation in asm\n $srand = {\n 55 // push ebp\n 8B EC // mov ebp, esp\n 8B 4D 08 // mov ecx, [ebp+8]\n 8B 41 0C // mov eax, [ecx+0Ch]\n 69 C0 FD 43 03 00 // imul eax, 343FDh\n 05 C3 9E 26 00 // add eax, 269EC3h\n 89 41 0C // mov [ecx+0Ch], eax\n C1 E8 10 // shr eax, 10h\n 25 FF 7F 00 00 // and eax, 7FFFh\n 5D // pop ebp\n C3 // retn\n }\n\n $move_strings = {\n 8A 17 // mov dl, [edi]\n 88 10 // mov [eax], dl\n 8A 57 01 // mov dl, [edi+1]\n 88 50 01 // mov [eax+1], dl\n 83 C0 02 // add eax, 2\n 83 C7 02 // add edi, 2\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "smoke_loader_memory_first_stage" ], "rule_creation_date": "2023-10-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.SmokeLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1497.001", "attack.t1059.005", "attack.t1547", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-smoke_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574491Z", "creation_date": "2026-03-23T11:46:25.574493Z", "enabled": true, "block_on_agent": false, 
"quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574499Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.youtube.com/watch?v=O69eMQ7NS8w\nhttps://attack.mitre.org/software/S0226/" ], "name": "smoke_loader.yar", "content": "rule smoke_loader {\n meta:\n title = \"SmokeLoader\"\n id = \"5801152b-951b-4f83-8960-f0163f9ef66b\"\n description = \"Detects the SmokeLoader malware.\\nSmokeLoader is a modular malware downloader first observed in 2011. It uses code obfuscation, API function resolution, and sandbox detection for evasion.\\nThis rule identifies its presence in first-stage executables.\\nAfter execution, SmokeLoader establishes persistence and contacts a C2 server to download additional payloads like banking trojans or ransomware.\"\n references = \"https://www.youtube.com/watch?v=O69eMQ7NS8w\\nhttps://attack.mitre.org/software/S0226/\"\n date = \"2024-03-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.s0226;attack.defense_evasion;attack.t1140;attack.t1055.012;attack.t1497.001;attack.execution;attack.t1059.005;attack.persistence;attack.t1547\"\n classification = \"Windows.Loader.SmokeLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // be5ce235a69b87bbd080436bb83c7a502a53a0f18b2e1e158f6ae027a98abe8c\n // 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3\n // 4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f\n\n // First Stage main function is:\n // Allocates a buffer with LocalAlloc().\n // Changes permissions with VirtualProtect and jumps to it.\n\n // Some versions open named/anonymous pipes | checks for HTTP connections | Serial Ports\n\n $local_alloc = {\n a1???????? 
// mov eax, dword [data_1ef4de4]\n 50 // push eax {var_4}\n 6a00 // push 0x0 {var_8}\n ff?????????? // call dword [LocalAlloc]\n a3???????? // mov dword [data_1ef4b08], eax\n c3 // retn {__return_addr}\n }\n\n // mov dword [data_1ef4de8], 'k\\x00e' | mov dword [data_1ef4dec], 'r\\x00n'\n // mov dword [data_1ef4dec], 'r\\x00n' | mov dword [data_1ef4df0], 'e\\x00l'\n // mov dword [data_1ef4df0], 'e\\x00l' | mov dword [data_1ef4df4], '3\\x002'\n // mov dword [data_1ef4df4], '3\\x002' | mov dword [data_1ef4df8], '.\\x00d'\n // mov dword [data_1ef4df8], '.\\x00d' | mov dword [data_1ef4dfc], 'l\\x00l'\n // mov dword [data_1ef4dfc], 'l\\x00l' | mov dword [data_1ef4de8], 'k\\x00e'\n\n $k32_wcscpy = {\n (\n c705????????72006e00\n c705????????65006c00\n c705????????33003200\n c705????????2e006400\n c705????????6c006c00\n c705????????6b006500\n |\n c705????????6b006500\n c705????????72006e00\n c705????????65006c00\n c705????????33003200\n c705????????2e006400\n c705????????6c006c00\n )\n }\n\n // be5ce235a69b87bbd080436bb83c7a502a53a0f18b2e1e158f6ae027a98abe8c\n\n // int32_t var_8 = 0x20\n // int32_t var_8_1 = 0x40\n // uint32_t* dwSize = data_1ef4de4\n // void* lpAddress = data_1ef4b08\n // __builtin_wcscpy(dest: &data_1ef4de8, src: u\"kernel32.dll\")\n // void lpflOldProtect\n // return VirtualProtect(lpAddress, dwSize, flNewProtect: PAGE_EXECUTE_READWRITE, lpflOldProtect: &lpflOldProtect)\n\n $vprot_args1= {\n 8b15???????? // mov edx, dword [data_1ef4de4]\n a1???????? // mov eax, dword [data_1ef4b08]\n 33c9 // xor ecx, ecx {0x0}\n 66890d???????? 
// mov word [data_1ef4e00], cx {0x0}\n 8d4df8 // lea ecx, [ebp-0x8 {lpflOldProtect}]\n 51 // push ecx {lpflOldProtect} {var_10}\n 6a40 // push 0x40 {var_14}\n 52 // push edx {var_18}\n 50 // push eax {var_1c}\n }\n\n // 4841be428d00d29ab878fda23850d948bc2d12eefb31621c0272e301d95bbc7f\n\n // __builtin_wcscpy(dest: &data_440e58, src: u\"kernel32.dll\")\n // FARPROC eax_8 = GetProcAddress(hModule: LoadLibraryW(lpLibFileName: &data_440e58), lpProcName: \"VirtualProtect\")\n // int32_t edx_7 = data_4411dc\n // int32_t ecx = data_43ed5c\n // data_43d4e4 = eax_8\n // void var_294\n // return eax_8(ecx, edx_7, 0x40, &var_294)\n\n $vprot_args2 = {\n 68???????? // push data_437fc4 {\"VirtualProtect\"}\n 50 // push eax {var_2a0}\n ff?????????? // call dword [GetProcAddress]\n 8b15???????? // mov edx, dword [data_4411dc]\n 8d4c???? // lea ecx, [esp+0x4 {var_294}]\n 51 // push ecx {var_294} {var_29c}\n 8b0d???????? // mov ecx, dword [data_43ed5c]\n 6a40 // push 0x40\n 52 // push edx {var_2a4}\n 51 // push ecx {var_2a8}\n a3???????? // mov dword [data_43d4e4], eax\n ffd0 // call eax\n }\n\n\n // 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3\n\n // HINSTANCE hModule = GetModuleHandleA(lpModuleName: \"kernel32.dll\")\n // data_55e04c = hModule\n // __builtin_strncpy(dest: &data_424488, src: \"VirtualProtect\", n: 0xf)\n // data_55e040 = GetProcAddress(hModule, lpProcName: &data_424488)\n // int32_t var_8 = 0x20\n // void var_4\n // return data_55e040(data_55e048, data_55f46c, 0x40, &var_4)\n\n $vprot_stackstring = {\n 68???????? // push data_402ba8 {\"kernel32.dll\"}\n ff?????????? // call dword [GetModuleHandleA]\n b174 // mov cl, 0x74\n b272 // mov dl, 0x72\n 68???????? // push data_424488\n 50 // push eax {var_10}\n a34c?????? 
// mov dword [data_55e04c], eax\n c605??????0056 // mov byte [data_424488], 'V'\n c605??????0069 // mov byte [data_424489], 'i'\n 8815??????00 // mov byte [data_42448a], dl {'r'}\n c605??????0050 // mov byte [data_42448f], 'P'\n 880d??????00 // mov byte [data_424495], cl {'t'}\n c605??????0000 // mov byte [data_424496], 0x0\n 880d??????00 // mov byte [data_42448b], cl {0x74}\n c605??????0075 // mov byte [data_42448c], 0x75\n c605??????0061 // mov byte [data_42448d], 0x61\n c605??????006c // mov byte [data_42448e], 0x6c\n 8815??????00 // mov byte [data_424490], dl {0x72}\n c605??????006f // mov byte [data_424491], 0x6f\n 880d??????00 // mov byte [data_424492], cl {0x74}\n c605??????0065 // mov byte [data_424493], 0x65\n c605??????0063 // mov byte [data_424494], 0x63\n ff?????????? // call dword [GetProcAddress]\n }\n\n\n condition:\n $local_alloc and\n (\n $k32_wcscpy and (1 of ($vprot_args*)) or\n $vprot_stackstring\n )\n}\n", "rule_count": 1, "rule_names": [ "smoke_loader" ], "rule_creation_date": "2024-03-18", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.SmokeLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1497.001", "attack.t1059.005", "attack.t1547", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-snaffler_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, 
"is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573694Z", "creation_date": "2026-03-23T11:46:25.573697Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573706Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/SnaffCon/Snaffler\nhttps://unit42.paloaltonetworks.com/muddled-libra/\nhttps://attack.mitre.org/techniques/T1087/\nhttps://attack.mitre.org/techniques/T1039/\nhttps://attack.mitre.org/techniques/T1552/" ], "name": "snaffler.yar", "content": "rule snaffler {\n meta:\n title = \"Snaffler Tool\"\n id = \"c70b8fc8-018d-4896-bdc6-9944b0c90c7c\"\n description = \"Detects Snaffler, a tool used by adversaries to identify potentially sensitive files and shares within Active Directory environments.\\nSnaffler is designed to locate files and resources of interest to attackers, particularly those containing credentials or other valuable information.\\nThe tool is often used in the context of credential access and discovery techniques, making it a key component in adversary toolkits.\\nIt is recommended to investigate the context around this alert to look for malicious actions and to determine if the usage of this tool is legitimate.\"\n references = \"https://github.com/SnaffCon/Snaffler\\nhttps://unit42.paloaltonetworks.com/muddled-libra/\\nhttps://attack.mitre.org/techniques/T1087/\\nhttps://attack.mitre.org/techniques/T1039/\\nhttps://attack.mitre.org/techniques/T1552/\"\n date = \"2022-10-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087;attack.collection;attack.t1039;attack.credential_access;attack.t1552\"\n classification = \"Windows.Tool.Snaffler\"\n context = 
\"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // e04ed4bfab5daa3f41b215e41131768a3bcae3694539544b8a8e547032ce14fa\n // 4ba38e0595f1ad81558e5424c3fc4c10aecdcc6af54eeea140f5553d0c098991\n // d964dafefe091f81aaf6f84a21614ff812a2bdf57a021076d221f15a9bb8ef41\n // 4a41e34267fc4fdf9c890e7de253d7a64fe127f9ac8741a0f83cfcda1b901c43\n\n // Snaffler uses a default ruleset as classifiers to find files.\n // The following strings match on some strings from these rules.\n $rules_1 = \"[[ClassifierRules]]\" fullword ascii\n $rules_2 = \"RuleName = \\\"DiscardByFileExtension\\\"\" fullword ascii\n $rules_3 = \"RuleName = \\\"KeepCSharpDbConnStringsYellow\\\"\" fullword ascii\n $rules_4 = \"RuleName = \\\"KeepAwsKeysInCode\\\"\"\n $rules_5 = \"WordListType = \\\"Regex\\\"\" fullword ascii\n $rules_6 = /Triage = \\\"(Red|Green)\\\"/ fullword ascii\n\n // The following strings are unicode but match.\n // Basic logo matching\n $logo_1 = \" .::::::.:::. :::. :::. .-:::::'.-:::::'::: .,:::::: :::::::..\" wide\n $logo_2 = \";;;` ``;;;;, `;;; ;;`;; ;;;'''' ;;;'''' ;;; ;;;;'''' ;;;;``;;;;\" wide\n $logo_3 = \"'[==/[[[[, [[[[[. 
'[[ ,[[ '[[, [[[,,== [[[,,== [[[ [[cccc [[[,/[[['\" wide\n $logo_4 = \" ''' $ $$$ 'Y$c$$c$$$cc$$$c`$$$'`` `$$$'`` $$' $$\\\"\\\" $$$$$$c\" wide\n $logo_5 = \" 88b dP 888 Y88 888 888,888 888 o88oo,.__888oo,__ 888b '88bo,\" wide\n\n // General strings\n $general_1 = \"Snaffler.Properties.Resources\" wide\n $general_2 = \"SnaffCore.Classifiers\" fullword ascii\n $general_3 = \"SnaffCore.Concurrency\" fullword ascii\n $general_4 = \"SnaffCore.Config\" fullword ascii\n\n // Strings for detection on older versions\n $older_1 = \"get_SnafflePath\" fullword ascii\n $older_2 = \"set_SnafflePath\" fullword ascii\n $older_3 = \"costura.snaffcore.pdb.compressed\" fullword ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 1MB and (\n all of ($rules_*)\n or all of ($logo_*)\n or all of ($general_*)\n or (all of ($older_*) and 1 of ($general_*))\n )\n}\n", "rule_count": 1, "rule_names": [ "snaffler" ], "rule_creation_date": "2022-10-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Snaffler" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.discovery" ], "rule_technique_tags": [ "attack.t1039", "attack.t1087", "attack.t1552" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-soaphound_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.572313Z", "creation_date": "2026-03-23T11:46:25.572315Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572320Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/FalconForceTeam/SOAPHound" ], "name": "soaphound.yar", "content": "rule soaphound_generic {\n meta:\n title = \"SOAPHound HackTool\"\n id = \"d44dec15-0195-4fb4-b910-6291ca4a0612\"\n description = \"Detects SOAPHound, an Active Directory data collector using Active Directory Web Services protocol (ADWS).\\nSOAPHound is a tool designed to gather information from Active Directory environments by leveraging the ADWS protocol. It enables attackers to perform reconnaissance, map out directory structures, and potentially identify hidden relationships between objects, which can be exploited for lateral movement or privilege escalation within the Active Directory.\"\n references = \"https://github.com/FalconForceTeam/SOAPHound\"\n date = \"2024-01-26\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.discovery\"\n classification = \"Windows.HackTool.SOAPHound\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b049cd2650d343fca4cd8aada3fac4ba12583b7d4bc0a9d8b28e17e1cf550fb7\n\n $clear_string_marker_exe_name = \"SOAPHound.exe\" ascii\n $clear_string_marker_pdb_name = \"SOAPHound.pdb\" ascii\n $clear_string_marker_class_adws = \"SOAPHound.ADWS\" ascii\n $clear_string_marker_class_Enums = \"SOAPHound.Enums\" ascii\n $clear_string_marker_class_OutputTypes = \"SOAPHound.OutputTypes\" ascii\n $clear_string_marker_class_ProcessedByFody = \"SOAPHound_ProcessedByFody\" ascii\n $clear_string_marker_class_Processors = \"SOAPHound.Processors\" ascii\n\n // DNS 
(wide)\n $string_dns_1 = \"|_ DNS_RPC_RECORD_TS :\" wide\n $string_dns_2 = \"|_ DNS_RPC_RECORD_A :\" wide\n $string_dns_3 = \"|_ DNS_RPC_RECORD_NODE_NAME :\" wide\n $string_dns_4 = \"|_ DNS_RPC_RECORD_SRV\" wide\n $string_dns_5 = \"|_ DNS_RPC_RECORD_SOA\" wide\n $string_dns_6 = \"|_ DNS_RPC_RECORD_AAAA :\" wide\n $string_dns_7 = \"|_ Unimplemented DNS Record Type --->\" wide\n $string_dns_8 = \"|_ Failed to parse DNS entry..\" wide\n\n // Error (wide)\n $string_error_1 = \"No valid mode has been selected. Please execute --help to select a valid mode.\" wide\n $string_error_2 = \"Output directory is required. Use --outputdirectory\" wide\n $string_error_3 = \"User must be in the format domain\\\\user or user@domain\" wide\n $string_error_4 = \"Domain controller is missing, use --dc.\" wide\n $string_error_5 = \"Password is missing, use --password.\" wide\n $string_error_6 = \"Cache file name is missing, use --cachefilename.\" wide\n $string_error_7 = \"AutoSplit threshold is missing, use --threshold.\" wide\n $string_error_8 = \"Domain is missing and could not be determined automatically, use --domain.\" wide\n $string_error_9 = \"does not exist. 
Generate cache before executing this command.\" wide\n\n // misc_string (wide)\n $string_misc_1 = \"ADWS request with ldapbase (\" wide\n $string_misc_2 = \"and ldapproperties: [{0}]\" wide\n $string_misc_3 = \"Key = {0}, Value = {1}\" wide\n $string_misc_4 = \"(!soaphound=*)\" wide\n $string_misc_5 = \"(&(cn=*)(!(cn=a*))(!(cn=b*))(!(cn=c*))(!(cn=d*))(!(cn=e*))(!(cn=f*))(!(cn=g*))(!(cn=h*))(!(cn=i*))(!(cn=j*))(!(cn=k*))(!(cn=l*))(!(cn=m*))(!(cn=n*))(!(cn=o*))(!(cn=p*))(!(cn=q*))(!(cn=r*))(!(cn=s*))(!(cn=t*))(!(cn=u*))(!(cn=v*))(!(cn=w*))(!(cn=x*))(!(cn=y*))(!(cn=z*))(!(cn=0*))(!(cn=1*))(!(cn=2*))(!(cn=3*))(!(cn=4*))(!(cn=5*))(!(cn=6*))(!(cn=7*))(!(cn=8*))(!(cn=9*)))\" wide\n $string_misc_6 = \"_outputUsers.json\" wide\n $string_misc_7 = \"_outputComputers.json\" wide\n $string_misc_8 = \"_outputGroups.json\" wide\n $string_misc_9 = \"_outputDomains.json\" wide\n $string_misc_10 = \"_outputGPOs.json\" wide\n $string_misc_11 = \"_outputOUs.json\" wide\n $string_misc_12 = \"_outputContainers.json\" wide\n $string_misc_13 = \"Could not find endpoint with name '{0}'.\" wide\n\n condition:\n 6 of ($clear_string_marker_*) or\n 5 of ($string_dns_*) or\n 5 of ($string_error_*) or\n 8 of ($string_misc_*)\n}\n", "rule_count": 1, "rule_names": [ "soaphound_generic" ], "rule_creation_date": "2024-01-26", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SOAPHound" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-socksoverrdp_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571944Z", "creation_date": "2026-03-23T11:46:25.571946Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571951Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/nccgroup/SocksOverRDP\nhttps://attack.mitre.org/techniques/T1572" ], "name": "socksoverrdp.yar", "content": "rule socks_over_rdp {\n meta:\n title = \"SocksOverRDP HackTool\"\n id = \"1caa5bcc-d13e-4520-b8e1-4173c3611431\"\n description = \"Detects SocksOverRDP, an RDP tunneling tool that can be used as a plugin to an RDP or Citrix server.\\nIf the DLL is registered (usually via \\\"regsvr32.exe\\\" with the DLL placed in the \\\"%SystemRoot%\\\\system32\\\\\\\" or \\\"%SystemRoot%\\\\SysWoW64\\\\\\\" folder), the plugin will be executed and listen on the port specified in the \\\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\AddIns\\\\SocksOverRDP-Plugin\\\" registry path.\\nAdversaries may use the RDP protocol to communicate with their C&C to route traffic and as a way to circumvent network protections.\\nIt is recommended to inspect network traffic of the process, the registry paths mentioned above, the registry key, and any \\\"regsvr32.exe\\\" related alerts to determine if this plugin was installed maliciously.\"\n references = \"https://github.com/nccgroup/SocksOverRDP\\nhttps://attack.mitre.org/techniques/T1572\"\n date = \"2025-09-24\"\n modified = \"2025-09-30\"\n author = \"HarfangLab\"\n tags = 
\"attack.command_and_control;attack.t1572;attack.lateral_movement;attack.t1021.001\"\n classification = \"Windows.HackTool.SocksOverRDP\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 118fa37bf3ba4761b7a41c12bcad45edee2b0b56f7f884103bfafc081f39d70e\n // 7e4463a1220777b9d910f36d52701ef1e02aa44bd4e1172ba78b59296087690c\n // 3bf45b7cbc505b25fbbb2d461aeac2b69e4d4147e5a25170181c79da7b467966\n\n $s1 = \"!!! OVERFLOW HAPPENED %ld > %ld\" wide\n $s2 = \"{B8DC075B-7F8D-4B06-8733-7EB586CA06F0}\" wide\n $s3 = \"%08X: Last read, smaller or equal.\" wide\n\n condition:\n 2 of ($s*)\n}", "rule_count": 1, "rule_names": [ "socks_over_rdp" ], "rule_creation_date": "2025-09-24", "rule_modified_date": "2025-09-30", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SocksOverRDP" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.lateral_movement" ], "rule_technique_tags": [ "attack.t1572", "attack.t1021.001" ], "rule_score": 70, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sparkrat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564930Z", "creation_date": "2026-03-23T11:46:25.564932Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564938Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/XZB-1248/Spark/\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\nhttps://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/" ], "name": "sparkrat.yar", "content": "rule spark_rat {\n meta:\n title = \"Spark RAT Client\"\n id = \"51d71395-e6da-469a-b380-d2645d755926\"\n description = \"Detects Spark RAT Client, an open source cross-platform Remote Access Tool (RAT), to remotely control computers.\\nThis tool has been abused by several threat actors in the past and is still in active development.\\nIt is recommended to analyze the context around this alert and investigate further suspicious actions or network connections.\"\n references = \"https://github.com/XZB-1248/Spark/\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\\nhttps://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/\"\n date = \"2024-11-14\"\n modified = \"2025-03-31\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1219\"\n classification = \"Trojan.SparkRAT\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6586c81f8171773604dfeb3bc2222cb3ccd6f817afcb65a4431581cedf2a1b66\n // 9cc563bebcafea7d3b95e92bc88ab4a86e66f0c4c413db6032883ecf4d5b6520\n // 43b828ac4517aafead8841d2f8965bceb1204534b95cbacf34c6df3ddd8f6e06\n // aaff0c76b5f5255aecdcb838d5fcdf3f3e5142e040f00ea6683c0d5535213f5f\n // 103c3465516b5b5edd7a493b0cb4eab1a31ca282d693f59e7d6f8fd97e3c436a\n // d5f2cefc53e8355fe26e8c87f6212abf3a345cd1b82af97ac0bc540fd9dd1ed7\n // e0b0fe364fe6118e0246d65eeb32a4b3d37c44737dd2aa8d2291af1482cbc99b\n // 
bc140d13eb3190d51c46ad5855f32f908b7617ab5b40d38b4e64914733beff85\n // ec349cfacc7658eed3640f1c475eb958c5f05bae7c2ed74d4cdb7493176daeba\n\n $generic_specific_s1 = \"SPARK COMMIT:\" ascii\n $generic_specific_s2 = \"/api/client/update\" ascii\n $generic_specific_s3 = \"/api/bridge/pull\" ascii\n $generic_specific_s4 = \"/api/bridge/push\" ascii\n $generic_loose_s1 = \"spark\" ascii nocase\n\n // https://github.com/XZB-1248/Spark/tree/8db2a7361bf649693824450cfcfd498ae51115a0/client/\n $path_s1 = \"/client/common\" ascii\n $path_s2 = \"/client/core\" ascii\n $path_s3 = \"/client/config\" ascii\n $path_s4 = \"/client/service/terminal\" ascii\n $path_s5 = \"/client/service/file\" ascii\n $path_s6 = \"/client/service/process\" ascii\n $path_s7 = \"/client/service/basic\" ascii\n $path_s8 = \"/client/service/desktop\" ascii\n $path_s9 = \"/client/service/screenshot\" ascii\n $path_s10 = \"/utils\" ascii\n $path_s11 = \"/modules\" ascii\n\n // https://github.com/XZB-1248/Spark/blob/8db2a7361bf649693824450cfcfd498ae51115a0/client/core/handler.go#L19\n $cmd_s1 = \"PING\" ascii fullword\n $cmd_s2 = \"LOCK\" ascii fullword\n $cmd_s3 = \"SHUTDOWN\" ascii fullword\n $cmd_s4 = \"TERMINAL_INIT\" ascii fullword\n $cmd_s5 = \"FILES_LIST\" ascii fullword\n $cmd_s6 = \"FILES_REMOVE\" ascii fullword\n $cmd_s7 = \"PROCESSES_LIST\" ascii fullword\n $cmd_s8 = \"PROCESS_KILL\" ascii fullword\n $cmd_s9 = \"DESKTOP_INIT\" ascii fullword\n $cmd_s10 = \"COMMAND_EXEC\" ascii fullword\n\n condition:\n (\n 3 of ($generic_specific_s*) and\n 5 of ($path_s*) and\n 5 of ($cmd_s*)\n ) or\n (\n 3 of ($generic_specific_s*) and\n all of ($generic_loose_s*) and\n 7 of ($path_s*)\n )\n}\n", "rule_count": 1, "rule_names": [ "spark_rat" ], "rule_creation_date": "2024-11-14", "rule_modified_date": "2025-03-31", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Trojan.SparkRAT" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1219" ], "rule_score": 
70, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-spica_backdoor_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569551Z", "creation_date": "2026-03-23T11:46:25.569553Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569559Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" ], "name": "spica_backdoor.yar", "content": "rule spica_backdoor {\n meta:\n title = \"SPICA Backdoor\"\n id = \"4e939e36-5ba1-478d-a095-22c7cc7c08e0\"\n description = \"Detects the SPICA Backdoor used by a Russian threat group focused on credential phishing activities against high profile individuals.\\nThe SPICA backdoor is a sophisticated piece of malware designed to steal sensitive information.\\nIt is written in Rust and communicates with its command and control (C2) server using JSON over websockets.\"\n references = \"https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/\"\n date = \"2024-03-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = 
\"attack.execution;attack.t1059.001;attack.persistence;attack.t1053.005;attack.credential_access;attack.t1606.001;attack.collection;attack.t1560;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Backdoor.Spica\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9\n\n $s1 = \"DNS resolution panicked\" ascii fullword\n $s2 = \"Failed to open the subkey after setting the value.\" ascii\n $s3 = \"task should never panic\" ascii fullword\n $s4 = \"agent\\\\src\\\\command\\\\shell.rs\" ascii fullword\n $s5 = \"/tnCalendarChecker/queryschtasksX\" ascii fullword\n $s6 = \"-Commandpowershell.exe\" ascii fullword\n $s7 = \"Card Holder: Bull Gayts\" ascii\n $s8 = \"SELECT action_url, username_value, password_value from logins where length(username_value) > 0 and length(password_value) > 0\" ascii\n $s9 = \"Uploadstruct UploadQuitDoxShellCookieTelegram\" ascii fullword\n $s10 = \"struct Download with 1 element\" ascii fullword\n\n condition:\n 5 of them\n}\n", "rule_count": 1, "rule_names": [ "spica_backdoor" ], "rule_creation_date": "2024-03-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.Spica" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1606.001", "attack.t1071.001", "attack.t1560", "attack.t1053.005", "attack.t1059.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-splinter_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", 
"rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582943Z", "creation_date": "2026-03-23T11:46:25.582945Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582950Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" ], "name": "splinter.yar", "content": "rule splinter_strings {\n meta:\n title = \"Splinter Generic Strings\"\n id = \"68eec320-8890-458a-9baf-f91c401a0961\"\n description = \"Detects Splinter, a post-exploitation C2 framework written in Rust.\\nSplinter is designed to further exploit systems after initial access.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/\"\n date = \"2024-09-25\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1569.002;attack.t1218;attack.t1055.012\"\n classification = \"Windows.Trojan.Splinter\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 058b831099c93ba59538362b762940a18b0cf89d82ab0c166855f73150054b23\n // 13c98ff5f10a059a1b3096d4cc62bbac10a4fe9f4bbf2ddabad006d05dbbb382\n // 1510c94c0e5ca38447a54cb9957d70efaa649542cc8c7ff78998119dd8062fda\n // 
188f4a191b85011772485f080ca0899c8c2da3c83155b0d0adec3a28754c9417\n // 357c12ac0083f8d9560e36fe92a1df4b514271755e2e6f8098a4a2084caae20c\n // 95609e1d54945cc987f01daf24b834dc070da9b1293b6d07fc5000e2e3dea5be\n // bb33720a6f6027c61f024586d542204035b02db0e460196b6948eca61574e2bc\n // cd3cd03d12e9fe14a99bd40d5218e035a4cedbcbb6c0f759ed042d26a90f466c\n // e73c4ef0f4aee5f9d19c00794bf97593a26f76b1c6ebecccc7d478c2f422ee63\n // fd150cee7ab1ea8ec38fc623ae268d2a8c19647075620d6b0ae153014810cfaf\n\n $s1 = \"\\\\splinter_core\\\\\" ascii\n $s2 = \"c2_password\" ascii\n $s3 = \"c2_server_address\" ascii\n $s4 = \"c2_port\" ascii\n $s5 = \"c2_user\" ascii\n\n condition:\n all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "splinter_strings" ], "rule_creation_date": "2024-09-25", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Splinter" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1218", "attack.t1055.012", "attack.t1569.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-spoolsample_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570792Z", "creation_date": "2026-03-23T11:46:25.570794Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:46:25.570800Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1\nhttps://github.com/leechristensen/SpoolSample\nhttps://attack.mitre.org/techniques/T1187/" ], "name": "spoolsample.yar", "content": "rule spoolsample {\n meta:\n title = \"SpoolSample HackTool\"\n id = \"0896c363-3ede-4d2e-9449-565d7eed06c2\"\n description = \"Detects the SpoolSample PoC tool used to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface.\\nSpoolSample is a proof-of-concept tool that leverages the MS-RPRN (Printers Remote Protocol) interface to coerce authentication from Windows hosts. This technique is commonly used by adversaries to capture credentials or establish persistence. The tool sends crafted requests to target machines, which respond by authenticating to a specified server, potentially leading to credential capture.\"\n references = \"https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1\\nhttps://github.com/leechristensen/SpoolSample\\nhttps://attack.mitre.org/techniques/T1187/\"\n date = \"2023-11-14\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087;attack.collection;attack.t1039;attack.credential_access;attack.t1552\"\n classification = \"Windows.HackTool.SpoolSample\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $s0 = \"Usage: ms-rprn.exe \\\\\\\\targetserver \\\\\\\\CaptureServer\" wide\n $s1 = \"TargetServer: %s, CaptureServer: %s\" wide\n $s2 = \"\\\\pipe\\\\spoolss\" wide\n $s3 = \"If coercing authentication to an NTLM challenge-response capture tool(e.g. 
responder/inveigh/MSF SMB capture), this is expected and indicates the coerced authentication worked.\" wide\n $s4 = \"RpcRemoteFindFirstPrinterChangeNotificationEx failed.\" wide\n $s5 = \"C:\\\\Users\\\\labuser\\\\Downloads\\\\SpoolSample-master\" ascii\n\n condition:\n 3 of ($s*)\n\n}\n", "rule_count": 1, "rule_names": [ "spoolsample" ], "rule_creation_date": "2023-11-14", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SpoolSample" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.discovery" ], "rule_technique_tags": [ "attack.t1039", "attack.t1087", "attack.t1552" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-spreader_samecoin_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569797Z", "creation_date": "2026-03-23T11:46:25.569799Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569805Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/NicoleFishi19/status/1756936882095534532" ], "name": "spreader_samecoin.yar", "content": "rule 
samecoin_campaign_tasksspreader {\n meta:\n title = \"SameCoin Tasks Spreader\"\n id = \"70add14b-0ea4-4280-95c0-e986e13fb6c3\"\n description = \"Detects strings related to SameCoin Loader's .NET Task Scheduler activity.\\nSameCoin is a malicious .NET-based framework used for persistence and lateral movement. This rule detects strings related to the creation and manipulation of scheduled tasks by the SameCoin Loader, which is often used to spread malicious activities across compromised systems. The loader uses task scheduling to maintain persistence and execute subsequent payloads.\\nIt is recommended to review the Task Scheduler logs for any unauthorized tasks.\"\n references = \"https://twitter.com/NicoleFishi19/status/1756936882095534532\"\n date = \"2024-02-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1053.005;attack.persistence;attack.defense_evasion;attack.t1036.004;attack.discovery;attack.t1018;attack.lateral_movement;attack.t1021\"\n classification = \"Windows.Malware.SameCoin\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7\n\n $dotNet = \".NETFramework,Version\" ascii fullword\n\n $a1 = \"System.DirectoryServices.ActiveDirectory\" ascii fullword\n $a2 = \"GetTypeFromProgID\" ascii fullword\n $a3 = \"DirectorySearcher\" ascii fullword\n $a4 = \"SearchResultCollection\" ascii fullword\n $a5 = \"UnaryOperation\" ascii fullword\n\n $b1 = \"$dc1b29f0-9a87-4383-ad8b-01285614def1\" ascii fullword\n $b2 = \"Windows Defender Agent\" ascii fullword\n $b3 = \"Windows Defender Agent.exe\" wide ascii fullword\n $b4 = /(\\\\)?C(:|\\$)\\\\Users\\\\Public\\\\Microsoft System Agent\\.exe/ wide fullword\n $b5 = \"MicrosoftEdgeUpdateTaskMachinesCores\" wide fullword\n $b6 = \"WindowsUpdate\" wide fullword\n\n $c1 = \"RegisterTaskDefinition\" wide fullword\n $c2 = 
\"DisallowStartIfOnBatteries\" wide fullword\n $c3 = \"StopIfGoingOnBatteries\" wide fullword\n $c4 = \"Schedule.Service\" wide fullword\n $c5 = \"\\\\Domain Users\" wide fullword\n $c6 = \"(objectClass=computer)\" wide fullword\n\n condition:\n filesize > 8KB and filesize < 40KB\n and (uint16be(0) == 0x4D5A)\n and $dotNet\n and (4 of ($a*))\n and (\n ((any of ($b*)) and (any of ($c*)))\n or (all of ($c*))\n )\n}\n", "rule_count": 1, "rule_names": [ "samecoin_campaign_tasksspreader" ], "rule_creation_date": "2024-02-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.SameCoin" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.discovery", "attack.execution", "attack.lateral_movement", "attack.persistence" ], "rule_technique_tags": [ "attack.t1018", "attack.t1036.004", "attack.t1053.005", "attack.t1021" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sprysocks_backdoor_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564416Z", "creation_date": "2026-03-23T11:46:25.564419Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564424Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": 
"strong", "rule_confidence_override": null, "references": [ "https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" ], "name": "sprysocks_backdoor.yar", "content": "rule sprysocks_backdoor {\n meta:\n title = \"SprySOCKS Backdoor\"\n id = \"6e6e8d44-5ee6-4b7d-8302-59b972166faf\"\n description = \"Detects the SprySOCKS payload used by a China-linked threat actor named Earth Lusca in 2023.\\nThis payload is a second stage, encrypted with an AES-ECB cipher, launched by a specific loader.\\nThis backdoor uses encrypted communication with the C&C server, protected by a hard-coded AES-ECB password, and implements several commands such as collecting system information, starting an interactive shell, listing network connections, creating a SOCKS proxy, uploading and downloading files, and other basic file operations.\\nThis backdoor persists via chkconfig or systemd to start its loader as a service.\\nThe loader is based on the publicly available Linux ELF injector \\\"mandibule\\\" attributed to the China-linked threat actor Earth Lusca, active in 2023.\"\n references = \"https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\"\n date = \"2023-09-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.004;attack.collection;attack.t1119;attack.command_and_control;attack.t1573.002;attack.t1090.001\"\n classification = \"Linux.Backdoor.SprySOCKS\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f8ba9179d8f34e2643ee4f8bc51c8af046e3762508a005a2d961154f639b2912\n\n $s1 = \"13CascadeConMgr\" ascii fullword\n $s2 = \"(%s)_Line:[%d]_Func:[%s] %s\" ascii fullword\n $s3 = \"cat /proc/cpuinfo|grep cpu\\\\ MHz|sed -e 's/.*:[^0-9]//'\" ascii fullword\n $s4 = \"CollectInfo\" ascii fullword\n $s5 = \"firewall-cmd --zone=public --permanent --add-port=%d/tcp\" ascii fullword\n $s6 = 
\"HISTFILE=/dev/null\" ascii fullword\n $s7 = \"__data|\" ascii fullword\n $s8 = \"00-50-56-c0-00-08BFEBFBFF00040671\" ascii fullword\n\n $packet = {\n 31 C0 // xor eax, eax\n 8B 42 08 // mov eax, [rdx+8]\n BA BC BC AC AC // mov edx, 0ACACBCBCh\n 48 C1 E0 20 // shl rax, 20h\n 48 09 C2 // or rdx, rax\n 49 89 D6 // mov r14, rdx\n E8 ?? ?? ?? ?? // call _malloc\n 48 85 C0 // test rax, rax\n }\n\n $machine_info_s1 = \"cat /etc/issue\" ascii fullword\n $machine_info_s2 = \"cat /etc/redhat-release\" ascii fullword\n $machine_info_s3 = \"%s (%s %s %s)\" ascii fullword\n $machine_info_uname = {\n E8 ?? ?? ?? FF // call _uname\n 48 63 74 24 ?? // movsxd rsi, [rsp+4B8h+var_48C]\n 48 83 EC 08 // sub rsp, 8\n 4C 8D 05 ?? ?? ?? 00 // lea r8, aSSSS\n 48 8D 84 24 ?? ?? 00 00 // lea rax, [rsp+4C0h+name.machine]\n 48 C7 C1 FF FF FF FF // mov rcx, 0FFFFFFFFFFFFFFFFh\n BA 01 00 00 00 // mov edx, 1\n 50 // push rax\n 48 8D 84 24 ?? ?? 00 00 // lea rax, [rsp+4C8h+name.release]\n 50 // push rax\n 48 8D 84 24 ?? ?? 00 00 // lea rax, [rsp+4D0h+name.nodename]\n 50 // push rax\n 48 8B 7C 24 ?? // mov rdi, [rsp+4D8h+var_498]\n 31 C0 // xor eax, eax\n 4C 8B 8C 24 ?? 00 00 00 // mov r9, [rsp+4D8h+var_418]\n E8 ?? ?? ?? 
FF // call ___snprintf_chk\n }\n\n condition:\n 7 of ($s*) or\n (1 of ($s*) and $packet) or\n all of ($machine_info_*)\n}\n", "rule_count": 1, "rule_names": [ "sprysocks_backdoor" ], "rule_creation_date": "2023-09-29", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.SprySOCKS" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.execution" ], "rule_technique_tags": [ "attack.t1119", "attack.t1573.002", "attack.t1090.001", "attack.t1059.004" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sprysocks_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586510Z", "creation_date": "2026-03-23T11:46:25.586512Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586519Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" ], "name": "sprysocks_loader.yar", "content": "rule sprysocks_loader {\n meta:\n title = \"SprySOCKS Loader\"\n id = \"975fe87d-dca2-4e2a-8063-9cb84bd1f1e4\"\n description = \"Detects the 
SprySOCKS Loader which loads and decrypts the second stage.\\nThe loader uses an AES-ECB cipher with a hard-coded password to decrypt the payload.\\nIt establishes persistence via chkconfig or systemd, running as a service.\\nNotably, this loader is based on the publicly available Linux ELF injector \\\"mandibule\\\" attributed to the China-linked threat actor Earth Lusca, active in 2023.\"\n references = \"https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html\"\n date = \"2023-09-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1055;attack.t1140;attack.persistence;attack.privilege_escalation;attack.t1543.002\"\n classification = \"Linux.Loader.SprySOCKS\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 65b27e84d9f22b41949e42e8c0b1e4b88c75211cbf94d5fd66edc4ebe21b7359\n\n $s1 = \"[-] file not ELF\" ascii fullword\n $s2 = \"> DecryptString failed\" ascii fullword\n $s3 = \"[+] _execve rm ok\" ascii fullword\n $s4 = \"[+] system suport chkconfig\" ascii fullword\n $s5 = \"getNameByErgodicPid\" ascii fullword\n\n $mkmom_end = {\n 48 8D 05 ?? ?? 00 00 // lea rax, aEndRodata\n 48 89 44 24 F8 // mov [rsp+var_8], rax\n 48 8B 44 24 F8 // mov rax, [rsp+var_8]\n 25 FF 0F 00 00 // and eax, 0FFFh\n (\n BA 00 10 00 00 // mov edx, 1000h\n 48 29 C2 // sub rdx, rax\n 48 89 D0 // mov rax, rdx\n |\n 48 89 C2 // mov rdx, rax\n B8 00 10 00 00 // mov eax, 1000h\n 48 29 D0 // sub rax, rdx\n )\n 48 01 44 24 F8 // add [rsp+var_8], rax\n 48 8B 44 24 F8 // mov rax, [rsp+var_8]\n C3 // retn\n }\n\n $_syscall = {\n 0F 05 // syscall\n 89 44 24 ?? // mov [rsp+ret], eax\n 8B 44 24 ?? 
// mov eax, [rsp+ret]\n C3 // retn\n }\n\n condition:\n uint16(0) == 0x457f and\n (\n 4 of ($s*) or\n 1 of ($s*) and\n (\n #_syscall > 4 or\n $mkmom_end\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "sprysocks_loader" ], "rule_creation_date": "2023-09-29", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Loader.SprySOCKS" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1543.002", "attack.t1140", "attack.t1055" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-spy_usb_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563683Z", "creation_date": "2026-03-23T11:46:25.563685Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563691Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/\nhttps://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "name": "spy_usb.yar", "content": "rule spy_usb_connection {\n meta:\n title = \"Spy USB 
Connection\"\n id = \"4d54137e-67f3-4d76-ab8f-cdcb85d73484\"\n description = \"Detects the Spy USB malware, known as Win32/USBStealer, used by the Sednit espionage group (APT28).\\nIt targets air-gapped networks by exploiting removable drives. The malware spreads between Internet-connected computers and isolated machines by using USB drives, which act as a bridge for exfiltrating sensitive files. It ensures stealth by hiding files and monitoring when the USB drives are inserted into vulnerable systems, allowing the attacker to collect cryptographic files and other important data without detection.\"\n date = \"2024-07-12\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1120;attack.collection;attack.t1025;attack.command_and_control;attack.t1092\"\n classification = \"Windows.Generic.SpyUsbConnection\"\n context = \"process,memory,thread,file.pe\"\n references = \"https://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/\\nhttps://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 92dcb0d8394d0df1064e68d90cd90a6ae5863e91f194cbaac85ec21c202f581f\n // 4e4606313c423b681e11110ca5ed3a2b2632ec6c556b7ab9642372ae709555f3\n // b1f2d461856bb6f2760785ee1af1a33c71f84986edf7322d3e9bd974ca95f92d\n // 44d3f3ed5571a723e8dd0dc5bc9581d30e285c012e65c4ca6b58931c527ff5ba\n // 72e40f60f5cf61bc47e101eced7b4935a80f1f210203e08651567fdec78dc646\n\n $s_USB_wait_for_usb_device_connection = {\n 2D 17 02 00 00 // sub eax, 217h WM_DEVICECHANGE\n [0-10] // push esi\n // mov esi, [ebp+lParam]\n // push edi\n // mov edi, [ebp+wParam]\n 75 ?? // jnz short loc_402258\n 81 [1-2] 00 80 00 00 // cmp edi, 8000h DBT_DEVICEARRIVAL\n 75 ?? // jnz short loc_402258\n 83 ?? ?? 02 // cmp dword ptr [esi+4], 2 DBT_DEVTYP_VOLUME\n 75 ?? 
// jnz short loc_402258\n [4] // movzx eax, word ptr [esi+10h]\n [2] 01 [0-1] // cmp eax, 1\n 74 ?? // jz short loc_402258\n [2] 02 [0-1] // cmp eax, 2\n 74 ?? // jz short loc_402258\n }\n $s_USB_GUID_DEVINTERFACE_DISK = { 07 63 F5 53 BF B6 D0 11 94 F2 00 A0 C9 1E FB 8B }\n\n condition:\n 2 of ($s_*)\n}\n", "rule_count": 1, "rule_names": [ "spy_usb_connection" ], "rule_creation_date": "2024-07-12", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.SpyUsbConnection" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.discovery" ], "rule_technique_tags": [ "attack.t1025", "attack.t1120", "attack.t1092" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sqlmaggie_mssql_backdoor_x64_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574930Z", "creation_date": "2026-03-23T11:46:25.574932Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574938Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\nhttps://attack.mitre.org/techniques/T1574/" ], "name": "sqlmaggie_mssql_backdoor_x64.yar", "content": "rule sqlmaggie_mssql_backdoor_6ea9a5b0a2c1 {\n meta:\n title = \"SQLMaggie Backdoor (6ea9a5b0a2c1)\"\n id = \"71e5ba4a-4576-4548-af8b-6ea9a5b0a2c1\"\n description = \"Detects the 64-bit version of the SQLMaggie backdoor associated with the Chinese-speaking threat actor named WIP-19.\\nSQLMaggie is a DLL used in Microsoft SQL Server to extend stored procedure functionality. This backdoor, developed by WinEggDrop, allows attackers to register the DLL and gain control over the affected machine. It is often used for internal reconnaissance and lateral movement within a network.\\nIt is recommended to isolate the affected machine and analyze network traffic for signs of command and control communication.\"\n references = \"https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\\nhttps://attack.mitre.org/techniques/T1574/\"\n date = \"2022-11-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1574;attack.defense_evasion;attack.t1027;attack.t1140;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Backdoor.SQLMaggie\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9f1fef88c8280f937de5e48226581b65cd2a2dafa284644053c89e7d425bc6a8\n // e6ab854cd19b43084920a2d422301d4cfab6a3efbde3a6d7653275ce4786dd26\n // eeb793d904be48934d728027dc9d96e3feea3ded1e97d7eceae3c19887bf8a38\n // c18beccc038e014fb97600ec2fc3bfffa463310483b1d13ccfd23a749bb6bb60\n // 04fbe5f96118f9a2abae85ef15cf0b8e24041343e3ff8480fcb7d367bfaf29b9\n // a375ae44c8ecb158895356d1519fe374dc99c4c6b13f826529c71fb1d47095c3\n\n $critical = 
\"By WinEggDrop\" ascii\n\n $mozilla_string = \"Mozilla/4.0 (compatible)\" ascii\n\n $proxy_bypass_1 = {\n 45 33 C9 // xor r9d, r9d\n 45 33 C0 // xor r8d, r8d ; lpszProxy\n 44 (89|39) 6C 24 ?? // mov [rsp+26D8h+dwFlags], r13d ; dwFlags\n 48 8D 0D ?? ?? ?? ?? // lea rcx, szAgent ; \"Mozilla/4.0 (compatible)\"\n 44 (89|39) 6C 24 ?? // cmp [rsp+26D8h+var_2668], r13d\n }\n\n $proxy_bypass_2 = {\n 45 33 C9 // xor r9d, r9d\n 45 33 C0 // xor r8d, r8d ; lpszProxy\n 44 (89|39) 6C 24 ?? // mov [rsp+26D8h+dwFlags], r13d ; dwFlags\n 44 (89|39) 6C 24 ?? // cmp [rsp+26D8h+var_2668], r13d\n 48 8D 0D ?? ?? ?? ?? // lea rcx, szAgent ; \"Mozilla/4.0 (compatible)\"\n }\n\n $proxy_bypass_3 = {\n 45 33 C9 // xor r9d, r9d\n 45 33 C0 // xor r8d, r8d ; lpszProxy\n 48 8D 0D ?? ?? ?? ?? // lea rcx, szAgent ; \"Mozilla/4.0 (compatible)\"\n 44 (89|39) 6C 24 ?? // mov [rsp+26D8h+dwFlags], r13d ; dwFlags\n 44 (89|39) 6C 24 ?? // cmp [rsp+26D8h+var_2668], r13d\n }\n\n $network_conn_1 = {\n 4C 8B C7 // mov r8, rdi ; Size\n 33 D2 // xor edx, edx ; Val\n C7 44 24 48 50 00 00 00 // mov [rsp+26D8h+var_2690], 50h ; 'P'\n 44 88 AC 24 80 02 00 00 // mov [rsp+26D8h+Source], r13b\n E8 ?? ?? ?? ?? // call memset\n }\n\n $network_conn_2 = {\n 33 D2 // xor edx, edx ; Val\n 41 B8 07 02 00 00 // mov r8d, 207h ; Size\n 49 8B ED // mov rbp, r13\n 49 8B F5 // mov rsi, r13\n 4C 89 6C 24 50 // mov [rsp+26D8h+hFile], r13\n }\n\n $network_conn_3 = {\n 48 89 84 24 ?? ?? ?? ?? // mov [rsp+26D8h+var_28], rax\n 45 33 ED // xor r13d, r13d\n 48 8B D9 // mov rbx, rcx\n BF 03 01 00 00 // mov edi, 103h\n 48 8D 8C 24 ?? ?? ?? ?? 
// lea rcx, [rsp+26D8h+var_2137] ; void *\n 33 D2 // xor edx, edx ; Val\n }\n\n\n condition:\n uint16(0) == 0x5a4d and (\n ($critical)\n or (all of ($network_conn_*) and (1 of ($proxy_bypass_*) and $mozilla_string))\n )\n}\n", "rule_count": 1, "rule_names": [ "sqlmaggie_mssql_backdoor_6ea9a5b0a2c1" ], "rule_creation_date": "2022-11-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.SQLMaggie" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1574", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sqlmaggie_mssql_backdoor_x86_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574827Z", "creation_date": "2026-03-23T11:46:25.574829Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574834Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1574/\nhttps://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/" ], "name": "sqlmaggie_mssql_backdoor_x86.yar", "content": "rule sqlmaggie_mssql_backdoor_022f7a7eb068 {\n meta:\n title = \"SQLMaggie Backdoor (022f7a7eb068)\"\n id = \"233b0bc8-e696-4205-b070-022f7a7eb068\"\n description = \"Detects the x86 variant of the SQLMaggie backdoor associated with WIP-19, developed by WinEggDrop.\\nSQLMaggie is a DLL that provides extended stored procedure functions for MSSQL servers. Once registered, it allows attackers to gain control of the machine and conduct internal reconnaissance.\"\n references = \"https://attack.mitre.org/techniques/T1574/\\nhttps://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\"\n date = \"2022-11-24\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1574;attack.defense_evasion;attack.t1027;attack.t1140;attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Backdoor.SQLMaggie\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // c8704751e7af3d63bf0811049a75e9a81233f038695c3f97d3c0bfc465d7d6b4\n // 2d29776b4e3809fd5dd7bfc03f28ecc22a4260f1777e0be82b5f030573e27765\n // 8a5f10ababc234288f68243a3bc7c3349884e5f236a150ae134bb923db60fbd2\n // 214a9f7c0b066857f00a7eb5dc6a7ae2616c764596905bcaaf641e32db862260\n // 358247e97e0758b5d211a1691800276ec3b8fed7dff575986d4b3ed0f426a113\n // c8704751e7af3d63bf0811049a75e9a81233f038695c3f97d3c0bfc465d7d6b4\n\n $critical = \"By WinEggDrop\" ascii\n\n $mozilla_string = \"Mozilla/4.0 (compatible)\" ascii\n\n $proxy_bypass = {\n 68 ?? ?? ?? ?? // push offset szAgent ; \"Mozilla/4.0 (compatible)\"\n FF ?? ?? ?? ?? ?? 
// call ds:InternetOpenA\n 89 45 9C // mov [ebp+25CCh+hInternet], eax\n 3B C3 // cmp eax, ebx\n }\n\n $network_conn_1 = {\n 57 // push edi ; Size\n 8D 85 C5 24 00 00 // lea eax, [ebp+25CCh+var_107]\n 53 // push ebx ; Val\n 50 // push eax ; void *\n C7 45 80 50 00 00 00 // mov dword ptr [ebp+25CCh+nServerPort], 50h ; 'P'\n 88 9D C4 24 00 00 // mov [ebp+25CCh+Source], bl\n E8 ?? ?? ?? ?? // call _memset\n }\n\n $network_conn_2 = {\n 83 4D A4 FF // or [ebp+25CCh+hFile], 0FFFFFFFFh\n 68 07 02 00 00 // push 207h ; Size\n 8D 85 BD ?? ?? ?? // lea eax, [ebp+25CCh+var_30F]\n 53 // push ebx ; Val\n 50 // push eax ; void *\n }\n\n $network_conn_3 = {\n 53 // push ebx\n 56 // push esi\n 8B B5 ?? ?? ?? ?? // mov esi, [ebp+25CCh+lpThreadParameter]\n 57 // push edi\n 33 DB // xor ebx, ebx\n BF 03 01 00 00 // mov edi, 103h\n 57 // push edi ; Size\n 8D 85 ?? ?? ?? ?? // lea eax, [ebp+25CCh+var_413]\n 53 // push ebx ; Val\n 50 // push eax ; void *\n }\n\n condition:\n uint16(0) == 0x5a4d and (\n ($critical)\n or ((all of ($network_conn_*)) and $proxy_bypass and $mozilla_string)\n )\n}\n", "rule_count": 1, "rule_names": [ "sqlmaggie_mssql_backdoor_022f7a7eb068" ], "rule_creation_date": "2022-11-24", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.SQLMaggie" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1140", "attack.t1071.001", "attack.t1574", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-srdi_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582781Z", "creation_date": "2026-03-23T11:46:25.582785Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582791Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/monoxgas/sRDI\nhttps://www.elastic.co/fr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack" ], "name": "srdi_loader.yar", "content": "rule srdi_loader {\n meta:\n title = \"sRDI Shellcode Loader\"\n id = \"fcdba4b4-7ca6-4c9b-bf84-db7b66f9f1dd\"\n description = \"Detects the sRDI shellcode loader, a tool used to generate shellcodes.\\nsRDI is a shellcode loader designed to convert DLL files into position-independent shellcode.\\nIt functions as a fully-featured PE (Portable Executable) loader, supporting proper section permissions, TLS callbacks, and various sanity checks.\\nThis tool is capable of executing shellcode directly in memory, making it particularly useful for both legitimate reverse engineering purposes and malicious activities.\\nsRDI's design allows it to bypass certain security measures by avoiding traditional file-based payloads.\"\n references = \"https://github.com/monoxgas/sRDI\\nhttps://www.elastic.co/fr/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack\"\n date = \"2023-03-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1106;attack.defense_evasion;attack.privilege_escalation;attack.t1055.001;attack.t1055.002\"\n classification = 
\"Windows.Loader.sRDI\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 6ce5b6b4cdd6290d396465a1624d489c7afd2259a4d69b73c6b0ba0e5ad4e4ad\n\n $srdi_x64_v1 = {\n E8 00 00 00 00 // call $+5\n 59 // pop rcx\n 49 89 C8 // mov r8, rcx\n BA ?? ?? ?? ?? // mov edx, 10h\n 49 81 ?? ?? ?? ?? ?? // add r8, 2B2414h\n 41 B9 ?? ?? ?? ?? // mov r9d, 4\n 56 // push rsi\n 48 89 E6 // mov rsi, rsp\n 48 83 E4 F0 // and rsp, 0FFFFFFFFFFFFFFF0h\n 48 83 EC 30 // sub rsp, 30h\n 48 89 4C 24 28 // mov [rsp+38h+var_10], rcx\n 48 81 ?? ?? ?? ?? ?? // add rcx, (offset unk_B19 - offset loc_5)\n C7 44 24 20 ?? ?? ?? ?? // mov [rsp+38h+var_18], 0\n E8 ?? 00 00 00 // call sub_45\n 48 89 F4 // mov rsp, rsi\n 5E // pop rsi\n C3 // retn\n }\n\n $srdi_x64_v2 = {\n E8 00 00 00 00 // call $+5\n 59 // pop rcx\n 49 89 C8 // mov r8, rcx\n 48 81 ?? ?? ?? ?? ?? // add rcx, \n BA ?? ?? ?? ?? // mov edx, 10h\n 49 81 ?? ?? ?? ?? ?? // add r8, 2B2414h\n 41 B9 ?? ?? ?? ?? // mov r9d, 4\n 56 // push rsi\n 48 89 E6 // mov rsi, rsp\n 48 83 E4 F0 // and rsp, 0FFFFFFFFFFFFFFF0h\n 48 83 EC 30 // sub rsp, 30h\n C7 44 24 20 ?? ?? ?? ?? // mov [rsp+38h+var_18], 0\n E8 ?? 00 00 00 // call sub_45\n 48 89 F4 // mov rsp, rsi\n 5E // pop rsi\n C3 // retn\n }\n\n $srdi_x64_v3 = {\n E8 00 00 00 00 // call $+5\n 59 // pop rcx\n 49 C2 ?? ?? // retnq 0C389h\n 88 ?? C2 // mov [rax-3Eh], cl\n 81 C3 ?? ?? ?? ?? // add ebx, 65881h\n 00 C2 // add dl, al\n BA ?? ?? ?? ?? 
// mov edx, 0B4C39AC3h\n 58 // pop rax\n C3 // retn\n }\n\n // Exclusion for McAfee\n $mcafee1 = \"EpMPApi.dll\" wide fullword\n $mcafee2 = \"EpMPThe.dll\" wide fullword\n // \\solution\\build\\x64\\Release\\mfeepmpk_regular_payload.pdb\n //$mcafee3 = \"\\\\solution\\\\build\\\\x64\\\\Release\\\\mfeepmpk_regular_payload.pdb\" ascii\n $mcafee3 = \"mfeepmpk\" ascii\n\n $inj_thread_mcafee = \"C:\\\\Program Files\\\\McAfee\\\\Endpoint Security\\\\Threat Prevention\\\\Ips\\\\EpMPApi.dll\" wide\n $str_mcafee_func_1 = \"Initialize\" ascii\n $str_mcafee_func_2 = \"Finalize\" ascii\n\n condition:\n 1 of ($srdi*) and not (all of ($mcafee*) or ($inj_thread_mcafee and 1 of ($str_mcafee_func_*)))\n}\n", "rule_count": 1, "rule_names": [ "srdi_loader" ], "rule_creation_date": "2023-03-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.sRDI" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1106", "attack.t1055.002", "attack.t1055.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-stealc_stealer_1f199c029af8_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589547Z", "creation_date": "2026-03-23T11:46:25.589549Z", "enabled": true, 
"block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589555Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/\nhttps://www.morphisec.com/blog/morphisec-thwarts-russian-linked-stealc-v2-campaign-targeting-blender-users-via-malicious-blend-files/\nhttps://attack.mitre.org/techniques/T1555/" ], "name": "stealc_stealer_1f199c029af8.yar", "content": "rule stealc_stealer_1f199c029af8 {\n meta:\n title = \"Stealc Stealer (1f199c029af8)\"\n id = \"0d530a83-d23e-477b-8b52-1f199c029af8\"\n description = \"Detects Stealc Infostealer.\\nStealc is an information-stealing malware sold as Malware-as-a-Service that targets sensitive data from web browsers, cryptocurrency wallets, and various applications, drawing inspiration from established stealers like Vidar and Raccoon.\\nIt is recommended to verify the process for its legitimacy and establish the origin of the executable.\"\n references = \"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/\\nhttps://www.morphisec.com/blog/morphisec-thwarts-russian-linked-stealc-v2-campaign-targeting-blender-users-via-malicious-blend-files/\\nhttps://attack.mitre.org/techniques/T1555/\"\n date = \"2025-11-28\"\n modified = \"2025-12-09\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.Stealc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for 
these samples:\n // a9f542ca311da1aa2b06f2fb9d5f057a957ef7e668f7a4f282590a17ffba64ba\n // a701b7e680b278806721030b625b715c5912a9474acc09fb6a323d528509a75b\n\n $a1 = \"logins.json\" ascii fullword\n $a2 = \"passwords.txt\" ascii fullword\n $a3 = \"Process List:\" ascii fullword\n $a4 = \"start_path\" ascii fullword\n $a5 = \"encrypted_key\" ascii fullword\n $a6 = \"SteamPath\" ascii fullword\n $a7 = \"system_info.txt\" ascii fullword\n $a8 = \"C:\\\\ProgramData\\\\\" ascii fullword\n\n $b1 = \"steal_outlook\" ascii fullword\n $b2 = \"parse_cookies\" ascii fullword\n $b3 = \"parse_logins\" ascii fullword\n $b4 = \"take_screenshot\" ascii fullword\n $b5 = \"steal_steam\" ascii fullword\n $b6 = \"parse_webdata\" ascii fullword\n\n $c1 = \"- HWID:\" ascii\n $c2 = \"- Local Time:\" ascii\n $c3 = \"- IP: IP?\" ascii\n $c4 = \"- Country: ISO?\\\\n\\\\nSystem Summary:\" ascii\n\n condition:\n (4 of ($a*) and 3 of ($b*)) or 3 of ($c*)\n}\n", "rule_count": 1, "rule_names": [ "stealc_stealer_1f199c029af8" ], "rule_creation_date": "2025-11-28", "rule_modified_date": "2025-12-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Stealc" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-stealc_stealer_b5a4c2aea9fe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": 
"b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.589577Z", "creation_date": "2026-03-23T11:46:25.589579Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.589585Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/\nhttps://attack.mitre.org/techniques/T1555/" ], "name": "stealc_stealer_b5a4c2aea9fe.yar", "content": "rule stealc_stealer_b5a4c2aea9fe {\n meta:\n title = \"Stealc Stealer (b5a4c2aea9fe)\"\n id = \"a30b8945-b463-4775-9911-b5a4c2aea9fe\"\n description = \"Detects Stealc Infostealer.\\nStealc is an information-stealing malware sold as Malware-as-a-Service that targets sensitive data from web browsers, cryptocurrency wallets, and various applications, drawing inspiration from established stealers like Vidar and Raccoon.\\nIt is recommended to verify the process for its legitimacy and establish the origin of the executable.\"\n references = \"https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/\\nhttps://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/\\nhttps://attack.mitre.org/techniques/T1555/\"\n date = \"2024-10-28\"\n modified = \"2025-12-09\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.Stealc\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 1c3199a7e3bd6da6647a260d168700d456402a9d751bc26b5a8e1874a035298b\n // 
a001a71205b22e3bb39a9e586bb587b95f459c04eb1ef43d08e4420d1760b878\n // ddc8b1f032cf7b0a6dcbb64557ebdeaee842417f0f862f4bf0e0554596e789b7\n // 1c235a0fa8e6f71633f46d0f4e0825d214a10fea93cb500fdaa78c4a08829121\n\n $a = \"ChromeFuckNewCookies\" ascii fullword\n\n $b1 = \"steam_tokens.txt\" ascii fullword\n $b2 = \"\\\\Monero\\\\wallet.keys\" ascii fullword\n $b3 = \"IsDebuggerPresent\" ascii fullword\n $b4 = \"The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti\" ascii fullword\n $b5 = \"-nop -c \\\"iex(New-Object Net.WebClient).DownloadString('\"\n\n // HLOCAL result = LocalAlloc(uFlags: LMEM_ZEROINIT, uBytes: arg3 + 1) // This may also be a HeapAlloc call.\n // *(result + arg3) = 0\n //\n // for (int32_t i = 0; i u< arg3; i += 1)\n // *(result + i) = *(arg1 + i) ^ arg2[modu.dp.d(0:i, strlen(_Str: arg2))]\n //\n // return result // If it's a HeapAlloc call, there is a VPROTECT call here.\n\n $string_dec_xor_variant1 = {\n 55 // push ebp {__saved_ebp}\n 8bec // mov ebp, esp {__saved_ebp}\n 83ec?? // sub esp, 0x8\n 53 // push ebx {__saved_ebx}\n 8b(45|4d|55)10 // mov (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n 83c001 // add eax, 0x1\n 50 // push eax {var_14}\n // ====== VARIANT 1 =======\n // push 0x40 {var_18}\n // call dword [LocalAlloc]\n // ====== VARIANT 2 =======\n // push 0x0 {var_1c}\n // call dword [GetProcessHeap]\n // push eax {var_20}\n // call dword [HeapAlloc]\n (\n 6a40\n ff15????????\n |\n 6a00\n ff15??????00\n 50\n ff15??????00\n )\n 89(45|4d|55)?? // mov dword [ebp-0x4 {var_8}], (eax|ecx|edx)\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x4 {var_8}]\n 03(45|4d|55)10 // add (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n ?????? // mov byte [ecx], 0x0\n c745??00000000 // mov dword [ebp-0x8 {i}], 0x0\n [2-6] // jmp ????\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n 83c201 // add edx, 0x1\n 89(45|4d|55)?? // mov dword [ebp-0x8 {i}], (eax|ecx|edx)\n 8b(45|4d|55)?? 
// mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n 3b(45|4d|55)10 // cmp (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n [2-6] // jae ????\n 8b(45|4d|55)08 // mov (eax|ecx|edx), dword [ebp+0x8 {arg1}]\n 03(45|4d|55)?? // add (eax|ecx|edx), dword [ebp-0x8 {i}]\n 0fbe(19|1a|1b) // movsx ebx, byte [(ecx|edx|ebx)]\n 8b(45|4d|55)0c // mov (eax|ecx|edx), dword [ebp+0xc {arg2}]\n 52 // push edx {var_14_1}\n ff15???????? // call dword [strlen]\n 83c404 // add esp, 0x4\n ???? // mov ecx, eax\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n [4] // xor edx, edx {0x0}\n // div ecx\n 8b(45|4d|55)0c // mov (eax|ecx|edx), dword [ebp+0xc {arg2}]\n [6] // movsx ecx, byte [eax+edx]\n // xor ebx, ecx\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x4 {var_8}]\n 03(45|4d|55)?? // add (eax|ecx|edx), dword [ebp-0x8 {i}]\n ???? // mov byte [edx], bl\n [2-6] // jmp ????\n // VirtualProtect if VARIANT2, return if VARIANT1\n // ====== RET ======\n // mov eax, dword [ebp-0x4 {var_8}]\n // pop ebx {__saved_ebx}\n // mov esp, ebp\n // pop ebp {__saved_ebp}\n // retn {__return_addr}\n // ====== VPROT ======\n // mov dword [ebp-0x4 {lpflOldProtect}], 0x0\n // lea eax, [ebp-0x4 {lpflOldProtect}]\n // push eax {lpflOldProtect} {var_18_2}\n // push 0x100 {var_1c}\n // push 0x4\n // mov ecx, dword [ebp-0x8 {var_c}]\n // push ecx {var_24}\n // call dword [VirtualProtect]\n // mov eax, dword [ebp-0x8 {var_c}]\n // pop ebx {__saved_ebx}\n // mov esp, ebp\n // pop ebp {__saved_ebp}\n (\n 8b(45|4d|55)??\n 5b\n 8be5\n 5d\n c3\n |\n c745??00000000\n 8d(45|4d|55)??\n 50\n 6800010000\n 6a04\n 8b(45|4d|55)??\n 51\n ff15??????00\n 8b(45|4d|55)??\n 5b\n 8be5\n 5d\n c3\n )\n\n }\n\n // Essentially the same as the above call, except there are garbage strlen calls above blocks of instructions.\n $string_dec_xor_variant2 = {\n 55 // push ebp {__saved_ebp}\n 8bec // mov ebp, esp {__saved_ebp}\n 83ec?? // sub esp, 0x8\n 53 // push ebx {__saved_ebx}\n 68[4] // push data_?????? 
{\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 8b(45|4d|55)10 // mov (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n 83c001 // add eax, 0x1\n 50 // push eax {var_14}\n // ====== VARIANT 1 =======\n // push 0x40 {var_18}\n // call dword [LocalAlloc]\n // ====== VARIANT 2 =======\n // push 0x0 {var_1c}\n // call dword [GetProcessHeap]\n // push eax {var_20}\n // call dword [HeapAlloc]\n (\n 6a40\n ff15????????\n |\n 6a00\n ff15??????00\n 50\n ff15??????00\n )\n 89(45|4d|55)?? // mov dword [ebp-0x4 {var_8}], (eax|ecx|edx)\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x4 {var_8}]\n 03(45|4d|55)10 // add (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n ????00 // mov byte [ecx], 0x0\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? 
{\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n c745??00000000 // mov dword [ebp-0x8 {i}], 0x0\n [2-6] // jmp ????\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n 83??01 // add edx, 0x1\n 89(45|4d|55)?? // mov dword [ebp-0x8 {i}], (eax|ecx|edx)\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n 3b(45|4d|55)10 // cmp (eax|ecx|edx), dword [ebp+0x10 {arg3}]\n [2-6] // jae ????\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 8b(45|4d|55)08 // mov (eax|ecx|edx), dword [ebp+0x8 {arg1}]\n 03(45|4d|55)?? // add (eax|ecx|edx), dword [ebp-0x8 {i}]\n 0fbe(19|1a|1b) // movsx ebx, byte [(ecx|edx|ebx)]\n 8b(45|4d|55)0c // mov (eax|ecx|edx), dword [ebp+0xc {arg2}]\n 52 // push edx {var_14_1}\n ff15???????? // call dword [strlen]\n 83c404 // add esp, 0x4\n ???? // mov ecx, eax\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x8 {i}]\n [4] // xor edx, edx {0x0}\n // div ecx\n 8b(45|4d|55)0c // mov (eax|ecx|edx), dword [ebp+0xc {arg2}]\n [6] // movsx ecx, byte [eax+edx]\n // xor ebx, ecx\n 8b(45|4d|55)?? // mov (eax|ecx|edx), dword [ebp-0x4 {var_8}]\n 03(45|4d|55)?? // add (eax|ecx|edx), dword [ebp-0x8 {i}]\n ???? // mov byte [edx], bl\n 68[4] // push data_?????? 
{\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n [2-6] // jmp ????\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n 68[4] // push data_?????? {\"The Opus Theatre was founded by …\"}\n ff15??????00 // call dword [lstrlenA]\n // VirtualProtect if VARIANT2, return if VARIANT1\n // ====== RET ======\n // mov eax, dword [ebp-0x4 {var_8}]\n // pop ebx {__saved_ebx}\n // mov esp, ebp\n // pop ebp {__saved_ebp}\n // retn {__return_addr}\n // ====== VPROT ======\n // mov dword [ebp-0x4 {lpflOldProtect}], 0x0\n // lea eax, [ebp-0x4 {lpflOldProtect}]\n // push eax {lpflOldProtect} {var_18_2}\n // push 0x100 {var_1c}\n // push 0x4\n // mov ecx, dword [ebp-0x8 {var_c}]\n // push ecx {var_24}\n // call dword [VirtualProtect]\n // mov eax, dword [ebp-0x8 {var_c}]\n // pop ebx {__saved_ebx}\n // mov esp, ebp\n // pop ebp {__saved_ebp}\n (\n 8b(45|4d|55)??\n 5b\n 8be5\n 5d\n c3\n |\n c745??00000000\n 8d(45|4d|55)??\n 50\n 6800010000\n 6a04\n 8b(45|4d|55)??\n 51\n ff15??????00\n 8b(45|4d|55)??\n 5b\n 8be5\n 5d\n c3\n )\n }\n\n condition:\n $a or 3 of ($b*) or 1 of ($string_dec_xor_variant*)\n}\n", "rule_count": 1, "rule_names": [ 
"stealc_stealer_b5a4c2aea9fe" ], "rule_creation_date": "2024-10-28", "rule_modified_date": "2025-12-09", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Stealc" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-stealer_apt28_credomap_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569275Z", "creation_date": "2026-03-23T11:46:25.569277Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569283Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://securityscorecard.com/research/apt28s-stealer-called-credomap" ], "name": "stealer_apt28_credomap.yar", "content": "rule stealer_apt28_credomap {\n meta:\n title = \"APT28 Stealer CredoMap\"\n id = \"d24ecbc8-12b7-4865-a3fc-90ae7e324e02\"\n description = \"Detects the CredoMap stealer.\\nCredoMap is a credential stealer developed by the Russian APT28/Sofacy/Fancy Bear threat group. 
It is primarily used to target individuals and organizations, particularly in Ukraine, as part of ongoing geopolitical cyber activities.\\nThe stealer is designed to collect sensitive information such as cookies, usernames, and passwords stored in browsers.\"\n references = \"https://securityscorecard.com/research/apt28s-stealer-called-credomap\"\n date = \"2022-10-09\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.t1119;attack.t1185;attack.exfiltration;attack.t1020\"\n classification = \"Windows.Stealer.CredoMap\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933\n\n $s1 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies\" fullword wide\n $s2 = \"Chrome not found\" fullword wide\n $s3 = \"SELECT host_key, name, encrypted_value FROM cookies\" fullword wide\n $s4 = \"key4.db\" fullword wide\n $s5 = \"\\\\cookies.sqlite\" fullword wide\n $s6 = \"SELECT * FROM moz_cookies\" fullword wide\n $s7 = \"SELECT action_url, username_value, password_value FROM logins\" fullword wide\n\n condition:\n uint16(0) == 0x5a4d and filesize < 9MB and 5 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "stealer_apt28_credomap" ], "rule_creation_date": "2022-10-09", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.CredoMap" ], "rule_tactic_tags": [ "attack.collection", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1119", "attack.t1185", "attack.t1020" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-straitbizarre_implant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": 
"critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575066Z", "creation_date": "2026-03-23T11:46:25.575068Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575073Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://medium.com/@botherder/everything-we-know-of-nsa-and-five-eyes-malware-e8eac172d3b5" ], "name": "straitbizarre_implant.yar", "content": "rule straitbizarre_implant {\n meta:\n title = \"StraitBizarre Implant\"\n id = \"c6a7b703-8001-4d6e-94dc-f25568ebd12d\"\n description = \"Detects the StraitBizarre (aka SBZ) malware implant, a sophisticated backdoor tool developed by the APT Equation Group. StraitBizarre is primarily used for cyber espionage and has been observed targeting Windows-based systems. The malware establishes persistence and communicates with its command and control servers using a variety of methods, including DNS, HTTP, and other custom protocols. 
It is known for its modular architecture, which allows it to adapt to different environments and maintain long-term presence on infected systems.\"\n references = \"https://medium.com/@botherder/everything-we-know-of-nsa-and-five-eyes-malware-e8eac172d3b5\"\n date = \"2024-07-01\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.exfiltration;attack.t1041\"\n classification = \"Windows.Backdoor.StraitBizarre\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // f0285338e59322079bafe5780e1a26ef0d5d62cc0138b0725bd7a37084d03204\n\n $x1 = {\n 8B C7 // mov eax, edi\n C1 E8 0E // shr eax, 0Eh\n 24 0F // and al, 0Fh\n 0C 90 // or al, 90h\n 30 03 // xor [rbx], al\n 48 FF C3 // inc rbx\n 48 83 E9 01 // sub rcx, 1\n 75 ?? // jnz short loc_7FFF2A3EF528\n }\n\n $x2 = {\n 33 D2 // xor edx, edx\n 41 8B C1 // mov eax, r9d\n 41 F7 34 18 // div dword ptr [r8+rbx]\n 8B CA // mov ecx, edx\n 49 03 C8 // add rcx, r8\n 8A 4C 19 04 // mov cl, [rcx+rbx+4]\n 41 32 0B // xor cl, [r11]\n 41 32 C9 // xor cl, r9b\n 41 FF C1 // inc r9d\n 41 88 0B // mov [r11], cl\n 49 FF C3 // inc r11\n 45 3B CA // cmp r9d, r10d\n 72 ?? // jb short loc_7FFF2A3E9A04\n }\n\n // DEOBFUSCATE1\n $x3 = {\n 8A 13 // mov dl, [rbx]\n 41 8B C3 // mov eax, r11d\n 41 FF C3 // inc r11d\n 83 E0 0F // and eax, 0Fh\n 8A 0C 04 // mov cl, [rsp+rax+18h+var_18]\n 02 CA // add cl, dl\n 44 02 C1 // add r8b, cl\n 41 0F B6 C8 // movzx ecx, r8b\n 42 8A 44 09 02 // mov al, [rcx+r9+2]\n 88 03 // mov [rbx], al\n 48 FF C3 // inc rbx\n 42 88 54 09 02 // mov [rcx+r9+2], dl\n 44 3B DF // cmp r11d, edi\n 72 ?? 
// jb short loc_7FFF2A3F0FC4\n }\n\n // DEOBFUSCATE2\n $x4 = {\n 41 FE C1 // inc r9b\n 41 0F B6 D1 // movzx edx, r9b\n 46 8A 44 12 02 // mov r8b, [rdx+r10+2]\n 41 02 D8 // add bl, r8b\n 0F B6 C3 // movzx eax, bl\n 42 8A 4C 10 02 // mov cl, [rax+r10+2]\n 46 88 44 10 02 // mov [rax+r10+2], r8b\n 42 88 4C 12 02 // mov [rdx+r10+2], cl\n 41 02 C8 // add cl, r8b\n 0F B6 C1 // movzx eax, cl\n 42 8A 4C 10 02 // mov cl, [rax+r10+2]\n 32 0E // xor cl, [rsi]\n 48 FF C6 // inc rsi\n 88 0F // mov [rdi], cl\n 48 FF C7 // inc rdi\n 41 83 C3 FF // add r11d, 0FFFFFFFFh\n 75 ?? // jnz short loc_7FFF2A3F0F11\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "straitbizarre_implant" ], "rule_creation_date": "2024-07-01", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.StraitBizarre" ], "rule_tactic_tags": [ "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1041" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-suborner_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571380Z", "creation_date": "2026-03-23T11:46:25.571382Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571388Z", "rule_level": 
"high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/r4wd3r/Suborner" ], "name": "suborner.yar", "content": "rule suborner {\n meta:\n title = \"Suborner Tool\"\n id = \"b40c4f4b-5255-4888-b226-ddf85c6cd492\"\n description = \"Detects Suborner, a tool designed to create invisible accounts on a Windows host, bypassing noisy APIs such as netapi32 or the net user command.\\nSuborner enables attackers to create accounts without triggering common detection mechanisms, allowing for stealthy persistence. It achieves this by leveraging NTLM hash duplication and RID hijacking to impersonate existing users. The tool is particularly useful for adversaries aiming to maintain persistence without being detected by standard logging and monitoring solutions.\\nIt is recommended to review newly created accounts and verify that all user accounts are authorized.\"\n references = \"https://github.com/r4wd3r/Suborner\"\n date = \"2022-11-14\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1134.001;attack.t1078.003\"\n classification = \"Windows.Tool.Suborner\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 476da34ddbb3bb27b60898e26fdc41b8dd01216b800f879e25fdd9d2c182af29\n\n $s1 = \"ridhijack\" fullword wide\n $s2 = \"NT Key about to MD5: {0}\" fullword wide\n $s3 = \"Value written to V.NTLMHash:\" fullword wide\n $s4 = \"The Invisible Account Forger\" fullword wide\n $s5 = \"Error calculating the SAM Key\" fullword wide\n $s6 = \"Error: You need SYSTEM privileges to suborn Windows :(\" fullword wide\n\n condition:\n 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "suborner" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.Suborner" ], 
"rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1134.001", "attack.t1078.003" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-superman_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567947Z", "creation_date": "2026-03-23T11:46:25.567949Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567954Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/b1-team/superman/\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "superman.yar", "content": "rule superman {\n meta:\n title = \"Superman HackTool\"\n id = \"43437884-fa45-43fc-8920-5a6d827fbdb7\"\n description = \"Detects Superman, a HackTool designed to terminate protected processes using a vulnerable driver.\\nSuperman operates by loading the gmer64.sys driver, which it uses to establish communication with a device named \\\\\\\\.\\\\superman. 
The tool sends specific IOCTL codes (0x4768C004 and 0x4768C094) to the device to achieve its functionality.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/b1-team/superman/\\nhttps://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.superman\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 32051f61c8d6d1d9bb19fd225ff3a3a2f6c06673f92398cf7178f235ecf3abf2\n\n $device = \"\\\\\\\\.\\\\superman\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"ControlService\" wide ascii\n $winapi_04 = \"CreateService\" wide ascii\n $winapi_05 = \"OpenSCManager\" wide ascii\n $winapi_06 = \"OpenService\" wide ascii\n $winapi_07 = \"StartService\" wide ascii\n $IOCTL_init = { (98 76 C0 04|04 C0 76 98) }\n $IOCTL_kill = { (98 76 C0 94|94 C0 76 98) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "superman" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.superman" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-supply_chain_npm_package_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", 
"rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573292Z", "creation_date": "2026-03-23T11:46:25.573295Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573300Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages" ], "name": "supply_chain_npm_package.yar", "content": "rule npm_supply_chain_25 {\n meta:\n title = \"NPM Package Infected by Supply Chain\"\n id = \"2ef05358-5983-4721-968d-fa7dbd699213\"\n description = \"Detects an infected NPM package, related to a supply chain attack that affected multiple NPM packages in September 2025, that can be used to exfiltrate credentials.\\nIt is recommended to investigate network traffic for potential exfiltration.\"\n references = \"https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages\\nhttps://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages\"\n date = \"2025-09-17\"\n modified = \"2025-09-23\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.t1217;attack.execution;attack.t1059.002;attack.collection;attack.t1056.002;attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.NPMSupplyChain\"\n context = \"process,memory,file\"\n os = \"Windows,Linux,MacOS\"\n score = 70\n confidence = 
\"moderate\"\n\n strings:\n // Detection for this sample:\n // dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c\n\n $x1 = \"if (plat === \\\"linux\\\") return \\\"https://github.com/trufflesecurity/trufflehog/releases\" ascii wide\n $x2 = \"FILE_NAME=\\\".github/workflows/shai-hulud-workflow.yml\\\"\" ascii wide\n\n $sa1 = \"curl -d \\\"$CONTENTS\\\" https://webhook.site/\" ascii wide\n $sa2 = \"curl -s -X POST -d \\\"$CONTENTS\\\" \\\"https://webhook.site/\" ascii wide\n\n $sb1 = \"echo \\\"$CONTENTS\\\" | base64 -w 0\" ascii wide\n $sb2 = \"/user/repos?affiliation=owner,collaborator,organization_member&since=2025-01-01T00:00:00Z&per_page=100\" ascii wide\n\n condition:\n any of ($x*) or (1 of ($sa*) and 1 of ($sb*))\n}\n", "rule_count": 1, "rule_names": [ "npm_supply_chain_25" ], "rule_creation_date": "2025-09-17", "rule_modified_date": "2025-09-23", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "Windows.Stealer.NPMSupplyChain" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access", "attack.discovery", "attack.execution" ], "rule_technique_tags": [ "attack.t1056.002", "attack.t1555.003", "attack.t1059.002", "attack.t1082", "attack.t1217" ], "rule_score": 70, "rule_context": [ "memory", "file", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-suspicious_tiny_elf_68991a23f1d2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:46:25.575927Z", "creation_date": "2026-03-23T11:46:25.575929Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575935Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux\nhttps://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html" ], "name": "suspicious_tiny_elf_68991a23f1d2.yar", "content": "rule suspicious_tiny_elf_68991a23f1d2 {\n meta:\n title = \"Suspicious Tiny ELF Files (68991a23f1d2)\"\n id = \"7553d96b-ceef-4b5a-ba60-68991a23f1d2\"\n description = \"Detects suspicious tiny 32-bit elf files.\\nThese files are often associated with the Shikitega malware targeting Linux systems using a polymorphic encoder.\\nShikitega employs a multistage infection chain, downloading and executing a Metasploit Meterpreter, exploiting vulnerabilities, adding persistence via crontab, and running a cryptominer.\\nThis detection can also identify payloads generated by the msfvenom command.\\nIt is recommended to analyze such files for known Shikitega patterns or Metasploit-related artifacts.\"\n references = \"https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux\\nhttps://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html\"\n date = \"2022-09-08\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1071.001;attack.t1571;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Linux.Malware.Generic\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"strong\"\n\n // Detection for these samples:\n 
// 0233dcf6417ab33b48e7b54878893800d268b9b6e5ca6ad852693174226e3bed\n // 130888cb6930500cf65fc43522e2836d21529cab9291c8073873ad7a90c1fbc5\n // 29aafbfd93c96b37866a89841752f29b55badba386840355b682b1853efafcb8\n // 4ed78c4e90ca692f05189b80ce150f6337d237aaa846e0adf7d8097fcebacfe7\n // 6b514e9a30cbb4d6691dd0ebdeec73762a488884eb0f67f8594e07d356e3d275\n // 7c70716a66db674e56f6e791fb73f6ce62ca1ddd8b8a51c74fc7a4ae6ad1b3ad\n // 8462d0d14c4186978715ad5fa90cbb679c8ff7995bcefa6f9e11b16e5ad63732\n // b9db845097bbf1d2e3b2c0a4a7ca93b0dc80a8c9e8dbbc3d09ef77590c13d331\n // d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374\n // d5bd2b6b86ce14fbad5442a0211d4cb1d56b6c75f0b3d78ad8b8dd82483ff4f8\n // e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d\n // ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d\n // f7f105c0c669771daa6b469de9f99596647759d9dd16d0620be90005992128eb\n // fc97a8992fa2fe3fd98afddcd03f2fc8f1502dd679a32d1348a9ed5b208c4765\n\n condition:\n uint32be(0) == 0x7f454c46 and // elf magic\n uint32be(0x4) == 0x01010100 and // processor architecture\n uint32be(0x10) == 0x02000300 and // object file type and required architecture\n uint32be(0x14) == 0x01000000 and // file version\n uint32be(0x18) == 0x54800408 and // program entry point\n uint32be(0x1c) == 0x34000000 and // program header table position\n uint32be(0x20) == 0x00000000 and // section header table position\n uint32be(0x24) == 0x00000000 and // flags (architecture dependent)\n uint32be(0x28) == 0x34002000 and // elf header size\n uint32be(0x2C) == 0x01000000 and // size of an entry and number of entries in the program header table\n uint32be(0x30) == 0x00000000 and // size of an entry and number of entries in the section header table\n filesize < 2KB\n}\n", "rule_count": 1, "rule_names": [ "suspicious_tiny_elf_68991a23f1d2" ], "rule_creation_date": "2022-09-08", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.Generic" 
], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068", "attack.t1571" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-suspicious_tiny_elf_b7b4b0348e6c_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586569Z", "creation_date": "2026-03-23T11:46:25.586572Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586577Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux\nhttps://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html" ], "name": "suspicious_tiny_elf_b7b4b0348e6c.yar", "content": "rule suspicious_tiny_elf_b7b4b0348e6c {\n meta:\n title = \"Suspicious Tiny ELF Files (b7b4b0348e6c)\"\n id = \"58a5c07b-5ce6-4e29-b151-b7b4b0348e6c\"\n description = \"Detects suspicious tiny elf files.\\nThese files are often associated with the Shikitega malware targeting Linux systems using a polymorphic 
encoder.\\nShikitega employs a multistage infection chain, downloading and executing a Metasploit Meterpreter, exploiting vulnerabilities, adding persistence via crontab, and running a cryptominer.\\nThis detection can also identify payloads generated by the msfvenom command.\\nIt is recommended to analyze such files for known Shikitega patterns or Metasploit-related artifacts.\"\n references = \"https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux\\nhttps://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html\"\n date = \"2022-10-18\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1071.001;attack.t1571;attack.t1573.001;attack.privilege_escalation;attack.t1068;attack.persistence;attack.t1053.003\"\n classification = \"Linux.Malware.Generic\"\n context = \"process,file.elf\"\n os = \"Linux\"\n score = 70\n confidence = \"strong\"\n\n // Detection for these samples:\n // fd03186ed631d003aa931f8ebcd126d87b30ce360244f037f353c668f84331d9\n // 318e45113df5bd62d165dbc7ebc728d0a37aa7b398267b9e44a903b24c590a89\n // 2427f804f43f31b414ebe2d579e561ebe626ff9d1d40d327a260bed2ed2703e2\n // 1427c49ab11c272ba0a3d4e106beedc43dedafdb080e3a2e92424eb30962154a\n // 72006974ee1df528c145dd885d4e5807a16623b1341f44ba6c2a4ac38dc4a475\n // 2bc80b20d8b0011d69289b9de50a7ad613434c6ad2cd742258cb6f985d72e2fe\n\n\n condition:\n uint32be(0) == 0x7f454c46 and // elf magic\n uint32be(0x4) == 0x02010100 and // processor architecture\n uint32be(0x10) == 0x02003e00 and // object file type and required architecture\n uint32be(0x14) == 0x01000000 and // file version\n uint32be(0x18) == 0x78004000 and // program entry point\n uint32be(0x1c) == 0x00000000 and // program entry point\n uint32be(0x20) == 0x40000000 and // program header table position\n uint32be(0x24) == 0x00000000 and // program header table position\n uint32be(0x28) == 0x00000000 and // 
section header table position\n uint32be(0x2C) == 0x00000000 and // section header table position\n uint32be(0x30) == 0x00000000 and // flags (architecture dependent)\n uint32be(0x34) == 0x40003800 and // elf header size\n uint32be(0x38) == 0x01000000 and // size of an entry and number of entries in the program header table\n uint32be(0x3C) == 0x00000000 and // size of an entry and number of entries in the section header table\n filesize < 2KB\n}\n", "rule_count": 1, "rule_names": [ "suspicious_tiny_elf_b7b4b0348e6c" ], "rule_creation_date": "2022-10-18", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Malware.Generic" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1053.003", "attack.t1027", "attack.t1573.001", "attack.t1068", "attack.t1571" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-sweetpotato_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581543Z", "creation_date": "2026-03-23T11:46:25.581545Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.581551Z", "rule_level": "critical", 
"rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/CCob/SweetPotato/\nhttps://jlajara.gitlab.io/Potatoes_Windows_Privesc\nhttps://attack.mitre.org/techniques/T1068/" ], "name": "sweetpotato.yar", "content": "rule sweetpotato {\n meta:\n title = \"SweetPotato HackTool\"\n id = \"658873d8-0fa6-4722-9916-7fe800f95917\"\n description = \"Detects the SweetPotato HackTool.\\nSweetPotato is a tool that enables privilege escalation from service accounts to SYSTEM by exploiting various techniques such as JuicyPotato, PetitPotam, EfsPotato, and PrintSpoofer.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/CCob/SweetPotato/\\nhttps://jlajara.gitlab.io/Potatoes_Windows_Privesc\\nhttps://attack.mitre.org/techniques/T1068/\"\n date = \"2023-11-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068\"\n classification = \"Windows.HackTool.SweetPotato\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 32a80b4a25e7f42dd080aedc8917ec64cf90fea97dfd1ba1650aff08578e43cd\n // f59cf5fa13e50f0f925fc8cf91c8b8ff7bcf5a82da56e9a64e8f2bacedf66ec0\n\n $s1 = \"[+] Attempting NP impersonation using method EfsRpc to launch\" fullword wide\n $s2 = \"[+] Server connected to our evil RPC pipe\" fullword wide\n $s3 = \"[+] Triggering name pipe access on evil PIPE\" fullword wide\n $s4 = \"[+] Attempting NP impersonation using method PrintSpoofer to launch\" fullword wide\n $s6 = \"[+] Intercepted and authenticated successfully, launching program\" fullword wide\n $s7 = \"[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}\" fullword wide\n $s8 = \"1bf9c10f-6f89-4520-9d2e-aaf17d17ba5e\" ascii\n\n $canary = 
\"60eaebb5ce5dcbc136682a45b3f252cd8a203e34fbb8d2cfdd09c852bf079f1e11b872d8a34c24e9e78b0736a8dee0448c87ac300fa3bff26fb4a7e060795632\"\n\n condition:\n 1 of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "sweetpotato" ], "rule_creation_date": "2023-11-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.SweetPotato" ], "rule_tactic_tags": [ "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1068" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-swiftbelt_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566602Z", "creation_date": "2026-03-23T11:46:25.566604Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566609Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/cedowens/SwiftBelt/tree/master\nhttps://www.elastic.co/security-labs/inital-research-of-jokerspy\nhttps://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/" ], "name": "swiftbelt.yar", "content": "rule swiftbelt {\n meta:\n title = \"SwiftBelt 
HackTool\"\n id = \"cefdefca-0349-48db-8599-2b6cdaa0ea61\"\n description = \"Detects SwiftBelt, a tool designed to perform various enumerations on macOS hosts.\\nSwiftBelt can, among other things, identify security tools installed on the system and read Slack, Stickie Notes and browsers credentials.\"\n references = \"https://github.com/cedowens/SwiftBelt/tree/master\\nhttps://www.elastic.co/security-labs/inital-research-of-jokerspy\\nhttps://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/\"\n date = \"2025-10-10\"\n modified = \"2025-11-24\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1087;attack.t1217;attack.t1518;attack.t1082;attack.t1007\"\n classification = \"Windows.HackTool.SwiftBelt\"\n context = \"process,memory,file.macho\"\n os = \"MacOS\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1\n\n $canary = \"e6098219db746bd2a8472615a95acc17f0bad0715548be209667b10cdc9092f4\" ascii\n\n $s1 = \"SwiftBelt: A MacOS enumerator similar to @harmjoy's Seatbelt. 
Does not use any command line utilities\" ascii fullword\n $s2 = \"/SwiftBelt/Sources/SwiftBelt/main.swift\" ascii\n $s3 = \"[-] Firefox places.sqlite database not found for user\" ascii fullword\n $s4 = \"[-] Chrome History database not found for user\" ascii fullword\n $s5 = \"[+] NoMAD found so host is likely joined to AD\" ascii fullword\n\n condition:\n 2 of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "swiftbelt" ], "rule_creation_date": "2025-10-10", "rule_modified_date": "2025-11-24", "rule_os": [ "macos" ], "rule_classifications": [ "Windows.HackTool.SwiftBelt" ], "rule_tactic_tags": [ "attack.discovery" ], "rule_technique_tags": [ "attack.t1518", "attack.t1217", "attack.t1082", "attack.t1087", "attack.t1007" ], "rule_score": 100, "rule_context": [ "memory", "file.macho", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-symbiote_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564292Z", "creation_date": "2026-03-23T11:46:25.564296Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564305Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat" ], "name": "symbiote.yar", "content": "rule linux_symbiote {\n meta:\n title = \"Symbiote Rootkit\"\n id = \"962ad473-7427-4430-b7d5-6c0c3ed7abf6\"\n description = \"Detects the Symbiote rootkit, a highly evasive Linux-based malware.\\nSymbiote is designed to provide attackers with persistent access to infected systems. It uses BPF packet filters to monitor and manipulate network traffic, and employs DNS exfiltration techniques to communicate with command-and-control servers.\\nThe malware injects itself into legitimate processes, making it difficult to detect using traditional methods.\"\n references = \"https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat\"\n date = \"2022-06-10\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1572;attack.credential_access;attack.t1056.004\"\n classification = \"Linux.Rootkit.Symbiote\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Version 1: no bpf and dns tunneling\n // 121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924\n\n $s_v1_1 = \"/proc/self/fd/%d\" fullword ascii\n $s_v1_2 = \"/usr/include/linux/usb/usb.h\" fullword ascii\n $s_v1_3 = \"/usr/bin/ssh\" fullword ascii\n $s_v1_4 = \"/usr/bin/scp\" fullword ascii\n $s_v1_5 = \"kerneldev.so\" fullword ascii\n $s_v1_6 = \"/tmp/resolv.conf\" fullword ascii\n $s_v1_7 = \"%d.%u.%s.%s\" fullword ascii\n\n\n // Version 2: long bpf, rc4 to hide strings and no dns tunneling\n // f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c\n\n // These snippets are common to version 2 and 3\n $bpf_snippet_1 = { 28 00 00 00 0c 00 00 00 } // ether frame type\n $bpf_snippet_2 = { 06 00 00 00 00 00 00 00 } // packet drop\n $bpf_snippet_3 = { 28 00 00 00 36 00 00 00 } // load tcp src port into 
register\n $bpf_snippet_4 = { 28 00 00 00 38 00 00 00 } // load tcp dst port into register\n $bpf_snippet_5 = { 30 00 00 00 14 00 00 00 } // load ipv2 header\n\n\n // Version 3: shorter bpf, dns tunneling and rc4 to hide strings\n // ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180\n // a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6\n\n $s_v3_1 = \"download_script\" fullword ascii\n $s_v3_2 = \"prepare_pipe\" fullword ascii\n $s_v3_3 = \"%d.%zu.%s.%s\" fullword ascii // DNS tunneling formatting\n\n\n // Common to version 1, 2 and 3\n // 121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924\n // a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6\n // ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180\n // f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c\n\n $op_rc4_key_scheduling = {\n 8B 45 ?? // mov eax, [rbp+var_10]\n 48 98 // cdqe\n 0F B6 84 05 ?? ?? ?? ?? // movzx eax, [rbp+rax+S]\n 0F B6 C0 // movzx eax, al\n 89 C1 // mov ecx, eax\n 03 4D ?? // add ecx, [rbp+j_1]\n 8B 45 ?? // mov eax, [rbp+var_10]\n 89 C2 // mov edx, eax\n C1 FA 1F // sar edx, 1Fh\n F7 7D ?? // idiv [rbp+keylength]\n 89 D0 // mov eax, edx\n 48 98 // cdqe\n 48 03 85 ?? ?? ?? ?? // add rax, [rbp+s]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 0F B6 C0 // movzx eax, al\n 8D 14 01 // lea edx, [rcx+rax]\n 89 D0 // mov eax, edx\n C1 F8 1F // sar eax, 1Fh\n C1 E8 18 // shr eax, 18h\n 01 C2 // add edx, eax\n 81 E2 FF 00 00 00 // and edx, 0FFh\n 89 D1 // mov ecx, edx\n 29 C1 // sub ecx, eax\n 89 C8 // mov eax, ecx\n 89 45 ?? // mov [rbp+j_1], eax\n }\n\n $op_port_generation = {\n 48 8B 45 ?? // mov rax, [rbp+var_18]\n 48 8D 48 03 // lea rcx, [rax+3]\n 8B 45 ?? // mov eax, [rbp+var_1C]\n 8D 50 ?? 
// lea edx, [rax+0Fh]\n 85 C0 // test eax, eax\n 0F 48 C2 // cmovs eax, edx\n C1 F8 04 // sar eax, 4\n 89 C2 // mov edx, eax\n C1 FA 1F // sar edx, 1Fh\n C1 EA 1C // shr edx, 1Ch\n 01 D0 // add eax, edx\n 83 E0 0F // and eax, 0Fh\n 29 D0 // sub eax, edx\n 48 98 // cdqe\n 48 03 45 ?? // add rax, [rbp+var_8]\n 0F B6 00 // movzx eax, byte ptr [rax]\n 88 01 // mov [rcx], al\n }\n\n $op_check_file_hidden = {\n 8B 55 ?? // mov edx, [rbp+var_4]\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:fth_ptr\n 48 63 D2 // movsxd rdx, edx\n 48 C1 E2 04 // shl rdx, 4\n 8B 44 02 08 // mov eax, [rdx+rax+8]\n 48 63 D0 // movsxd rdx, eax ; n\n 8B 4D ?? // mov ecx, [rbp+var_4]\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:fth_ptr\n 48 63 C9 // movsxd rcx, ecx\n 48 C1 E1 04 // shl rcx, 4\n 48 8B 0C 01 // mov rcx, [rcx+rax]\n 48 8D 45 ?? // lea rax, [rbp+dest]\n 48 89 CE // mov rsi, rcx ; src\n 48 89 C7 // mov rdi, rax ; dest\n E8 ?? ?? FF FF // call _memcpy\n 8B 55 FC // mov edx, [rbp+var_4]\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:fth_ptr\n 48 63 D2 // movsxd rdx, edx\n 48 C1 E2 04 // shl rdx, 4\n 8B 44 02 08 // mov eax, [rdx+rax+8]\n 48 98 // cdqe\n C6 44 05 ?? 00 // mov [rbp+rax+dest], 0\n 8B 55 ?? // mov edx, [rbp+var_4]\n 48 8B 05 ?? ?? ?? ?? // mov rax, cs:fth_ptr\n 48 63 D2 // movsxd rdx, edx\n 48 C1 E2 04 // shl rdx, 4\n 8B 54 02 08 // mov edx, [rdx+rax+8]\n 48 8D 45 ?? // lea rax, [rbp+dest]\n 48 89 C6 // mov rsi, rax\n 48 8D 3D ?? ?? ?? ?? // lea rdi, rc4_key2\n E8 ?? ?? FF FF // call rc4\n 48 8D 55 ?? // lea rdx, [rbp+dest]\n 48 8B 45 ?? // mov rax, [rbp+s1]\n 48 89 D6 // mov rsi, rdx ; s2\n 48 89 C7 // mov rdi, rax ; s1\n E8 ?? ?? 
FF FF // call _strcmp\n }\n\n condition:\n (3 of ($op_*)) // detection of versions with strings removed\n or (2 of ($op_*) and 5 of ($s_v1_*)) // detection of v1\n or (2 of ($op_*) and 4 of ($bpf_snippet_*)) // detection of v2\n or (2 of ($op_*) and 4 of ($bpf_snippet_*) and 2 of ($s_v3_*)) // detection of v3\n}\n", "rule_count": 1, "rule_names": [ "linux_symbiote" ], "rule_creation_date": "2022-06-10", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Symbiote" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1572", "attack.t1056.004" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-systembc_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.578163Z", "creation_date": "2026-03-23T11:46:25.578165Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.578171Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\nhttps://news.sophos.com/en-us/2020/12/16/systembc/\nhttps://asec.ahnlab.com/en/33600/" ], "name": 
"systembc.yar", "content": "rule systembc {\n meta:\n title = \"SystemBC Malware\"\n id = \"576b969b-fdfe-4a14-88c3-a9b6100267d4\"\n description = \"Detects the SystemBC malware.\\nSystemBC, also known as \\\"socks5 backconnect system\\\", is a proxy and Remote Administrative Tool (RAT) used to deploy malicious payloads.\\nIt sets up a SOCKS5 proxy to communicate with a Command and Control (C2) server controlled by attackers.\\nThis tool was first discovered in 2019 and is often used during ransomware attacks.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\\nhttps://news.sophos.com/en-us/2020/12/16/systembc/\\nhttps://asec.ahnlab.com/en/33600/\"\n date = \"2023-03-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1090;attack.t1573.001;attack.t1571\"\n classification = \"Windows.Malware.SystemBC\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a62751453618735964f32c88d8dbf08d5e27d17b3109a2bb48a15f4ad661a372\n // 6db824ea5f4d66e385965fcdab37fe9e15a3212bc4ce0c3caf5b726736610e1f\n // 782a48821d88060adf0f7ef3e8759fee3ddad49e942daad18c5af8ae0e9eb51e\n // 1aef94e54c1af9a8d0c4fa4cbdc602c025a2b10a097e87184ceb89e124d26e6a\n // 4562f90572d3ddcdf92f3310f1b5b563dcbffa575d72e3cd82eeacbd79f6c30f\n // d5ee05aa9a00d9a0058ef255a19f2521855df841bfa78750b16d38e0b59cd1fd\n\n $s1 = \"wsock32.dll\" ascii fullword\n $s2 = \"socks64.dll\" ascii fullword\n $s3 = \"BEGINDATA\" ascii fullword\n $s4 = \"HOST1:\" ascii\n $s5 = \"HOST2:\" ascii\n $s6 = \"PORT1:\" ascii\n $s7 = \"TOR:\" ascii fullword\n $s8 = \"GET %s HTTP/1.0\" ascii fullword\n\n $begindata_32 = {\n 55 // push ebp\n 8B EC // mov ebp, esp\n 60 // pusha\n 81 7D 08 ?? ?? ?? ?? // cmp [ebp+arg_0], offset aBegindata ; \"BEGINDATA\"\n 72 21 // jb short loc_402BE8\n 81 7D 08 ?? ?? ?? ?? 
// cmp [ebp+arg_0], offset dword_405081\n 77 18 // ja short loc_402BE8\n 81 3D ?? ?? ?? ?? 78 6F 72 64 // cmp dword_405081, 64726F78h\n 75 3F // jnz short loc_402C1B\n 81 3D ?? ?? ?? ?? 61 74 61 00 // cmp dword_405085, 617461h\n 75 33 // jnz short loc_402C1B\n\n // loc_402BE8:\n 83 7D 10 00 // cmp [ebp+arg_8], 0\n 74 28 // jz short loc_402C16\n 83 7D 0C 00 // cmp [ebp+arg_4], 0\n 74 06 // jz short loc_402BFA\n 83 7D 0C FF // cmp [ebp+arg_4], 0FFFFFFFFh\n 75 0E // jnz short loc_402C08\n\n // loc_402BFA:\n FF 75 08 // push [ebp+arg_0]\n E8 ?? ?? 00 00 // call sub_402CE4\n 89 45 0C // mov [ebp+arg_4], eax\n FF 45 0C // inc [ebp+arg_4]\n\n // loc_402C08:\n FF 75 0C // push [ebp+arg_4]\n FF 75 10 // push [ebp+arg_8]\n FF 75 08 // push [ebp+arg_0]\n E8 ?? ?? FF FF // call sub_406449\n }\n\n $begindata_64 = {\n 55 // push rbp\n 48 8B EC // mov rbp, rsp\n 50 // push rax\n 53 // push rbx\n 57 // push rdi\n 56 // push rsi\n 41 54 // push r12\n 41 55 // push r13\n 41 56 // push r14\n 41 57 // push r15\n 48 8D 05 ?? ?? ?? ?? // lea rax, aBegindata ; \"BEGINDATA\"\n 48 8D 15 ?? ?? ?? ?? // lea rdx, dword_180006089\n 48 39 45 10 // cmp [rbp+arg_0], rax\n 72 1E // jb short loc_180002EE1\n 48 39 55 10 // cmp [rbp+arg_0], rdx\n 77 18 // ja short loc_180002EE1\n 81 3D ?? ?? ?? ?? 78 6F 72 64 // cmp cs:dword_180006089, 64726F78h\n 75 58 // jnz short loc_180002F2D\n 81 3D ?? ?? ?? ?? 61 74 61 00 // cmp cs:dword_18000608D, 617461h\n 75 4C // jnz short loc_180002F2D\n\n // loc_180002EE1:\n 48 83 7D 20 00 // cmp [rbp+arg_10], 0\n 74 40 // jz short loc_180002F28\n 48 83 7D 18 00 // cmp [rbp+arg_8], 0\n 74 07 // jz short loc_180002EF6\n 48 83 7D 18 FF // cmp [rbp+arg_8], 0FFFFFFFFFFFFFFFFh\n 75 19 // jnz short loc_180002F0F\n\n // loc_180002EF6:\n 48 83 EC 20 // sub rsp, 20h\n 48 8B 4D 10 // mov rcx, [rbp+arg_0]\n E8 ?? ?? 
00 00 // call sub_180003C77\n 48 83 C4 20 // add rsp, 20h\n 48 89 45 18 // mov [rbp+arg_8], rax\n 48 FF 45 18 // inc [rbp+arg_8]\n }\n\n $x1 = \"CreateThread\" ascii fullword\n $x2 = \"VirtualAlloc\" ascii fullword\n $x3 = \"ioctlsocket\" ascii fullword\n $x4 = \"wsock32.dll\" ascii fullword\n $x5 = \"socks64.dll\" ascii fullword\n $x6 = \"ws2_32.dll\" ascii fullword\n\n // CreateThread\n // Variable initialization\n $thread32_1 = {\n 8B 4D F4 // mov ecx, [ebp+var_C]\n 8B 55 FC // mov edx, [ebp+var_4]\n 8B 04 8A // mov eax, [edx+ecx*4]\n 89 45 E8 // mov [ebp+var_18], eax\n 8B 02 // mov eax, [edx]\n 89 45 F8 // mov [ebp+var_8], eax\n 88 4D D0 // mov [ebp+var_30], cl\n 66 C7 45 D1 0A 00 // mov [ebp+var_2F], 0Ah\n C6 45 D3 05 // mov [ebp+var_2D], 5\n C6 45 D4 01 // mov [ebp+var_2C], 1\n C6 45 D5 00 // mov [ebp+var_2B], 0\n C6 45 D6 01 // mov [ebp+var_2A], 1\n C6 45 D7 00 // mov [ebp+var_29], 0\n C6 45 D8 00 // mov [ebp+var_28], 0\n C6 45 D9 00 // mov [ebp+var_27], 0\n C6 45 DA 00 // mov [ebp+var_26], 0\n C6 45 DB 00 // mov [ebp+var_25], 0\n C6 45 DC 00 // mov [ebp+var_24], 0\n 66 C7 45 ?? 02 00 // mov [ebp+var_40], 2\n 80 7E 07 03 // cmp byte ptr [esi+7], 3\n }\n\n $thread64_1 = {\n 48 83 C4 20 // add rsp, 20h\n 88 9D 70 FF FF FF // mov [rbp+var_90], bl\n 66 C7 85 71 FF FF FF 0A 00 // mov [rbp+var_8F], 0Ah\n C6 85 73 FF FF FF 05 // mov [rbp+var_8D], 5\n C6 85 74 FF FF FF 01 // mov [rbp+var_8C], 1\n C6 85 75 FF FF FF 00 // mov [rbp+var_8B], 0\n C6 85 76 FF FF FF 01 // mov [rbp+var_8A], 1\n C6 85 77 FF FF FF 00 // mov [rbp+var_89], 0\n C6 85 78 FF FF FF 00 // mov [rbp+var_88], 0\n C6 85 79 FF FF FF 00 // mov [rbp+var_87], 0\n C6 85 7A FF FF FF 00 // mov [rbp+var_86], 0\n C6 85 7B FF FF FF 00 // mov [rbp+var_85], 0\n C6 85 7C FF FF FF 00 // mov [rbp+var_84], 0\n 66 C7 85 ?? 
FF FF FF 02 00 // mov [rbp+name.sa_family], 2\n 80 7E 07 03 // cmp byte ptr [rsi+7], 3\n }\n\n // WSAIoctl\n $thread32_2 = {\n C7 (45|85) [1-4] 01 00 00 00 // mov [ebp+var_80], 1\n C7 (45|85) [1-4] 60 EA 00 00 // mov [ebp+var_7C], 0EA60h\n C7 (45|85) [1-4] 10 27 00 00 // mov [ebp+var_78], 2710h\n 6A 00 // push 0\n 6A 00 // push 0\n 8D 85 ?? FF FF FF // lea eax, [ebp+var_84]\n 50 // push eax\n 6A 00 // push 0\n 6A 00 // push 0\n 6A 0C // push 0Ch\n 8D (45|85) [1-4] // lea eax, [ebp+var_80]\n 50 // push eax\n 68 04 00 00 98 // push 98000004h\n FF 75 E8 // push [ebp+var_18]\n }\n\n $thread64_2 = {\n 48 83 C4 20 // add rsp, 20h\n C7 85 ?? ?? FF FF 01 00 00 00 // mov [rbp+vInBuffer], 1\n C7 85 ?? ?? FF FF 60 EA 00 00 // mov [rbp+var_12C], 0EA60h\n C7 85 ?? ?? FF FF 10 27 00 00 // mov [rbp+var_128], 2710h\n 48 83 EC 50 // sub rsp, 50h\n 48 8B 4D 98 // mov rcx, [rbp+s]\n 48 BA 04 00 00 98 00 00 00 00 // mov rdx, 98000004h\n 4C 8D 85 ?? ?? FF FF // lea r8, [rbp+vInBuffer]\n 49 C7 C1 0C 00 00 00 // mov r9, 0Ch\n 48 C7 44 24 ?? 00 00 00 00 // mov [rsp+190h+lpvOutBuffer], 0\n 48 C7 44 24 ?? 00 00 00 00 // mov qword ptr [rsp+190h+cbOutBuffer], 0\n 48 8D 85 ?? ?? FF FF // lea rax, [rbp+cbBytesReturned]\n 48 89 44 24 ?? // mov [rsp+190h+lpcbBytesReturned], rax\n 48 C7 44 24 ?? 00 00 00 00 // mov [rsp+190h+lpOverlapped], 0\n 48 C7 44 24 ?? 
00 00 00 00 // mov [rsp+190h+timeout], 0\n }\n\n condition:\n 7 of ($s*) or\n 1 of ($begindata_*) or\n 5 of ($x*) and (all of ($thread32_*) or all of ($thread64_*))\n}\n", "rule_count": 1, "rule_names": [ "systembc" ], "rule_creation_date": "2023-03-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.SystemBC" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1090", "attack.t1573.001", "attack.t1571" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-syswhispers2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "moderate", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585753Z", "creation_date": "2026-03-23T11:46:25.585757Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585765Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "moderate", "rule_confidence_override": null, "references": [ "https://github.com/jthuraisamy/SysWhispers2" ], "name": "syswhispers2.yar", "content": "rule syswhispers2 {\n meta:\n title = \"SysWhispers2 Syscall Stubs\"\n id = \"3ee39874-62c8-4632-928b-6fe1772358ab\"\n description = \"Detects SysWhispers2, a tool for evading AV/EDR systems by generating header and assembly 
files that allow implants to make direct system calls, bypassing security hooks. It supports all core syscalls and helps red teamers create stealthier attacks by using syscall address sorting techniques for reduced detection.\"\n references = \"https://github.com/jthuraisamy/SysWhispers2\"\n date = \"2021-02-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.007\"\n classification = \"Windows.Generic.SysWhispers2\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"moderate\"\n\n strings:\n // Detection for these samples:\n // b55d89e7b215f138d44560e56146b2b26297992de088b3af08ed368c84d90ea9\n // e1370e9afb0bd1e7fb4cb11779a39b6b2d2e0f99fc2cd6137b2c813a3cd54b70\n\n $sys_whispers2_stub1 = {\n // Save registers.\n 51 // push rcx\n 52 // push rdx\n 41 50 // push r8\n 41 51 // push r9\n\n B9 ?? ?? ?? ?? // mov ecx, 0xXXX (Syscall Function Hash)\n E8 ?? ?? ?? ?? // call 0xXXXX (SW2_GetSyscallNumber)\n\n // Restore registers.\n 41 59 // pop r9\n 41 58 // pop r8\n 5A // pop rdx\n 59 // pop rcx\n 4C 8B D1 // mov r10, rcx\n ( 0F 05 | CD 2E | 0F 34 ) // syscall | int 2eh | sysenter\n C3 // retn\n }\n\n $sys_whispers2_stub2 = {\n 48 89 4C 24 08 // mov [rsp+arg_0], rcx\n 48 89 54 24 10 // mov [rsp+arg_8], rdx\n 4C 89 44 24 18 // mov [rsp+arg_10], r8\n 4C 89 4C 24 20 // mov [rsp+arg_18], r9\n 48 83 EC 28 // sub rsp, 28h\n (\n B9 ?? ?? ?? ?? | // mov ecx, 9D95891Eh\n 8B 0D ?? ?? ?? ?? // mov ecx, cs:dword_140165000\n )\n E8 ?? ?? ?? ?? 
// call sub_401793\n 48 83 C4 28 // add rsp, 28h\n 48 8B 4C 24 08 // mov rcx, [rsp+arg_0]\n 48 8B 54 24 10 // mov rdx, [rsp+arg_8]\n 4C 8B 44 24 18 // mov r8, [rsp+arg_10]\n 4C 8B 4C 24 20 // mov r9, [rsp+arg_18]\n (\n 49 89 CA | // mov r10, rcx\n 4C 8B D1 // mov r10, rcx\n )\n (\n 90 0F 05 | // nop + syscall\n 0F 05 // syscall\n )\n C3 // retn\n }\n\n condition:\n #sys_whispers2_stub1 >= 4 or $sys_whispers2_stub2\n}\n", "rule_count": 1, "rule_names": [ "syswhispers2" ], "rule_creation_date": "2021-02-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.SysWhispers2" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.007" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-syswhispers3winhttp_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582813Z", "creation_date": "2026-03-23T11:46:25.582815Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582821Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/huaigu4ng/SysWhispers3WinHttp" ], "name": 
"syswhispers3winhttp.yar", "content": "rule syswhispers3winhttp {\n meta:\n title = \"SysWhispers3WinHttp Loader\"\n id = \"ee149929-ce5f-4d16-8079-e0519867a4f2\"\n description = \"Detects SysWhispers3WinHttp, a Windows-based C2 loader developed as part of the SysWhispers3 project.\\nThis loader injects malicious code into processes by leveraging direct system calls to establish communication with a C2 server via WinHttp.\\nSysWhispers3WinHttp is designed to fetch and execute remote commands, making it a sophisticated tool for persistence and command execution.\\nThe detection mechanism identifies specific patterns in memory, including the use of the WinHttpOpen function and distinctive memory operations that mimic legitimate API calls.\"\n references = \"https://github.com/huaigu4ng/SysWhispers3WinHttp\"\n date = \"2023-09-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.Loader.SysWhispers3WinHttp\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 5ffe67ef3724c9370cadd535dcf3bf45921babdffbfa0625aa6ed1ddea41b056\n // 41a1d5f987d5a66bcccc878fd5dbde50776648b779d0bf4b53aab9d1d20fe369\n\n $winhttp = \"WinHttpOpen\" ascii fullword\n\n $VxMoveMemory = {\n 48 89 C8 // mov rax, rcx\n 48 39 D1 // cmp rcx, rdx\n 73 1E // jnb short loc_4019E6\n 4D 85 C0 // test r8, r8\n 74 18 // jz short locret_4019E5\n 41 B9 00 00 00 00 // mov r9d, 0\n\n // loc_4019D3:\n 42 0F B6 0C 0A // movzx ecx, byte ptr [rdx+r9]\n 42 88 0C 08 // mov [rax+r9], cl\n 49 83 C1 01 // add r9, 1\n 4D 39 C8 // cmp r8, r9\n 75 EE // jnz short loc_4019D3\n\n // locret_4019E5:\n C3 // retn\n\n // loc_4019E6:\n 4D 8D 48 FF // lea r9, [r8-1]\n 4D 85 C0 // test r8, r8\n 74 F6 // jz short locret_4019E5\n\n // loc_4019EF:\n 42 0F B6 0C 0A // movzx ecx, byte ptr [rdx+r9]\n 42 88 0C 08 // mov [rax+r9], cl\n 49 83 E9 01 
// sub r9, 1\n 49 83 F9 FF // cmp r9, 0FFFFFFFFFFFFFFFFh\n 75 ED // jnz short loc_4019EF\n EB E1 // jmp short locret_4019E5\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "syswhispers3winhttp" ], "rule_creation_date": "2023-09-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.SysWhispers3WinHttp" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-takemyrdp_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584687Z", "creation_date": "2026-03-23T11:46:25.584689Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584695Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/TheD1rkMtr/TakeMyRDP\nhttps://github.com/nocerainfosec/TakeMyRDP2.0" ], "name": "takemyrdp.yar", "content": "rule TakeMyRDP {\n meta:\n title = \"TakeMyRDP HackTool\"\n id = \"f5aa7960-b555-4dc3-a5d7-e9d0e3d1417c\"\n description = \"Detects the TakeMyRDP HackTool.\\nTakeMyRDP is a keystroke logging tool designed to 
capture keyboard inputs within specific RDP-related processes. It establishes a low-level keyboard hook to monitor and record keystrokes in contexts such as Remote Desktop Protocol (RDP) sessions, particularly targeting processes like mstsc.exe and CredentialUIBroker.exe. The tool captures sensitive information like credentials and session activity.\"\n references = \"https://github.com/TheD1rkMtr/TakeMyRDP\\nhttps://github.com/nocerainfosec/TakeMyRDP2.0\"\n date = \"2023-07-10\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.credential_access;attack.t1056.001\"\n classification = \"Windows.HackTool.TakeMyRDP\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a77c4bf1deda81c4b3b1e40e5e8efa041a0f9cc0e6024812cfa3eb8d37133fc6\n // 7567fdc1b82f607d8a6db1a670797dc32326689394e0e59e0ca42a04d94fdb71\n\n $s1 = \"\" ascii fullword\n $s2 = \"SetWindowsHookExW\" ascii fullword\n $s3 = \"TranslateMessage\" ascii fullword\n $s4 = \"GetForegroundWindow\" ascii fullword\n $s5 = \"DispatchMessageW\" ascii fullword\n $s6 = \"CallNextHookEx\" ascii fullword\n $s7 = \"GetKeyState\" ascii fullword\n $s8 = \"GetWindowThreadProcessId\" ascii fullword\n\n $processes = {\n 6D 00 73 00 74 00 73 00 63 00 2E 00 65 00 78 00 // text \"UTF-16LE\", 'mstsc.exe',0\n 65 00 00 00 00 00 00 00\n 43 00 72 00 65 00 64 00 65 00 6E 00 74 00 69 00 // text \"UTF-16LE\", 'CredentialUIBroker.exe',0\n 61 00 6C 00 55 00 49 00 42 00 72 00 6F 00 6B 00\n 65 00 72 00 2E 00 65 00 78 00 65 00 00 00 00 00\n 3C // db '',0\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "TakeMyRDP" ], "rule_creation_date": "2023-07-10", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.TakeMyRDP" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access" ], "rule_technique_tags": [ 
"attack.t1056.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tdsskiller_binary_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584893Z", "creation_date": "2026-03-23T11:46:25.584895Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584900Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "tdsskiller_binary.yar", "content": "import \"pe\"\n\nrule tdsskiller_binary {\n meta:\n title = \"TDSSKiller Binary\"\n id = \"9f3b4393-e5f1-4740-bb9d-140dcb7b75c4\"\n description = \"Detects TDSSKiller, a legitimate tool developed by Kaspersky for detecting and removing rootkits.\\nThis tool is capable of disabling stubborn malicious processes through command prompt execution.\\nIt is notable for being abused by the LockBit 3.0 Ransomware group to terminate EDR processes.\"\n references = 
\"https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-07-27\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Tool.TDSSkiller\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 71fab17a59b474e6ff3a8c5fb9b46cadfc6226c6a100c84944cbc7ccda151075\n // 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009\n // 50eb691e88c7eac7952ad408e7cc08759fb84e8776cde35d3919a76ce9797f8e\n\n $pdb_path = \"C:\\\\Perforce\\\\All\\\\virlab\\\\anti_rootkit\\\\research\\\\KlDropper\\\\Release\\\\KlDropper.pdb\" ascii fullword\n $canary = \"1cba4afc8b8ae7334527ac8ceb94c8f8e08367799856c45b61ceb2bd69d75893\"\n\n condition:\n ((\n $pdb_path and not (\n pe.version_info[\"OriginalFilename\"] != \"SalityKiller.exe\" or\n pe.version_info[\"OriginalFilename\"] != \"ZbotKiller.exe\" or\n pe.version_info[\"OriginalFilename\"] != \"VirutKiller.exe\" or\n pe.version_info[\"OriginalFilename\"] != \"RannohDecryptor.exe\"\n )\n )\n or pe.version_info[\"OriginalFilename\"] == \"TDSSKiller.exe\")\n and not $canary\n}\n", "rule_count": 1, "rule_names": [ "tdsskiller_binary" ], "rule_creation_date": "2023-07-27", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.TDSSkiller" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tdsskiller_minidriver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", 
"rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.571562Z", "creation_date": "2026-03-23T11:46:25.571564Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.571570Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "tdsskiller_minidriver.yar", "content": "import \"pe\"\n\nrule tdsskiller_minidriver {\n meta:\n title = \"TDSSKiller Driver\"\n id = \"b49bb317-1fa3-41d8-89ab-717039123918\"\n description = \"Detects TDSSKiller's driver, a legitimate tool developed by Kaspersky for detecting and removing rootkits.\\nThis tool is capable of disabling stubborn malicious processes through command prompt execution.\\nIt is notable for being abused by the LockBit 3.0 Ransomware group to terminate EDR processes.\"\n references = \"https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/lockbit-ransomware-silently-disables-edr-using-tdsskiller\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2023-07-27\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001\"\n classification = \"Windows.Tool.TDSSkiller\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection 
for this sample:\n // 3efdfb47b0556e97256447f7d619a293d713327496a9524bfbe6a3294e9a7df4\n\n $s1 = \"Copyright (c) Kaspersky Lab, Yury Parshin\" wide fullword\n $s2 = \"Kaspersky Lab Mini Driver\" wide fullword\n $s3 = \"klmd.sys\" wide fullword\n $s4 = \"C:\\\\Perforce\\\\PARSHIN-TDSSKiller-3.1\\\\out_x64\\\\WNet Release\\\\klmd_wnet_x64_release.pdb\" ascii fullword\n $s5 = \"Kaspersky Lab0\" ascii fullword\n $s6 = \"Kaspersky Lab1\" ascii fullword\n\n $canary = \"c27cde14c23c360cefd1901eae32de6a9b73bcb13c5f653f7473bf2acfbe53b1\"\n\n condition:\n 5 of ($s*) and not $canary\n}\n", "rule_count": 1, "rule_names": [ "tdsskiller_minidriver" ], "rule_creation_date": "2023-07-27", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.TDSSkiller" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-terminator_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567977Z", "creation_date": "2026-03-23T11:46:25.567979Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567984Z", "rule_level": "critical", "rule_level_override": null, 
"rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ZeroMemoryEx/Terminator/\nhttps://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "terminator.yar", "content": "rule terminator {\n meta:\n title = \"Terminator HackTool\"\n id = \"ebd55991-2d88-41ed-918d-004115a26d52\"\n description = \"Detects Terminator, a HackTool that uses the zam64.sys driver to terminate protected processes.\\nTerminator is a tool designed to kill specific processes by leveraging a vulnerable driver. It loads the zam64.sys driver into memory and uses it to target and terminate the specified processes. This activity is typically associated with attempts to disrupt or disable security mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/ZeroMemoryEx/Terminator/\\nhttps://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.Terminator\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 1b796310af83a4f0b6a6ff33638e638f08ec5749e474aee998861467adc71284\n\n $s_device = \"\\\\\\\\.\\\\ZemanaAntiMalware\" wide ascii\n $s_winapi_01 = \"CreateFile\" wide ascii\n $s_winapi_02 = \"DeviceIoControl\" wide ascii\n $s_winapi_03 = \"CreateToolhelp32Snapshot\" wide ascii\n $s_winapi_04 = \"Process32First\" wide ascii\n $s_winapi_05 = \"Process32Next\" wide ascii\n $s_winapi_06 = \"OpenSCManager\" wide ascii\n $s_winapi_07 = \"OpenService\" wide ascii\n $s_winapi_08 = \"StartService\" wide ascii\n $s_winapi_09 = \"CreateService\" wide ascii\n $s_IOCTL_kill 
= { (80 00 20 48|48 20 00 80) }\n $s_IOCTL_init = { (80 00 20 10|10 20 00 80) }\n $filter_domain_01 = \"zamcloud\" wide ascii\n $filter_domain_02 = \"zemana.com\" wide ascii\n\n condition:\n all of ($s_*)\n and not (1 of ($filter_*))\n}\n", "rule_count": 1, "rule_names": [ "terminator" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Terminator" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tfsysmon-killer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567570Z", "creation_date": "2026-03-23T11:46:25.567572Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567577Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "tfsysmon-killer.yar", "content": "rule tfsysmon_killer {\n meta:\n title = \"TfSysMon-Killer HackTool\"\n id = 
\"9588b75a-94f4-4240-a71c-5f890fdac2f8\"\n description = \"Detects the TfSysMon-Killer HackTool.\\nTfSysMon-Killer is a tool designed to terminate protected processes by exploiting a vulnerability in the SysMon.sys driver. It operates by loading the SysMon.sys driver into memory and utilizing its functions to kill specified processes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n os = \"Windows\"\n classification = \"Windows.HackTool.TfSysMonKiller\"\n context = \"process,memory,thread,file.pe\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 00de8cb8675b4fe6f675935b32b1a9b9cf8fcb6131eaaaf8c7d73f90b6064f5f\n\n $device = \"\\\\\\\\.\\\\TfSysMon\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"CreateToolhelp32Snapshot\" wide ascii\n $winapi_04 = \"Process32First\" wide ascii\n $winapi_05 = \"Process32Next\" wide ascii\n $winapi_06 = \"OpenSCManager\" wide ascii\n $winapi_07 = \"OpenService\" wide ascii\n $winapi_08 = \"StartService\" wide ascii\n $winapi_09 = \"CreateService\" wide ascii\n $IOCTL_kill = { (B4 A0 04 04|04 04 A0 B4) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "tfsysmon_killer" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.TfSysMonKiller" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-thread_context_hijacking_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586159Z", "creation_date": "2026-03-23T11:46:25.586162Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586183Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://research.checkpoint.com/2025/waiting-thread-hijacking/\nhttps://github.com/hasherezade/waiting_thread_hijacking" ], "name": "thread_context_hijacking.yar", "content": "rule generic_thread_hijacking_stub {\n meta:\n title = \"Generic Thread Hijacking Stub\"\n id = \"a2c75caa-12ac-4503-bbe6-3fb0b345238e\"\n description = \"Detects a default shellcode stub used for Waiting Thread Injection.\\nWaiting Thread Injection is a technique consisting of overwriting the return address of a given thread that is in a waiting state; when the affected thread is resumed, control flow will be hijacked and the shellcode will be executed before restoring the original thread context.\\nThis shellcode stub handles saving the entire context of a given waiting thread, so the execution flow can be hijacked safely for executing shellcode before returning control.\\nIt is recommended to dump the process and the given thread for further analysis and 
investigate any other alerts on the given machine to determine maliciousness.\"\n references = \"https://research.checkpoint.com/2025/waiting-thread-hijacking/\\nhttps://github.com/hasherezade/waiting_thread_hijacking\"\n date = \"2025-04-15\"\n modified = \"2025-04-22\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140\"\n classification = \"Windows.Generic.WaitingThreadInjection\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n\n $hijacking_stub = {\n 9C // pushf\n 50 // push rax\n 51 // push rcx\n 52 // push rdx\n 53 // push rbx\n 55 // push rbp\n 56 // push rsi\n 57 // push rdi\n 41 50 // push r8\n 41 51 // push r9\n 41 52 // push r10\n 41 53 // push r11\n 41 54 // push r12\n 41 55 // push r13\n 41 56 // push r14\n 41 57 // push r15\n E8 [4] // call 0x4010ea\n 41 5F // pop r15\n 41 5E // pop r14\n 41 5D // pop r13\n 41 5C // pop r12\n 41 5B // pop r11\n 41 5A // pop r10\n 41 59 // pop r9\n 41 58 // pop r8\n 5F // pop rdi\n 5E // pop rsi\n 5D // pop rbp\n 5B // pop rbx\n 5A // pop rdx\n 59 // pop rcx\n 58 // pop rax\n (66 9D | 9D) // popf\n E? 
// jmp 0xffff\n // Shellcode sits here\n }\n\n condition:\n $hijacking_stub\n}\n", "rule_count": 1, "rule_names": [ "generic_thread_hijacking_stub" ], "rule_creation_date": "2025-04-15", "rule_modified_date": "2025-04-22", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Generic.WaitingThreadInjection" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tofsee_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.580784Z", "creation_date": "2026-03-23T11:46:25.580786Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.580792Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/tofsee-malware/" ], "name": "tofsee.yar", "content": "rule tofsee {\n meta:\n title = \"Tofsee C2\"\n id = \"b03a674f-994c-4ddc-bdcf-23e5772b5325\"\n description = \"Detects the Tofsee C2 and Spambot modular framework.\\nTofsee is a modular spambot primarily written in C++, 
designed to perform a variety of malicious activities including sending spam emails, conducting DDoS attacks, mining cryptocurrency, and stealing account credentials. It features a modular architecture that allows it to download additional components from its command-and-control (C2) server to extend its capabilities, securing network exchanges via XOR-based encryption and often using port 443 to blend in with legitimate SSL traffic.\\nIt is recommended to investigate activity surrounding this binary to determine maliciousness, infection vector and actions taken by the attacker. Since Tofsee uses non-standard protocols, verify DPI information to determine if traffic is using port 443 with non-HTTP communication.\"\n references = \"https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining\\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/tofsee-malware/\"\n date = \"2025-10-09\"\n modified = \"2025-10-13\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001;attack.t1041;attack.t1027;attack.credential_access;attack.t1552.004\"\n classification = \"Windows.Framework.Tofsee\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6a7bec4ec7be69e7517f06cd3a969c601d2d03cc46efbece88a13f34d5aa9df6\n // 5986dfd6db9fb6ca666d5a55f527e81682f95aa4c2d5a96e773a1ef104202ce1\n // bf6d1b4d4024a1c1e0225b84428229e8b016254668b783ead7f83d3476cf23c7\n // f3c1eae26c8b86d3b14593b3702ce9e49e86ebc47ed170d8dfca79490d908c6a\n\n // Exception handler logging\n $s1 = \"\\n_ax=%p\\t_bx=%p\\t_cx=%p\\t_dx=%p\\t_si=%p\\t_di=%p\\t_bp=%p\\t_sp=%p\\n\" ascii fullword\n // Configuration parsing\n $s2 = \"except_info\" ascii fullword\n $s3 = \"localcfg\" ascii fullword\n $s4 = \"lid_file_upd\" ascii fullword\n $s5 = \"loader_id\" ascii fullword\n\n // char* decrypt_string(char* arg1, int32_t arg2, int32_t arg3, char arg4, char 
arg5)\n // char* eax = arg1\n // int32_t i_1 = arg3\n // char ecx = 1\n // if (i_1 != 0)\n // char* esi_2 = arg2 - eax\n // int32_t i\n // do\n // *eax = *(esi_2 + eax) ^ arg4\n // char edx = ecx + arg5\n // ecx = neg.b(ecx)\n // arg4 += edx\n // eax = &eax[1]\n // i = i_1\n // i_1 -= 1\n // while (i != 1)\n // return arg1\n\n // Since this is a modular function, offsets are the same across samples.\n $decryption_stub = {\n 2B F0 // sub esi, eax\n 8A 14 06 // mov dl, byte [esi+eax]\n 32 55 14 // xor dl, byte [ebp+0x14 {arg4}]\n 88 10 // mov byte [eax], dl\n 8A D1 // mov dl, cl\n 02 55 18 // add dl, byte [ebp+0x18 {arg5}]\n F6 D9 // neg cl\n 00 55 14 // add byte [ebp+0x14 {arg4}], dl\n 40 // inc eax\n 4F // dec edi\n }\n\n // Initializing unique Mutex of type \"Global\\\", this assures the malware only runs one instance of itself.\n // arg1 >= 0x60 -> Only run on builds greater than Windows Vista+\n // if (arg1 u>= 0x60 && arg6 != 0)\n // seed_random()\n // var_14 = &data_412e08\n // var_18 = &var_1c0\n // strcpy_safe(var_18, var_14)\n // var_1c = 0xc8\n // var_20 = 0xe4\n // strcat_safe(&var_1c0,\n // decrypt_string(&data_4122f8, 0x41090c, 0xc, var_20.b, var_1c.b))\n // var_14 = &var_1c0\n // var_18 = 0xc8\n // var_1c = 0xe4\n // var_20 = 0x82\n // var_18 = decrypt_string(&data_4122f8, 0x410888, var_20, var_1c.b, var_18.b)\n // void var_64\n // var_1c = &var_64 + arg_14 - 0x95c\n // wsprintfA(param0: var_1c, param1: var_18, var_14)\n // var_20 = 0x100\n // memset(&data_4122f8, 0, var_20)\n\n // Since this is a modular function, offsets are the same across samples.\n $unique_mutex_creation = {\n E8 [4-7] // call seed_random\n // push eax {var_14} {data_412e08}\n 8D [4-7] // lea eax, [ebp-0x15c {var_1c0}]\n // push eax {var_1c0} {var_18}\n E8 [4-8] // call strcpy_safe\n // push ebx {var_1c} {0xc8}\n // push edi {var_20} {0xe4}\n 6A 0C // push 0xc {var_24_2}\n 68 0C 09 41 00 // push 0x41090c {var_28_2}\n ?? 
// push esi {var_2c_2} {data_4122f8}\n E8 [4] // call decrypt_string\n 50 // push eax {var_30_3}\n 8D [5] // lea eax, [ebp-0x15c {var_1c0}]\n 50 // push eax {var_1c0} {var_34_3}\n E8 [4-6] // call strcat_safe\n 83 C4 24 // add esp, 0x24\n 8D [4-6] // lea eax, [ebp-0x15c {var_1c0}]\n ?? // push eax {var_1c0} {var_14}\n ?? // push ebx {var_18} {0xc8}\n ?? // push edi {var_1c} {0xe4}\n 68 82 00 00 00 // push 0x82 {var_20}\n 68 88 08 41 00 // push 0x410888 {var_24_3}\n ?? // push esi {var_28_3} {data_4122f8}\n E8 [4-6] // call decrypt_string\n 83 C4 14 // add esp, 0x14\n 50 // push eax {var_18}\n 8B 45 78 // mov eax, dword [ebp+0x78 {arg_14}]\n 8D [4-6] // lea eax, [ebp+eax-0x95c] {var_64}\n 50 // push eax {var_1c}\n [6] // call dword [wsprintfA]\n 68 00 01 00 00 // push 0x100 {var_20}\n 6A 00 // push 0x0 {var_24_4}\n ?? // push esi {var_28_4} {data_4122f8}\n E8 [4-6] // call memset\n 83 C4 18 // add esp, 0x18\n }\n\n condition:\n $decryption_stub or $unique_mutex_creation or all of ($s*)\n}", "rule_count": 1, "rule_names": [ "tofsee" ], "rule_creation_date": "2025-10-09", "rule_modified_date": "2025-10-13", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Tofsee" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1027", "attack.t1071.001", "attack.t1041", "attack.t1552.004" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-token_universe_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", 
"name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585039Z", "creation_date": "2026-03-23T11:46:25.585041Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585047Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/diversenok/TokenUniverse" ], "name": "token_universe.yar", "content": "rule token_universe {\n meta:\n title = \"TokenUniverse Tool\"\n id = \"7ff054c5-b591-4771-a87b-e120d17ecc6c\"\n description = \"Detects TokenUniverse, an advanced tool for experimenting and researching Windows security mechanisms.\\nThis tool provides capabilities for exploring and manipulating Windows access tokens, allowing researchers and attackers alike to study and exploit token-based operations. 
The rule identifies specific patterns associated with TokenUniverse's activity, including its main window, token manipulation attempts, and related processes.\"\n references = \"https://github.com/diversenok/TokenUniverse\"\n date = \"2024-04-22\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.credential_access;attack.t1134\"\n classification = \"Windows.Tool.TokenUniverse\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 8c1f1449e7022f3e418e31f6f1afea1dfb87164532e7d2ee13f6b656a3ffb61d\n // 49d7196deb0e6177523f5988739638a99e17337485fe4abe37ef4d507f41e554\n // 5faadce24f84e811913afc85c57fa4fb9ea4a24eda4f6b4376e833b4a0f947a8\n // 017cb1033e39a9ca31fc76b2b40fd1916a6f27f370c37b331060f920900370db\n // 562fcd8100440be5e26692ee510edf61609837fd25b8cccc9ce3aab2db50736d\n\n $s1 = \"Token Universe :: Main Window\" ascii fullword\n $s2 = \"%Found 0 opened handles in 0 processes\" ascii fullword\n $s3 = \"{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}\" wide fullword\n $s4 = \"%s (*.%s)|*.%1:s\" wide fullword\n $s5 = \"Linked token for\" wide fullword\n $s6 = \"Stay On &Top\" wide fullword\n $s7 = \"TokenUniverseSvc\" wide fullword\n $s8 = \"Custom SID recognizer returned nil\" wide fullword\n $s9 = \"/delegate /plus\" wide fullword\n $s10 = \"Using token: \" wide fullword\n\n $git = \"https://github.com/diversenok/TokenUniverse\" wide fullword\n\n condition:\n 6 of ($s*) or\n ($git and 2 of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "token_universe" ], "rule_creation_date": "2024-04-22", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.TokenUniverse" ], "rule_tactic_tags": [ "attack.credential_access", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1134" ], "rule_score": 70, "rule_context": 
[ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tonshell_trojan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583000Z", "creation_date": "2026-03-23T11:46:25.583002Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583008Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell\nhttps://attack.mitre.org/groups/G0129/\nhttps://twitter.com/dez_/status/1765041607328624791" ], "name": "tonshell_trojan.yar", "content": "rule tonshell_trojan {\n meta:\n title = \"TonShell Trojan\"\n id = \"a0b8b0db-d890-48ed-9a67-07fe49e69279\"\n description = \"Detects the TonShell trojan used by the Mustang Panda group.\\nTonShell is a trojan that creates persistence on the system and communicates with a C2 server. 
It is known for its use of DLL side-loading techniques for initial deployment and persistence mechanisms.\\nThis malware family is often used in targeted attacks and can execute arbitrary commands received from its command and control server.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell\\nhttps://attack.mitre.org/groups/G0129/\\nhttps://twitter.com/dez_/status/1765041607328624791\"\n date = \"2024-03-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.g0129;attack.defense_evasion;attack.t1027.007;attack.t1140;attack.command_and_control;attack.t1071.001;attack.t1573.001\"\n classification = \"Windows.Trojan.TonShell\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 9c18852f7f92d2f7084bc5d385e642c93b3a59bd0a6e02b29d7d28a2019e7dba\n // 5cd4003ccaa479734c7f5a01c8ff95891831a29d857757bbd7fe4294f3c5c126\n\n $start = {\n 55 // push ebp\n 8B EC // mov ebp, esp\n 56 // push esi\n 8B 75 08 // mov esi, [ebp+arg_0]\n 57 // push edi\n 33 FF // xor edi, edi\n 39 BE 08 06 00 00 // cmp [esi+608h], edi\n 74 44 // jz short loc_10001076\n\n // loc_10001032:\n 8B 46 18 // mov eax, [esi+18h]\n 47 // inc edi\n 68 E8 03 00 00 // push 3E8h\n FF D0 // call eax\n 83 FF 1E // cmp edi, 1Eh\n 72 2B // jb short loc_1000106D\n 69 86 04 06 00 00 FD 43 03 00 // imul eax, [esi+604h], 343FDh\n BA 01 00 00 00 // mov edx, 1\n 6A 00 // push 0\n 6A 00 // push 0\n }\n\n $hashing = {\n 69 C0 31 5E C8 00 // imul eax, 0C85E31h\n 8D 52 01 // lea edx, [edx+1]\n 0F BE C9 // movsx ecx, cl\n 03 C1 // add eax, ecx\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "tonshell_trojan" ], "rule_creation_date": "2024-03-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.TonShell" 
], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1140", "attack.t1027.007", "attack.t1071.001", "attack.t1573.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-transparent_tribe_loader_3656ff28afac_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564048Z", "creation_date": "2026-03-23T11:46:25.564052Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564061Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://x.com/Cyberteam008/status/1902571329410171200\nhttps://attack.mitre.org/groups/G0134/" ], "name": "transparent_tribe_loader_3656ff28afac.yar", "content": "rule transparent_tribe_loader_3656ff28afac {\n meta:\n title = \"Transparent Tribe Loader (3656ff28afac)\"\n id = \"1b68f330-c08a-4889-943f-3656ff28afac\"\n description = \"Detects the strings of a loader used by APT-36 (aka Transparent Tribe).\\nTransparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and 
Afghanistan.\\nIt is recommended to investigate actions that were performed by the related process.\"\n references = \"https://x.com/Cyberteam008/status/1902571329410171200\\nhttps://attack.mitre.org/groups/G0134/\"\n date = \"2025-04-01\"\n modified = \"2025-07-07\"\n author = \"HarfangLab\"\n tags = \"attack.persistence;attack.t1053.003;attack.defense_evasion;attack.t1027.013;attack.command_and_control;attack.t1102\"\n classification = \"Linux.Loader.TransparentTribe\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // a0379f4a616926ac0806738dc1bb729d862ca956d774ec474747b3f1584400ea\n // 1bc95f36527efda255cf2ae39c15ed3778dedfe59eb594ebe0e57a7904c860f5\n // b77b1975417c0a76f6b017cf6d6e22420bf9bc5f9b705798c715cb5265a3203a\n\n $go_binary = \"Go buildinf:\" ascii fullword\n\n $s1 = \"https://drive.google.com/uc?export=download&id=\" ascii\n $s2 = \"Your File Access Code is:\" fullword ascii\n $s3 = \"Boss Not Connected to Internet. 
Please open on Internet PC or contact IT Administrator.\" ascii\n $s4 = \"Error adding gnu entry to .bashrc:\" ascii\n $s5 = \"nohup sh -c 'cd \" ascii\n $s6 = \"* * * * * bash -i -c 'source ~/.bashrc'\" ascii\n $s7 = \"Error adding cron job:\" ascii\n\n condition:\n $go_binary and (4 of ($s*))\n}\n", "rule_count": 1, "rule_names": [ "transparent_tribe_loader_3656ff28afac" ], "rule_creation_date": "2025-04-01", "rule_modified_date": "2025-07-07", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Loader.TransparentTribe" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.persistence" ], "rule_technique_tags": [ "attack.t1053.003", "attack.t1027.013", "attack.t1102" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-trickgate_packer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568576Z", "creation_date": "2026-03-23T11:46:25.568578Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568584Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1027/002/\nhttps://www.malwarebytes.com/blog/threat-intelligence/2021/05/revisiting-the-nsis-based-crypter\nhttps://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/" ], "name": "trickgate_packer.yar", "content": "rule trickgate_decryption_function {\n meta:\n title = \"TrickGate Shellcode\"\n id = \"2224f08d-c9fa-462c-94b9-7a2d89d6e434\"\n description = \"Detects the TrickGate Shellcode decryption sequence.\\nTrickGate has been attributed by Checkpoint Research as a PaaS (Packer-as-a-Service) that uses different techniques to pack and deliver malware.\\nThis rule specifically targets the second stage shellcode decryption function for versions using NSIS installers, as seen in campaigns from 2017 to 2022.\"\n references = \"https://attack.mitre.org/techniques/T1027/002/\\nhttps://www.malwarebytes.com/blog/threat-intelligence/2021/05/revisiting-the-nsis-based-crypter\\nhttps://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/\"\n date = \"2023-02-13\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.002\"\n classification = \"Windows.Packer.TrickGate\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 6c0f5a9bf9bfd84be91f3d84335b63ac95ac2b227fedc5de439971577328ac30\n // 507dbfd6aa22a40c64e153af688a18c03616e3473eee95f5312f6e9b2b3beb5a\n\n $virtual_alloc_setup = {\n C7 04 24 ?? ?? ?? ?? // mov [esp+74h+lpAddress], 0 ; lpAddress\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+74h+dwSize], 3D0900h ; dwSize\n C7 44 24 ?? ?? ?? ?? ?? // mov [esp+74h+flAllocationType], 3000h ; flAllocationType\n C7 44 24 ?? (40 | 80 | 04 | 08) ?? ?? ?? 
// mov [esp+74h+flProtect], 40h ; '@' ; flProtect https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection-constants\n FF ?? ?? ?? ?? ?? // call ds:VirtualAlloc\n }\n\n $decryption_function = {\n 83 F2 ?? // xor edx, 1Eh\n 88 14 08 // mov [eax+ecx], dl\n 8B ?? ?? // mov eax, [ebp+lpBuffer]\n 8B ?? ?? // mov ecx, [ebp+var_50]\n 0F BE 14 08 // movsx edx, byte ptr [eax+ecx]\n 81 F2 ?? 00 00 00 // xor edx, 0B8h\n 88 14 08 // mov [eax+ecx], dl\n 8B ?? ?? // mov eax, [ebp+lpBuffer]\n 8B ?? ?? // mov ecx, [ebp+var_50]\n 0F BE 14 08 // movsx edx, byte ptr [eax+ecx]\n }\n\n\n condition:\n $decryption_function and $virtual_alloc_setup\n}\n", "rule_count": 1, "rule_names": [ "trickgate_decryption_function" ], "rule_creation_date": "2023-02-13", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Packer.TrickGate" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-tshd_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564693Z", "creation_date": "2026-03-23T11:46:25.564695Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:46:25.564701Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/creaktive/tsh\nhttps://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/" ], "name": "tshd.yar", "content": "rule tshd_tool {\n meta:\n title = \"TSHd Tool\"\n id = \"022cee49-d43f-496e-9ab5-94ac274ae384\"\n description = \"Detects TSHd x64, an open-source shell server for UNIX systems.\\nTSHd is known to be used by the LightBasin teams as a reverse shell and includes internal AES encryption for packet protection.\\nThis rule specifically targets the Linux version of TSHd.\\nIt is recommended to monitor for TSHd-related processes and connections in your environment.\"\n references = \"https://github.com/creaktive/tsh\\nhttps://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/\"\n date = \"2021-10-21\"\n modified = \"2025-03-12\"\n author = \"HarfangLab\"\n tags = \"attack.exfiltration;attack.t1041;attack.execution;attack.t1059\"\n classification = \"Linux.Tool.TSHd\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $clear_marker_1 = \"Usage: %s [ -c [ connect_back_host ] ] [ -s secret ] [ -p port ]\" ascii\n\n // --- Markers for -O1 compilation ---\n // tshd.c:693\n // /bin/sh string creation\n $hex_marker_1 = {\n C6 00 2F // mov byte ptr [rax], 2Fh ; '/'\n C6 40 ?? 2F // mov byte ptr [rax + 0x??], 2Fh ; '/'\n C6 40 ?? 62 // mov byte ptr [rax + 0x??], 62h ; 'b'\n C6 40 ?? 73 // mov byte ptr [rax + 0x??], 73h ; 's'\n C6 40 ?? 69 // mov byte ptr [rax + 0x??], 69h ; 'i'\n C6 40 ?? 68 // mov byte ptr [rax + 0x??], 68h ; 'h'\n C6 40 ?? 6E // mov byte ptr [rax + 0x??], 6Eh ; 'n'\n C6 40 ?? 00 // mov byte ptr [rax + 0x??], 0\n }\n\n // tshd.c:572\n // TERM= string creation\n $hex_marker_2 = {\n C6 00 54 // mov byte ptr [rax], 54h ; 'T'\n C6 40 ?? 
4D // mov byte ptr [rax+3], 4Dh ; 'M'\n C6 40 ?? 45 // mov byte ptr [rax+1], 45h ; 'E'\n C6 40 ?? 3D // mov byte ptr [rax+4], 3Dh ; '='\n C6 40 ?? 52 // mov byte ptr [rax+2], 52h ; 'R'\n }\n\n // tshd.c:546\n // HISTFILE= string creation\n $hex_marker_3 = {\n C6 00 48 // mov byte ptr [rax], 48h ; 'H'\n C6 40 ?? 49 // mov byte ptr [rax+5], 49h ; 'I'\n C6 40 ?? 49 // mov byte ptr [rax+1], 49h ; 'I'\n C6 40 ?? 4C // mov byte ptr [rax+6], 4Ch ; 'L'\n C6 40 ?? 53 // mov byte ptr [rax+2], 53h ; 'S'\n C6 40 ?? 45 // mov byte ptr [rax+7], 45h ; 'E'\n C6 40 ?? 54 // mov byte ptr [rax+3], 54h ; 'T'\n C6 40 ?? 3D // mov byte ptr [rax+8], 3Dh ; '='\n C6 40 ?? 46 // mov byte ptr [rax+4], 46h ; 'F'\n C6 40 ?? 00 // mov byte ptr [rax+9], 0\n }\n\n // tshd.c:200\n // reconnect socket creation\n $hex_marker_4 = {\n E8 ?? ?? ?? ?? // call _sleep ; sleeps for reconnect delay\n ( BA 00 00 00 00 | 31 D2 ) // mov edx, 0 | xor edx, edx\n BE 01 00 00 00 // mov esi, 1\n BF 02 00 00 00 // mov edi, 2\n E8 ?? ?? ?? ?? // call _socket ; socket recreation\n 89 C? // mov ebx, eax\n 85 C0 // test eax, eax ; test for successful socket creation\n }\n\n // aes.c:312\n // part of 128bits AES key schedule\n $hex_marker_5 = {\n 48 8B 48 ?? // mov rcx, [rax+28h]\n 48 8B 10 // mov rdx, [rax]\n 49 33 10 // xor rdx, [r8]\n 44 0F B6 D1 // movzx r10d, cl\n 4E 8B 14 D6 // mov r10, [rsi+r10*8]\n 49 C1 E2 08 // shl r10, 8\n 4C 31 D2 // xor rdx, r10\n 41 89 CA // mov r10d, ecx\n 41 C1 EA 18 // shr r10d, 18h\n 4D 63 D2 // movsxd r10, r10d\n 4A 33 14 D6 // xor rdx, [rsi+r10*8]\n 49 89 CA // mov r10, rcx\n 49 C1 EA 10 // shr r10, 10h\n 45 0F B6 D2 // movzx r10d, r10b\n 4E 8B 14 D6 // mov r10, [rsi+r10*8]\n 49 C1 E2 18 // shl r10, 18h\n 4C 31 D2 // xor rdx, r10\n 0F B6 DD // movzx ebx, ch\n 4C 8B 14 DE // mov r10, [rsi+rbx*8]\n 49 C1 E2 10 // shl r10, 10h\n 4C 31 D2 // xor rdx, r10\n 48 89 50 ?? // mov [rax+30h], rdx\n 48 33 50 ?? // xor rdx, [rax+8]\n 48 89 50 ?? // mov [rax+38h], rdx\n 48 33 50 ?? 
// xor rdx, [rax+10h]\n 48 89 50 ?? // mov [rax+40h], rdx\n 48 33 50 ?? // xor rdx, [rax+18h]\n 48 89 50 ?? // mov [rax+48h], rdx\n 48 33 50 ?? // xor rdx, [rax+20h]\n 48 89 50 ?? // mov [rax+50h], rdx\n 48 31 CA // xor rdx, rcx\n 48 89 50 ?? // mov [rax+58h], rdx\n }\n\n // --- Markers for -O3 compilation ---\n // HISTFILE= string creation\n $hex_marker_6 = {\n 48 B8 48 49 53 54 46 49 4C 45 // mov rax, 'ELIFTSIH'\n 48 8D 5C 24 ?? // lea rbx, [rsp+0E8h+var_DC]\n 48 89 07 // mov [rdi], rax\n B8 3D 00 00 00 // mov eax, 3Dh ; '='\n 66 89 47 ?? // mov [rdi+8], ax\n }\n\n // /bin/sh string creation\n $hex_marker_7 = {\n 48 B8 2F 62 69 6E 2F 73 68 00 // mov rax, 'hs/nib/'\n 48 8D 77 ?? // lea rsi, [rdi+5]\n 45 31 C0 // xor r8d, r8d\n 4C 89 E1 // mov rcx, r12\n 48 89 07 // mov [rdi], rax\n }\n\n // TERM= string creation\n $hex_marker_8 = {\n C7 00 54 45 52 4D // mov dword ptr [rax], 'MRET'\n 4C 89 EE // mov rsi, r13 ; src\n 49 8D 7C 24 ?? // lea rdi, [r12+5] ; dest\n C6 40 ?? 3D // mov byte ptr [rax+4], 3Dh ; '='\n 8B 44 24 ?? // mov eax, [rsp+0E8h+var_DC]\n }\n\n // part of aes 256 key schedule with -O3 optimisation\n $hex_marker_9 = {\n 49 C1 E2 08 // shl r10, 8\n 4E 33 14 F8 // xor r10, [rax+r15*8]\n 49 31 D2 // xor r10, rdx\n 48 89 DA // mov rdx, rbx\n 48 C1 EA 10 // shr rdx, 10h\n 0F B6 D2 // movzx edx, dl\n 48 8B 14 D0 // mov rdx, [rax+rdx*8]\n 48 C1 E2 18 // shl rdx, 18h\n 4C 31 D2 // xor rdx, r10\n 4C 8B 14 F8 // mov r10, [rax+rdi*8]\n 49 C1 E2 10 // shl r10, 10h\n 4C 31 D2 // xor rdx, r10\n 49 33 53 ?? // xor rdx, [r11-8]\n 48 31 D5 // xor rbp, rdx\n 48 89 56 ?? // mov [rsi-40h], rdx\n 49 31 EC // xor r12, rbp\n 48 89 6E ?? // mov [rsi-38h], rbp\n 4C 31 E1 // xor rcx, r12\n 4C 89 66 ?? // mov [rsi-30h], r12\n 41 89 CA // mov r10d, ecx\n 44 0F B6 F9 // movzx r15d, cl\n 0F B6 FD // movzx edi, ch\n 48 89 4E ?? 
// mov [rsi-28h], rcx\n 41 C1 EA 18 // shr r10d, 18h\n 4E 33 04 F8 // xor r8, [rax+r15*8]\n 4E 8B 14 D0 // mov r10, [rax+r10*8]\n 49 C1 E2 18 // shl r10, 18h\n 4D 31 C2 // xor r10, r8\n 49 89 C8 // mov r8, rcx\n 49 C1 E8 10 // shr r8, 10h\n 45 0F B6 C0 // movzx r8d, r8b\n 4E 8B 04 C0 // mov r8, [rax+r8*8]\n 49 C1 E0 10 // shl r8, 10h\n 4D 31 D0 // xor r8, r10\n 4C 8B 14 F8 // mov r10, [rax+rdi*8]\n 48 8D 3D ?? ?? ?? ?? // lea rdi, unk_A078\n 49 C1 E2 08 // shl r10, 8\n 4D 31 D0 // xor r8, r10\n 4D 31 C5 // xor r13, r8\n 4C 89 46 ?? // mov [rsi-20h], r8\n 4D 31 EE // xor r14, r13\n 4C 89 6E ?? // mov [rsi-18h], r13\n 4C 31 F3 // xor rbx, r14\n 4C 89 76 ?? // mov [rsi-10h], r14\n 48 89 5E ?? // mov [rsi-8], rbx\n }\n\n condition:\n uint32(0) == 0x464C457F and filesize < 100KB and (($clear_marker_1 and 3 of ($hex_marker_*)) or 4 of ($hex_marker_*))\n}\n", "rule_count": 1, "rule_names": [ "tshd_tool" ], "rule_creation_date": "2021-10-21", "rule_modified_date": "2025-03-12", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Tool.TSHd" ], "rule_tactic_tags": [ "attack.execution", "attack.exfiltration" ], "rule_technique_tags": [ "attack.t1059", "attack.t1041" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-unknown_keylogger_bbb04dc29a85_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:46:25.566305Z", "creation_date": "2026-03-23T11:46:25.566308Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566317Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "unknown_keylogger_bbb04dc29a85.yar", "content": "rule unknown_keylogger_bbb04dc29a85 {\n meta:\n title = \"Unknown Keylogger (bbb04dc29a85)\"\n id = \"3878e784-a19f-4a7c-b634-bbb04dc29a85\"\n description = \"Detects unknown Keylogger.\\nAdversaries may log user keystrokes to intercept credentials.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"Internal Research\"\n date = \"2025-11-19\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.credential_access;attack.t1056.001\"\n classification = \"Windows.Keylogger.Unknown\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // da38f4cf0597cfe77af1fad67444cd123aa5106270b89e963f0f8c2635fc1c28\n\n $strings1 = \"bad layout :/\" ascii fullword\n $strings2 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Keyboard Layouts\" ascii fullword\n $strings3 = \"{ \\\"time\\\": %d, \\\"klid\\\": \\\"%s\\\", \\\"keyup\\\": %d, \\\"sc\\\": %d, \\\"e0\\\": %d, \\\"e1\\\": %d, \\\"vk\\\": %d, \\\"vkn\\\": \\\"%s\\\" }\" ascii fullword\n $strings4 = \"%s%d%d.log\" ascii fullword\n $strings5 = \"myspecialkeyyyy\" ascii fullword\n\n $state = {\n 89 C8 // mov eax, ecx\n 45 8A 14 08 // mov r10b, [r8+rcx]\n 99 // cdq\n F7 FB // idiv ebx\n 48 63 D2 // movsxd rdx, edx\n 0F BE 04 16 // movsx eax, byte ptr [rsi+rdx]\n 41 0F B6 D2 // movzx edx, r10b\n 44 01 CA // add edx, 
r9d\n 01 D0 // add eax, edx\n 99 // cdq\n 41 F7 FB // idiv r11d\n 48 63 C2 // movsxd rax, edx\n 49 89 C1 // mov r9, rax\n 4C 01 C0 // add rax, r8\n 8A 10 // mov dl, [rax]\n 41 88 14 08 // mov [r8+rcx], dl\n 48 FF C1 // inc rcx\n 44 88 10 // mov [rax], r10b\n 48 81 F9 00 01 00 00 // cmp rcx, 100h\n 75 ?? // jnz short loc_14000B869\n }\n\n condition:\n 4 of ($strings*) or $state\n}\n", "rule_count": 1, "rule_names": [ "unknown_keylogger_bbb04dc29a85" ], "rule_creation_date": "2025-11-19", "rule_modified_date": "2025-11-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Keylogger.Unknown" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1056.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-unknown_trojan_02d60f98fde4_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566191Z", "creation_date": "2026-03-23T11:46:25.566195Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566201Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "unknown_trojan_02d60f98fde4.yar", "content": "rule 
unknown_trojan_02d60f98fde4 {\n meta:\n title = \"Unknown Trojan (02d60f98fde4)\"\n id = \"ec5d9f8e-c6b0-4b13-9a6d-02d60f98fde4\"\n description = \"Detects unknown remote access tool (RAT).\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"Internal Research\"\n date = \"2025-11-18\"\n modified = \"2025-11-19\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.privilege_escalation;attack.t1134.001;attack.command_and_control;attack.t1132.001;attack.t1071.001\"\n classification = \"Windows.Trojan.Unknown\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 419b0d03d3639bbd86b7b71e0ec090aa10938f1576d81a7ef4c5810ae21ca2ee\n // 605b0a0134b0d9f08f1c1815e6086ac673c655dcebd82609475496723ca2deeb\n\n $string1 = \"Bypass traverse checking\" ascii fullword\n $string2 = \"Remove computer from docking station\" ascii fullword\n $string3 = \"PRIVILEGES INFORMATION\" ascii fullword\n $string4 = \"Force shutdown from a remote system\" ascii fullword\n $string5 = \"Obtain an impersonation token for another user in the same session\" ascii fullword\n\n $function1 = \"UTILS_get_command_prompt\" ascii fullword\n $function2 = \"UTILS_get_impersonated_user_and_sid\" ascii fullword\n $function3 = \"drunk_strdup\" ascii fullword\n $function4 = \"drunk_cacheenv\" ascii fullword\n $function5 = \"NETWORK_get_next_packet\" ascii fullword\n\n $json1 = \"{\\\"status\\\":\\\"READY_FOR_INPUT\\\",\\\"prompt\\\":\\\"%s\\\"}\"\n $json2 = \"{\\\"status\\\":\\\"COMMAND_OUTPUT\\\",\\\"content\\\":\\\"%s\\\"}\"\n $json3 = \"{\\\"status\\\":\\\"READY_FOR_DOWNLOAD\\\",\\\"local_filepath\\\":\\\"%s\\\",\\\"filelen\\\":%lld}\"\n $json4 = \"[+] prompt: %s\"\n $json5 = \"[!] 
Invalid packet type: %d\"\n\n // get_priv()\n $get_priv = {\n 8B 85 9C 06 00 00 // mov eax, [rbp+6C0h+var_24]\n 48 98 // cdqe\n 48 C1 E0 04 // shl rax, 4\n 48 8D 80 B0 06 00 00 // lea rax, [rax+6B0h]\n 48 01 E8 // add rax, rbp\n 48 2D D0 05 00 00 // sub rax, 5D0h\n 48 8B 00 // mov rax, [rax]\n 48 8D 55 D0 // lea rdx, [rbp+6C0h+Name]\n 48 89 C1 // mov rcx, rax\n E8 ?? ?? ?? ?? // call drunk_strcmp\n 85 C0 // test eax, eax\n }\n\n // JSON_parse_packet()\n $json_parse_packet = {\n 48 8B 85 E8 00 00 00 // mov rax, [rbp+120h+var_38]\n 48 8B 48 08 // mov rcx, [rax+8]\n 48 8B 95 00 01 00 00 // mov rdx, [rbp+120h+var_20]\n 48 89 D0 // mov rax, rdx\n 48 01 C0 // add rax, rax\n 48 01 D0 // add rax, rdx\n 48 C1 E0 03 // shl rax, 3\n 48 01 C1 // add rcx, rax\n 48 8B 01 // mov rax, [rcx]\n 48 8B 51 08 // mov rdx, [rcx+8]\n 48 89 45 A0 // mov [rbp+120h+var_180], rax\n 48 89 55 A8 // mov [rbp+120h+var_178], rdx\n 48 8B 41 10 // mov rax, [rcx+10h]\n 48 89 45 B0 // mov [rbp+120h+var_170], rax\n 48 8B 45 A8 // mov rax, [rbp+120h+var_178]\n 48 89 85 C8 00 00 00 // mov [rbp+120h+var_58], rax\n 48 8B 85 00 01 00 00 // mov rax, [rbp+120h+var_20]\n 48 8D 14 C5 00 00 00 00 // lea rdx, ds:0[rax*8]\n 48 8B 85 D8 00 00 00 // mov rax, [rbp+120h+var_48]\n 48 8D 1C 02 // lea rbx, [rdx+rax]\n 48 8B 85 C8 00 00 00 // mov rax, [rbp+120h+var_58]\n 48 89 C1 // mov rcx, rax\n E8 // call drunk_strdup\n }\n\n condition:\n all of ($string*) or\n 3 of ($function*) or\n 3 of ($json*) or\n $get_priv or\n $json_parse_packet\n}\n", "rule_count": 1, "rule_names": [ "unknown_trojan_02d60f98fde4" ], "rule_creation_date": "2025-11-18", "rule_modified_date": "2025-11-19", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Unknown" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1071.001", "attack.t1132.001", "attack.t1134.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", 
"process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-upx_modified_0df8b9726b10_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586695Z", "creation_date": "2026-03-23T11:46:25.586697Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586703Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\nhttps://github.com/NozomiNetworks/upx-recovery-tool\nhttps://attack.mitre.org/techniques/T1027/002/" ], "name": "upx_modified_0df8b9726b10.yar", "content": "rule upx_modified_0df8b9726b10 {\n meta:\n title = \"Modified UPX-packed Binary (0df8b9726b10)\"\n id = \"f1034293-63c3-4ed1-83bb-0df8b9726b10\"\n description = \"Detects modified UPX-packed 64-bit binaries.\\nThis rule identifies binaries packed with non-standard UPX versions, which are often used by adversaries to evade analysis and detection.\\nNon-standard UPX packing can prevent automated unpacking tools from extracting the original payload, as seen in campaigns like Mirai.\"\n references = 
\"https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\\nhttps://github.com/NozomiNetworks/upx-recovery-tool\\nhttps://attack.mitre.org/techniques/T1027/002/\"\n date = \"2024-09-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.002\"\n classification = \"Linux.Generic.UPXModified\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049\n // 4a719439027a279b14a05d650691bed6e0a437ae87fb55895406616a55c6c720\n // f6036209fb853abeae000802cbd724fcc4bf6e8586a299a1459f87f46c23d2ad\n // 3ef65ce27d39b037d75bdc16b197e04f3b391f76c2da5f2f755e2ded38bb9078\n\n $ep_0 = {\n E8 ?? ?? ?? ?? // call loc_10B760\n 55 // push rbp\n 53 // push rbx\n 51 // push rcx\n 52 // push rdx\n 48 01 FE // add rsi, rdi\n 56 // push rsi\n 48 89 FE // mov rsi, rdi\n 48 89 D7 // mov rdi, rdx\n 31 DB // xor ebx, ebx\n 31 C9 // xor ecx, ecx\n 48 83 CD FF // or rbp, 0FFFFFFFFFFFFFFFFh\n E8 ?? ?? ?? ?? // call sub_10B600\n }\n\n $ep_1 = {\n E8 ?? ?? ?? ?? // call loc_4B5A68\n 55 // push rbp\n 53 // push rbx\n 51 // push rcx\n 52 // push rdx\n 48 01 FE // add rsi, rdi\n 56 // push rsi\n 41 80 F8 0E // cmp r8b, 0Eh\n 0F ?? ?? ?? ?? ?? // jnz loc_4B599B\n 55 // push rbp\n 48 89 E5 // mov rbp, rsp\n 44 8B 09 // mov r9d, [rcx]\n }\n\n condition:\n uint32(0)== 0x464c457f and\n for any i in (0 .. 
uint16(0x38)) : (\n 0x00000005 == uint32(uint32(0x20) + (uint16(0x38) * i) + 4) and\n for any of ($ep_*):($ at uint32(0x18) - uint32(uint32(0x20) + (uint16(0x36) * i) + 16))\n )\n and\n (\n uint32(filesize - 0x24) == uint32(uint16(0x38) * uint16(0x36) + uint16(0x34) + 4) and\n not 0x21585055 == uint32(uint16(0x38) * uint16(0x36) + uint16(0x34) + 4)\n )\n}\n", "rule_count": 1, "rule_names": [ "upx_modified_0df8b9726b10" ], "rule_creation_date": "2024-09-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Generic.UPXModified" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.002" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-upx_modified_87e12265bc58_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576947Z", "creation_date": "2026-03-23T11:46:25.576949Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576955Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\nhttps://github.com/NozomiNetworks/upx-recovery-tool\nhttps://attack.mitre.org/techniques/T1027/002/" ], "name": "upx_modified_87e12265bc58.yar", "content": "rule upx_modified_87e12265bc58 {\n meta:\n title = \"Modified UPX-packed Binary (87e12265bc58)\"\n id = \"cd466c14-57e0-49c1-8315-87e12265bc58\"\n description = \"Detects modified UPX-packed 32-bit binaries.\\nThis rule identifies binaries packed with non-standard UPX versions, which are often used by adversaries to evade analysis and detection.\\nNon-standard UPX packing can prevent automated unpacking tools from extracting the original payload, as seen in campaigns like Mirai.\"\n references = \"https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html\\nhttps://github.com/NozomiNetworks/upx-recovery-tool\\nhttps://attack.mitre.org/techniques/T1027/002/\"\n date = \"2024-09-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027.002\"\n classification = \"Linux.Generic.UPXModified\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 4e0bd6c7edffb147bfc03ec5acecefd01afde6990f9f36b02b53e780509c1ef5\n // fa6e9fa320810064fe960965c5e6cb549c8edbb920ccbe54d5aab19c3d1f2299\n // e9fd0bd2f053aadcfb23a23f0bb0effe60c22d06f9ecb2a35a49f6f0aec38173\n // e22ddcc0bc26fbee04307d635fdb430445512e7f63df1de7643ecbc4f6aba6f8\n\n $ep = {\n 50 // push eax\n E8 ?? ?? ?? ?? // call loc_8061420\n EB 0E // jmp short loc_806127E\n 5A // pop edx\n 58 // pop eax\n 59 // pop ecx\n 97 // xchg eax, edi\n 60 // pusha\n 8A 54 24 20 // mov dl, [esp+20h]\n E9 ?? ?? ?? ?? // jmp loc_806136B\n\n // loc_806127E:\n 60 // pusha\n }\n\n condition:\n uint32(0)==0x464c457f and\n for any i in (0 .. 
uint16(0x2C)) : (\n 0x00000005 == uint32(uint32(0x1C) + (uint16(0x2A) * i) + 24) and\n $ep at uint32(0x18) - uint32(uint32(0x1C) + (uint16(0x2A) * i) + 8)\n )\n and\n (\n uint32(filesize - 0x24) == uint32(uint16(0x2C) * uint16(0x2A) + uint16(0x28) + 4) and\n not 0x21585055 == uint32(uint16(0x2C) * uint16(0x2A) + uint16(0x28) + 4)\n )\n}\n", "rule_count": 1, "rule_names": [ "upx_modified_87e12265bc58" ], "rule_creation_date": "2024-09-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Generic.UPXModified" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1027.002" ], "rule_score": 70, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-venomproxy_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573360Z", "creation_date": "2026-03-23T11:46:25.573362Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573368Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://github.com/Dliv3/Venom\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms\nhttps://attack.mitre.org/techniques/T1090/003/" ], "name": "venomproxy.yar", "content": "rule venomproxy {\n meta:\n title = \"Venom Proxy\"\n id = \"6823ef1b-1469-4539-860e-4d2f39ac24a2\"\n description = \"Detects the Venom Proxy Hacktool, a multi-hop proxy used by penetration testers.\\nIt is designed to proxy network traffic through multiple internal layers, particularly targeting IoT devices with limited resources.\\nIt is recommended to investigate the context around the usage of this tool to determine whether its presence on the host is legitimate.\"\n references = \"https://github.com/Dliv3/Venom\\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms\\nhttps://attack.mitre.org/techniques/T1090/003/\"\n date = \"2024-01-08\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1090.003\"\n os = \"Windows,Linux,MacOS\"\n classification = \"HackTool.VenomProxy\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 3916ba913e4d9a46cfce437b18735bbb5cc119cc97970946a1ac4eab6ab39230\n // ab43a5e96e31fd9a2ac604c063b402cbf329e0bf842fa5073c74d3f756a06f94\n\n $venom = \"github.com/Dliv3/Venom\" ascii wide\n\n condition:\n #venom > 3\n}\n", "rule_count": 1, "rule_names": [ "venomproxy" ], "rule_creation_date": "2024-01-08", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "HackTool.VenomProxy" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1090.003" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-vidar_stealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577779Z", "creation_date": "2026-03-23T11:46:25.577781Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577787Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1587/001/\nhttps://attack.mitre.org/techniques/T1539/\nhttps://attack.mitre.org/techniques/T1087/\nhttps://attack.mitre.org/techniques/T1095/\nhttps://twitter.com/GossiTheDog/status/1582690317886578688" ], "name": "vidar_stealer.yar", "content": "rule vidar_stealer {\n meta:\n title = \"Vidar Stealer\"\n id = \"90f2167f-c143-4e5f-adfb-330bd8bfc585\"\n description = \"Detects the Vidar Stealer.\\nVidar is a sophisticated credential stealer that targets banking credentials, cryptocurrency wallets, and browser-based authentication information. 
It employs various techniques to extract sensitive data from infected systems, including direct process injection and browser-based attacks.\\nVidar is known to use obfuscation techniques to avoid detection and operates with a modular structure that enhances its capabilities.\\nIt is recommended to perform a thorough investigation to identify any stolen credentials as well as to force a reset of the user's domain credentials.\"\n references = \"https://attack.mitre.org/techniques/T1587/001/\\nhttps://attack.mitre.org/techniques/T1539/\\nhttps://attack.mitre.org/techniques/T1087/\\nhttps://attack.mitre.org/techniques/T1095/\\nhttps://twitter.com/GossiTheDog/status/1582690317886578688\"\n date = \"2022-10-20\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1587.001;attack.t1539;attack.t1087;attack.t1095\"\n classification = \"Windows.Stealer.Vidar\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 725ca9e0571a6651e1bcf7dcf5d921fb004e753d67bfd135bd61f178b8aa5e4c\n // 69626fbeef10445942c756a5cf325ff0f5ae7b571b436ab169d0680bd3d945c2\n\n $crypto_1 = \"Leap Terra\" fullword\n $crypto_2 = \"Martian Wallet\" fullword\n $crypto_3 = \"Petra Wallet\" fullword\n $crypto_4 = \"Pontem Wallet\" fullword\n $crypto_5 = \"GeroWallet\" fullword\n $crypto_6 = \"OKX Web3 Wallet\" fullword\n\n $paths_1 = \"*wallet*.dat\" fullword\n $paths_2 = \"\\\\Autofill\\\\%s_%s.txt\" fullword\n $paths_3 = \"\\\\History\\\\%s_%s.txt\" fullword\n $paths_4 = \"\\\\Downloads\\\\%s_%s.txt\" fullword\n $paths_5 = \"%s\\\\%s\\\\%s\\\\chrome-extension_%s_0.indexeddb.leveldb\" fullword\n\n $strings_1 = \"delays.tmp\" wide fullword\n $strings_2 = \"avghookx.dll\" wide fullword\n $strings_3 = \"https://t.me/\" ascii\n $strings_4 = \"https://steamcommunity.com/profiles/\" ascii\n $strings_5 = \"Content-Disposition: form-data; name=\\\"token\\\"\" ascii 
fullword\n $strings_6 = \"Work Dir: In memory\" ascii fullword\n\n $config = {\n 5b 48 61 72 64 77 61 72 65 5d 0a 00 01 // [Hardware]\n 50 72 6f 63 65 73 73 6f 72 3a 20 00 01 // Processor:\n 43 6f 72 65 73 3a 20 00 01 // Cores:\n 54 68 72 65 61 64 73 3a 20 00 01 // Threads:\n 52 41 4d 3a 20 00 01 // RAM:\n 56 69 64 65 6f 43 61 72 64 3a 20 00 01 // VideoCard:\n 5b 50 72 6f 63 65 73 73 65 73 5d 00 01 // [Processes]\n 5b 53 6f 66 74 77 61 72 65 5d 00 01 // [Software]\n 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 74 78 74 00 01 // information.txt\n }\n\n condition:\n (2 of ($crypto_*) and 2 of ($paths_*)) or\n (2 of ($crypto_*) and 4 of ($strings_*)) or\n (all of ($strings_*)) or\n (\n $config and\n (\n 2 of ($crypto_*) or\n 2 of ($paths_*) or\n 2 of ($strings_*)\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "vidar_stealer" ], "rule_creation_date": "2022-10-20", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.Vidar" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1539", "attack.t1095", "attack.t1587.001", "attack.t1087" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-viotto_keylogger_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569052Z", "creation_date": "2026-03-23T11:46:25.569054Z", 
"enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569060Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://breakingsecurity.net/viottokeylogger/\nhttps://attack.mitre.org/techniques/T1056/001/" ], "name": "viotto_keylogger.yar", "content": "rule viotto_keylogger {\n meta:\n title = \"Viotto Keylogger\"\n id = \"4bc8a45f-6c3e-447a-bb79-d82b509faa89\"\n description = \"Detects the Viotto keylogger.\\nViotto is a sophisticated keylogger designed for Windows that captures keystrokes, clipboard data, and system activity. It is capable of recording sensitive information such as login credentials, banking details, and other keystroke data, which can then be exfiltrated for malicious purposes.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://breakingsecurity.net/viottokeylogger/\\nhttps://attack.mitre.org/techniques/T1056/001/\"\n date = \"2023-11-02\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.collection;attack.credential_access;attack.t1056.001\"\n classification = \"Windows.Keylogger.Viotto\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 74997d3d414d1db55e5c45766801d75fe6939c3fee5caf35daec55f249af990a\n\n $s1 = \"Keylogger initialization failure: error\" ascii fullword\n $s2 = \"{User was idle for\" ascii fullword\n $s3 = \"* ViottoKeylogger v\" ascii fullword\n $s4 = \"Keylogger Started\" wide fullword\n $s5 = \"[%04i/%02i/%02i %02i:%02i:%02i\" wide fullword\n\n condition:\n 4 of them\n}\n", "rule_count": 1, "rule_names": [ "viotto_keylogger" ], "rule_creation_date": "2023-11-02", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], 
"rule_classifications": [ "Windows.Keylogger.Viotto" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1056.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-viragt64-Killer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576081Z", "creation_date": "2026-03-23T11:46:25.576083Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576089Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/BlackSnufkin/BYOVD/tree/main/Viragt64-Killer/\nhttps://www.loldrivers.io/drivers/7edb5602-239f-460a-89d6-363ff1059765/\nhttps://attack.mitre.org/techniques/T1562/001/" ], "name": "viragt64-Killer.yar", "content": "rule viragt64_killer {\n meta:\n title = \"Viragt64-Killer HackTool\"\n id = \"cc70eb8a-14b9-4613-8083-218119e876dc\"\n description = \"Detects Viragt64-Killer, a tool that uses the viragt64.sys vulnerable driver to terminate protected processes.\\nThis tool loads the driver and utilizes its capabilities to specifically target and kill the specified processes, potentially evading security measures by 
terminating protected or critical system processes.\\nIt is recommended to isolate the affected system and perform a detailed investigation to identify any unauthorized process termination and to remediate the root cause.\"\n references = \"https://github.com/BlackSnufkin/BYOVD/tree/main/Viragt64-Killer/\\nhttps://www.loldrivers.io/drivers/7edb5602-239f-460a-89d6-363ff1059765/\\nhttps://attack.mitre.org/techniques/T1562/001/\"\n date = \"2024-02-21\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1562.001;attack.t1211\"\n classification = \"Windows.HackTool.Viragt64Killer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 0ba8546c6f8e7838c7c9b7d94a72641d49809c9d3ac7592157e1b994dcc07659\n\n $device = \"\\\\\\\\.\\\\viragtlt\" wide ascii\n $winapi_01 = \"CreateFile\" wide ascii\n $winapi_02 = \"DeviceIoControl\" wide ascii\n $winapi_03 = \"CreateToolhelp32Snapshot\" wide ascii\n $winapi_04 = \"Process32First\" wide ascii\n $winapi_05 = \"Process32Next\" wide ascii\n $winapi_06 = \"OpenSCManager\" wide ascii\n $winapi_07 = \"OpenService\" wide ascii\n $winapi_08 = \"StartService\" wide ascii\n $winapi_09 = \"CreateService\" wide ascii\n $IOCTL_kill = { (82 73 00 30|30 00 73 82) }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "viragt64_killer" ], "rule_creation_date": "2024-02-21", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Viragt64Killer" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1562.001", "attack.t1211" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vlany_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572403Z", "creation_date": "2026-03-23T11:46:25.572405Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572411Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/mempodippy/vlany/" ], "name": "vlany.yar", "content": "rule linux_library_rootkit_vlany {\n meta:\n title = \"Vlany Rootkit\"\n id = \"ba361fba-c795-4a9a-8562-5d2debba71d8\"\n description = \"Detects the Vlany Rootkit.\\nVlany is a userland rootkit that uses LD_PRELOAD to inject malicious payloads by hijacking environment variables used by the dynamic linker to load shared libraries.\\nThis enables attackers to intercept and control most function calls, establishing persistence and elevation of privilege on the system.\"\n references = \"https://github.com/mempodippy/vlany/\"\n date = \"2023-12-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.004;attack.persistence;attack.t1574.006;attack.defense_evasion;attack.t1014;attack.t1070;attack.t1564;attack.credential_access;attack.t1556;attack.command_and_control;attack.t1095\"\n classification = \"Linux.Rootkit.Vlany\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $a0 = \"VLANY_USER\" ascii\n $a1 
= \"VLANY_PASSWORD\" ascii\n $a2 = \"HIDDEN_XATTR_1_STR\" ascii\n $a3 = \"FAKEMAPS_FILE\" ascii\n $a4 = \"[vlany] pam_authenticate()\" ascii\n $a5 = \"old_pam_authenticate\" ascii\n $a6 = \"old_pam_acct_mgmt\" ascii\n $a7 = \"pbackconnect\" ascii\n $a8 = \"[+] shell dropped\" ascii\n $a9 = \"Temporary backdoor message.\" ascii\n $a10 = \"hidden_xattr\" ascii\n $a11 = \"old_fgetflags\" ascii\n\n condition:\n (uint32be(0) == 0x7F454c46) // ELF\n and ((uint16be(0x10) == 0x03) or (uint16(0x10) == 0x03)) // ET_DYN\n and (2 of them)\n}\n", "rule_count": 1, "rule_names": [ "linux_library_rootkit_vlany" ], "rule_creation_date": "2023-12-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Vlany" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1095", "attack.t1070", "attack.t1564", "attack.t1014", "attack.t1556", "attack.t1574.006", "attack.t1059.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_downloader_46ce68b2fb8d_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582842Z", "creation_date": "2026-03-23T11:46:25.582845Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582850Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": "vshell_downloader_46ce68b2fb8d.yar", "content": "rule vshell_downloader_46ce68b2fb8d {\n meta:\n title = \"Vshell Downloader (46ce68b2fb8d)\"\n id = \"bd5e5f23-c32a-4b33-919d-46ce68b2fb8d\"\n description = \"Detects VShell downloader, an open-source Remote Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Windows.Trojan.Vshell\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 139fda35b488f78815c5e2ba7cda1ee344bd62619849618302445956100fc604\n\n $init_socket_data = {\n C1 E8 08 // shr eax, 8\n 88 44 24 11 // mov [esp+1B8h+var_1A7], al\n 8B C1 // mov eax, ecx\n C1 E8 10 // shr eax, 10h\n 88 44 24 12 // mov [esp+1B8h+var_1A6], al\n 0F B6 44 24 1A // movzx eax, [esp+1B8h+name.sa_data]\n 88 44 24 14 // mov [esp+1B8h+var_1A4], al\n 8B 44 24 1A // mov eax, dword ptr [esp+1B8h+name.sa_data]\n C1 E8 08 // shr eax, 8\n 6A 00 // push 
0\n 88 44 24 19 // mov [esp+1BCh+var_1A3], al\n 8D 44 24 14 // lea eax, [esp+1BCh+buf]\n 6A 06 // push 6\n 50 // push eax\n C1 E9 18 // shr ecx, 18h\n }\n\n $recv_64k_bytes = {\n // loc_401102:\n 03 F0 // add esi, eax\n 6A 00 // push 0\n 68 00 40 06 00 // push 64000h\n 8D 04 1E // lea eax, [esi+ebx]\n 50 // push eax\n 57 // push edi\n FF 15 ?? ?? ?? ?? // call ds:recv\n 83 F8 01 // cmp eax, 1\n 7D ?? // jge short loc_401102\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "vshell_downloader_46ce68b2fb8d" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Vshell" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1219", "attack.t1071.001", "attack.t1105", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_downloader_63bd2fe02318_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572223Z", "creation_date": "2026-03-23T11:46:25.572225Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572231Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": 
"strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": "vshell_downloader_63bd2fe02318.yar", "content": "rule vshell_downloader_63bd2fe02318 {\n meta:\n title = \"Vshell Downloader (63bd2fe02318)\"\n id = \"53ecdf51-5ba7-4769-ae4e-63bd2fe02318\"\n description = \"Detects VShell downloader, an open-source Remote Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Linux.Trojan.Vshell\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // facafec4183ca19a003b941f3c668917a3b5ab891e7c939d1e6fc37692416942\n // 135225af2c69619d31526f7cf7618ea7571d4600bb0f4a24beaa77c4724ec7c5\n // f453e109e0842a47be594413ba98c33f2a9026ce84c9d1f538a050ec5f0fb508\n // 99aa496fa2b51134124756de663cf8bfd28b91b514e7cb605e53a86db168a1a2\n // 4c0ace878616b963dd6ed320ace24309eaeacfc143255d1639d83130a244719c\n // 5b1866237c1e4d47e51d76d5209450e17f39d6f50e5877d721eb4669f3812d61\n\n $init_socket_data = {\n C1 E8 08 // shr eax, 8\n 88 85 ?? EF FF FF // mov byte ptr [rbp+var_1016+1], al\n 8B 85 ?? EF FF FF // mov eax, dword ptr [rbp+var_1040+4]\n C1 E8 10 // shr eax, 10h\n 88 85 ?? 
EF FF FF // mov byte ptr [rbp+var_1016+2], al\n 8B 85 ?? EF FF FF // mov eax, dword ptr [rbp+var_1040+4]\n C1 E8 18 // shr eax, 18h\n 88 85 ?? EF FF FF // mov byte ptr [rbp+var_1016+3], al\n 0F B7 85 ?? EF FF FF // movzx eax, word ptr [rbp+var_1040+2]\n 88 85 ?? EF FF FF // mov byte ptr [rbp+var_1012], al\n 0F B7 85 ?? EF FF FF // movzx eax, word ptr [rbp+var_1040+2]\n 66 C1 E8 08 // shr ax, 8\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "vshell_downloader_63bd2fe02318" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Trojan.Vshell" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1219", "attack.t1071.001", "attack.t1105", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_downloader_a1357f63e730_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575166Z", "creation_date": "2026-03-23T11:46:25.575168Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575174Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": 
null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": "vshell_downloader_a1357f63e730.yar", "content": "rule vshell_downloader_a1357f63e730 {\n meta:\n title = \"Vshell Downloader (a1357f63e730)\"\n id = \"2b0f39b1-874b-4aa9-8406-a1357f63e730\"\n description = \"Detects VShell downloader, an open-source Remote Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Windows.Trojan.Vshell\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ac46402b0cc22ff88c9dca8c1ab129e167b100622c08efae2196f9bf2dfe0f7e\n // 27e442e87c58cd7eb5fd126cc4b208eeffdd7fbb284548d215f07511f7922934\n\n $init_socket_data = {\n C1 E8 08 // shr eax, 8\n 88 84 24 E1 01 00 00 // mov [rsp+1D8h+arg_1], al\n 8B C1 // mov eax, ecx\n C1 E8 10 // shr eax, 10h\n 45 8D 41 06 // lea r8d, [r9+6]\n 88 84 24 E2 01 00 00 // mov [rsp+1D8h+arg_2], al\n 0F B6 44 24 22 // movzx eax, [rsp+1D8h+name.sa_data]\n 88 84 24 E4 01 00 00 // mov [rsp+1D8h+arg_4], al\n 0F B7 44 24 22 // movzx eax, word ptr [rsp+1D8h+name.sa_data]\n C1 E9 18 // shr ecx, 18h\n }\n\n $recv_64k_bytes = {\n // loc_140001150:\n 03 F8 // add edi, eax\n 45 33 C9 // xor r9d, r9d\n 8B 
D7 // mov edx, edi\n 41 B8 00 40 06 00 // mov r8d, 64000h\n 48 03 D6 // add rdx, rsi\n 48 8B CB // mov rcx, rbx\n FF 15 ?? ?? ?? ?? // call cs:recv\n 83 F8 01 // cmp eax, 1\n 7D ?? // jge short loc_140001150\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "vshell_downloader_a1357f63e730" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Vshell" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1219", "attack.t1071.001", "attack.t1105", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_shellcode_54c28b4f1adb_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576722Z", "creation_date": "2026-03-23T11:46:25.576724Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576730Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": 
"vshell_shellcode_54c28b4f1adb.yar", "content": "rule vshell_shellcode_54c28b4f1adb {\n meta:\n title = \"Vshell Shellcode (54c28b4f1adb)\"\n id = \"eba199b3-a446-4c06-aa53-54c28b4f1adb\"\n description = \"Detects VShell shellcode, an open-source Remote Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Windows.Trojan.Vshell\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // cb1a8963f14fe84b38e9ca66bc838cd7b6725c491155615ca0e9d11a03618982\n\n $init_socket_data = {\n // loc_66:\n 6A 10 // push 10h\n 8D 44 24 1C // lea eax, [esp+1E4h+var_1C8]\n 50 // push eax\n 56 // push esi\n FF ?? ?? ?? // call [esp+1ECh+var_19C]\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_66\n }\n\n $virtualprotect_rwx = {\n FF ?? ?? ?? // call [esp+1F0h+var_198]\n 6A 40 // push 40h\n 68 00 10 00 00 // push 1000h\n 68 80 C3 C9 01 // push 1C9C380h\n 53 // push ebx\n FF ?? ?? ?? // call [esp+1F0h+var_1B0]\n 33 FF // xor edi, edi\n 8B D8 // mov ebx, eax\n 57 // push edi\n 68 00 40 06 00 // push 64000h\n 53 // push ebx\n EB ?? 
// jmp short loc_FB\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "vshell_shellcode_54c28b4f1adb" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Vshell" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1105", "attack.t1219", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_shellcode_cc755ed58072_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582914Z", "creation_date": "2026-03-23T11:46:25.582916Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582921Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": "vshell_shellcode_cc755ed58072.yar", "content": "rule vshell_shellcode_cc755ed58072 {\n meta:\n title = \"Vshell Shellcode (cc755ed58072)\"\n id = \"c52c8577-f4ad-4ac7-bab2-cc755ed58072\"\n description = \"Detects VShell shellcode, an open-source Remote 
Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Windows.Trojan.Vshell\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 214ba85cb1b8edaca33a8d06b775fd40f4d19353b9356877fc74fcab66ff8749\n\n $connect_syscall = {\n // loc_113:\n 41 B8 10 00 00 00 // mov r8d, 10h\n 48 8D 54 24 50 // lea rdx, [rsp+230h+var_1E0]\n 48 8B CB // mov rcx, rbx\n 41 FF ?? // call r14\n 85 C0 // test eax, eax\n 75 ?? // jnz short loc_113\n }\n\n $virtualprotect_rwx = {\n 41 FF ?? // call r12\n 33 C9 // xor ecx, ecx\n BA 80 C3 C9 01 // mov edx, 1C9C380h\n 41 B8 00 10 00 00 // mov r8d, 1000h\n 44 8D 49 40 // lea r9d, [rcx+40h]\n 41 FF ?? // call r13\n 48 8B F0 // mov rsi, rax\n 48 8B D0 // mov rdx, rax\n 41 BE 00 40 06 00 // mov r14d, 64000h\n EB ?? 
// jmp short loc_1C9\n }\n\n condition:\n all of them\n}\n", "rule_count": 1, "rule_names": [ "vshell_shellcode_cc755ed58072" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Vshell" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1105", "attack.t1219", "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-vshell_trojan_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586940Z", "creation_date": "2026-03-23T11:46:25.586942Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586947Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/" ], "name": "vshell_trojan.yar", "content": "rule vshell_trojan {\n meta:\n title = \"Vshell Trojan\"\n id = \"639dea78-cd79-4c4d-b1c3-b67300a18541\"\n description = \"Detects VShell, an open-source Remote Access Tool (RAT), that has been publicly available on GitHub.\\nVShell is 
a remote administration tool that has been used by threat actors to establish stealthy, persistent access during malicious operations and is often associated with Chinese threat actors.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell\\nhttps://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/\"\n date = \"2025-07-02\"\n modified = \"2025-11-04\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1027;attack.command_and_control;attack.t1219;attack.t1071.001;attack.t1105\"\n classification = \"Trojan.Vshell\"\n context = \"process,memory,thread,file.pe,file.elf\"\n os = \"Windows,Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 26f5f162ed45f85b614b8bae26aae924562810481398eccfd3938455d45356da\n // f2faebe77bb6418a6b4d4b598f69d99b41a6f7a6bb89dad20397e602f00131fd\n // 808f7a0c1fab653db89758b7b1e8db36a576cd4a9754ef6f4287ea95c3dffb32\n\n $a1 = \"json:\\\"vkey\\\"\" ascii fullword\n $a2 = \"SendVshell\" ascii fullword\n $a3 = \"*conn.VshellBody\" ascii fullword\n $a4 = \"gin-gonic/lib/conn.(*Conn).GetLinkInfo\" ascii fullword\n $a5 = \"gin-gonic/lib/conn.(*Conn).SendVshell\" ascii fullword\n $a6 = \"vendor/golang.org/x/net/http/httpproxy.(*Config).ProxyFunc\" ascii fullword\n\n $b1 = \"json:\\\"vkey\\\"\" ascii fullword\n $b2 = \"genconfig.ClientCfg/Typegenconfig.ClientCfg/Vkey\" ascii\n $b3 = \"non-empty stringnon-empty string Vkey\" ascii\n $b4 = \"WebUserName\" ascii fullword\n $b5 = \"ConfigConnAllow\" ascii fullword\n $b6 = \"MaxTunnelNum\" ascii fullword\n\n condition:\n all of ($a*) or all of ($b*)\n}\n", "rule_count": 1, "rule_names": [ "vshell_trojan" ], "rule_creation_date": "2025-07-02", "rule_modified_date": "2025-11-04", "rule_os": [ "windows", "linux" ], "rule_classifications": [ "Trojan.Vshell" ], "rule_tactic_tags": [ 
"attack.command_and_control", "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1219", "attack.t1071.001", "attack.t1105", "attack.t1027" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-warmcookie_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.575095Z", "creation_date": "2026-03-23T11:46:25.575097Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.575103Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.elastic.co/security-labs/dipping-into-danger" ], "name": "warmcookie.yar", "content": "rule warmcookie {\n meta:\n title = \"WarmCookie Backdoor\"\n id = \"cd4872ed-82d9-470f-b4e9-ae053615167b\"\n description = \"Detects the WarmCookie backdoor.\\nWarmCookie is a backdoor that leverages rundll32.exe and specific system API calls to maintain persistence and communicate with its command and control server.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.elastic.co/security-labs/dipping-into-danger\"\n date = \"2024-10-01\"\n modified = \"2025-07-07\"\n 
author = \"HarfangLab\"\n tags = \"attack.collection;attack.credential_access;attack.t1056.001\"\n classification = \"Windows.Backdoor.WarmCookie\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 36b43e8350bc4890bbba8c1be515fd4e7468ef932dd1c73b3244575f1197075a\n // ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13\n // 44faed020d5d8b29918a3f02d757b2cfada67574cf9e02748ea7f75ba5878907\n // 9d4c80ea1d6d1ce11f9bb79d7a5a4ddfcea9f20ffe039db7215e9c57fc183476\n\n $a1 = \"release.dll\" ascii fullword\n $a2 = \"\\\"Main Invoked.\\\"\" ascii fullword\n $a3 = \"\\\"Main Returned.\\\"\" ascii fullword\n $a4 = \"SystemFunction036\" ascii fullword\n\n $b5 = \"GetTempPathW\" ascii fullword\n $b6 = \"CreateThread\" ascii fullword\n\n $c1 = {20 83 B8 ED}\n $c2 = \"GetVolumeInformationW\" ascii fullword\n\n $d1 = \"\\\"%ls\\\",%ls %ls\" wide fullword\n $d2 = \"%ls\\\\%ls \\\"%ls\\\",\" wide fullword\n\n $e1 = \"\\\"%S\\\",%S %S\" wide fullword\n $e2 = \"Start\" wide fullword\n $e3 = \"rundll32.exe\" wide fullword\n\n $f1 = \"\\\"%ls\\\",%ls %ls\" wide\n $f2 = \"%-*.*S\" wide fullword\n $f3 = \"f(null)\" wide fullword\n\n $x1 = {\n 4C 89 C8 // mov rax, r9\n 31 D2 // xor edx, edx\n 42 8A 5C 09 02 // mov bl, [rcx+r9+2]\n 49 F7 F0 // div r8\n 41 8A 04 13 // mov al, [r11+rdx]\n 01 D8 // add eax, ebx\n 41 01 C2 // add r10d, eax\n 41 0F B6 C2 // movzx eax, r10b\n 8A 54 01 02 // mov dl, [rcx+rax+2]\n 42 88 54 09 02 // mov [rcx+r9+2], dl\n 49 FF C1 // inc r9\n 88 5C 01 02 // mov [rcx+rax+2], bl\n 49 81 F9 00 01 00 00 // cmp r9, 100h\n }\n\n $x2 = {\n 42 0F B6 54 04 32 // movzx edx, [rsp+r8+158h+var_126]\n 49 8B C0 // mov rax, r8\n 83 E0 03 // and eax, 3\n 0F B6 4C 04 20 // movzx ecx, byte ptr [rsp+rax+158h+var_138]\n 02 CA // add cl, dl\n 44 02 D1 // add r10b, cl\n 48 8D 4C 24 32 // lea rcx, [rsp+158h+var_126]\n 41 0F B6 C2 // movzx eax, r10b\n 48 03 
C8 // add rcx, rax\n 0F B6 01 // movzx eax, byte ptr [rcx]\n 42 88 44 04 32 // mov [rsp+r8+158h+var_126], al\n 49 FF C0 // inc r8\n 88 11 // mov [rcx], dl\n 49 81 F8 00 01 00 00 // cmp r8, 100h\n }\n\n $x3 = {\n // loc_1800063AC:\n 48 81 7C 24 28 00 01 00 00 // cmp [rsp+38h+var_10], 100h\n 73 1A // jnb short loc_1800063D1\n 48 8B 44 24 28 // mov rax, [rsp+38h+var_10]\n 48 8B 4C 24 40 // mov rcx, [rsp+38h+arg_0]\n 48 03 C8 // add rcx, rax\n 48 8B C1 // mov rax, rcx\n 0F B6 4C 24 28 // movzx ecx, byte ptr [rsp+38h+var_10]\n 88 48 02 // mov [rax+2], cl\n EB CE // jmp short loc_18000639F\n\n // loc_1800063D1:\n C6 44 24 20 00 // mov [rsp+38h+var_18], 0\n 48 C7 44 24 28 00 00 00 00 // mov [rsp+38h+var_10], 0\n EB 0D // jmp short loc_1800063EE\n\n // loc_1800063E1:\n 48 8B 44 24 28 // mov rax, [rsp+38h+var_10]\n 48 FF C0 // inc rax\n 48 89 44 24 28 // mov [rsp+38h+var_10], rax\n }\n\n condition:\n 1 of ($x*) or\n uint16(0) == 0x5A4D and\n filesize < 300KB and (\n (all of ($a*) and 1 of ($b*)) or\n all of ($c*) and\n (\n all of ($d*) or\n all of ($e*) or\n all of ($f*)\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "warmcookie" ], "rule_creation_date": "2024-10-01", "rule_modified_date": "2025-07-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Backdoor.WarmCookie" ], "rule_tactic_tags": [ "attack.collection", "attack.credential_access" ], "rule_technique_tags": [ "attack.t1056.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-webclient_started_tool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.566371Z", "creation_date": "2026-03-23T11:46:25.566373Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.566378Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/eversinc33/SharpStartWebclient\nhttps://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient" ], "name": "webclient_started_tool.yar", "content": "import \"pe\"\n\nrule webclient_started_tool {\n meta:\n title = \"WebClient Started Tool\"\n id = \"d77f197f-2253-48ee-993e-43a56dab9aec\"\n description = \"Detects a tool used to start the WebClient service which can be leveraged in Active Directory environments for authentication-related behaviors and potential coercion techniques.\\nIt is recommended to investigate the execution context and surrounding detections to assess whether the detected binary or process is linked with malicious activities.\"\n references = \"https://github.com/eversinc33/SharpStartWebclient\\nhttps://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/webclient\"\n date = \"2025-11-19\"\n modified = \"2025-11-20\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1569.002;attack.credential_access;attack.t1187\"\n classification = \"Windows.Tool.WebClient\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f868503c7b966530cc05e5829683589aee3c8e2e89c2980309a551c954af1b83\n // 59374abf21295adb63c2aac85a9930e9273d4b1e9f1ada0627376591b3070821\n\n $s1 = \"EVENT_DESCRIPTOR\" ascii 
fullword\n $s2 = \"EventRegister\" ascii fullword\n $s3 = \"EventWrite\" ascii fullword\n $s4 = \"EventUnregister\" ascii fullword\n\n $guid = {\n 1200 // ldloca.s V_0\n 2084D6B622 // ldc.i4 582407812\n 2063FA0000 // ldc.i4 64099\n 2078450000 // ldc.i4 17784\n 2087000000 // ldc.i4 135\n 20C9000000 // ldc.i4 201\n 20EF000000 // ldc.i4 239\n 20FC000000 // ldc.i4 252\n 20BE000000 // ldc.i4 190\n 1F66 // ldc.i4.s 102\n 1F43 // ldc.i4.s 67\n 20C7000000 // ldc.i4 199\n }\n\n condition:\n pe.imports (\"mscoree.dll\",\"_CorExeMain\") and all of them and filesize < 10KB\n}\n", "rule_count": 1, "rule_names": [ "webclient_started_tool" ], "rule_creation_date": "2025-11-19", "rule_modified_date": "2025-11-20", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.WebClient" ], "rule_tactic_tags": [ "attack.credential_access", "attack.execution" ], "rule_technique_tags": [ "attack.t1187", "attack.t1569.002" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-weyhro_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588660Z", "creation_date": "2026-03-23T11:46:25.588663Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588668Z", "rule_level": "critical", "rule_level_override": null, 
"rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://lumma-labs.com/weyhro-c2-because-ransomware-wasnt-paying-the-bills-anymore-b136fd7ef100" ], "name": "weyhro.yar", "content": "import \"pe\"\n\nrule Weyhro {\n meta:\n title = \"Weyhro C2\"\n id = \"76a04ced-d839-4ba8-b0c7-86e5763e1c3a\"\n description = \"Detects Weyhro C2, a sophisticated modular command-and-control (C2) toolkit marketed on cybercrime forums by a threat actor associated with the Weyhro ransomware group.\\nThe agent provides remote shell access, SOCKS5 proxying, hidden VNC with session capture (including browser cookies and passwords), file management (upload/download), and credential extraction.\\nIt emphasizes defense evasion through polymorphic code, AES encryption, hook removal, AMSI/ETW patching, and memory-only execution, and enables attackers to establish persistence, evade modern AV/EDR, and support full spectrum intrusion operations — from initial access through lateral movement and target engagement — on compromised networks.\\nIt is recommended to investigate the context around this alert for signs of unauthorized access, remote control activity or exfiltration.\"\n references = \"https://lumma-labs.com/weyhro-c2-because-ransomware-wasnt-paying-the-bills-anymore-b136fd7ef100\"\n date = \"2026-01-06\"\n modified = \"2026-02-03\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1078;attack.execution;attack.t1059.003;attack.persistence;attack.t1543.003;attack.credential_access;attack.t1003.003;attack.lateral_movement;attack.t1021.002;attack.command_and_control;attack.t1090.002;attack.t1105;attack.defense_evasion;attack.t1562.001;attack.t1140;attack.collection;attack.exfiltration\"\n classification = \"Windows.Framework.Weyhro\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 
ec4ab4e4d700c9e5fdda59eb879a2bf18d0eefd825539d64677144d43a744cee\n // 357e649b3b03ffe0d083092c0ed870c5185d64f14f5735ae43a8343269488dc3\n\n $stub_decrypt00 = {\n 45 31 E9 // xor r9d, r13d\n 41 C1 C1 10 // rol r9d, 10h\n 44 01 CB // add ebx, r9d\n 31 DE // xor esi, ebx\n C1 C6 0C // rol esi, 0Ch\n 41 01 F5 // add r13d, esi\n 45 31 E9 // xor r9d, r13d\n 41 C1 C1 08 // rol r9d, 8\n 44 01 CB // add ebx, r9d\n 31 DE // xor esi, ebx\n C1 C6 07 // rol esi, 7\n 45 01 FC // add r12d, r15d\n 44 31 E2 // xor edx, r12d\n C1 C2 10 // rol edx, 10h\n 41 01 D3 // add r11d, edx\n 45 31 DF // xor r15d, r11d\n 41 C1 C7 0C // rol r15d, 0Ch\n 45 01 FC // add r12d, r15d\n 44 31 E2 // xor edx, r12d\n C1 C2 08 // rol edx, 8\n 41 01 D3 // add r11d, edx\n\n }\n $stub_decrypt01 = {\n 41 01 CB // add r11d, ecx\n 45 31 DA // xor r10d, r11d\n 41 C1 C2 0C // rol r10d, 0Ch\n 44 01 D7 // add edi, r10d\n 31 F9 // xor ecx, edi\n C1 C1 08 // rol ecx, 8\n 41 01 CB // add r11d, ecx\n 45 31 DA // xor r10d, r11d\n 41 C1 C2 07 // rol r10d, 7\n 44 01 C5 // add ebp, r8d\n 31 E8 // xor eax, ebp\n C1 C0 10 // rol eax, 10h\n 41 01 C6 // add r14d, eax\n 45 31 F0 // xor r8d, r14d\n 41 C1 C0 0C // rol r8d, 0Ch\n 44 01 C5 // add ebp, r8d\n 31 E8 // xor eax, ebp\n C1 C0 08 // rol eax, 8\n 41 01 C6 // add r14d, eax\n 45 31 F0 // xor r8d, r14d\n 41 C1 C0 07 // rol r8d, 7\n 45 01 FD // add r13d, r15d\n 44 31 E8 // xor eax, r13d\n C1 C0 10 // rol eax, 10h\n 41 01 C3 // add r11d, eax\n 45 31 DF // xor r15d, r11d\n 41 C1 C7 0C // rol r15d, 0Ch\n 45 01 FD // add r13d, r15d\n 44 31 E8 // xor eax, r13d\n C1 C0 08 // rol eax, 8\n 41 01 C3 // add r11d, eax\n }\n $stub_decrypt02 = {\n 41 C1 C7 07 // rol r15d, 7\n 45 01 D4 // add r12d, r10d\n 45 31 E1 // xor r9d, r12d\n 41 C1 C1 10 // rol r9d, 10h\n 45 01 CE // add r14d, r9d\n 45 31 F2 // xor r10d, r14d\n 41 C1 C2 0C // rol r10d, 0Ch\n 45 01 D4 // add r12d, r10d\n 45 31 E1 // xor r9d, r12d\n 41 C1 C1 08 // rol r9d, 8\n 45 01 CE // add r14d, r9d\n 45 31 F2 // xor r10d, r14d\n 41 
C1 C2 07 // rol r10d, 7\n 44 01 C7 // add edi, r8d\n 31 FA // xor edx, edi\n C1 C2 10 // rol edx, 10h\n 01 D3 // add ebx, edx\n 41 31 D8 // xor r8d, ebx\n 41 C1 C0 0C // rol r8d, 0Ch\n 44 01 C7 // add edi, r8d\n 31 FA // xor edx, edi\n C1 C2 08 // rol edx, 8\n 01 D3 // add ebx, edx\n 41 31 D8 // xor r8d, ebx\n 41 C1 C0 07 // rol r8d, 7\n 01 F5 // add ebp, esi\n 31 E9 // xor ecx, ebp\n C1 C1 10 // rol ecx, 10h\n 41 01 CB // add r11d, ecx\n 44 31 DE // xor esi, r11d\n C1 C6 0C // rol esi, 0Ch\n 01 F5 // add ebp, esi\n 31 E9 // xor ecx, ebp\n C1 C1 08 // rol ecx, 8\n 41 01 CB // add r11d, ecx\n 44 31 DE // xor esi, r11d\n C1 C6 07 // rol esi, 7\n }\n $stub_parsePE_00 = {\n 45 8D 7E BF // lea r15d, [r14-41h]\n 45 89 F4 // mov r12d, r14d\n 41 83 CC 20 // or r12d, 20h\n 66 41 83 FF 1A // cmp r15w, 1Ah\n 45 0F 43 E6 // cmovnb r12d, r14d\n 44 0F B6 F5 // movzx r14d, bpl\n 40 80 C5 BF // add bpl, 0BFh\n 45 89 F7 // mov r15d, r14d\n 41 83 CF 20 // or r15d, 20h\n 40 80 FD 1A // cmp bpl, 1Ah\n 45 0F 43 FE // cmovnb r15d, r14d\n }\n $stub_parsePE_01 = {\n 65 48 8B 04 25 60 00 00 00 // mov rax, gs:60h\n 48 85 C0 // test rax, rax\n 0F 84 [2-4] // jz loc_7FF71F8B6874\n 4C 8B 40 18 // mov r8, [rax+18h]\n 4D 85 C0 // test r8, r8\n 0F 84 [2-4] // jz loc_7FF71F8B6874\n 49 83 C0 20 // add r8, 20h ; ' '\n 4C 8D 0C 12 // lea r9, [rdx+rdx]\n 31 C0 // xor eax, eax\n 4D 89 C2 // mov r10, r8\n }\n\n $string_debug_00 = \"[>] Remap ntdll.dll (SEC_IMAGE)\" ascii fullword\n $string_debug_01 = \"[!] Failed to remap clean ntdll.dll\" ascii fullword\n $string_debug_02 = \"[+] Clean ntdll.dll mapped at\" ascii fullword\n $string_debug_03 = \"[>] Patching ETW/AMSI via dynamic syscalls\" ascii fullword\n $string_debug_04 = \"[LOG] patch_etw: ntdll_base \" ascii fullword\n $string_debug_05 = \"[LOG] patch_etw result:\" ascii fullword\n $string_debug_06 = \"[!] 
ETW patch failed\" ascii fullword\n $string_debug_07 = \"[+] ETW patched successfully (on-demand syscalls)\" ascii fullword\n $string_debug_08 = \"[LOG] AMSI base found:\" ascii fullword\n $string_debug_09 = \"[LOG] patch_amsi: amsi_base\" ascii fullword\n $string_debug_10 = \"[LOG] patch_amsi result:\" ascii fullword\n $string_debug_11 = \"[!] AMSI patch failed\" ascii fullword\n $string_debug_12 = \"[+] AMSI patched successfully\" ascii fullword\n $string_debug_13 = \"[~] AMSI patch skipped: amsi.dll not loaded\" ascii fullword\n $string_debug_14 = \"[>] Self-unhook ntdll.dll\" ascii fullword\n $string_debug_15 = \"[~] Inline unhook skipped (no hooks detected or no clean ntdll)\" ascii fullword\n $string_debug_16 = \"[>] Performing inline unhook\" ascii fullword\n $string_debug_17 = \"[!] Inline unhook failed\" ascii fullword\n $string_debug_18 = \"[+] Inline unhook successful,\" ascii fullword\n $string_debug_19 = \"[~] IAT unhook skipped (no hooks detected or no clean ntdll)\" ascii fullword\n $string_debug_20 = \"[>] Performing IAT unhook\" ascii fullword\n $string_debug_21 = \"[!] IAT unhook failed\" ascii fullword\n $string_debug_22 = \"[+] IAT unhook successful,\" ascii fullword\n $string_debug_23 = \"Unknown[!] 
IAT Hooked:\" ascii fullword\n\n condition:\n pe.imphash() == \"838daa497c64fed9e2aec62c82ef841d\"\n or 1 of ($stub*)\n or 5 of ($string*)\n}", "rule_count": 1, "rule_names": [ "Weyhro" ], "rule_creation_date": "2026-01-06", "rule_modified_date": "2026-02-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Framework.Weyhro" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.exfiltration", "attack.initial_access", "attack.lateral_movement", "attack.persistence" ], "rule_technique_tags": [ "attack.t1021.002", "attack.t1059.003", "attack.t1140", "attack.t1078", "attack.t1105", "attack.t1543.003", "attack.t1003.003", "attack.t1562.001", "attack.t1090.002" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-whispergate_stage1_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583487Z", "creation_date": "2026-03-23T11:46:25.583488Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583494Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" ], "name": "whispergate_stage1.yar", "content": "rule whispergate_stage1 {\n meta:\n title = \"WhisperGate Wiper Stage 1\"\n id = \"828b5b4c-021c-401c-adc5-15197daf5151\"\n description = \"Detects the first stage of the WhisperGate wiper malware used in targeted cyberattacks against Ukrainian organizations in January 2022.\\nWhisperGate is a destructive malware that initially corrupts the Master Boot Record (MBR) to display a fake ransom note, demanding payment in cryptocurrency before performing data wiping operations.\\nIt is recommended to isolate the affected system, and conduct a thorough investigation to determine the origin of the execution of the malware.\"\n references = \"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\"\n date = \"2022-03-07\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002\"\n classification = \"Windows.Wiper.WhisperGate\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // b50fb20396458aec55216cc9f5212162b3459bc769a38e050d4d8c22649888ae\n // a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\n\n $s1 = \"Your hard drive has been corrupted.\" ascii\n $s2 = \"In case you want to recover all hard drives\" ascii\n $s3 = \"of your organization,\" ascii\n $s4 = \"You should pay us $10k via bitcoin wallet\" ascii\n $s5 = \"\\\\\\\\.\\\\PhysicalDrive0\" fullword wide\n\n $mbr = {\n EB 00 // jmp short $+3\n 8C C8 // mov eax, cs\n 8E D8 // mov ds, eax\n BE 88 7C E8 00 // mov esi, 0E87C88h\n 00 50 FC // add [eax-4], dl\n 8A 04 3C // mov al, [esp+edi]\n 00 74 06 E8 // add [esi+eax-18h], dh\n 05 00 46 EB F4 // add eax, 0F4EB4600h\n EB 05 // jmp short loc_404041\n B4 0E // mov ah, 0Eh\n CD 10 // int 10h\n 
C3 // retn\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 1MB and 3 of ($s*) and $mbr\n}\n", "rule_count": 1, "rule_names": [ "whispergate_stage1" ], "rule_creation_date": "2022-03-07", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.WhisperGate" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-whispergate_stage2_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569183Z", "creation_date": "2026-03-23T11:46:25.569185Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569190Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" ], "name": "whispergate_stage2.yar", "content": "rule whispergate_stage2 {\n meta:\n title = \"WhisperGate Wiper Stage 2\"\n id = \"e9d83364-b9e8-460a-9cde-f2441cf47122\"\n description = \"Detects the second stage of the WhisperGate wiper malware used in targeted cyberattacks against Ukrainian 
organizations in January 2022.\\nWhisperGate is a destructive malware that initially corrupts the Master Boot Record (MBR) to display a fake ransom note, demanding payment in cryptocurrency before performing data wiping operations.\\nIt is recommended to isolate the affected system, and conduct a thorough investigation to determine the origin of the execution of the malware.\"\n references = \"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\"\n date = \"2022-03-07\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002\"\n classification = \"Windows.Wiper.WhisperGate\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\n\n $s1 = \"https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg\" fullword wide\n $s2 = \"DxownxloxadDxatxxax\" fullword wide\n $s3 = \"{89a366a7-2270-4665-8440-cb5a27ea74fd}\" ascii\n $s4 = \"Ylfwdwgmpilzyaph\" fullword wide\n\n condition:\n uint16(0) == 0x5A4D and filesize < 1MB and 3 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "whispergate_stage2" ], "rule_creation_date": "2022-03-07", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.WhisperGate" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-whispergate_stage3_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, 
"source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574768Z", "creation_date": "2026-03-23T11:46:25.574770Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574776Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" ], "name": "whispergate_stage3.yar", "content": "rule whispergate_stage3 {\n meta:\n title = \"WhisperGate Wiper Stage 3\"\n id = \"95266e0a-a989-4b22-bbae-79635b91e774\"\n description = \"Detects the third stage of the WhisperGate wiper malware used in targeted cyberattacks against Ukrainian organizations in January 2022.\\nWhisperGate is a destructive malware that initially corrupts the Master Boot Record (MBR) to display a fake ransom note, demanding payment in cryptocurrency before performing data wiping operations.\\nIt is recommended to isolate the affected system, and conduct a thorough investigation to determine the origin of the execution of the malware.\"\n references = \"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\"\n date = \"2022-03-07\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002\"\n classification = \"Windows.Wiper.WhisperGate\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d\n\n $s1 = \"Frkmlkdkdubkznbkmcf\" fullword wide\n $s2 = \"7c8cb5598e724d34384cce7402b11f0e\" fullword wide\n\n // Hard-coded array of .NET assembly embedded within the DLL.\n $asm = {\n b4 a2 9d 8c 55 f1 b9 30 17 f0\n c0 98 e2 f3 7c c8 09 30 8f 5d\n d5 3a 59 fc 3b f3 3e 29 4f 5e\n ec d9 e6 2f 0d c1 f5 16 0b e1\n 5f 2d 29 46 11 16 cd 88 fd 93\n f7 c2 c9 1a e8 65 66 d9 93 fd\n ae 3f 1b 22 72 ba ba a5 77 d3\n ce 49 c8 ec 7c 87 3e 0c aa 05\n df d5 68 24 4b 0e f6 42 a8 c8\n 1d d9 13 bb 2f b7 6f 84 34 b4\n e0 11 1d 1b cd 57 5d f2 54 f6\n cd ad 17 f6 16 63 9a 3e af 66\n 44 c0 4a 9e e2 e1 3e c2\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 1MB and 2 of ($s*) and $asm\n}\n", "rule_count": 1, "rule_names": [ "whispergate_stage3" ], "rule_creation_date": "2022-03-07", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.WhisperGate" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiki_loader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.590296Z", "creation_date": "2026-03-23T11:46:25.590298Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.590303Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/Cryptolaemus1/status/1785401749022335359\nhttps://attack.mitre.org/techniques/T1140/\nhttps://attack.mitre.org/techniques/T1055/012/\nhttps://attack.mitre.org/techniques/T1497/001/" ], "name": "wiki_loader.yar", "content": "rule wiki_loader {\n meta:\n title = \"WikiLoader\"\n id = \"e6fda6d5-d9e4-4d1f-94d5-9af140e84d34\"\n description = \"Detects WikiLoader, a sophisticated Windows-based downloader malware.\\nWikiLoader is designed to install secondary malware payloads on compromised systems.\\nIt employs advanced evasion techniques, including custom direct and indirect syscalls, string obfuscation, and Control Flow Guard (CFG) manipulation, to avoid detection and analysis.\"\n references = \"https://twitter.com/Cryptolaemus1/status/1785401749022335359\\nhttps://attack.mitre.org/techniques/T1140/\\nhttps://attack.mitre.org/techniques/T1055/012/\\nhttps://attack.mitre.org/techniques/T1497/001/\"\n date = \"2024-05-02\"\n modified = \"2026-02-11\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1140;attack.t1055.012;attack.t1497.001;attack.execution;attack.t1059.005;attack.persistence;attack.t1547\"\n classification = \"Windows.Loader.WikiLoader\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665\n // 880ab4ff495259f9f9ed395da29c009494c8243a987b55c6f08ed3bca6a76849\n\n // WikiLoader-specific stack string obfuscation (variant 1)\n $op_1 = {\n B0 ?? // mov al, 18h\n 04 ?? // add al, 2Bh ; '+'\n 88 07 // mov [rdi], al\n B0 ?? // mov al, 1Dh\n 04 ?? 
// add al, 55h ; 'U'\n 88 47 01 // mov [rdi+1], al\n B0 ?? // mov al, 0Eh\n 04 ?? // add al, 57h ; 'W'\n 88 47 02 // mov [rdi+2], al\n B0 ?? // mov al, 2Ah ; '*'\n 04 ?? // add al, 37h ; '7'\n 88 47 03 // mov [rdi+3], al\n B0 ?? // mov al, 47h ; 'G'\n 04 ?? // add al, 2Dh ; '-'\n 88 47 04 // mov [rdi+4], al\n }\n\n // WikiLoader-specific stack string obfuscation (variant 2)\n $op_2 = {\n 88 07 // mov [rdi], al\n (B0 ?? | B0 ?? FE C0 ) // mov al, 69h ; 'i'\n 88 47 01 // mov [rdi+1], al\n (B0 ?? | B0 ?? FE C0 ) // mov al, 6Eh ; 'n'\n 88 47 02 // mov [rdi+2], al\n (B0 ?? | B0 ?? FE C0 ) // mov al, 67h ; 'g'\n 88 47 03 // mov [rdi+3], al\n (B0 ?? | B0 ?? FE C0 ) // mov al, 6Dh ; 'm'\n 88 47 04 // mov [rdi+4], al\n }\n\n // Exclusions to limit false positive\n // xul.dll (Firefox Nightly):\n // 6635469812f56555b3c0a01338a7c8460a7b849057bb1c4ec5c3309472872d3c\n $filter_mozilla_1 = \"xul.pdb\" ascii fullword\n $filter_mozilla_2 = \"@mozilla.org/crashservice;1\" ascii fullword\n $filter_mozilla_3 = \"MOZ_CRASH(Can't allocate mozilla::ReentrantMonitor)\" ascii fullword\n\n condition:\n (for any of ($op_*) : ( # > 1 )) and not\n (\n all of ($filter_mozilla_*) or\n filepath matches /.*\\\\Firefox Nightly\\\\firefox.exe/\n )\n}\n", "rule_count": 1, "rule_names": [ "wiki_loader" ], "rule_creation_date": "2024-05-02", "rule_modified_date": "2026-02-11", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.WikiLoader" ], "rule_tactic_tags": [ "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1140", "attack.t1497.001", "attack.t1059.005", "attack.t1547", "attack.t1055.012" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_hacktool_chrome_passwords_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", 
"effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585164Z", "creation_date": "2026-03-23T11:46:25.585166Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585172Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md#atomic-test-1---run-chrome-password-collector" ], "name": "windows_hacktool_chrome_passwords.yar", "content": "rule chrome_passwords {\n meta:\n title = \"ChromePassword HackTool\"\n id = \"c3cb0bba-41eb-4127-bb18-d2039893d922\"\n description = \"Detects Chrome passwords dumping tool.\\nThis tool is designed to extract sensitive information such as passwords stored in the Chrome browser. The tool accesses specific files in the Chrome user data directory, typically located in the AppData folder, to retrieve credentials. 
It queries the Chrome SQLite database using SQL commands to extract login credentials and encrypted cookies.\"\n references = \"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf\\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md#atomic-test-1---run-chrome-password-collector\"\n date = \"2022-05-05\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.HackTool.ChromePassword\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 3247d21bc9bbbd8df670a82e24be754a2d58d2511ee64aff0a1e3756cd288236\n\n $s1 = \"SELECT action_url, username_value, password_value FROM logins\" fullword ascii\n $s2 = \"SELECT HOST_KEY,path,encrypted_value from cookies\" fullword ascii\n $s3 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\\" fullword ascii\n $s4 = \"Copying db ...\" fullword ascii\n $s5 = \"passwordsDB\" fullword ascii\n $s6 = \"DB connection closed properly\" fullword ascii\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 1MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "chrome_passwords" ], "rule_creation_date": "2022-05-05", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.ChromePassword" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_hacktool_covenant_brute_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584773Z", "creation_date": "2026-03-23T11:46:25.584775Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584780Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1071/001/\nhttps://github.com/cobbr/Covenant" ], "name": "windows_hacktool_covenant_brute.yar", "content": "rule windows_hacktool_covenant_brute {\n meta:\n title = \"Covenant Brute Binary Launcher\"\n id = \"166fc9b1-7457-4f91-bb9c-a57faddad7a2\"\n description = \"Detects the Covenant Brute Binary Launcher.\\nCovenant is a .NET command and control framework that aims to highlight the attack surface of .NET. This rule detects the execution of its brute binary launcher, which is used to execute staged payloads. 
The framework is used in red teaming and penetration testing to assess an organization's security posture.\\nIt is recommended to isolate the affected host and investigate network traffic for potential command and control communication.\"\n references = \"https://attack.mitre.org/techniques/T1071/001/\\nhttps://github.com/cobbr/Covenant\"\n date = \"2021-11-17\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.HackTool.Covenant\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $strings1 = \"ExecuteStager\" ascii\n $strings2 = \"GruntStager\" ascii\n $strings3 = \"{{\\\"GUID\\\":\\\"{0}\\\",\\\"Type\\\":{1},\\\"Meta\\\":\\\"{2}\\\",\\\"IV\\\":\\\"{3}\\\",\\\"EncryptedMessage\\\":\\\"{4}\\\",\\\"HMAC\\\":\\\"{5}\\\"}}\" wide\n $strings4 = \"(?'group0'.*)\" wide\n\n condition:\n uint16(0) == 0x5a4d and filesize > 20MB and filesize < 50MB and (\n (all of ($strings*))\n )\n}\n", "rule_count": 1, "rule_names": [ "windows_hacktool_covenant_brute" ], "rule_creation_date": "2021-11-17", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Covenant" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_hacktool_covenant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, 
"is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563474Z", "creation_date": "2026-03-23T11:46:25.563477Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563486Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1071/001/\nhttps://github.com/cobbr/Covenant" ], "name": "windows_hacktool_covenant.yar", "content": "rule windows_hacktool_covenant {\n meta:\n title = \"Covenant Binary Launcher\"\n id = \"67e603f6-1e89-4df8-9f32-bb6b966b472c\"\n description = \"Detects the Covenant Binary Launcher.\\nCovenant is a .NET command and control framework used for red teaming and penetration testing. This rule identifies the framework's activity by detecting specific .NET executables with known C2-related strings and obfuscated communication patterns.\\nIt is recommended to investigate network traffic for potential C2 communication.\"\n references = \"https://attack.mitre.org/techniques/T1071/001/\\nhttps://github.com/cobbr/Covenant\"\n date = \"2021-11-17\"\n modified = \"2025-03-03\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.001\"\n classification = \"Windows.HackTool.Covenant\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $strings1 = \"ExecuteStager\" ascii\n $strings2 = \"GruntStager\" ascii\n $strings3 = \"{{\\\"GUID\\\":\\\"{0}\\\",\\\"Type\\\":{1},\\\"Meta\\\":\\\"{2}\\\",\\\"IV\\\":\\\"{3}\\\",\\\"EncryptedMessage\\\":\\\"{4}\\\",\\\"HMAC\\\":\\\"{5}\\\"}}\" wide\n $strings4 = \"(?'group0'.*)\" wide\n\n // function ExecuteStager()\n\n /*\n 0x00000274 730D000006 IL_0000: newobj instance void 
GruntStager.GruntStager/'<>c__DisplayClass3_0'::.ctor()\n 0x00000279 0A IL_0005: stloc.0\n 0x0000027A 7201000070 IL_0006: ldstr \"http://192.168.56.101:8080\"\n 0x0000027F 17 IL_000B: ldc.i4.1\n 0x00000280 8D1A000001 IL_000C: newarr [mscorlib]System.Char\n 0x00000285 25 IL_0011: dup\n 0x00000286 16 IL_0012: ldc.i4.0\n 0x00000287 1F2C IL_0013: ldc.i4.s 44\n 0x00000289 9D IL_0015: stelem.i2\n 0x0000028A 280700000A IL_0016: call instance string[] [mscorlib]System.String::Split(char[])\n 0x0000028F 280100002B IL_001B: call class [mscorlib]System.Collections.Generic.List`1 [System.Core]System.Linq.Enumerable::ToList(class [mscorlib]System.Collections.Generic.IEnumerable`1)\n 0x00000294 0B IL_0020: stloc.1\n 0x00000295 06 IL_0021: ldloc.0\n 0x00000296 7237000070 IL_0022: ldstr \"\"\n 0x0000029B 7D03000004 IL_0027: stfld string GruntStager.GruntStager/'<>c__DisplayClass3_0'::CovenantCertHash\n 0x000002A0 7239000070 IL_002C: ldstr \"VXNlci1BZ2VudA==,Q29va2ll\"\n 0x000002A5 17 IL_0031: ldc.i4.1\n 0x000002A6 8D1A000001 IL_0032: newarr [mscorlib]System.Char\n 0x000002AB 25 IL_0037: dup\n 0x000002AC 16 IL_0038: ldc.i4.0\n 0x000002AD 1F2C IL_0039: ldc.i4.s 44\n 0x000002AF 9D IL_003B: stelem.i2\n 0x000002B0 280700000A IL_003C: call instance string[] [mscorlib]System.String::Split(char[])\n 0x000002B5 280100002B IL_0041: call class [mscorlib]System.Collections.Generic.List`1 [System.Core]System.Linq.Enumerable::ToList(class [mscorlib]System.Collections.Generic.IEnumerable`1)\n 0x000002BA 7E06000004 IL_0046: ldsfld class [System.Core]System.Func`2 GruntStager.GruntStager/'<>c'::'<>9__3_0'\n 0x000002BF 25 IL_004B: dup\n 0x000002C0 2D17 IL_004C: brtrue.s IL_0065\n 0x000002C2 26 IL_004E: pop\n */\n $msil_http = {\n 73 [4] // newobj instance void GruntStager.GruntStager/'<>c__DisplayClass3_0'::.ctor()\n 0A // stloc.0\n 72 [4] // ldstr \"http://192.168.56.101:8080\"\n 17 // ldc.i4.1\n 8D [4] // newarr [mscorlib]System.Char\n 25 // dup\n 16 // ldc.i4.0\n 1F 2C // ldc.i4.s 44\n 9D // 
stelem.i2\n 28 [4] // call instance string[] [mscorlib]System.String::Split(char[])\n 28 [4] // call class [mscorlib]System.Collections.Generic.List`1 [System.Core]System.Linq.Enumerable::ToList(class [mscorlib]System.Collections.Generic.IEnumerable`1)\n 0B // stloc.1\n 06 // ldloc.0\n 72 [4] // ldstr \"\"\n 7D [4] // stfld string GruntStager.GruntStager/'<>c__DisplayClass3_0'::CovenantCertHash\n 72 [4] // ldstr \"VXNlci1BZ2VudA==,Q29va2ll\"\n 17 // ldc.i4.1\n 8D [4] // newarr [mscorlib]System.Char\n 25 // dup\n 16 // ldc.i4.0\n 1F 2C // ldc.i4.s 44\n 9D // stelem.i2\n 28 [4] // call instance string[] [mscorlib]System.String::Split(char[])\n 28 [4] // call class [mscorlib]System.Collections.Generic.List`1 [System.Core]System.Linq.Enumerable::ToList(class [mscorlib]System.Collections.Generic.IEnumerable`1)\n 7E [4] // ldsfld\n 25 // dup\n 2D 17 // brtrue.s\n 26 // pop\n }\n\n /*\n 0x00000274 7201000070 IL_0000: ldstr \"i=a19ea23062db990386a3a478cb89d52e&data={0}&session=75db-99b1-25fe4e9afbe58696-320bea73\"\n 0x00000279 280600000A IL_0005: call string [mscorlib]System.Environment::get_NewLine()\n 0x0000027E 72B2000070 IL_000A: ldstr \"\\n\"\n 0x00000283 280700000A IL_000F: call instance string [mscorlib]System.String::Replace(string, string)\n 0x00000288 0A IL_0014: stloc.0\n 0x00000289 72B6000070 IL_0015: ldstr \"\\n \\n Hello World!\\n \\n \\n

Hello World!

\\n // Hello World! {0}\\n \\n\"\n 0x0000028E 280600000A IL_001A: call string [mscorlib]System.Environment::get_NewLine()\n 0x00000293 72B2000070 IL_001F: ldstr \"\\n\"\n 0x00000298 280700000A IL_0024: call instance string [mscorlib]System.String::Replace(string, string)\n 0x0000029D 0B IL_0029: stloc.1\n 0x0000029E 72E9010070 IL_002A: ldstr \"gruntsvc\"\n 0x000002A3 0C IL_002F: stloc.2\n 0x000002A4 72FB010070 IL_0030: ldstr \"382f94aac1\"\n 0x000002A9 0D IL_0035: stloc.3\n 0x000002AA 280800000A IL_0036: call valuetype [mscorlib]System.Guid [mscorlib]System.Guid::NewGuid()\n 0x000002AF 1322 IL_003B: stloc.s V_34\n 0x000002B1 1222 IL_003D: ldloca.s V_34\n 0x000002B3 FE160C000001 IL_003F: constrained. [mscorlib]System.Guid\n 0x000002B9 6F0900000A IL_0045: callvirt instance string [mscorlib]System.Object::ToString()\n 0x000002BE 7211020070 IL_004A: ldstr \"-\"\n 0x000002C3 7215020070 IL_004F: ldstr \"\"\n 0x000002C8 6F0700000A IL_0054: callvirt instance string [mscorlib]System.String::Replace(string, string)\n 0x000002CD 16 IL_0059: ldc.i4.0\n 0x000002CE 1F0A IL_005A: ldc.i4.s 10\n 0x000002D0 6F0A00000A IL_005C: callvirt instance string [mscorlib]System.String::Substring(int32, int32)\n 0x000002D5 1304 IL_0061: stloc.s V_4\n 0x000002D7 7217020070 IL_0063: ldstr \"8QQIxBwir7uLNN9P4V7k890bUL9QukjzVSIA+8IvBEY=\"\n 0x000002DC 280B00000A IL_0068: call uint8[] [mscorlib]System.Convert::FromBase64String(string)\n 0x000002E1 1305 IL_006D: stloc.s V_5\n */\n $msil_smb = {\n 72 [4] // ldstr \"i=a19ea23062db990386a3a478cb89d52e&data={0}&session=75db-99b1-25fe4e9afbe58696-320bea73\"\n 28 [4] // call string [mscorlib]System.Environment::get_NewLine()\n 72 [4] // ldstr \"\\n\"\n 28 [4] // call instance string [mscorlib]System.String::Replace(string, string)\n 0A // stloc.0\n 72 [4] // ldstr \"\\n \\n Hello World!\\n \\n \\n

Hello World!

\\n // Hello World! {0}\\n \\n\"\n 28 [4] // call string [mscorlib]System.Environment::get_NewLine()\n 72 [4] // ldstr \"\\n\"\n 28 [4] // call instance string [mscorlib]System.String::Replace(string, string)\n 0B // stloc.1\n 72 [4] // ldstr \"gruntsvc\"\n 0C // stloc.2\n 72 [4] // ldstr \"382f94aac1\"\n 0D // stloc.3\n 28 [4] // call valuetype [mscorlib]System.Guid [mscorlib]System.Guid::NewGuid()\n 13 22 // stloc.s V_34\n 12 22 // ldloca.s V_34\n FE [5] // constrained. [mscorlib]System.Guid\n 6F [4] // callvirt instance string [mscorlib]System.Object::ToString()\n 72 [4] // ldstr \"-\"\n 72 [4] // ldstr \"\"\n 6F [4] // callvirt instance string [mscorlib]System.String::Replace(string, string)\n 16 // ldc.i4.0\n 1F 0A // ldc.i4.s 10\n 6F [4] // callvirt instance string [mscorlib]System.String::Substring(int32, int32)\n 13 04 // stloc.s V_4\n 72 [4] // ldstr \"8QQIxBwir7uLNN9P4V7k890bUL9QukjzVSIA+8IvBEY=\"\n 28 [4] // call uint8[] [mscorlib]System.Convert::FromBase64String(string)\n 13 05 // stloc.s V_5\n }\n\n condition:\n uint16(0) == 0x5a4d and filesize < 50KB and (\n (all of ($strings*)) or ($msil_http) or ($msil_smb)\n )\n}\n", "rule_count": 1, "rule_names": [ "windows_hacktool_covenant" ], "rule_creation_date": "2021-11-17", "rule_modified_date": "2025-03-03", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.Covenant" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_keylogger_screencapdll_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583388Z", "creation_date": "2026-03-23T11:46:25.583391Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583398Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/" ], "name": "windows_keylogger_screencapdll.yar", "content": "rule windows_keylogger_screencapdll {\n meta:\n title = \"ScreenCapDll Keylogger and Screen Recorder\"\n id = \"5017f379-68a3-41a1-9d58-223b6795170c\"\n description = \"Detects the ScreenCapDll keylogger and screen recorder.\\nScreenCapDll is a keylogging and screen recording malware associated with the WIP19 threat group.\\nThis malware is known for its ability to capture keystrokes and record screen activity, which can be used for unauthorized access and espionage.\\nWIP19 is a Chinese-speaking advanced persistent threat (APT) group that targets IT service providers and telecommunication companies. 
The group is known for using signed malware to maintain persistence and carry out espionage activities.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/\"\n date = \"2022-11-22\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1056.001\"\n classification = \"Windows.Keylogger.ScreenCapDLL\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 421b71ac924938e9b47291f38233d9e4b8116c1f4ec8db523d229535c8c12212\n // 4d36c9713955062e870b29aadeee7a3e9f064041e4a74e349ce58e3937c7526e\n // 2511271a0ec23acb028ec678fcf301ac4befa14c79daf308919082569e68acf5\n // 72353ee98cd3926d8f14d5b7118b7bb0465f72ca9e3d28397a1bcf2cb0fc3edb\n\n $dll_name_1 = \"ScreenCapDll_x64.dll\" ascii\n $dll_name_2 = \"ScreenCapDll.dll\" ascii\n\n $archive_names_1 = \"%s\\\\%s_%d_%d_%d_%d_%d_%d.AVI\" ascii\n $archive_names_2 = \"%s\\\\%s_%d_%d_%d_%d_%d_%d.RAR\" ascii\n $archive_names_3 = \"%s a -hp%s -m5 \\\"%s\\\" \\\"%s\" ascii\n $archive_names_4 = \"%s\\\\%s_%04d%02d%02d.ax\" ascii\n\n condition:\n uint16(0) == 0x5a4d and (\n 1 of ($dll_name_*) or 3 of ($archive_names_*)\n )\n}\n", "rule_count": 1, "rule_names": [ "windows_keylogger_screencapdll" ], "rule_creation_date": "2022-11-22", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Keylogger.ScreenCapDLL" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1056.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_malware_loader_termite_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.577917Z", "creation_date": "2026-03-23T11:46:25.577919Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.577924Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware" ], "name": "windows_malware_loader_termite.yar", "content": "rule termite_loader {\n meta:\n title = \"Termite Loader\"\n id = \"362c275a-503b-44d5-b3c4-57992782df74\"\n description = \"Detects the malicious malware loader Termite.\\nTermite is a malware loader identified by Mandiant that contains encrypted shellcode. It is used by several malicious groups, including UNC2596, to inject malicious code into legitimate processes. 
This loader is often used for persistence and lateral movement within a compromised environment.\\nIt is recommended to isolate the affected process and check for any signs of suspicious code injection.\"\n references = \"https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware\"\n date = \"2022-09-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001\"\n classification = \"Windows.Loader.Termite\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Decryption loop used in a lot of samples\n\n // Detection for EXE sample :\n $op1 = {\n 33 D2 // xor edx, edx\n 33 C0 // xor eax, eax\n 33 C2 // xor eax, edx\n 0F B7 01 // movzx eax, word ptr [ecx]\n 66 2B 05 [4] // sub ax, word_401052\n 66 F7 35 [4] // div word_401054\n 8B D2 // mov edx, edx\n 88 06 // mov [esi], al\n 8B D2 // mov edx, edx\n 46 // inc esi\n 8B D2 // mov edx, edx\n 43 // inc ebx\n 8B D2 // mov edx, edx\n 83 C1 02 // add ecx, 2\n 4F // dec edi\n 8B D7 // mov edx, edi\n 85 FA // test edx, edi\n\n }\n\n // Detection for this sample:\n // 1842ddc55b4bf9c71606451d404a21f7f3da8e54c56318010c80ba4f571bd8f5\n $op2 = {\n 33 D2 // xor edx, edx\n 8B 01 // mov eax, [ecx]\n 33 D2 // xor edx, edx\n 2B 05 [4] // sub eax, ds:dword_402004\n 33 D2 // xor edx, edx\n F7 35 [4] // div ds:dword_402008\n 33 D2 // xor edx, edx\n 88 06 // mov [esi], al\n 33 D2 // xor edx, edx\n 46 // inc esi\n 33 D2 // xor edx, edx\n 43 // inc ebx\n 33 D2 // xor edx, edx\n 83 C1 04 // add ecx, 4\n 33 D2 // xor edx, edx\n 3B DF // cmp ebx, edi\n }\n\n // Detection for this sample:\n // 811bb84e1e9f59279f844a040bf68d25ad29a756fbc07cffd7308f8490a15329\n $op3 = {\n 51 // push ecx\n 8B C8 // mov ecx, eax\n 33 DB // xor ebx, ebx\n 8B 01 // mov eax, [ecx]\n 33 D2 // xor edx, edx\n 2B 05 [4] // sub eax, ds:dword_402004\n F7 35 [4] // div ds:dword_402008\n 88 06 // mov [esi], al\n 46 // inc esi\n 43 // inc ebx\n 83 C1 04 // add 
ecx, 4\n 3B DF // cmp ebx, edi\n 7C E5 // jl short loc_4010A5\n 59 // pop ecx\n }\n\n // Detection for this sample:\n // 7f357ab4ac225e14a6967f89f20926e9e0db15dca5b8fe058c120a365570b783\n $op4 = {\n 8B 2D [4] // mov ebp, dword ptr ds:byte_40A034+10h\n 8B FA // mov edi, edx\n 89 1C 24 // mov [esp+14h+var_14], ebx\n 33 F6 // xor esi, esi\n 85 D2 // test edx, edx\n 7E 16 // jle short loc_4090CE\n 8B CB // mov ecx, ebx\n 8B D8 // mov ebx, eax\n 8B 03 // mov eax, [ebx]\n 33 D2 // xor edx, edx\n F7 F5 // div ebp\n 41 // inc ecx\n 83 C3 04 // add ebx, 4\n 46 // inc esi\n 88 51 FF // mov [ecx-1], dl\n 3B F7 // cmp esi, edi\n 7C EE // jl short loc_4090BC\n 8B 04 24 // mov eax, [esp+14h+var_14]\n 89 2D // mov dword ptr ds:byte_40A034+10h, ebp\n }\n\n // Detection for this sample:\n // d1e14b5f02fb020db4e215cb5c3abc6a7b1589443bccd6f03b77ee124ca72b5c\n $op5 = {\n 33 D2 // xor edx, edx\n 0F B7 01 // movzx eax, word ptr [ecx]\n 33 D2 // xor edx, edx\n 66 2B 05 [4] // sub ax, word_401052\n 33 D2 // xor edx, edx\n 66 F7 35 [4] // div word_401054\n 33 D2 // xor edx, edx\n 88 06 // mov [esi], al\n 33 D2 // xor edx, edx\n 46 // inc esi\n 33 D2 // xor edx, edx\n 43 // inc ebx\n 33 D2 // xor edx, edx\n 83 C1 02 // add ecx, 2\n 33 D2 // xor edx, edx\n 3B DF // cmp ebx, edi\n }\n\n // Detection for this sample:\n // 7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131\n $op6 = {\n 8B 2D [4] // mov ebp, dword ptr ds:byte_40A034+10h\n 89 04 24 // mov [esp+18h+var_18], eax\n 8B FA // mov edi, edx\n 8B C3 // mov eax, ebx\n 89 5C 24 04 // mov [esp+18h+var_14], ebx\n 33 F6 // xor esi, esi\n 85 D2 // test edx, edx\n 7E 17 // jle short loc_4090C5\n 8B CB // mov ecx, ebx\n 8B 1C 24 // mov ebx, [esp+18h+var_18]\n 8B 03 // mov eax, [ebx]\n 33 D2 // xor edx, edx\n F7 F5 // div ebp\n 41 // inc ecx\n 83 C3 04 // add ebx, 4\n 46 // inc esi\n 88 51 FF // mov [ecx-1], dl\n 3B F7 // cmp esi, edi\n 7C EE // jl short loc_4090B3\n 8B 44 24 04 // mov eax, [esp+18h+var_14]\n 89 2D // mov dword ptr 
ds:byte_40A034+10h, ebp\n }\n\n condition:\n any of them\n\n}\n", "rule_count": 1, "rule_names": [ "termite_loader" ], "rule_creation_date": "2022-09-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Loader.Termite" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1059.001" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_malware_powershell_launcher_a0fa8f48772b_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.585251Z", "creation_date": "2026-03-23T11:46:25.585253Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.585259Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "Internal Research" ], "name": "windows_malware_powershell_launcher_a0fa8f48772b.yar", "content": "rule malware_unknown_powershell_launcher_a0fa8f48772b {\n meta:\n title = \"PowerShell Launcher (a0fa8f48772b)\"\n id = \"2a47f9c6-0b0c-46db-9171-a0fa8f48772b\"\n description = \"Detects a malicious launcher sample that launches PowerShell.\\nThis rule identifies a malicious PowerShell launcher known to attempt execution 
via PowerShell scripts or related tools.\\nIt is recommended to investigate PowerShell events for suspicious activities.\"\n references = \"Internal Research\"\n date = \"2021-12-20\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.001\"\n classification = \"Windows.Malware.UnknownPowershellLauncher\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Suspicious APIs imported\n $api_import1 = \"RtlVirtualUnwind\" ascii\n $api_import2 = \"CorBindToRuntimeEx\" ascii\n $api_import3 = \"CoCreateInstance\" ascii\n $api_import4 = \"CoInitialize\" ascii\n $api_import5 = \"CoUninitialize\" ascii\n\n // Suspicious strings related\n $sus_string1 = \"%systemroot%\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell_ise.exe\" wide\n $sus_string2 = \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Accessories\\\\Windows PowerShell\\\\Windows PowerShell (x86).lnk\" wide\n $sus_string3 = \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Accessories\\\\Windows PowerShell\\\\Windows PowerShell.lnk\" wide\n $sus_string4 = \"%windir%\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\" wide\n $sus_string5 = \"WindowsPowerShellHelp.chm\" wide\n $sus_string6 = \"%systemroot%\\\\hh.exe\" wide\n\n // Powershell Unmanaged Entrypoint\n $powershell_unamanged_entry = \"Microsoft.PowerShell.UnmanagedPSEntry\" wide\n\n $wks_clr_binding = {\n 45 8D 45 ?? // lea r8d, [r13 + 0xXX]\n 48 8D 15 ?? ?? ?? ?? // lea rdx, [rip + 0xXXXXXXXX] // 'wks'\n 48 8B CB // mov rcx, rbx\n E8 ?? ?? ?? ?? 
// call CorBindToRuntimeEx\n 3D 00 17 13 80 // cmp eax, CLR_E_SHIM_RUNTIMELOAD\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 200KB and ((all of ($sus_string*) and $powershell_unamanged_entry) or (all of ($api_import*) and 2 of ($sus_string*) and $powershell_unamanged_entry and $wks_clr_binding))\n}\n", "rule_count": 1, "rule_names": [ "malware_unknown_powershell_launcher_a0fa8f48772b" ], "rule_creation_date": "2021-12-20", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Malware.UnknownPowershellLauncher" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1059.001" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_chromeloader_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569368Z", "creation_date": "2026-03-23T11:46:25.569370Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569376Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension" ], "name": "windows_trojan_chromeloader.yar", 
"content": "rule chromeloader {\n meta:\n title = \"ChromeLoader Malware\"\n id = \"981d0da6-5454-45fe-a2ee-a18b1058ae35\"\n description = \"Detects ChromeLoader Malware.\\nChromeLoader is a malware designed to compromise popular browsers such as Google Chrome. It modifies browser settings to redirect traffic to malicious advertising sites and can hijack browsers to steal sensitive information like passwords.\"\n references = \"https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension\"\n date = \"2022-11-10\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059;attack.persistence;attack.t1112;attack.t1176\"\n classification = \"Windows.Trojan.ChromeLoader\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd\n\n $s1 = \"Z:\\\\bundle_installer\\\\CS_installer\\\\obj\\\\Release\\\\net48\\\\win7-x86\\\\CS_installer.pdb\" ascii\n $s2 = \"powershell -ExecutionPolicy Bypass -WindowStyle Hidden -E\" ascii wide\n $s3 = \"Install Error, incompatible system\" ascii wide\n $s4 = \"ChromeLoader\" ascii wide\n $s5 = \"CS_installer.exe\" ascii wide\n $s6 = \"$taskName = \\\"ChromeLoader\\\"\" wide base64wide base64\n $s7 = \"if($_ -Match \\\"load-extension\\\")\" wide base64wide base64\n $s8 = \"(Get-WmiObject Win32_Process -Filter \\\"name='chrome.exe'\\\") | Select-Object CommandLine | ForEach-Object\" wide base64wide base64\n\n condition:\n uint16(0) == 0x5a4d and 6 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "chromeloader" ], "rule_creation_date": "2022-11-10", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.ChromeLoader" ], "rule_tactic_tags": [ "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1059", "attack.t1176", "attack.t1112" ], "rule_score": 
100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_cyclops_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.568815Z", "creation_date": "2026-03-23T11:46:25.568817Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.568822Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten\nhttps://attack.mitre.org/techniques/T1071/004/" ], "name": "windows_trojan_cyclops.yar", "content": "rule charmingkitten_cyclops {\n meta:\n title = \"Cyclops Trojan\"\n id = \"bb25e38e-52ff-496d-87bc-6b9e848c81de\"\n description = \"Detects the Cyclops Trojan.\\nCyclops is a Golang-based malware associated with the Charming Kitten threat group. Charming Kitten, also known as APT 35, Phosphorus, Parastoo, and Newscaster, is a suspected Iranian-linked actor targeting government, defense technology, military, and diplomatic sectors. 
The group is known for sophisticated cyber espionage activities.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/\\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten\\nhttps://attack.mitre.org/techniques/T1071/004/\"\n date = \"2024-07-31\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1071.004\"\n classification = \"Windows.Trojan.Cyclops\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64,arm,arm64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69\n\n $go = \" Go build ID: \\\"\" ascii\n $a1 = \"dep\\tback-service\\t(devel)\" ascii fullword\n $a2 = \"/brain-loader-enc.go\\x00\" ascii\n $a3 = \"back-service/go-mux/api\" ascii\n $a4 = \"/JD-M42KItJncJfqb38qh/\" ascii\n\n condition:\n filesize > 2MB and filesize < 20MB\n and (uint16(0) == 0x5A4D)\n and $go\n and (2 of ($a*))\n}\n", "rule_count": 1, "rule_names": [ "charmingkitten_cyclops" ], "rule_creation_date": "2024-07-31", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Cyclops" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1071.004" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_dllpasswordfilterimplant_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587972Z", "creation_date": "2026-03-23T11:46:25.587974Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587980Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/GoSecure/DLLPasswordFilterImplant" ], "name": "windows_trojan_dllpasswordfilterimplant.yar", "content": "rule LSA_DLLPasswordFilterImplant {\n meta:\n title = \"LSA Notification Package (DLLPasswordFilterImplant.dll)\"\n id = \"90be38e5-3c61-4e34-8039-3139310adda6\"\n description = \"Detects the DLLPasswordFilterImplant project, a suspicious LSA Notification Package.\\nThis project demonstrates how an attacker can inject a malicious DLL into the Local Security Authority (LSA) subsystem to capture user credentials during authentication. 
The LSA Notification Package can be used to intercept sensitive information, such as passwords, at the time of authentication.\\nIt is recommended to perform a thorough investigation of LSA-related processes and registry entries.\"\n references = \"https://github.com/GoSecure/DLLPasswordFilterImplant\"\n date = \"2022-05-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1556.002\"\n classification = \"Windows.Trojan.LSAPackage\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // 9bb375cbc99beb2420a600555e14724b19a36a85fa320037bb9927d6ece195d2\n\n $s1 = \"BCRYPT_SUCCESS(res) || !\\\"BCryptOpenAlgorithmProvider\\\"\" fullword wide\n $s2 = \"buffer && buffer->data\" fullword wide\n $s3 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\" fullword wide\n $s4 = \"InitializeChangeNotify\" fullword ascii\n $s5 = \"PasswordChangeNotify\" fullword ascii\n $s6 = \"PasswordFilter\" fullword ascii\n $s7 = \"%wZ:%wZ\" fullword ascii\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 2MB and all of them\n}\n", "rule_count": 1, "rule_names": [ "LSA_DLLPasswordFilterImplant" ], "rule_creation_date": "2022-05-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.LSAPackage" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1556.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_oceanmap_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583843Z", "creation_date": "2026-03-23T11:46:25.583845Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583851Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cert.gov.ua/article/6276894\nhttps://attack.mitre.org/techniques/T1059/003\nhttps://attack.mitre.org/techniques/T1071/003" ], "name": "windows_trojan_oceanmap.yar", "content": "rule masepie_campaign_oceanmap {\n meta:\n title = \"OCEANMAP RAT\"\n id = \"a1706a25-e2e8-459f-a6d0-d61c98475dee\"\n description = \"Detects the OCEANMAP RAT.\\nOCEANMAP is a RAT-type implant discovered by CERT-UA. It uses IMAP/S as a command and control channel. 
The rule identifies IMAP commands and indicators related to credential handling and process management.\\nIt is recommended to isolate the affected system and investigate network traffic for IMAP-based C2 communication.\"\n references = \"https://cert.gov.ua/article/6276894\\nhttps://attack.mitre.org/techniques/T1059/003\\nhttps://attack.mitre.org/techniques/T1071/003\"\n date = \"2024-01-26\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.003;attack.command_and_control;attack.t1071.003\"\n classification = \"Windows.Trojan.OCEANMAP\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04\n // 50b000a7d61885591ba4ec9df1a0a223dbceb1ac2facafcef3d65c8cbbd64d46\n\n $dotNet = \".NETFramework,Version\" ascii fullword\n\n $a1 = \"$ SELECT INBOX.Drafts\" wide fullword\n $a2 = \"$ SELECT Drafts\" wide fullword\n $a3 = \"$ UID SEARCH subject \\\"\" wide fullword\n $a4 = \"$ APPEND INBOX {\" wide fullword\n $a5 = \"+FLAGS (\\\\Deleted)\" wide fullword\n $a6 = \"$ EXPUNGE\" wide fullword\n $a7 = \"BODY.PEEK[text]\" wide fullword\n\n $t1 = \"change_time\" ascii fullword\n $t2 = \"ReplaceBytes\" ascii fullword\n $t3 = \"fcreds\" ascii fullword\n $t4 = \"screds\" ascii fullword\n $t5 = \"r_creds\" ascii fullword\n $t6 = \"comp_id\" ascii fullword\n $t7 = \"changesecond\" wide fullword\n $t8 = \"taskkill /F /PID\" wide fullword\n $t9 = \"cmd.exe\" wide fullword\n\n condition:\n filesize > 8KB and filesize < 100KB\n and (uint16be(0) == 0x4D5A)\n and $dotNet\n and (3 of ($a*))\n and (2 of ($t*))\n}\n", "rule_count": 1, "rule_names": [ "masepie_campaign_oceanmap" ], "rule_creation_date": "2024-01-26", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.OCEANMAP" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.execution" 
], "rule_technique_tags": [ "attack.t1071.003", "attack.t1059.003" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_putty_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.569398Z", "creation_date": "2026-03-23T11:46:25.569400Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.569406Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing" ], "name": "windows_trojan_putty.yar", "content": "import \"pe\"\n\nrule trojanized_putty {\n meta:\n title = \"Trojanized PuTTY\"\n id = \"de7a91bc-d607-47c9-bac4-22020ed64a9b\"\n description = \"Detects a trojanized version of PuTTY used by the UNC4034 threat actor.\\nThis rule identifies a malicious variant of the PuTTY remote access tool, specifically associated with the UNC4034 threat actor. 
The trojanized PuTTY was observed in a July 2022 campaign where it was used to drop a malicious payload to disk before executing it.\\nIt is recommended to analyze the payload file for malicious content.\"\n references = \"https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing\"\n date = \"2022-09-27\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1204.002\"\n classification = \"Windows.Trojan.PuTTY\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n condition:\n // Detection for these samples:\n // 1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266\n // cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f69b4\n // a14a74c3a56fa40bc87bd997cddbbd2239f505a4a29d1d4e0ea6ed51d2574159\n // 35b3aa459b7f7d1bf7351bb3a3e37b544ad6056152ac2fc6dc525b70b1d46154\n // d62d2888067b3dab7d93cba362202c4a17c086c531949b071f9758866b4c9d6b\n // a88998b7b275d866ea3aec24b45488299384a2d8e0f2db60447f26bd550856ce\n\n (uint16(0) == 0x5a4d) and\n filesize < 8MB and\n filesize > 2MB and\n pe.version_info[\"OriginalFilename\"] == \"PuTTY\" and\n pe.number_of_signatures == 0 and\n for any i in (0 .. 
pe.number_of_sections) : (\n pe.sections[i].name == \".data\" and pe.sections[i].raw_data_size > 200KB\n )\n}\n", "rule_count": 1, "rule_names": [ "trojanized_putty" ], "rule_creation_date": "2022-09-27", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.PuTTY" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1204.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-windows_trojan_securefilter_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583886Z", "creation_date": "2026-03-23T11:46:25.583888Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583893Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/" ], "name": "windows_trojan_securefilter.yar", "content": "rule LSA_SecureFilter {\n meta:\n title = \"LSA Notification Package (SecureFilter.dll)\"\n id = \"f5376de6-1851-45d6-9af5-696c050c2127\"\n description = \"Detects the malicious LSA Notification Package SecureFilter.dll 
associated with Moshen Dragon, a China-linked APT group. The DLL is built as an LSA password filter: it exports InitializeChangeNotify, PasswordChangeNotify and PasswordFilter, the interface LSA invokes on password set and change events, which lets it capture cleartext credentials whenever a user or service account password is changed (T1556.002).\\nIt is recommended to review the LSA Notification Packages registration on the affected host for unexpected entries, since deleting the DLL alone does not remove the registration, and to treat any passwords changed while the DLL was loaded as compromised.\"\n references = \"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/\"\n date = \"2022-05-05\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1556.002\"\n classification = \"Windows.Trojan.LSAPackage\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample :\n // c249fca04f5f362bb43731b5ae9e7e85a76f6c1472e1c41c40496ab05b513230\n\n $s1 = \"InitializeChangeNotify\" fullword ascii\n $s2 = \"PasswordChangeNotify\" fullword ascii\n $s3 = \"PasswordFilter\" fullword ascii\n $s4 = \"%wZ :: %wZ\" fullword wide\n\n condition:\n (uint16(0) == 0x5a4d) and filesize < 50KB and all of them\n}\n", "rule_count": 1, "rule_names": [ "LSA_SecureFilter" ], "rule_creation_date": "2022-05-05", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.LSAPackage" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1556.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wingtbcli_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.570825Z", "creation_date": "2026-03-23T11:46:25.570827Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.570833Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\nhttps://asec.ahnlab.com/en/87804/\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks" ], "name": "wingtbcli.yar", "content": "rule wingtb_cli {\n meta:\n title = \"WingtbCLI HackTool\"\n id = \"5c34dabc-eeb7-4122-9c71-5856c23b4e2b\"\n description = \"Detects WingtbCLI.exe, a tool used to interact with a hidden rootkit driver.\\nThis driver is specialized in process, registry key, file and directory hiding and its main role is to conceal a malicious IIS module from security products.\\nThis tool is used to interact with this driver to specify the objects to hide.\\nIt is recommended to analyze the context around this alert and investigate further suspicious actions.\"\n references = \"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\\nhttps://asec.ahnlab.com/en/87804/\\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks\"\n date = \"2025-09-02\"\n modified = \"2025-10-24\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1564.001;attack.t1562\"\n classification = \"Windows.HackTool.WingtbCLI\"\n context = \"process,memory,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc\n\n $debug_message00 = \"Error, invalid target ruleid for command 'unprotect'\" wide\n 
$debug_message01 = \"Internal error, invalid type for command 'unprotect'\" wide\n $debug_message02 = \"Error, command 'unprotect' rejected\" wide\n $debug_message03 = \"Command 'unprotect' successful\" wide\n $debug_message04 = \"Error, invalid target pid for command 'query'\" wide\n $debug_message05 = \"Error, invalid object type for command 'query'\" wide\n $debug_message06 = \"Error, query state rejected\" wide\n $debug_message07 = \"Error, query ignored state rejected\" wide\n $debug_message08 = \"Error, query protected state rejected\" wide\n $debug_message09 = \"Error, query hidden state rejected\" wide\n $debug_message10 = \"Error, mismatched argument #1 for command 'unprotect'\" wide\n $debug_message11 = \"Error, mismatched argument #2 for command 'unprotect'\" wide\n $debug_message12 = \"Error, invalid target ruleid for command 'unprotect'\" wide\n $debug_message13 = \"Internal error, invalid type for command 'unprotect'\" wide\n $debug_message14 = \"Error, mismatched argument #1 for command 'protect'\" wide\n $debug_message15 = \"Error, invalid object type in command 'protect'\" wide\n $debug_message16 = \"Internal error, invalid type for command 'protect'\" wide\n $debug_message17 = \"Error, command 'protect' rejected\" wide\n $debug_message18 = \"Command 'protect' successful\" wide\n $debug_message19 = \"Error, install/uninstall mode isn't supported for this command\" wide\n $debug_message20 = \"Error, mismatched argument #1 for command 'unignore'\" wide\n $debug_message21 = \"Error, mismatched argument #2 for command 'unignore'\" wide\n $debug_message22 = \"Error, invalid target ruleid for command 'unignore'\" wide\n $debug_message23 = \"Error, mismatched argument #1 for command 'unhide'\" wide\n $debug_message24 = \"Error, mismatched argument #2 for command 'unhide'\" wide\n $debug_message25 = \"Error, invalid argument for command 'unhide'\" wide\n $debug_message26 = \"Error, invalid target objid for command 'unhide'\" wide\n $debug_message27 = 
\"Internal error #1, invalid type for command 'unhide'\" wide\n $debug_message28 = \"Internal error #2, invalid type for command 'unhide'\" wide\n $debug_message29 = \"Error, command 'unhide' rejected\" wide\n $debug_message30 = \"Command 'unhide' successful\" wide\n $debug_message31 = \"Error, invalid argument for command 'hide'\" wide\n $debug_message32 = \"Internal error, invalid type for command 'hide'\" wide\n $debug_message33 = \"Error, command 'hide' rejected\" wide\n $debug_message34 = \"Command 'hide' successful\" wide\n $debug_message35 = \"Error, mismatched argument #1 for command 'delete'\" wide\n $debug_message36 = \"Error, mismatched argument #2 for command 'delete'\" wide\n $debug_message37 = \"Error, invalid target pid for command\" wide\n\n condition:\n 10 of ($debug*)\n}\n", "rule_count": 1, "rule_names": [ "wingtb_cli" ], "rule_creation_date": "2025-09-02", "rule_modified_date": "2025-10-24", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.WingtbCLI" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1562" ], "rule_score": 70, "rule_context": [ "file.pe", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wingtb_rootkit_driver_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.576753Z", "creation_date": "2026-03-23T11:46:25.576755Z", "enabled": 
true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.576760Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\nhttps://asec.ahnlab.com/en/87804/\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks" ], "name": "wingtb_rootkit_driver.yar", "content": "rule wingtb_rootkit_driver {\n meta:\n title = \"Wingtb Rootkit Driver\"\n id = \"23bdff04-a77c-4e1a-8ef0-9645e976fa63\"\n description = \"Detects a hidden rootkit driver written in C++ and called Winkbj.sys.\\nThis driver is specialized in process, registry key, file and directory hiding and its main role is to conceal a malicious IIS module from security products.\\nA specific binary named WingtbCLI.exe is used to interact with this driver to specify the objects to hide.\\nThe debug strings matched by this rule reference removing PIDs from PspCidTable, so processes hidden by the driver will not appear in user-mode process enumeration on the live host.\\nIt is recommended to analyze the context around this alert, to rely on kernel memory acquisition rather than the live process list when hunting for the concealed IIS module and its processes, and to investigate further suspicious actions or network connections.\"\n references = \"https://harfanglab.io/insidethelab/rudepanda-owns-iis-servers-like-2003/\\nhttps://asec.ahnlab.com/en/87804/\\nhttps://threats.wiz.io/all-incidents/larva-25003-iis-native-module-malware-used-in-targeted-web-server-attacks\"\n date = \"2025-09-02\"\n modified = \"2025-10-24\"\n author = \"HarfangLab\"\n tags = \"attack.defense_evasion;attack.t1564.001;attack.t1562\"\n classification = \"Windows.Rootkit.WingtbDriver\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1\n // 88fd3c428493d5f7d47a468df985c5010c02d71c647ff5474214a8f03d213268\n\n $debug_msg00 = \"CleanFileFullDirectoryInformation\"\n 
$debug_msg01 = \"CleanFileBothDirectoryInformation\"\n $debug_msg02 = \"CleanFileDirectoryInformation\"\n $debug_msg03 = \"CleanFileIdFullDirectoryInformation\"\n $debug_msg04 = \"CleanFileIdBothDirectoryInformation\"\n $debug_msg05 = \"CleanFileNamesInformation\"\n $debug_msg06 = \"InitAddHiddenFile\"\n $debug_msg07 = \"AddHiddenFile\"\n $debug_msg08 = \"RemoveHiddenFile\"\n $debug_msg09 = \"RemoveAllHiddenFiles\"\n $debug_msg10 = \"InitAddHiddenDir\"\n $debug_msg11 = \"AddHiddenDir\"\n $debug_msg12 = \"RemoveHiddenDir\"\n $debug_msg13 = \"RemoveAllHiddenDirs\"\n $debug_msg14 = \"Added hidden file:%wZ\"\n $debug_msg15 = \"Adding hidden file failed with code:%08x, path:%wZ\"\n $debug_msg16 = \"Can't remove hidden file, code:%08x, id:%lld\"\n $debug_msg17 = \"All hidden files are removed\"\n $debug_msg18 = \"Can't remove all hidden files, code:%08x\"\n $debug_msg19 = \"Added hidden dir:%wZ\"\n $debug_msg20 = \"Adding hidden dir failed with code:%08x, path:%wZ\"\n $debug_msg21 = \"Can't remove hidden dir, code:%08x, id:%lld\"\n $debug_msg22 = \"All hidden dirs are removed\"\n $debug_msg23 = \"Can't remove all hidden dirs, code:%08x\"\n $debug_msg24 = \"Process object operation, destPid:%Iu, srcTid:%Iu, oper: %s, space: %s\"\n $debug_msg25 = \"Allow protected process access from %Iu to %Iu\"\n $debug_msg26 = \"Disallow protected process access from %Iu to %Iu\"\n $debug_msg27 = \"Thread object operation, destPid:%Iu, destTid:%Iu, srcPid:%Iu, oper:%s, space:%s\"\n $debug_msg28 = \"Allow protected thread access from %Iu to %Iu\"\n $debug_msg29 = \"Disallow protected thread access from %Iu to %Iu\"\n $debug_msg30 = \"Error, can't get active process links list, eprocess:%p\"\n $debug_msg31 = \"Error, can't find active system process\"\n $debug_msg32 = \"PID %Iu has been removed from PspCidTable, entry:%p, object:%p, access:%08x\"\n $debug_msg33 = \"PID %Iu has been restored to PspCidTable, entry:%p, object:%p, access:%08x\"\n $debug_msg34 = \"Warning, can't add 
process(pid:%Iu) to process table\"\n $debug_msg35 = \"Warning, can't remove process(pid:%Iu) from process table\"\n $debug_msg36 = \"Registry key is hidden: %wZ\"\n $debug_msg37 = \"Registry key is going to be hidden in: %wZ (inc: %d)\"\n $debug_msg38 = \"Registry value is going to be hidden in: %wZ (inc: %d)\"\n $debug_msg39 = \"Registry value has been hidden: %wZ\\\\%wZ (inc: %d)\"\n\n condition:\n 5 of ($debug_msg*)\n}\n", "rule_count": 1, "rule_names": [ "wingtb_rootkit_driver" ], "rule_creation_date": "2025-09-02", "rule_modified_date": "2025-10-24", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Rootkit.WingtbDriver" ], "rule_tactic_tags": [ "attack.defense_evasion" ], "rule_technique_tags": [ "attack.t1564.001", "attack.t1562" ], "rule_score": 100, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-winpeas_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.563414Z", "creation_date": "2026-03-23T11:46:25.563417Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.563426Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ 
"https://attack.mitre.org/techniques/T1082/\nhttps://attack.mitre.org/techniques/T1592/\nhttps://attack.mitre.org/tactics/TA0004/\nhttps://github.com/carlospolop/PEASS-ng/tree/master/winPEAS" ], "name": "winpeas.yar", "content": "rule winpeas_binaries {\n meta:\n title = \"WinPEAS Tool\"\n id = \"3282873a-3d94-4c4d-a315-5fc362d43d95\"\n description = \"Detects WinPEAS precompiled binaries.\\nWinPEAS is a popular open-source enumeration tool for privilege escalation. This tool can be used by attackers to enumerate privilege escalation vectors on a host.\\nIt is recommended to investigate the context around the execution of WinPEAS as well as to look for further malicious actions on the host.\"\n references = \"https://attack.mitre.org/techniques/T1082/\\nhttps://attack.mitre.org/techniques/T1592/\\nhttps://attack.mitre.org/tactics/TA0004/\\nhttps://github.com/carlospolop/PEASS-ng/tree/master/winPEAS\"\n date = \"2022-10-19\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.reconnaissance;attack.t1592.001;attack.t1592.002;attack.t1592.004;attack.privilege_escalation\"\n classification = \"Windows.Tool.WinPEAS\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86,x64\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // 911b27e9c68ba088aeef0b8042155332973a592346d92e5c4dafbdef4555ab42\n // 680fb130d71da2d424488e0a34d188e5045d43d79278767d5bb35e694c7b9926\n // 1a2d90a23fd42c352a89507306d91908fd318f9a2c63c2005d2125191bd5609f\n // b6a7bd6e96b3acb6cc248b736ceb8feb392cfbbe8f71417c731a43ad34e35b61\n // c49455b579f01a01dd8b1f6d37419238abd9e720bc4ed355d38fe3999321b917\n // 470a29e8a06dfb6db4c057b30d0866ebb538a3525342e7a5468141a8659f39e8\n\n $ascii_pea_1 = \" {0}(({1}#######(,.***.,(###################(..***.{2}*******{0}(((((\" wide ascii\n $ascii_pea_2 = \" {0}(({1}#######*(#####((##################((######/({2}*****{0}(((((\" wide ascii\n $ascii_pea_3 = \" 
{0}(({1}###################(/***********(##############({0})(((((\" wide ascii\n $ascii_pea_4 = \" {0}((({1}#####################/*******(################{0})((((((\" wide ascii\n $ascii_pea_5 = \" {0}(((({1}############################################{0})((((((\" wide ascii\n\n $hacktricks_link = \"https://book.hacktricks.xyz/\" ascii\n $internal_struct = \"winPEAS.\" ascii\n\n $cve_pocs_1 = \"https://exploit-db.com/exploits/46718\" fullword ascii\n $cve_pocs_2 = \"https://github.com/apt69/COMahawk\" fullword ascii\n $cve_pocs_3 = \"https://github.com/danigargu/CVE-2020-0796 (smbghost)\" fullword ascii\n $cve_pocs_4 = \"https://github.com/padovah4ck/\" ascii\n $cve_pocs_5 = \"https://github.com/rogue-kdc/CVE-2019-0841\" fullword ascii\n $cve_pocs_6 = \"https://github.com/S3cur3Th1sSh1t/SharpByeBear\" fullword ascii\n\n $general_1 = \"DwinPEAS.Info.FilesInfo.Office.Office+d__1\" fullword ascii\n $general_2 = \"If enabled, plain-text crds could be stored in LSAS\" fullword ascii\n $general_3 = \"norton_internet_secu_3.0_407.exe\" fullword ascii\n $general_4 = \"NTLM relay might be possible - other users authenticate to this machine using NTLM!\" fullword ascii\n $general_5 = \"QwinPEAS.KnownFileCreds.SecurityPackages.SecurityPackages+d__5\" fullword ascii\n\n condition:\n (uint16(0) == 0x5A4D and filesize < 3MB) and (\n all of ($ascii_pea_*) // ascii peas smile\n or #hacktricks_link > 2 // 3 or more hacktricks links\n or #internal_struct > 5 // More than 5 internal structs\n or 3 of ($cve_pocs_*) // 1/2 of CVE poc links\n or 3 of ($general_*) // 1/2 of general strings\n )\n}\n", "rule_count": 1, "rule_names": [ "winpeas_binaries" ], "rule_creation_date": "2022-10-19", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Tool.WinPEAS" ], "rule_tactic_tags": [ "attack.discovery", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1592.004", "attack.t1592.002", "attack.t1592.001", "attack.t1082" ], 
"rule_score": 70, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiper_caddywiper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583544Z", "creation_date": "2026-03-23T11:46:25.583546Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583552Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/" ], "name": "wiper_caddywiper.yar", "content": "rule caddy_wiper {\n meta:\n title = \"CaddyWiper\"\n id = \"4094e73d-8c7f-48fc-add6-e5ec31fe5fb1\"\n description = \"Detects CaddyWiper malware.\\nCaddyWiper is a destructive malware linked to cyberattacks targeting systems in Ukraine. 
It overwrites user files and tampers with the partition layout of physical drives (via IOCTL_DISK_SET_DRIVE_LAYOUT_EX) to render them inaccessible.\\nThe malware is known for its ability to overwrite file systems, leading to data loss and system instability.\\nIt is recommended to isolate the affected system and conduct a thorough investigation of file system integrity, as well as to search for other signs of wiping activity throughout the rest of the IT environment.\"\n references = \"https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/\"\n date = \"2022-03-15\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.001;attack.t1561.002\"\n classification = \"Windows.Wiper.CaddyWiper\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples :\n // 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\n // a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\n // f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\n // ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\n\n // Check if filesize < 10M to prevent huge writes\n $o1 = {\n 83 ?? ?? ?? FF FF 00 // cmp [ebp+fileSize], 0\n 73 ?? // jnb short loc_4029B8\n E9 ?? ?? 00 00 // jmp loc_402A51\n 81 ?? ?? ?? FF FF 00 00 A0 00 // cmp [ebp+fileSize], 0A00000h\n 76 ?? // jbe short loc_4029CE\n C7 ?? ?? ?? FF FF 00 00 A0 00 // mov [ebp+fileSize], 0A00000h\n }\n\n // Call to DeviceIoControl to tamper with partition layout\n $o2 = {\n 6A 00 // push 0\n 8D ?? ?? ?? FF FF // lea eax, [ebp+bytesReturned]\n 50 // push eax\n 6A 00 // push 0\n 6A 00 // push 0\n 68 80 07 00 00 // push 780h\n 8D ?? ?? ?? FF FF // lea ecx, [ebp+inBuffer]\n 51 // push ecx\n 68 54 C0 07 00 // push 7C054h --> IOCTL_DISK_SET_DRIVE_LAYOUT_EX\n 8B ?? ?? // mov edx, [ebp+physicalDriverHandle]\n 52 // push edx\n FF ?? ?? 
// call [ebp+DeviceIoControlFunc]\n }\n\n // Checks for custom file attributes\n $o3 = {\n 8B ?? ?? ?? FF FF // mov ecx, [ebp+firstFileData.dwFileAttributes]\n 83 E1 10 // and ecx, 10h\n 0F ?? ?? 00 00 00 // jz loc_402913\n 0F ?? ?? ?? ?? FF FF // movsx edx, [ebp+firstFileData.cFileName]\n 83 FA 2E // cmp edx, 2Eh ; '.'\n 75 ?? // jnz short loc_40289E\n 0F ?? ?? ?? ?? FF FF // movsx eax, [ebp+firstFileData.cFileName+1]\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_402899\n 0F ?? ?? ?? ?? FF FF // movsx ecx, [ebp+firstFileData.cFileName+1]\n 83 F9 2E // cmp ecx, 2Eh ; '.'\n 75 ?? // jnz short loc_40289E\n E9 ?? ?? 00 00 // jmp loc_402A51\n 8B ?? ?? ?? FF FF // mov edx, [ebp+firstFileData.dwFileAttributes]\n 83 E2 02 // and edx, 2\n 75 0B // jnz short loc_4028B4\n 8B ?? ?? ?? FF FF // mov eax, [ebp+firstFileData.dwFileAttributes]\n 83 E0 04 // and eax, 4\n 74 ?? // jz short loc_4028B9\n E9 ?? ?? 00 00 // jmp loc_402A51\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 100KB and all of them\n}\n", "rule_count": 1, "rule_names": [ "caddy_wiper" ], "rule_creation_date": "2022-03-15", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.CaddyWiper" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1561.001", "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiper_doublezero_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, 
"is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574797Z", "creation_date": "2026-03-23T11:46:25.574800Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574805Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://cert.gov.ua/article/38088" ], "name": "wiper_doublezero.yar", "content": "rule doublezero_wiper {\n meta:\n title = \"DoubleZero Wiper\"\n id = \"32020d90-2056-48e1-9c20-4cffcbaa5096\"\n description = \"Detects the destructive .NET DoubleZero malware involved in Ukraine cyberattacks in March 2022.\\nDoubleZero is a file-wiper malware that specifically targets user files and disks by overwriting them with zeros. The malware is known for its destructive nature and was used in cyberattacks against Ukrainian targets. 
It operates by seeking out specific directories and files to erase, leading to permanent data loss if not promptly addressed.\\nIt is recommended to isolate the affected system and conduct a thorough investigation to identify and preserve any remaining data.\"\n references = \"https://cert.gov.ua/article/38088\"\n date = \"2022-03-23\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.001;attack.t1561.002\"\n classification = \"Windows.Wiper.DoubleZero\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection of these samples:\n // 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe\n // 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a\n\n $s1 = \"FsctlSetZeroData\" ascii fullword\n $s2 = \"IOControlCode\" ascii fullword\n $s3 = \"DriveInfo\" ascii fullword\n $s4 = \"lsass\" wide\n $s5 = \"\\\\Users\\\\\\\\.*?\\\\\\\\Local Settings.*\" wide\n $s6 = \"\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Application Data.*\" wide\n $s7 = \"\\\\Users\\\\\\\\.*?\\\\\\\\Start Menu.*\" wide\n $s8 = \"\\\\Users\\\\\\\\.*?\\\\\\\\Application Data.*\" wide\n $s9 = \"\\\\ProgramData\\\\\\\\Microsoft.*\" wide\n $s10 = \"\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft.*\" wide\n $s11 = \"\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft.*\" wide\n\n // Call to NtFsControlFile with parameter FSCTL_SET_ZERO_DATA\n $fsctlsetzero = {\n 20 C8800900 // IL_07CE: ldc.i4 622792 --> FSCTL_SET_ZERO_DATA\n 6A // IL_07D3: conv.i8\n 11 ?? // IL_07D4: ldloc.s V_16\n 11 ?? 
// IL_07D6: ldloc.s V_13\n 8C [4] // IL_07D8: box NtDllClass/\n 28 [4] // IL_07DD: call int32 [mscorlib]System.Runtime.InteropServices.Marshal::SizeOf(object)\n 6A // IL_07E2: conv.i8\n 7E [4] // IL_07E3: ldsfld native int [mscorlib]System.IntPtr::Zero\n 1F 0D // IL_07E8: ldc.i4.s 13\n 8D [4] // IL_07EA: newarr [mscorlib]System.Int32\n 25 // IL_07EF: dup\n D0 [4] // IL_07F0: ldtoken field valuetype ''/'__StaticArrayInitTypeSize=52' ''::CCA3D9F1787DF013972C4E7ED1C166D84D31B5CA\n 28 [4] // IL_07F5: call void [mscorlib]System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(class [mscorlib]System.Array, valuetype [mscorlib]System.RuntimeFieldHandle)\n 16 // IL_07FA: ldc.i4.0\n 16 // IL_07FB: ldc.i4.0\n 28 [4] // IL_07FC: call int32 CryptoClass::GetBuffer(int32[], int32, int32)\n 6A // IL_0801: conv.i8\n 28 // IL_0802: call uint32 NtDllClass::NtFsControlFile(class [mscorlib]\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 800KB and 10 of ($s*) and $fsctlsetzero\n}\n", "rule_count": 1, "rule_names": [ "doublezero_wiper" ], "rule_creation_date": "2022-03-23", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.DoubleZero" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1561.001", "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiper_hermeticwiper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, 
"is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.573187Z", "creation_date": "2026-03-23T11:46:25.573190Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.573199Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia" ], "name": "wiper_hermeticwiper.yar", "content": "rule hermetic_wiper {\n meta:\n title = \"HermeticWiper\"\n id = \"38ac4ed6-de36-4387-8b16-f8a6a1dae3f4\"\n description = \"Detects the HermeticWiper malware involved in Ukraine cyberattacks.\\nHermeticWiper is a destructive malware known for targeting the Master Boot Record (MBR) and system files. It was used in cyberattacks against Ukrainian infrastructure in February 2022. 
The malware modifies the MBR to prevent the operating system from booting successfully and is designed to erase critical system partitions and files, rendering the system inoperable.\\nIt is recommended to isolate the affected systems and to conduct a thorough investigation to determine the origin of the execution of the malware.\"\n references = \"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\"\n date = \"2022-02-24\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.002\"\n classification = \"Windows.Wiper.HermeticWiper\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Strings for all samples\n\n $s1 = \"\\\\\\\\.\\\\EPMNTDRV\\\\\" wide\n $s2 = \"\\\\\\\\?\\\\C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\" fullword wide\n $s3 = \"$INDEX_ALLOCATION\" fullword wide\n\n $s4 = \"ENIGMA\" fullword ascii\n $s5 = \"Hermetica Digital Ltd\" ascii\n\n $s6 = \"DRV_X64\" fullword wide\n $s7 = \"DRV_X86\" fullword wide\n $s8 = \"DRV_XP_X64\" fullword wide\n $s9 = \"DRV_XP_X86\" fullword wide\n\n // Detection for these samples :\n // c0e0583350f86705a51ca2db9b2d6f77de9129411429eee2bdcfc8aab7f21571\n // 4aa186b5fdcc8248a9672bf21241f77dd395872ec4876c90af5d27ae565e4cb7\n // 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da\n // 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\n // 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf\n // 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767\n // 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397\n // 291ae59b6edfea6b8555d25714383d1aa343ee23095ba041f197c5bd0cbc0e67\n // ba2888c4eb49268c9594d9837c08affc884172f0e6fc9f988b54a73844bf9152\n // d52113cf2b938447293b195ecfc2b3c9fa61bfab787b6723fc13972b72f90bd5\n // 
0d53608c4f7d408e454eafa52b764d8d2bc154d704953c550a29011f759cda2f\n // e259bfd145e3b290f0e205b7177bb6e659e3af236f2aaad8ba57c2d927776018\n\n // bit of code for the random filename generation\n // based on the current process id.\n $o1 = {\n FF ?? ?? ?? ?? ?? // call ds:GetCurrentProcessId\n 8B F8 // mov edi, eax\n 33 D2 // xor edx, edx\n 6A 04 // push 4 ; cchDestBuffSize\n 68 ?? ?? ?? ?? // push offset pszSrc ; \"drv\"\n 8D 47 01 // lea eax, [edi+1]\n F7 F6 // div esi\n 8B CA // mov ecx, edx\n 33 D2 // xor edx, edx\n 8B C1 // mov eax, ecx\n F7 F6 // div esi\n 8B F2 // mov esi, edx\n 33 D2 // xor edx, edx\n 8B C6 // mov eax, esi\n C1 E0 10 // shl eax, 10h\n 03 C1 // add eax, ecx\n F7 ?? ?? // div [ebp+var_10]\n 0F B7 ?? ?? ?? // movzx eax, word ptr [ebp+edx*2+alphabet]\n 33 D2 // xor edx, edx\n 66 89 03 // mov [ebx], ax\n 8D 04 39 // lea eax, [ecx+edi]\n B9 F1 FF 00 00 // mov ecx, 0FFF1h\n F7 F1 // div ecx\n 8B CA // mov ecx, edx\n 33 D2 // xor edx, edx\n 8D 04 0E // lea eax, [esi+ecx]\n BE F1 FF 00 00 // mov esi, 0FFF1h\n F7 F6 // div esi\n C1 E2 10 // shl edx, 10h\n 8D 04 11 // lea eax, [ecx+edx]\n 33 D2 // xor edx, edx\n B9 1A 00 00 00 // mov ecx, 1Ah\n F7 F1 // div ecx\n 8D 4B 02 // lea ecx, [ebx+2]\n 51 // push ecx ; pszDest\n 0F B7 ?? ?? ?? // movzx eax, word ptr [ebp+edx*2+alphabet]\n 66 89 01 // mov [ecx], ax\n FF ?? ?? ?? ?? ?? // call ds:StrCatBuffW\n 33 C0 // xor eax, eax\n 66 89 43 0C // mov [ebx+0Ch], ax\n }\n\n // Detection for these samples :\n // e7d77ec65309dbff48fe5792defe2e6fafb50f5e5dd95ab03528e6f12c893e3d\n // 1df677af28eb2e393169cf37e3a55a3ab1ef7afdce724d65b8872a7ab87b2640\n // 4351c16a3756328d9ce2ef588e77084b134f6659bf84f4efb5eac80924d636d4\n // c0e0583350f86705a51ca2db9b2d6f77de9129411429eee2bdcfc8aab7f21571\n\n // Enigma Protector decrypt code\n $o2 = {\n B8 ?? ?? ?? 00 // mov eax, 37E0D0h\n 03 C5 // add eax, ebp\n 81 C0 ?? 00 00 00 // add eax, 93h ; '“'\n B9 ?? ?? 00 00 // mov ecx, 5B6h\n BA ?? ?? ?? ?? 
// mov edx, 0CBABD56h\n // loc_77E154: ; CODE XREF: .data:0077E158↓j\n 30 10 // xor [eax], dl\n 40 // inc eax\n 49 // dec ecx\n 0F 85 F6 FF FF FF // jnz loc_77E154\n E9 04 00 00 00 // jmp loc_77E167\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 2MB and 6 of ($s*) and 1 of ($o*)\n}\n", "rule_count": 1, "rule_names": [ "hermetic_wiper" ], "rule_creation_date": "2022-02-24", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.HermeticWiper" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiper_isaacwiper_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583516Z", "creation_date": "2026-03-23T11:46:25.583518Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583523Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/" ], "name": "wiper_isaacwiper.yar", "content": "rule isaac_wiper {\n meta:\n title = \"IsaacWiper\"\n id = 
\"be96c5da-a49a-42fb-ba9a-75b72ef22be7\"\n description = \"Detects the destructive IsaacWiper malware involved in Ukraine cyberattacks in February 2022.\\nIsaacWiper is a wiper malware that specifically targets physical and logical drives on affected systems. The malware writes 64kB of random data at offset 0, rendering the drives unreadable and causing significant data corruption.\\nIt is recommended to isolate the affected system and to conduct a thorough investigation to determine the origin of the execution of the malware.\"\n references = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\"\n date = \"2022-03-15\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1485;attack.t1561.001;attack.t1561.002\"\n classification = \"Windows.Wiper.IsaacWiper\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033\n // 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0\n\n $s1 = \"C:\\\\ProgramData\\\\log.txt\" fullword wide\n $s2 = \"getting drives...\" fullword wide\n $s3 = \"physical drives:\" fullword wide\n $s4 = \"-- system physical drive\" fullword wide\n $s5 = \"-- physical drive\" fullword wide\n $s6 = \"logical drives:\" fullword wide\n $s7 = \"-- system logical drive:\" fullword wide\n $s8 = \"-- logical drive:\" fullword wide\n $s9 = \"start erasing physical drives...\" fullword wide\n $s10 = \"-- FAILED\" fullword wide\n $s11 = \"physical drive\" fullword wide\n $s12 = \"-- start erasing logical drive\" fullword wide\n $s13 = \"start erasing system physical drive...\" fullword wide\n $s14 = \"system physical drive -- FAILED\" fullword wide\n $s15 = \"start erasing system logical drive\" fullword wide\n\n // Mersenne twister initialisation\n $o1 = {\n FF ?? ?? ?? ?? ?? 
// call ds:GetTickCount\n 89 ?? ?? ?? FF FF // mov [ebp+var_9F0], eax\n B8 01 00 00 00 // mov eax, 1\n 0F ?? ?? ?? 00 00 00 00 // nop dword ptr [eax+eax+00000000h]\n 8B ?? ?? ?? ?? FF FF // mov ecx, [ebp+eax*4+var_9F4]\n 8B D1 // mov edx, ecx\n C1 EA 1E // shr edx, 1Eh\n 33 D1 // xor edx, ecx\n 69 CA 65 89 07 6C // imul ecx, edx, 6C078965h\n 03 C8 // add ecx, eax\n 89 ?? ?? ?? ?? FF FF // mov [ebp+eax*4+var_9F0], ecx\n 40 // inc eax\n 3D 70 02 00 00 // cmp eax, 270h\n }\n\n // Mersenne twister generation\n $o2 = {\n C1 E8 0B // shr eax, 0Bh\n 42 // inc edx\n 33 C8 // xor ecx, eax\n 89 ?? ?? // mov [ebp+var_30], edx\n 8B C1 // mov eax, ecx\n 25 AD 58 3A FF // and eax, 0FF3A58ADh\n C1 E0 07 // shl eax, 7\n 33 C8 // xor ecx, eax\n 8B C1 // mov eax, ecx\n 25 8C DF FF FF // and eax, 0FFFFDF8Ch\n C1 E0 0F // shl eax, 0Fh\n 33 C8 // xor ecx, eax\n 8B C1 // mov eax, ecx\n C1 E8 12 // shr eax, 12h\n 33 C1 // xor eax, ecx\n }\n\n // Check for specific file attribute\n $o3 = {\n 8B ?? ?? ?? FF FF // mov eax, [ebp+FindFileData.dwFileAttributes]\n C1 E8 04 // shr eax, 4\n F6 D0 // not al\n A8 01 // test al, 1\n 8D ?? ?? ?? FF FF // lea eax, [ebp+FindFileData.cFileName]\n 0F ?? ?? ?? 00 00 // jz loc_100038DD\n 66 ?? ?? ?? ?? FF FF 00 // cmp [ebp+FindFileData.cFileName], 0\n 74 ?? 
// jz short loc_1000383C\n }\n\n condition:\n uint16(0) == 0x5A4D and filesize < 400KB and 10 of ($s*) and 2 of ($o*)\n}\n", "rule_count": 1, "rule_names": [ "isaac_wiper" ], "rule_creation_date": "2022-03-15", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.IsaacWiper" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1561.001", "attack.t1485", "attack.t1561.002" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wiper_samecoin_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583574Z", "creation_date": "2026-03-23T11:46:25.583575Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583581Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://twitter.com/NicoleFishi19/status/1756936882095534532" ], "name": "wiper_samecoin.yar", "content": "rule samecoin_campaign_wiper {\n meta:\n title = \"SameCoin Wiper\"\n id = \"fbd7e36e-3068-4223-8fec-b006a0e62524\"\n description = \"Detects the SameCoin wiper, a file-wiping malware associated with the TA3700 threat group.\\nSameCoin is known to overwrite specific files 
located in the Windows directory, potentially causing system instability.\\nIt is recommended to isolate the affected system and to start a forensic investigation to determine the origin of the execution of the malware.\"\n references = \"https://twitter.com/NicoleFishi19/status/1756936882095534532\"\n date = \"2024-02-14\"\n modified = \"2025-03-06\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1083;attack.impact;attack.t1485\"\n classification = \"Windows.Wiper.SameCoin\"\n context = \"process,file.pe\"\n os = \"Windows\"\n arch = \"x86\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89\n\n $code = { 68 57 04 00 00 50 E8 } // push 1111; push eax; call\n $wl_1 = \"C:\\\\Users\\\\Public\\\\Microsoft Connection Agent.jpg\" ascii\n $wl_2 = \"C:\\\\Users\\\\Public\\\\Video.mp4\" ascii\n $wl_3 = \"C:\\\\Users\\\\Public\\\\Microsoft System Agent.exe\" ascii\n $wl_4 = \"C:\\\\Users\\\\Public\\\\Microsoft System Manager.exe\" ascii\n $wl_5 = \"C:\\\\Users\\\\Public\\\\Windows Defender Agent.exe\" ascii\n\n condition:\n uint16(0) == 0x5A4D and filesize < 200KB and\n $code and 3 of ($wl_*)\n}\n", "rule_count": 1, "rule_names": [ "samecoin_campaign_wiper" ], "rule_creation_date": "2024-02-14", "rule_modified_date": "2025-03-06", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Wiper.SameCoin" ], "rule_tactic_tags": [ "attack.discovery", "attack.impact" ], "rule_technique_tags": [ "attack.t1083", "attack.t1485" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wmeye_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.588378Z", "creation_date": "2026-03-23T11:46:25.588380Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.588385Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/pwn1sher/WMEye" ], "name": "wmeye.yar", "content": "rule wmeye {\n meta:\n title = \"WMEye HackTool\"\n id = \"0aa40ad2-a09c-469a-879d-843de43d1b95\"\n description = \"Detects the WMEye hacktool.\\nWMEye is a tool designed for fileless lateral movement and persistence using WMI and MSBuild. 
It creates WMI remote classes and filters to trigger payload execution, and uses Win32_Process Create to build payloads on target hosts.\\nIt is recommended to investigate WMI activity for potential lateral movement and to look for further malicious actions on the host.\"\n references = \"https://github.com/pwn1sher/WMEye\"\n date = \"2022-10-27\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1047\"\n classification = \"Windows.HackTool.WMEye\"\n context = \"process,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 9eba1ff7ed0fe8411c7dc2a5289554a08d795f6ea96d2202dfd3b1fdb47b3075\n\n $s1 = \"TriggerFileUpload\" fullword ascii\n $s2 = \"ExecutePayload\" fullword ascii\n $s3 = \"SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA \\\"Win32_Process\\\" AND TargetInstance.Name = \\\"powershell.exe\\\"\" fullword wide\n $s4 = \"[X] Uploading Shellcode into target\" fullword wide\n $s5 = \"[*] Event consumer created.\" fullword wide\n $s6 = \"C:\\\\magic.xml\" fullword wide\n $s7 = \"[X] ShellCode Property Created\" fullword wide\n\n condition:\n uint16(0) == 0x5a4d and filesize < 100KB and 4 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "wmeye" ], "rule_creation_date": "2022-10-27", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.WMEye" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1047" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wmiexec_pro_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.582208Z", "creation_date": "2026-03-23T11:46:25.582210Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.582215Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/XiaoliChan/wmiexec-Pro/" ], "name": "wmiexec_pro.yar", "content": "rule wmiexec_pro {\n meta:\n title = \"WMIExecPro Python HackTool\"\n id = \"61b5c37f-1ad8-4466-9c67-6b85651673c5\"\n description = \"Detects the WMIExec-pro Python HackTool.\\nWMIExec-pro is a set of Python scripts designed to execute commands via the Windows Management Instrumentation (WMI) protocol. The tool includes various scripts for different purposes such as command execution, process enumeration, AMSI bypass, file transfer, and service manipulation. 
It allows attackers to perform remote command execution, data exfiltration, and system configuration changes.\\nIt is recommended to dump the affected process and perform a thorough investigation to identify any unauthorized changes or data exfiltration activities.\"\n references = \"https://github.com/XiaoliChan/wmiexec-Pro/\"\n date = \"2023-09-01\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1047;attack.t1053.005\"\n classification = \"Windows.HackTool.WMIExecPro\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 21ff03a4678145ae21e9af3e5392123c9de6d26c6c56cf5c359b63112aa5ef4a\n\n // enumerate.py\n $s1 = \"Enumerate system info\" ascii\n $s2 = \"Doing basic enumeration\" ascii\n\n // amsi.py\n $s3 = \"Bypass AMSI with registry key \\\"AmsiEnable\\\".\" ascii\n $s4 = \"Enable AMSI bypass\" ascii\n $s5 = \"Disable AMSI bypass\" ascii\n\n // exec_command.py\n $s6 = \"Execute command in with/without output way.\"\n $s7 = \"Launch a semi-interactive shell\" ascii\n $s8 = \"fy command to execute\" ascii\n $s9 = \"Execute command for old system versio nunder NT6.\" ascii\n $s10 = \"Command execute with output (default is no output)\" ascii\n $s11 = \"Save command output to file (not support silent mode)\" ascii\n $s12 = \"Remove temporary class for command result storage\" ascii\n\n // filetransfer.py\n $s13 = \"Upload/Download file through wmi class.\" ascii\n $s14 = \"Upload file.\" ascii\n $s15 = \"Download file.\" ascii\n $s16 = \"Source file with fully path (include filename)\" ascii\n $s17 = \"Dest file with fully path (include filename)\" ascii\n $s18 = \"Remove temporary class for storage binary data\" ascii\n\n // rdp.py\n $s19 = \"Enable/Disable Remote desktop service.\" ascii\n $s20 = \"Enable RDP service\" ascii\n $s21 = \"Enable Restricted Admin Mode for PTH\" ascii\n $s22 = \"Disable RDP service\" ascii\n 
$s23 = \"Disable Restricted Admin Mode\" ascii\n $s24 = \"Enable/Disable RDP for old system versio nunder NT6.\" ascii\n\n // winrm.py\n $s25 = \"Enable/Disable WINRM service.\" ascii\n $s26 = \"Enable WINRM service\" ascii\n $s27 = \"Disable WINRM service\" ascii\n\n // firewall.py\n $s28 = \"Firewall abusing.\" ascii\n $s29 = \"Search rules associate with the port.\" ascii\n $s30 = \"Dump all firewall rules to file as json format.\" ascii\n $s31 = \"Specify firewall rule instance id to do operation in \\\"-rule-op\\\"\" ascii\n $s32 = \"Action of firewall rule which you specify.\" ascii\n $s33 = \"Use it on your own risk if you try to do this one.\" ascii\n\n condition:\n 10 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "wmiexec_pro" ], "rule_creation_date": "2023-09-01", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.WMIExecPro" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1047", "attack.t1053.005" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-wmiexec_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.581973Z", "creation_date": "2026-03-23T11:46:25.581976Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:46:25.581985Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/WKL-Sec/WMIExec/tree/main" ], "name": "wmiexec.yar", "content": "rule wmiexec {\n meta:\n title = \"WMIExec Python HackTool\"\n id = \"65db29cf-fc11-4c83-a64f-c5db6dc14921\"\n description = \"Detects the execution of WMIExec, a set of Python scripts designed to enable command execution via the Windows Management Instrumentation (WMI) protocol.\\nWMIExec is a tool that allows attackers to execute commands on remote systems using WMI, a distributed component object model (DCOM) service. This rule identifies the activity by detecting specific patterns in process execution and network communication attempts associated with WMIExec.\\nIt is recommended to dump the affected process and investigate WMI activity for potential malicious communication.\"\n references = \"https://github.com/WKL-Sec/WMIExec/tree/main\"\n date = \"2023-09-01\"\n modified = \"2025-03-18\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1047;attack.t1053.005\"\n classification = \"Windows.HackTool.WMIExec\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ddc34a6013c879cc644bce1fb23e52312e890c783eead6009633436fb1478454\n // ef3e251f57f4ef72a417f39441c7f7fe62f4fbe60493affa4409513710ace1c0\n\n $common = \"kleiton0x7e\" ascii\n\n $schtasks_1 = \"[+] Command will be executed on\" ascii\n $schtasks_2 = \"Failed to connect to the remote WMI namespace:\" fullword ascii\n $schtasks_3 = \"[+] Command executed successfully. Job ID:\" fullword ascii\n\n $w32process_1 = \" | curl -X POST -k -H 'Content-Type: text/plain' --data-binary @-\" ascii\n $w32process_2 = \"[+] Command executed successfully. 
Process ID:\" ascii\n\n condition:\n $common and (all of ($schtasks_*) or all of ($w32process_*))\n}\n", "rule_count": 1, "rule_names": [ "wmiexec" ], "rule_creation_date": "2023-09-01", "rule_modified_date": "2025-03-18", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.HackTool.WMIExec" ], "rule_tactic_tags": [ "attack.execution" ], "rule_technique_tags": [ "attack.t1047", "attack.t1053.005" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xenorat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.567392Z", "creation_date": "2026-03-23T11:46:25.567394Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.567399Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/moom825/xeno-rat/\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat" ], "name": "xenorat.yar", "content": "rule xeno_rat {\n meta:\n title = \"Xeno RAT\"\n id = \"0275a808-0da9-4d55-a0e7-b4ae5266d314\"\n description = \"Detects the Xeno RAT Client, an open-source Remote Access Tool (RAT) written in C#.\\nXeno RAT is designed to provide remote control capabilities for 
computers. This tool has been abused by various threat actors for malicious activities, including unauthorized access and data exfiltration. The malware establishes communication channels and can perform actions such as process enumeration and persistence mechanisms.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://github.com/moom825/xeno-rat/\\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xenorat\"\n date = \"2024-11-15\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.command_and_control;attack.t1219\"\n classification = \"Windows.Trojan.XenoRAT\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 388d80a52076aa1f8329606606b21086eddf22d051624057b329c9250489f0c7\n // 7b1b1f0b3e2428bb69a5c61fdbc573fd7e0a8ef27094ca1504c7fac173ff0a8e\n // 45d32d2bcbd32fe8ca74472498a2a7429d1ce6fd5ea7283892ed81f128ca8ca1\n // a613c952168c9a5fb4bd937d036857f1759a0dde6019f147d41df1ccf3aeedf7\n // eef18c81faeee1877aa9cd8d8aef18b643a434fd3da221cc724070ec863e5fcd\n // 4079c8b353cbed438c29fe62ff7315fea2a90ff3cc16055801939f647d2f2d26\n // 9037601de282b706cf457116b42b3d36e3ccd7842b13b08efced4337230ced80\n\n $generic_s1 = \"SELECT * FROM AntivirusProduct\" wide fullword\n $generic_s2 = \"SELECT * FROM Win32_OperatingSystem\" wide fullword\n $generic_s3 = \"CreateEncryptor\" wide fullword\n $generic_s4 = \"nothingset\" wide fullword\n $generic_s5 = \"\\\\root\\\\SecurityCenter2\" wide fullword\n $generic_s6 = \"/query /v /fo csv\" wide fullword\n $generic_s7 = \"/C choice /C Y /N /D Y /T 3 & Del\" wide fullword\n $generic_s8 = \"/query /v /fo csv\" base64 // base64 encoded in newer versions\n $generic_s9 = \"/C choice /C Y /N /D Y /T 3 & Del\" base64 // base64 encoded in newer versions\n\n $specific_s1 = \"XenoUpdateManager\" wide fullword\n $specific_s2 = \"xeno rat client\" wide fullword\n 
$specific_s3 = \"xeno_rat_\" wide nocase\n\n // https://github.com/moom825/xeno-rat/blob/eb8edbd58a52c0646214c4c1c85414d25e085d86/xeno%20rat%20client/Utils.cs#L88\n $stub_isadmin = {\n 16 // ldc.i4 0x0\n 0A // stloc local0\n [0-2]\n 28 [4] // call [shell32.IsUserAnAdmin]\n 0A // stloc local0\n [0-2]\n DE 03 // leave.s .1\n 26 // pop\n [0-2]\n DE 00 // leave.s .1\n [1-5]\n 2A // ret\n }\n\n // https://github.com/moom825/xeno-rat/blob/eb8edbd58a52c0646214c4c1c85414d25e085d86/xeno%20rat%20client/Utils.cs#L98\n $stub_getantivirus = {\n 73 [4] // newobj [System.Collections.GenericList`1.ctor]\n [0-2]\n 72 [4] // ldstr \"\\\\\\\\\"\n 28 [4] // call [System.Environment.get_MachineName]\n 72 [4] // ldstr \"\\\\root\\\\SecurityCenter2\"\n 28 [4] // call [System.String.Concat]\n [0-2]\n 72 [4] // ldstr \"SELECT * FROM AntivirusProduct\"\n 73 [4] // newobj [System.Management.ManagementObjectSearcher.ctor]\n 0B // stloc local1\n [0-2]\n 07 // ldloc local1\n 6F [4] // callvirt [System.Management.ManagementObjectSearcher.get]\n 6F [4] // callvirt [System.Management.ManagementObjectCollection.GetEnumerator]\n 0C // stloc local2\n 2B ?? 
// br.s .3\n 08 // ldloc local2\n 6F [4] // callvirt [System.Management.ManagementObjectCollection.ManagementObjectEnumerator.get_Current]\n [0-5]\n 72 [4] // ldstr \"displayName\"\n 6F [4] // callvirt [System.ManagementBaseObject.GetPropertyValue]\n 6F // callvirt [System.Object.ToString]\n }\n\n // https://github.com/moom825/xeno-rat/blob/eb8edbd58a52c0646214c4c1c85414d25e085d86/xeno%20rat%20client/Utils.cs#L56\n $stub_active_window_caption = {\n 7E [4] // ldsfld [System.String.Empty]\n 0A // stloc local0\n 28 [4] // call [user32.GetForegroundWindow]\n 0B // stloc local1\n 07 // ldloc local1\n 28 [4] // call [user32.GetWindowTextLength]\n 17 // ldc.i4 0x1\n 58 // add\n 0C // stloc local2\n 08 // ldloc local2\n 73 [4] // newobj [System.Text.StringBuilder.ctor]\n 0D // stloc local3\n 07 // ldloc local1\n 09 // ldloc local3\n 08 // ldloc local2\n 28 [4] // call [user32.GetWindowText]\n 16 // ldc.i4 0x0\n [2-10]\n 6F // callvirt [System.Object.ToString]\n }\n\n condition:\n uint16(0) == 0x5a4d and\n (\n all of ($stub_*) or\n (\n 4 of ($generic_s*) and\n 1 of ($specific_s*)\n )\n )\n}\n", "rule_count": 1, "rule_names": [ "xeno_rat" ], "rule_creation_date": "2024-11-15", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.XenoRAT" ], "rule_tactic_tags": [ "attack.command_and_control" ], "rule_technique_tags": [ "attack.t1219" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xenostealer_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "high", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", 
"name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.572532Z", "creation_date": "2026-03-23T11:46:25.572534Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.572540Z", "rule_level": "high", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/moom825/XenoStealer\nhttps://www.elastic.co/security-labs/katz-and-mouse-game\nhttps://attack.mitre.org/techniques/T1555/" ], "name": "xenostealer.yar", "content": "rule xenostealer {\n meta:\n title = \"XenoStealer Infostealer\"\n id = \"6ed58aee-da9f-4d6a-b6a4-391c641c8d44\"\n description = \"Detects XenoStealer Infostealer.\\nXenoStealer is an information-stealing malware sold as Malware-as-a-Service that targets sensitive data from web browsers, cryptocurrency wallets, and various applications, drawing inspiration from established stealers like Vidar and Raccoon.\\nIt is recommended to verify the process for its legitimacy and establish the origin of the executable.\"\n references = \"https://github.com/moom825/XenoStealer\\nhttps://www.elastic.co/security-labs/katz-and-mouse-game\\nhttps://attack.mitre.org/techniques/T1555/\"\n date = \"2025-05-06\"\n modified = \"2025-07-02\"\n author = \"HarfangLab\"\n tags = \"attack.credential_access;attack.t1555.003\"\n classification = \"Windows.Stealer.XenoStealer\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 70\n confidence = \"strong\"\n\n strings:\n $stub_injectassemblyx64 = {\n 55 48 89 E5 48 83 EC 40 49 89 CC 41 FF 54 24 10 48 89 C1 BA 08 00 00 00 41 B8 00 04 00 00 41 FF 14 24 48 89 C3 49 8B 04 24 48 89 83 90 01 00 00 49 8B 44 24 08 48 89 83 98 01 00 00 49 8B 44 24 10 48 89 83 A0 01 00 00 49 8B 44 24 18 48 89 83 A8 01 00 00 
49 8B 44 24 20 48 89 83 B0 01 00 00 49 8B 44 24 28 48 89 83 D0 00 00 00 49 8B 44 24 30 48 89 83 D8 00 00 00 4C 89 E0 48 83 C0 40 48 89 83 58 02 00 00 4C 89 E0 48 83 C0 40 49 03 44 24 38 48 83 C0 08 48 89 83 60 02 00 00 E8 8B 06 00 00 48 83 F8 00 0F 84 EC 03 00 00 48 89 5B 08 E8 41 04 00 00 48 89 43 10 E8 81 04 00 00 48 89 43 18 48 8B 4B 10 48 8B 53 18 4C 8B 43 08 FF 93 F8 01 00 00 48 83 F8 00 0F 85 BA 03 00 00 48 8B 03 48 8B 00 48 8B 40 28 48 89 43 20 48 89 D8 48 83 C0 28 48 89 43 30 48 8B 0B 48 8B 53 30 FF 53 20 48 83 F8 00 0F 85 8D 03 00 00 E8 78 04 00 00 48 89 43 38 48 89 D8 48 83 C0 40 48 89 43 48 48 89 D8 48 83 C0 50 48 89 43 58 48 8B 43 28 48 8B 00 48 8B 40 18 48 89 43 60 48 8B 4B 28 48 C7 C2 01 00 00 00 4C 8B 43 58 49 C7 C1 00 00 00 00 FF 53 60 48 83 F8 00 75 1A 48 8B 43 50 48 8B 00 48 8B 00 48 8B 4B 50 48 8B 53 38 4C 8B 43 48 FF D0 EB C7 48 83 7B 40 00 0F 84 1B 03 00 00 48 8B 43 40 48 8B 00 48 8B 40 48 48 89 43 68 E8 40 04 00 00 48 89 43 70 E8 80 04 00 00 48 89 43 78 48 89 D8 48 05 80 00 00 00 48 89 83 88 00 00 00 48 8B 4B 40 48 8B 53 78 4C 8B 43 70 4C 8B 8B 88 00 00 00 FF 53 68 48 83 F8 00 0F 85 CA 02 00 00 48 83 BB 80 00 00 00 00 0F 84 BC 02 00 00 48 8B 83 80 00 00 00 48 8B 00 48 8B 40 50 48 89 83 90 00 00 00 48 8B 8B 80 00 00 00 FF 93 90 00 00 00 48 83 F8 00 0F 85 90 02 00 00 48 8B 83 80 00 00 00 48 8B 00 48 8B 40 68 48 89 83 98 00 00 00 48 89 D8 48 05 A0 00 00 00 48 89 83 A8 00 00 00 E8 31 04 00 00 48 89 83 B0 00 00 00 48 8B 8B 80 00 00 00 48 8B 93 A8 00 00 00 FF 93 98 00 00 00 48 83 BB A0 00 00 00 00 0F 84 3D 02 00 00 48 89 D8 48 05 B8 00 00 00 48 89 83 C0 00 00 00 48 8B 83 A0 00 00 00 48 8B 00 48 8B 00 48 89 83 C8 00 00 00 48 8B 8B A0 00 00 00 48 8B 93 B0 00 00 00 4C 8B 83 C0 00 00 00 FF 93 C8 00 00 00 48 83 BB B8 00 00 00 00 0F 84 F0 01 00 00 B9 08 00 00 00 E8 F2 01 00 00 48 89 83 E0 00 00 00 48 8B 93 D8 00 00 00 89 10 C7 40 04 00 00 00 00 B9 11 00 00 00 BA 01 00 00 00 4C 8B 83 E0 00 00 00 FF 93 C8 01 00 00 48 89 83 E8 00 00 00 48 8B 8B E8 00 00 00 
FF 93 D0 01 00 00 48 8B 83 E8 00 00 00 48 8B 48 10 48 8B 93 D0 00 00 00 4C 8B 83 D8 00 00 00 E8 9A 03 00 00 48 8B 8B E8 00 00 00 FF 93 D8 01 00 00 48 89 D8 48 05 F0 00 00 00 48 89 83 F8 00 00 00 48 8B 83 B8 00 00 00 48 8B 00 48 8B 80 68 01 00 00 48 89 83 00 01 00 00 48 8B 8B B8 00 00 00 48 8B 93 E8 00 00 00 4C 8B 83 F8 00 00 00 FF 93 00 01 00 00 48 83 F8 00 48 83 BB F0 00 00 00 00 0F 84 24 01 00 00 48 89 D8 48 05 08 01 00 00 48 89 83 10 01 00 00 E8 65 03 00 00 48 89 83 18 01 00 00 48 8B 83 F0 00 00 00 48 8B 00 48 8B 80 88 00 00 00 48 89 83 20 01 00 00 48 8B 8B F0 00 00 00 48 8B 93 18 01 00 00 4C 8B 83 10 01 00 00 FF 93 20 01 00 00 48 83 F8 00 0F 85 CB 00 00 00 48 83 BB 08 01 00 00 00 0F 84 BD 00 00 00 B9 0C 00 00 00 BA 00 00 00 00 41 B8 00 00 00 00 FF 93 E8 01 00 00 48 89 83 28 01 00 00 E8 0E 03 00 00 48 89 83 30 01 00 00 E8 02 03 00 00 48 89 83 38 01 00 00 48 8B 83 08 01 00 00 48 8B 00 48 8B 80 C8 01 00 00 48 89 83 40 01 00 00 E8 A4 02 00 00 48 89 83 48 01 00 00 48 8B 8B 08 01 00 00 48 8B 93 48 01 00 00 41 B8 18 01 00 00 41 B9 00 00 00 00 48 8B 83 30 01 00 00 48 89 44 24 20 48 8B 83 28 01 00 00 48 89 44 24 28 48 8B B3 38 01 00 00 48 8B 06 48 89 44 24 30 48 8B 46 08 48 89 44 24 38 48 8B 46 10 48 89 44 24 3E FF 93 40 01 00 00 48 83 F8 00 75 05 48 89 EC 5D C3 48 C7 C0 FF FF FF FF 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 48 89 4D F8 FF 93 A0 01 00 00 48 89 C1 BA 08 00 00 00 4C 8B 45 F8 FF 93 90 01 00 00 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 48 89 4D F8 FF 93 A0 01 00 00 48 89 C1 BA 00 00 00 00 4C 8B 45 F8 FF 93 98 01 00 00 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 9C FF FF FF C7 00 8D 18 80 92 66 C7 40 04 8E 0E 66 C7 40 06 67 48 C6 40 08 B3 C6 40 09 0C C6 40 0A 7F C6 40 0B A8 C6 40 0C 38 C6 40 0D 84 C6 40 0E E8 C6 40 0F DE 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 53 FF FF FF C7 00 9E DB 32 D3 66 C7 40 04 B3 B9 66 C7 40 06 25 41 C6 40 08 82 C6 40 09 07 C6 40 0A A1 C6 40 0B 48 C6 40 0C 84 C6 40 0D F5 C6 40 0E 32 C6 40 0F 16 48 89 EC 5D C3 
55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 0A FF FF FF C7 00 D2 D1 39 BD 66 C7 40 04 2F BA 66 C7 40 06 6A 48 C6 40 08 89 C6 40 09 B0 C6 40 0A B4 C6 40 0B B0 C6 40 0C CB C6 40 0D 46 C6 40 0E 68 C6 40 0F 91 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 C1 FE FF FF C7 00 22 67 2F CB 66 C7 40 04 3A AB 66 C7 40 06 D2 11 C6 40 08 9C C6 40 09 40 C6 40 0A 00 C6 40 0B C0 C6 40 0C 4F C6 40 0D A3 C6 40 0E 0A C6 40 0F 3E 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 78 FE FF FF C7 00 23 67 2F CB 66 C7 40 04 3A AB 66 C7 40 06 D2 11 C6 40 08 9C C6 40 09 40 C6 40 0A 00 C6 40 0B C0 C6 40 0C 4F C6 40 0D A3 C6 40 0E 0A C6 40 0F 3E 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 10 00 00 00 E8 2F FE FF FF C7 00 DC 96 F6 05 66 C7 40 04 29 2B 66 C7 40 06 63 36 C6 40 08 AD C6 40 09 8B C6 40 0A C4 C6 40 0B 38 C6 40 0C 9C C6 40 0D F2 C6 40 0E A7 C6 40 0F 13 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 8A 02 88 01 48 FF C2 48 FF C1 49 FF C8 49 83 F8 00 75 ED B8 01 00 00 00 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 48 8B 83 60 02 00 00 48 89 C1 FF 93 E0 01 00 00 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 48 8B 83 58 02 00 00 48 89 C1 FF 93 E0 01 00 00 48 89 EC 5D C3 55 48 89 E5 48 83 EC 20 B9 18 00 00 00 E8 87 FD FF FF 50 48 89 C1 FF 93 F0 01 00 00 58 48 89 EC 5D C3 55 48 89 E5 48 83 EC 28 41 54 B9 0C 00 00 00 E8 63 FD FF FF C6 00 6D C6 40 01 73 C6 40 02 63 C6 40 03 6F C6 40 04 72 C6 40 05 65 C6 40 06 65 C6 40 07 2E C6 40 08 64 C6 40 09 6C C6 40 0A 6C C6 40 0B 00 49 89 C4 48 89 C1 FF 93 A8 01 00 00 48 83 F8 00 0F 84 B0 03 00 00 48 89 83 B8 01 00 00 4C 89 E1 E8 38 FD FF FF B9 0D 00 00 00 E8 05 FD FF FF C6 00 6F C6 40 01 6C C6 40 02 65 C6 40 03 61 C6 40 04 75 C6 40 05 74 C6 40 06 33 C6 40 07 32 C6 40 08 2E C6 40 09 64 C6 40 0A 6C C6 40 0B 6C C6 40 0C 00 49 89 C4 48 89 C1 FF 93 A8 01 00 00 48 83 F8 00 0F 84 4E 03 00 00 48 89 83 C0 01 00 00 4C 89 E1 E8 D6 FC FF FF B9 10 00 00 00 E8 A3 FC FF FF C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 
08 79 C6 40 09 43 C6 40 0A 72 C6 40 0B 65 C6 40 0C 61 C6 40 0D 74 C6 40 0E 65 C6 40 0F 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 D9 02 00 00 48 89 83 C8 01 00 00 4C 89 E1 E8 61 FC FF FF B9 0E 00 00 00 E8 2E FC FF FF C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 4C C6 40 0A 6F C6 40 0B 63 C6 40 0C 6B C6 40 0D 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 6C 02 00 00 48 89 83 D0 01 00 00 4C 89 E1 E8 F4 FB FF FF B9 10 00 00 00 E8 C1 FB FF FF C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 55 C6 40 0A 6E C6 40 0B 6C C6 40 0C 6F C6 40 0D 63 C6 40 0E 6B C6 40 0F 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 F7 01 00 00 48 89 83 D8 01 00 00 4C 89 E1 E8 7F FB FF FF B9 0F 00 00 00 E8 4C FB FF FF C6 00 53 C6 40 01 79 C6 40 02 73 C6 40 03 41 C6 40 04 6C C6 40 05 6C C6 40 06 6F C6 40 07 63 C6 40 08 53 C6 40 09 74 C6 40 0A 72 C6 40 0B 69 C6 40 0C 6E C6 40 0D 67 C6 40 0E 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 86 01 00 00 48 89 83 E0 01 00 00 4C 89 E1 E8 0E FB FF FF B9 16 00 00 00 E8 DB FA FF FF C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 43 C6 40 0A 72 C6 40 0B 65 C6 40 0C 61 C6 40 0D 74 C6 40 0E 65 C6 40 0F 56 C6 40 10 65 C6 40 11 63 C6 40 12 74 C6 40 13 6F C6 40 14 72 C6 40 15 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 F9 00 00 00 48 89 83 E8 01 00 00 4C 89 E1 E8 81 FA FF FF B9 0C 00 00 00 E8 4E FA FF FF C6 00 56 C6 40 01 61 C6 40 02 72 C6 40 03 69 C6 40 04 61 C6 40 05 6E C6 40 06 74 C6 40 07 49 C6 40 08 6E C6 40 09 69 C6 40 0A 74 C6 40 0B 00 49 89 C4 48 8B 8B C0 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 0F 84 94 00 00 00 48 89 83 F0 01 00 00 4C 89 E1 E8 1C FA FF FF B9 12 00 00 00 E8 E9 F9 FF FF C6 
00 43 C6 40 01 4C C6 40 02 52 C6 40 03 43 C6 40 04 72 C6 40 05 65 C6 40 06 61 C6 40 07 74 C6 40 08 65 C6 40 09 49 C6 40 0A 6E C6 40 0B 73 C6 40 0C 74 C6 40 0D 61 C6 40 0E 6E C6 40 0F 63 C6 40 10 65 C6 40 11 00 49 89 C4 48 8B 8B B8 01 00 00 48 89 C2 FF 93 B0 01 00 00 48 83 F8 00 74 1B 48 89 83 F8 01 00 00 4C 89 E1 E8 A3 F9 FF FF B8 01 00 00 00 41 5C 48 89 EC 5D C3 B8 00 00 00 00 41 5C 48 89 EC 5D C3\n }\n\n $stub_injectassemblyx32 = {\n 8B 44 24 04 89 C6 FF 56 08 68 00 04 00 00 6A 08 50 FF 16 89 C3 8B 06 89 83 2C 01 00 00 8B 46 04 89 83 30 01 00 00 8B 46 08 89 83 34 01 00 00 8B 46 0C 89 83 38 01 00 00 8B 46 10 89 83 3C 01 00 00 8B 46 14 89 83 90 01 00 00 8B 46 18 89 83 94 01 00 00 89 F0 83 C0 20 89 83 C8 00 00 00 89 F0 83 C0 20 03 46 1C 83 C0 04 89 83 CC 00 00 00 E8 D2 02 00 00 83 F8 00 0F 84 C1 02 00 00 89 5B 04 E8 A1 06 00 00 89 43 08 E8 D3 06 00 00 89 43 0C FF 73 04 FF 73 0C FF 73 08 FF 93 60 01 00 00 83 F8 00 0F 85 96 02 00 00 8B 03 8B 00 8B 40 14 89 43 0E 89 D8 83 C0 12 89 43 16 FF 73 16 FF 33 FF 53 0E 83 F8 00 0F 85 73 02 00 00 E8 CA 06 00 00 89 43 1A 89 D8 83 C0 1E 89 43 22 89 D8 83 C0 26 89 43 2A 8B 43 12 8B 00 8B 40 0C 89 43 2E 6A 00 FF 73 2A 6A 01 FF 73 12 FF 53 2E 83 F8 00 75 14 8B 43 26 8B 00 8B 00 FF 73 22 FF 73 1A FF 73 26 FF D0 EB DA 83 7B 1E 00 0F 84 20 02 00 00 8B 43 1E 8B 00 8B 40 24 89 43 32 E8 A6 06 00 00 89 43 36 E8 D8 06 00 00 89 43 3A 89 D8 83 C0 3E 89 43 42 FF 73 42 FF 73 36 FF 73 3A FF 73 1E FF 53 32 83 F8 00 0F 85 E5 01 00 00 83 7B 3E 00 0F 84 DB 01 00 00 8B 43 3E 8B 00 8B 40 28 89 43 46 FF 73 3E FF 53 46 83 F8 00 0F 85 C1 01 00 00 8B 43 3E 8B 00 8B 40 34 89 43 4A 89 D8 83 C0 4E 89 43 52 E8 B3 06 00 00 89 43 56 FF 73 52 FF 73 3E FF 53 4A 83 7B 4E 00 0F 84 93 01 00 00 89 D8 83 C0 5A 89 43 5E 8B 43 4E 8B 00 8B 00 89 43 62 FF 73 5E FF 73 56 FF 73 4E FF 53 62 83 7B 5A 00 0F 84 6B 01 00 00 8B 83 90 01 00 00 89 43 66 8B 83 94 01 00 00 89 43 6A 6A 08 E8 04 05 00 00 89 43 6E 8B 43 6E 8B 7B 6A 89 38 C7 40 04 00 00 00 00 FF 73 6E 6A 01 6A 11 FF 93 48 
01 00 00 89 43 72 FF 73 72 FF 93 4C 01 00 00 8B 43 72 83 C0 0C FF 30 FF 73 66 FF 73 6A E8 A8 04 00 00 FF 73 72 FF 93 50 01 00 00 89 D8 83 C0 76 89 43 7A 8B 43 5A 8B 00 8B 80 B4 00 00 00 89 43 7E FF 73 7A FF 73 72 FF 73 5A FF 53 7E 83 F8 00 0F 85 E0 00 00 00 83 7B 76 00 0F 84 D6 00 00 00 89 D8 05 82 00 00 00 89 83 86 00 00 00 E8 08 06 00 00 89 83 8A 00 00 00 8B 43 76 8B 00 8B 40 44 89 83 8E 00 00 00 FF B3 86 00 00 00 FF B3 8A 00 00 00 FF 73 76 FF 93 8E 00 00 00 83 F8 00 0F 85 92 00 00 00 83 BB 82 00 00 00 00 0F 84 85 00 00 00 6A 00 6A 00 6A 0C FF 93 58 01 00 00 89 83 92 00 00 00 E8 CE 05 00 00 89 83 96 00 00 00 E8 C3 05 00 00 89 83 9A 00 00 00 8B 83 82 00 00 00 8B 00 8B 80 E4 00 00 00 89 83 9E 00 00 00 E8 96 05 00 00 89 83 A2 00 00 00 FF B3 96 00 00 00 FF B3 92 00 00 00 8B 83 9A 00 00 00 FF 70 0C FF 70 08 FF 70 04 FF 30 6A 00 68 18 01 00 00 FF B3 A2 00 00 00 FF B3 82 00 00 00 FF 93 9E 00 00 00 83 F8 00 75 03 C2 04 00 B8 FF FF FF FF C2 04 00 6A 0C E8 A3 03 00 00 C6 00 6D C6 40 01 73 C6 40 02 63 C6 40 03 6F C6 40 04 72 C6 40 05 65 C6 40 06 65 C6 40 07 2E C6 40 08 64 C6 40 09 6C C6 40 0A 6C C6 40 0B 00 50 50 FF 93 38 01 00 00 89 83 40 01 00 00 58 50 E8 7C 03 00 00 6A 0D E8 58 03 00 00 C6 00 6F C6 40 01 6C C6 40 02 65 C6 40 03 61 C6 40 04 75 C6 40 05 74 C6 40 06 33 C6 40 07 32 C6 40 08 2E C6 40 09 64 C6 40 0A 6C C6 40 0B 6C C6 40 0C 00 50 50 FF 93 38 01 00 00 89 83 44 01 00 00 58 50 E8 2D 03 00 00 6A 10 E8 09 03 00 00 C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 43 C6 40 0A 72 C6 40 0B 65 C6 40 0C 61 C6 40 0D 74 C6 40 0E 65 C6 40 0F 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 8F 02 00 00 89 83 48 01 00 00 58 50 E8 C3 02 00 00 6A 0E E8 9F 02 00 00 C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 4C C6 40 0A 6F C6 40 0B 63 C6 40 0C 6B C6 40 0D 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 2D 02 00 00 89 83 4C 
01 00 00 58 50 E8 61 02 00 00 6A 10 E8 3D 02 00 00 C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 55 C6 40 0A 6E C6 40 0B 6C C6 40 0C 6F C6 40 0D 63 C6 40 0E 6B C6 40 0F 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 C3 01 00 00 89 83 50 01 00 00 58 50 E8 F7 01 00 00 6A 0F E8 D3 01 00 00 C6 00 53 C6 40 01 79 C6 40 02 73 C6 40 03 41 C6 40 04 6C C6 40 05 6C C6 40 06 6F C6 40 07 63 C6 40 08 53 C6 40 09 74 C6 40 0A 72 C6 40 0B 69 C6 40 0C 6E C6 40 0D 67 C6 40 0E 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 5D 01 00 00 89 83 54 01 00 00 58 50 E8 91 01 00 00 6A 16 E8 6D 01 00 00 C6 00 53 C6 40 01 61 C6 40 02 66 C6 40 03 65 C6 40 04 41 C6 40 05 72 C6 40 06 72 C6 40 07 61 C6 40 08 79 C6 40 09 43 C6 40 0A 72 C6 40 0B 65 C6 40 0C 61 C6 40 0D 74 C6 40 0E 65 C6 40 0F 56 C6 40 10 65 C6 40 11 63 C6 40 12 74 C6 40 13 6F C6 40 14 72 C6 40 15 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 DB 00 00 00 89 83 58 01 00 00 58 50 E8 0F 01 00 00 6A 0C E8 EB 00 00 00 C6 00 56 C6 40 01 61 C6 40 02 72 C6 40 03 69 C6 40 04 61 C6 40 05 6E C6 40 06 74 C6 40 07 49 C6 40 08 6E C6 40 09 69 C6 40 0A 74 C6 40 0B 00 50 50 FF B3 44 01 00 00 FF 93 3C 01 00 00 83 F8 00 0F 84 81 00 00 00 89 83 5C 01 00 00 58 50 E8 B5 00 00 00 6A 12 E8 91 00 00 00 C6 00 43 C6 40 01 4C C6 40 02 52 C6 40 03 43 C6 40 04 72 C6 40 05 65 C6 40 06 61 C6 40 07 74 C6 40 08 65 C6 40 09 49 C6 40 0A 6E C6 40 0B 73 C6 40 0C 74 C6 40 0D 61 C6 40 0E 6E C6 40 0F 63 C6 40 10 65 C6 40 11 00 50 50 FF B3 40 01 00 00 FF 93 3C 01 00 00 83 F8 00 74 13 89 83 60 01 00 00 58 50 E8 47 00 00 00 B8 01 00 00 00 C3 B8 00 00 00 00 C3 57 56 51 8B 4C 24 10 8B 74 24 14 8B 7C 24 18 8A 06 88 07 46 47 49 75 F7 59 5E 5F C2 0C 00 8B 44 24 04 51 52 89 C1 FF 93 34 01 00 00 51 6A 08 50 FF 93 2C 01 00 00 5A 59 C2 04 00 55 8B 6C 24 08 FF 93 34 01 00 00 55 6A 00 50 FF 93 30 01 00 00 5D C2 04 00 6A 10 E8 C3 FF FF FF C7 00 8D 18 80 92 66 C7 40 04 8E 0E 66 C7 40 
06 67 48 C6 40 08 B3 C6 40 09 0C C6 40 0A 7F C6 40 0B A8 C6 40 0C 38 C6 40 0D 84 C6 40 0E E8 C6 40 0F DE C3 6A 10 E8 89 FF FF FF C7 00 9E DB 32 D3 66 C7 40 04 B3 B9 66 C7 40 06 25 41 C6 40 08 82 C6 40 09 07 C6 40 0A A1 C6 40 0B 48 C6 40 0C 84 C6 40 0D F5 C6 40 0E 32 C6 40 0F 16 C3 6A 10 E8 4F FF FF FF C7 00 D2 D1 39 BD 66 C7 40 04 2F BA 66 C7 40 06 6A 48 C6 40 08 89 C6 40 09 B0 C6 40 0A B4 C6 40 0B B0 C6 40 0C CB C6 40 0D 46 C6 40 0E 68 C6 40 0F 91 C3 6A 10 E8 15 FF FF FF C7 00 22 67 2F CB 66 C7 40 04 3A AB 66 C7 40 06 D2 11 C6 40 08 9C C6 40 09 40 C6 40 0A 00 C6 40 0B C0 C6 40 0C 4F C6 40 0D A3 C6 40 0E 0A C6 40 0F 3E C3 6A 10 E8 DB FE FF FF C7 00 23 67 2F CB 66 C7 40 04 3A AB 66 C7 40 06 D2 11 C6 40 08 9C C6 40 09 40 C6 40 0A 00 C6 40 0B C0 C6 40 0C 4F C6 40 0D A3 C6 40 0E 0A C6 40 0F 3E C3 6A 10 E8 A1 FE FF FF C7 00 DC 96 F6 05 66 C7 40 04 29 2B 66 C7 40 06 63 36 C6 40 08 AD C6 40 09 8B C6 40 0A C4 C6 40 0B 38 C6 40 0C 9C C6 40 0D F2 C6 40 0E A7 C6 40 0F 13 C3 8B 83 C8 00 00 00 50 FF 93 54 01 00 00 C3 8B 83 CC 00 00 00 50 FF 93 54 01 00 00 C3 6A 10 E8 4B FE FF FF 50 FF 93 5C 01 00 00 C3\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "xenostealer" ], "rule_creation_date": "2025-05-06", "rule_modified_date": "2025-07-02", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Stealer.XenoStealer" ], "rule_tactic_tags": [ "attack.credential_access" ], "rule_technique_tags": [ "attack.t1555.003" ], "rule_score": 70, "rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xmrig_2c4067cc5a65_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 
1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583787Z", "creation_date": "2026-03-23T11:46:25.583789Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583794Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://attack.mitre.org/techniques/T1496/\nhttps://github.com/xmrig/xmrig" ], "name": "xmrig_2c4067cc5a65.yar", "content": "rule xmrig_2c4067cc5a65 {\n meta:\n title = \"XMRig Cryptominer (2c4067cc5a65)\"\n id = \"548e6b49-8e4f-4e67-a8c6-2c4067cc5a65\"\n description = \"Detects the XMRig cryptominer on Windows systems.\\nXMRig is an open-source cryptocurrency mining software often abused by adversaries for malicious cryptocurrency mining activities.\"\n references = \"https://attack.mitre.org/techniques/T1496/\\nhttps://github.com/xmrig/xmrig\"\n date = \"2023-06-28\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1496\"\n classification = \"Windows.CryptoMiner.XMRig\"\n context = \"memory,thread\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 673ebada19e044b1ddb88155ad99188ba403cbb413868877b3ce0af11617bcfb\n // 3d59d9199a21d4e75346e75f4e3ca6eade6fcaed90ce56c6ce106366c2873eef\n // 1ecc54cc2974bf1be389806a85457d5b527dc51a6c1eeffd64d2624e08bd053f\n // 8f7bf8e5067dc531bb160012248043ddc70d76d2c49018a1810b56cbdceef477\n\n $s1 = \"XMRIG_HOSTNAME\" ascii nocase fullword\n $s2 = \"Usage: xmrig [OPTIONS]\" ascii nocase fullword\n $s3 = \"username:password pair for mining server\" ascii nocase\n $s4 = \"XMRIG_INCLUDE_RANDOM_MATH\" ascii nocase 
fullword\n\n $m1 = \"{\\\"id\\\":%lld,\\\"jsonrpc\\\":\\\"2.0\\\",\\\"method\\\":\\\"keepalived\\\",\\\"params\\\":{\\\"id\\\":\\\"%s\\\"}}\" ascii fullword\n $m2 = \"IP Address currently banned\" ascii fullword\n $m3 = \"daemon-poll-interval\" ascii fullword\n $m4 = \"submit-to-origin\" ascii fullword\n $m5 = \"self-select\" ascii fullword\n $m6 = \"nicehash.com\" ascii fullword\n $m7 = \"stratum+tcp://\" ascii fullword\n\n $xmrig_string = \"xmrig\" ascii nocase\n\n condition:\n (all of ($s*) and #xmrig_string > 25) or\n 6 of ($m*)\n}\n", "rule_count": 1, "rule_names": [ "xmrig_2c4067cc5a65" ], "rule_creation_date": "2023-06-28", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.CryptoMiner.XMRig" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1496" ], "rule_score": 100, "rule_context": [ "memory", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xmrig_c55b1ddfc1b6_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.583814Z", "creation_date": "2026-03-23T11:46:25.583817Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.583822Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, 
"references": [ "https://attack.mitre.org/techniques/T1496/\nhttps://github.com/xmrig/xmrig" ], "name": "xmrig_c55b1ddfc1b6.yar", "content": "rule xmrig_c55b1ddfc1b6 {\n meta:\n title = \"XMRig Cryptominer (c55b1ddfc1b6)\"\n id = \"53dead3f-0388-4c49-a287-c55b1ddfc1b6\"\n description = \"Detects the XMRig cryptominer on Windows systems.\\nXMRig is an open-source cryptocurrency mining software often abused by adversaries for malicious cryptocurrency mining activities.\"\n references = \"https://attack.mitre.org/techniques/T1496/\\nhttps://github.com/xmrig/xmrig\"\n date = \"2022-11-14\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1496\"\n classification = \"Windows.CryptoMiner.XMRig\"\n context = \"process,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // 5d9d30f4a9e254cd3754c47ca59ac4d4e0f50f4d6fd6564e777819d1701be81e\n\n $decryption_1 = {\n 48 89 C1 // mov rcx, rax\n 4D 89 C1 // mov r9, r8\n 83 E1 07 // and ecx, 7\n 48 C1 E1 03 // shl rcx, 3\n 49 D3 E9 // shr r9, cl\n 44 30 0C 02 // xor [rdx+rax], r9b\n 48 83 C0 01 // add rax, 1\n 48 83 F8 ?? // cmp rax, 15h\n 75 ?? // jnz short loc_140001700\n }\n\n $decryption_2 = {\n 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? // mov rax, 9D2323E9E9F9F97Bh\n 48 BA ?? ?? ?? ?? ?? ?? ?? ?? 
// mov rdx, 4949717179799Dh\n 48 31 01 // xor [rcx], rax\n 48 31 51 08 // xor [rcx+8], rdx\n 48 31 41 10 // xor [rcx+10h], rax\n C6 41 18 00 // mov byte ptr [rcx+18h], 0\n C3 // retn\n }\n\n // Detection for this sample:\n // 673ebada19e044b1ddb88155ad99188ba403cbb413868877b3ce0af11617bcfb\n\n $xmrig_string = \"xmrig\" ascii nocase\n // exclusion for docker ebd184ac3b44b8d32c003b75927c1e1a4aa06c9b6ee4a70a3afa34ede70db1cc\n $exclusion_docker_1 = \"aygualas/xmrig\" ascii\n $exclusion_docker_2 = \"arunkarthick34/xmrig\" ascii\n\n condition:\n uint16(0) == 0x5A4D and (all of ($decryption_*) or (#xmrig_string > 25 and none of ($exclusion_*)))\n}\n", "rule_count": 1, "rule_names": [ "xmrig_c55b1ddfc1b6" ], "rule_creation_date": "2022-11-14", "rule_modified_date": "2025-03-17", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.CryptoMiner.XMRig" ], "rule_tactic_tags": [ "attack.impact" ], "rule_technique_tags": [ "attack.t1496" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xmrig_memory_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.587022Z", "creation_date": "2026-03-23T11:46:25.587025Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.587695Z", "rule_level": 
"critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/xmrig/xmrig\nhttps://attack.mitre.org/techniques/T1496/" ], "name": "xmrig_memory.yar", "content": "rule xmrig_memory {\n meta:\n title = \"XMRIG Cryptominer\"\n id = \"3859e57e-5000-44de-8619-a16cfef872ef\"\n description = \"Detects the XMRig cryptominer.\\nXMRig is open-source cryptocurrency mining software frequently abused by adversaries for malicious cryptocurrency generation.\\nXMRig can either be executed as a standalone process or injected into memory, and uses significant CPU resources to mine Monero (XMR) without the victim's consent. This activity can degrade system performance and generate network traffic associated with mining operations.\\nIt is recommended to block the process and isolate the system for further investigation.\"\n references = \"https://github.com/xmrig/xmrig\\nhttps://attack.mitre.org/techniques/T1496/\"\n date = \"2023-02-06\"\n modified = \"2025-03-04\"\n author = \"HarfangLab\"\n tags = \"attack.impact;attack.t1496\"\n classification = \"CryptoMiner.XMRig\"\n context = \"process,memory,thread,file.pe,file.elf,file.macho\"\n os = \"Windows,Linux,MacOS\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for this sample:\n // c7de9799873b353f2fec6a490ed1d4062340eddda623afa0ba8798aca7ced31d\n\n $xmrig1 = \"XMRIG_VERSION\" ascii\n $xmrig2 = \"XMRIG_KIND\" ascii\n $xmrig3 = \"XMRIG_HOSTNAME\" ascii\n $xmrig4 = \"XMRIG_EXE\" ascii\n $xmrig5 = \"XMRIG_HOME_DIR\" ascii\n $xmrig6 = \"XMRIG_TEMP_DIR\" ascii\n $xmrig7 = \"XMRIG_DATA_DIR\" ascii\n $xmrig8 = \"XMRIG_INCLUDE_RANDOM_MATH\" ascii\n\n condition:\n 5 of ($xmrig*)\n}\n", "rule_count": 1, "rule_names": [ "xmrig_memory" ], "rule_creation_date": "2023-02-06", "rule_modified_date": "2025-03-04", "rule_os": [ "macos", "windows", "linux" ], "rule_classifications": [ "CryptoMiner.XMRig" ], "rule_tactic_tags": [ 
"attack.impact" ], "rule_technique_tags": [ "attack.t1496" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "file.pe", "process", "file.macho", "thread" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xworm_rat_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.574018Z", "creation_date": "2026-03-23T11:46:25.574020Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.574028Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm\nhttps://www.trellix.com/blogs/research/old-loader-new-threat-exploring-xworm/" ], "name": "xworm_rat.yar", "content": "rule xworm_rat {\n meta:\n title = \"Xworm RAT\"\n id = \"0365c790-8dd4-4317-9b13-bb369d32838a\"\n description = \"Detects the Xworm RAT.\\nXworm RAT is a remote access trojan (RAT) written in .NET. It is designed to provide attackers with unauthorized access to infected systems. The malware exhibits various malicious behaviors, including installing additional malware, stealing sensitive information such as banking details and credentials, and launching DDoS attacks. 
Xworm can also execute commands remotely, making it a versatile tool for persistence and data exfiltration.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm\\nhttps://www.trellix.com/blogs/research/old-loader-new-threat-exploring-xworm/\"\n date = \"2024-06-18\"\n modified = \"2025-04-22\"\n author = \"HarfangLab\"\n tags = \"attack.discovery;attack.t1082;attack.defense_evasion;attack.t1027;attack.collection;attack.t1056.001;attack.command_and_control;attack.t1571\"\n classification = \"Windows.Trojan.Xworm\"\n context = \"process,memory,thread,file.pe\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // ae907314d6998b7be3104c418c26aa60f89faec783c8d55c1363af8f51a933e8\n // 98493d1be8cb7bbbeb6e1dd8875f28a0a9b7e559f64edf83ae6d7f3c5cf962ff\n // ec3d5175cee3ae76998bf7c8c2a024e38ad7ddd98adcaf9f89112920a7ac62d7\n // 7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448\n // ff6f34a8f137b987d516a5455d0285e40cb1c2eda5ca61fc3acd865a8cc6ca81\n // 4c7504a7e4997436a85862bd6c54bb7a50af9b3960a3ca808a4ac577539372d6\n\n $x1 = \"\" fullword ascii wide\n $x2 = /XWorm (V|v)\\d+\\.\\d+/ fullword ascii wide\n\n $s1 = \"PING!\" fullword ascii wide\n $s2 = \"Urlhide\" fullword ascii wide\n $s3 = \"PCShutdown\" fullword ascii wide\n $s4 = \"Xchat\" fullword ascii wide\n $s5 = \"HostsMSG\" fullword ascii wide\n\n condition:\n 1 of ($x*) or all of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "xworm_rat" ], "rule_creation_date": "2024-06-18", "rule_modified_date": "2025-04-22", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Trojan.Xworm" ], "rule_tactic_tags": [ "attack.collection", "attack.command_and_control", "attack.defense_evasion", "attack.discovery" ], "rule_technique_tags": [ "attack.t1056.001", "attack.t1027", "attack.t1082", "attack.t1571" ], "rule_score": 100, 
"rule_context": [ "thread", "memory", "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-xzutils_backdoor_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.564632Z", "creation_date": "2026-03-23T11:46:25.564634Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.564640Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://www.openwall.com/lists/oss-security/2024/03/29/4\nhttps://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users\nhttps://attack.mitre.org/techniques/T1195/" ], "name": "xzutils_backdoor.yar", "content": "rule xzutils_backdoor {\n meta:\n title = \"XZ Utils Backdoor\"\n id = \"8fcb5ece-f66f-4e92-b2a3-416e52d1fec9\"\n description = \"Detects CVE-2024-3094, a backdoored XZ library (xzutil).\\nMalicious code was discovered in March 2024 in the upstream tarballs of xz versions 5.6.0 and 5.6.1.\\nThis results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying data exchanged with this library.\\nIt is recommended to investigate the context around this alert to look for malicious actions.\"\n references = 
\"https://www.openwall.com/lists/oss-security/2024/03/29/4\\nhttps://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users\\nhttps://attack.mitre.org/techniques/T1195/\"\n date = \"2024-03-29\"\n modified = \"2025-03-17\"\n author = \"HarfangLab\"\n tags = \"attack.initial_access;attack.t1195;cve.2024-3094\"\n classification = \"Linux.Backdoor.XZUtils\"\n context = \"process,memory,file.elf\"\n os = \"Linux\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // 319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae\n // b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963\n // 8fa641c454c3e0f76de73b7cc3446096b9c8b9d33d406d38b8ac76090b0344fd\n // 605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4\n\n $x1 = {\n 0F B6 02 // movzx eax, byte ptr [rdx]\n 3C 67 // cmp al, 67h ; 'g'\n 77 3B // ja short loc_9D\n 3C 2D // cmp al, 2Dh ; '-'\n 77 12 // ja short loc_78\n 3C 0F // cmp al, 0Fh\n 0F 84 CA 00 00 00 // jz loc_138\n 3C 26 // cmp al, 26h ; '&'\n 0F 85 0B 01 00 00 // jnz loc_181\n EB 5F // jmp short loc_D7\n }\n\n $x2 = {\n FF D0 // call rax\n 89 C3 // mov ebx, eax\n 3D 00 40 00 00 // cmp eax, 4000h\n 77 CA // ja short loc_737D\n 83 C3 07 // add ebx, 7\n C1 EB 03 // shr ebx, 3\n 74 C2 // jz short loc_737D\n 89 DD // mov ebp, ebx\n 49 83 EF 06 // sub r15, 6\n 49 39 EF // cmp r15, rbp\n 72 B7 // jb short loc_737D\n 4D 8D 7D 05 // lea r15, [r13+5]\n 41 C6 45 04 00 // mov byte ptr [r13+4], 0\n 48 8B 7C 24 08 // mov rdi, [rsp+48h+var_40]\n 4C 89 FE // mov rsi, r15\n }\n\n // Value from detection script provided in https://seclists.org/oss-sec/2024/q1/268\n // Header of 'cpuid' wrapper (which setup the backdoor hook)\n $x3 = {\n F0 F3 0F 1E FA // endbr64\n 55 // push rbp\n 48 89 F5 // mov rbp, rsi\n 4C 89 CE // mov rsi, r9\n 53 // push rbx\n 89 FB // mov ebx, edi\n 81 E7 00 00 00 80 // and edi, 80000000h\n 48 83 EC 28 // sub rsp, 28h\n 48 89 54 24 18 // mov [rsp+38h+var_20], rdx\n 
48 89 4C 24 10 // mov [rsp+38h+var_28], rcx\n }\n\n condition:\n 1 of them\n}\n", "rule_count": 1, "rule_names": [ "xzutils_backdoor" ], "rule_creation_date": "2024-03-29", "rule_modified_date": "2025-03-17", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Backdoor.XZUtils" ], "rule_tactic_tags": [ "attack.initial_access" ], "rule_technique_tags": [ "attack.t1195" ], "rule_score": 100, "rule_context": [ "file.elf", "memory", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645-zendar_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.586384Z", "creation_date": "2026-03-23T11:46:25.586386Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.586392Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://github.com/ring-1/zendar/" ], "name": "zendar.yar", "content": "rule linux_library_rootkit_zendar {\n meta:\n title = \"Zendar Rootkit\"\n id = \"ef1cf676-d195-4be9-a973-37100e3fc676\"\n description = \"Detects the Zendar rootkit.\\nZendar is a userland LD_PRELOAD-based rootkit that allows adversaries to hijack environment variables used by the dynamic linker to load shared libraries.\\nThis enables attackers to intercept and control 
function calls, establishing persistence on the system.\"\n references = \"https://github.com/ring-1/zendar/\"\n date = \"2023-12-12\"\n modified = \"2025-02-27\"\n author = \"HarfangLab\"\n tags = \"attack.execution;attack.t1059.004;attack.persistence;attack.t1574.006;attack.defense_evasion;attack.t1014;attack.t1070;attack.t1564;attack.credential_access;attack.t1556;attack.command_and_control\"\n classification = \"Linux.Rootkit.Zendar\"\n context = \"process,file.elf\"\n os = \"Linux\"\n arch = \"x86,x64\"\n score = 100\n confidence = \"strong\"\n\n strings:\n // Detection for these samples:\n // abbacf92d1a44db463daf202819ae494f8306f3eaad6f880d811ba118bec3db0\n // 84bc6ba08aea96e3f7bb78a361d8915b87afadf0cb1728d6b0abdf93cd3a2c16\n\n $z1 = \"zendar.c\" ascii fullword\n $z2 = \"zendarU\" ascii fullword\n $z3 = \"hiddenFile\" ascii fullword\n $z4 = \"/etc/.passwd\" ascii fullword\n $z5 = \"/etc/.shadow\" ascii fullword\n $z6 = \"libsslcore.so\" ascii fullword\n $z7 = \"ZENDAR\" ascii fullword\n $z8 = \"_zendar\" ascii fullword\n $z9 = \"/etc/ld.so.preload\" ascii fullword\n $z10 = \"Secret Sex Loaf of a Single Mom\" ascii\n $z11 = \"And there's a NoNo for him too!\" ascii\n\n condition:\n (uint32be(0) == 0x7F454c46) // ELF\n and ((uint16be(0x10) == 0x03) or (uint16(0x10) == 0x03)) // ET_DYN\n and (4 of them)\n}\n", "rule_count": 1, "rule_names": [ "linux_library_rootkit_zendar" ], "rule_creation_date": "2023-12-12", "rule_modified_date": "2025-02-27", "rule_os": [ "linux" ], "rule_classifications": [ "Linux.Rootkit.Zendar" ], "rule_tactic_tags": [ "attack.command_and_control", "attack.credential_access", "attack.defense_evasion", "attack.execution", "attack.persistence" ], "rule_technique_tags": [ "attack.t1070", "attack.t1564", "attack.t1014", "attack.t1556", "attack.t1574.006", "attack.t1059.004" ], "rule_score": 100, "rule_context": [ "file.elf", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" } { "id": 
"215dd4e5-9cb3-4e8e-805c-9e96809b7645-zerologon_tool_yar", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "alert", "effective_state": "alert", "rule_effective_level": "critical", "rule_effective_confidence": "strong", "alert_count": 0, "source_id": "215dd4e5-9cb3-4e8e-805c-9e96809b7645", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack": { "id": "b8e2fe4fc90e4d08", "name": null, "is_current": false, "is_supervisor": true, "is_tenant": false }, "tenant": "b8e2fe4fc90e4d08", "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:46:25.584423Z", "creation_date": "2026-03-23T11:46:25.584425Z", "enabled": true, "block_on_agent": false, "quarantine_on_agent": false, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:46:25.584430Z", "rule_level": "critical", "rule_level_override": null, "rule_confidence": "strong", "rule_confidence_override": null, "references": [ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/" ], "name": "zerologon_tool.yar", "content": "rule zerologon {\n meta:\n title = \"Unknown Zerologon Exploit (CVE-2020-1472)\"\n id = \"92aaecc7-d68a-449a-b03a-6a5e661182f5\"\n description = \"Detects a tool of unknown origin exploiting the Zerologon vulnerability (CVE-2020-1472).\\nThis tool is used to gain full administrative privileges on a vulnerable domain controller by exploiting a vulnerability in the Netlogon Remote Procedure Call (RPC) service. 
It is recommended to quickly investigate for signs of lateral movement on domain controllers and to isolate infected hosts.\"\n references = \"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\"\n date = \"2021-11-01\"\n modified = \"2025-03-07\"\n author = \"HarfangLab\"\n tags = \"attack.privilege_escalation;attack.t1068;attack.lateral_movement;attack.t1210;attack.credential_access;attack.t1212\"\n classification = \"Windows.Exploit.Zerologon\"\n context = \"process,file.pe\"\n arch = \"x86,x64\"\n os = \"Windows\"\n score = 100\n confidence = \"strong\"\n\n strings:\n $s01 = \"server passwd set successfully\" ascii\n $s02 = \"server passwd ser failed !\" ascii\n $s03 = \"TARGET IS VULNURABLE\" ascii\n $s04 = \"TARGET SEEMS TO BE PATCHED\" ascii\n $s05 = \"IP - ip address of domain controller\" fullword ascii\n $s06 = \"ADMIN_USERNAME - account name of the administrator. can be default or something else\" fullword ascii\n $s07 = \"ZERO.EXE -test IP DC\" fullword ascii\n $s08 = \"testing target:\" fullword ascii\n $s09 = \"EXECUTED SUCCESSFULLY\" fullword ascii\n $s10 = \"COMMAND - command that will be executed on domain controller. 
should be surrounded by quotes\" fullword ascii\n $s11 = \"ADMIN_USERNAME - account name of the administrator.\" ascii\n $s12 = \"netrserverauthenticate2: STATUS_NO_TRUST_SAM_ACCOUNT (cannot find the account or bad type)\" fullword ascii\n $s13 = \"ADMIN_USERNAME - %ws\" fullword ascii\n $s14 = \"COMMAND - %ws\" fullword ascii\n\n condition:\n uint16(0) == 0x5a4d and filesize < 400KB and 10 of ($s*)\n}\n", "rule_count": 1, "rule_names": [ "zerologon" ], "rule_creation_date": "2021-11-01", "rule_modified_date": "2025-03-07", "rule_os": [ "windows" ], "rule_classifications": [ "Windows.Exploit.Zerologon" ], "rule_tactic_tags": [ "attack.credential_access", "attack.lateral_movement", "attack.privilege_escalation" ], "rule_technique_tags": [ "attack.t1210", "attack.t1212", "attack.t1068" ], "rule_score": 100, "rule_context": [ "file.pe", "process" ], "source": "215dd4e5-9cb3-4e8e-805c-9e96809b7645" }