10000 GitHub - roadwy/DefenderYara: Extracted Yara rules from Windows Defender mpavbase and mpasbase
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

roadwy/DefenderYara

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
#ALF/TrojanDownloader
#ALF/TrojanDownloader
 
 
#ASRWin32ApiMacroExclusion
#ASRWin32ApiMacroExclusion
 
 
#PUA/Block
#PUA/Block
 
 
#attrmatch_rescan_psif
#attrmatch_rescan_psif
 
 
Adware
Adware
 
 
Backdoor
Backdoor
 
 
Behavior/Win32/Pryncimoklyn
Behavior/Win32/Pryncimoklyn
 
 
BrowserModifier
BrowserModifier
 
 
Constructor/Win32
Constructor/Win32
 
 
DDoS
DDoS
 
 
DoS
DoS
 
 
Exploit
Exploit
 
 
HackTool
HackTool
 
 
InfrastructureShared
InfrastructureShared
 
 
Joke/Win32
Joke/Win32
 
 
Misleading
Misleading
 
 
MonitoringTool
MonitoringTool
 
 
PUA
PUA
 
 
PUAMiner/Linux/CoinMiner
PUAMiner/Linux/CoinMiner
 
 
PWS
PWS
 
 
Program/Win32/CompromisedCert
Program/Win32/CompromisedCert
 
 
PseudoThreat_40000020
PseudoThreat_40000020
 
 
PseudoThreat_40000021
PseudoThreat_40000021
 
 
PseudoThreat_40000022
PseudoThreat_40000022
 
 
PseudoThreat_40000023
PseudoThreat_40000023
 
 
PseudoThreat_40000024
PseudoThreat_40000024
 
 
PseudoThreat_40000025
PseudoThreat_40000025
 
 
PseudoThreat_40000026
PseudoThreat_40000026
 
 
PseudoThreat_40000027
PseudoThreat_40000027
 
 
PseudoThreat_40000028
PseudoThreat_40000028
 
 
PseudoThreat_40000029
PseudoThreat_40000029
 
 
PseudoThreat_4000002a
PseudoThreat_4000002a
 
 
PseudoThreat_4000002b
PseudoThreat_4000002b
 
 
PseudoThreat_4000002c
PseudoThreat_4000002c
 
 
PseudoThreat_4000002d
PseudoThreat_4000002d
 
 
PseudoThreat_4000002e
PseudoThreat_4000002e
 
 
PseudoThreat_40000031
PseudoThreat_40000031
 
 
PseudoThreat_c0000e91
PseudoThreat_c0000e91
 
 
PseudoThreat_c0000ec1
PseudoThreat_c0000ec1
 
 
PseudoThreat_c0000ed7
PseudoThreat_c0000ed7
 
 
PseudoThreat_c0000ed8
PseudoThreat_c0000ed8
 
 
PseudoThreat_c0000ed9
PseudoThreat_c0000ed9
 
 
PseudoThreat_c0000eda
PseudoThreat_c0000eda
 
 
PseudoThreat_c0000f7a
PseudoThreat_c0000f7a
 
 
PseudoThreat_c0000f7b
PseudoThreat_c0000f7b
 
 
PseudoThreat_c0001045
PseudoThreat_c0001045
 
 
PseudoThreat_c0001046
PseudoThreat_c0001046
 
 
PseudoThreat_c0001048
PseudoThreat_c0001048
 
 
PseudoThreat_c0001049
PseudoThreat_c0001049
 
 
PseudoThreat_c000104a
PseudoThreat_c000104a
 
 
PseudoThreat_c000104c
PseudoThreat_c000104c
 
 
PseudoThreat_c000104d
PseudoThreat_c000104d
 
 
PseudoThreat_c000104e
PseudoThreat_c000104e
 
 
PseudoThreat_c000104f
PseudoThreat_c000104f
 
 
PseudoThreat_c0001050
PseudoThreat_c0001050
 
 
PseudoThreat_c0001051
PseudoThreat_c0001051
 
 
PseudoThreat_c0001052
PseudoThreat_c0001052
 
 
PseudoThreat_c0001053
PseudoThreat_c0001053
 
 
PseudoThreat_c0001054
PseudoThreat_c0001054
 
 
PseudoThreat_c00014c4
PseudoThreat_c00014c4
 
 
PseudoThreat_c0001523
PseudoThreat_c0001523
 
 
PseudoThreat_c0001726
PseudoThreat_c0001726
 
 
PseudoThreat_c0001763
PseudoThreat_c0001763
 
 
PseudoThreat_c000176c
PseudoThreat_c000176c
 
 
Ransom
Ransom
 
 
RemoteAccess/MSIL/AveMariaRAT
RemoteAccess/MSIL/AveMariaRAT
 
 
Rogue
Rogue
 
 
SoftwareBundler/Win32
SoftwareBundler/Win32
 
 
Spammer
Spammer
 
 
Spoofer/Win32/Arpspoof
Spoofer/Win32/Arpspoof
 
 
Spyware
Spyware
 
 
SupportScam
SupportScam
 
 
Tool
Tool
 
 
Trojan
Trojan
 
 
TrojanClicker
TrojanClicker
 
 
TrojanDownloader
TrojanDownloader
 
 
TrojanDropper
TrojanDropper
 
 
TrojanProxy
TrojanProxy
 
 
TrojanSpy
TrojanSpy
 
 
VirTool
VirTool
 
 
Virus
Virus
 
 
Worm
Worm
 
 
README.MD
README.MD
 
 

Repository files navigation

DefenderYara

DefenderYara

Description

Extracted Yara rules from Defender mpavbase.vdm and mpasbase.Enjoy it.

rule HackTool_Win64_ATPMiniDump_lsa{
	meta:
		description = "HackTool:Win64/ATPMiniDump!lsa,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 "
		
	strings :
		$a_01_0 = {41 54 50 4d 69 6e 69 44 75 6d 70 } //2 ATPMiniDump
		$a_01_1 = {42 00 79 00 20 00 62 00 34 00 72 00 74 00 69 00 6b 00 20 00 26 00 20 00 75 00 66 00 30 00 } //2 By b4rtik & uf0
		$a_01_2 = {54 00 65 00 6d 00 70 00 5c 00 64 00 75 00 6d 00 70 00 65 00 72 00 74 00 2e 00 64 00 6d 00 70 00 } //2 Temp\dumpert.dmp
		$a_01_3 = {5b 00 21 00 5d 00 20 00 59 00 6f 00 75 00 20 00 6e 00 65 00 65 00 64 00 20 00 65 00 6c 00 65 00 76 00 61 00 74 00 65 00 64 00 } //1 [!] You need elevated
		$a_01_4 = {5b 00 21 00 5d 00 20 00 46 00 61 00 69 00 6c 00 65 00 64 00 20 00 74 00 6f 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 2c 00 } //1 [!] Failed to create minidump,
		$a_01_5 = {5b 00 31 00 5d 00 20 00 43 00 68 00 65 00 63 00 6b 00 69 00 6e 00 67 00 20 00 4f 00 53 00 } //1 [1] Checking OS
	condition:
		((#a_01_0  & 1)*2+(#a_01_1  & 1)*2+(#a_01_2  & 1)*2+(#a_01_3  & 1)*1+(#a_01_4  & 1)*1+(#a_01_5  & 1)*1) >=5
 
}

NOTE: some strings or condition maybe wrong.

Parsed HSTR type:

  • SIGNATURE_TYPE_PEHSTR_EXT
  • SIGNATURE_TYPE_ELFHSTR_EXT
  • SIGNATURE_TYPE_MACHOHSTR_EXT
  • SIGNATURE_TYPE_MACROHSTR_EXT
  • SIGNATURE_TYPE_DEXHSTR_EXT
  • SIGNATURE_TYPE_JAVAHSTR_EXT
  • SIGNATURE_TYPE_CMDHSTR_EXT
  • SIGNATURE_TYPE_ARHSTR_EXT
  • SIGNATURE_TYPE_PEHSTR

TODO:

  • SIGNATURE_TYPE_SWFHSTR_EXT
  • SIGNATURE_TYPE_AUTOITHSTR_EXT
  • SIGNATURE_TYPE_INNOHSTR_EXT
  • SIGNATURE_TYPE_MDBHSTR_EXT
  • SIGNATURE_TYPE_DMGHSTR_EXT

Reference

About

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Topics

ioc dfir defender antivirus malware-analysis yara yara-rules threat-intelligence yara-signatures

Resources

Readme
Activity

Stars

423 stars

Watchers

6 watching

Forks

67 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
0