A collection of YARA rules from the folks at InQuest we wish to share with the world. These rules should not be considered production appropriate. Rather, they are valuable for research and hunting purposes.
See also:
- https://github.com/InQuest/yara-rules-vt 📖
- https://github.com/InQuest/awesome-yara 🏆🥇
- https://labs.inquest.net 🥼🔬🧪
- http://yaramate.com 😆
The rules are listed here, alphabetically, along with references for further reading:
- Base64 Encoded Powershell
- CVE-2018-4878: Adobe Flash MediaPlayer DRM user-after-free Vulnerability
- CVE_2018_4878_0day_ITW
- Microsoft_Office_Document_with_Embedded_Flash_File
- Adobe_Flash_DRM_Use_After_Free
- Blog: Adobe Flash MediaPlayer DRM Use-after-free Vulnerability
- Follow highlights of the conversation on Twitter from this "moment" we maintain.
- Embedded PE Files
- Discover embedded PE files, without relying on easily stripped/modified header strings.
- Executables Converted to MSI
- Hex Encoded Powershell Pivot
- Hidden Bee Custom Windows Executable Format
- Hunting Suspicious IQY Files
- labs.inquest.net
- VirusTotal Intelligence hunt rules that feed the InQuest Labs data portal.
- Microsoft Excel Hidden Macro Sheets
- Microsoft Excel Data Connection
- Microsoft_Office_DDE_Command_Execution
- Blogs: Overview, Hunting, and Mitigation, Freddie Mac Targeted Lure, SEC OMB Masquerading Lure, Vortex Ransomware Targeting Poland.
- Follow highlights of the conversation on Twitter from this "moment" we maintain.
- Microsoft XLSX with Macrosheet
- MSIExec Pivot
- NTLM_Credentials_Theft_via_PDF
- This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes. New methods for NTLM hash leaks are discovered from time to time. This particular one is triggered upon opening of a malicious crafted PDF. Original write-up from CheckPoint.
- RTF_Byte_Nibble_Obfuscation
- This signature is designed to detect the obfuscation method described by Boris Larin here Disappearing bytes: Reverse engineering the MS Office RTF parser. This obfuscation method is rarely seen but was used in the distribution of CVE-2018-8174 0day discovered in-the-wild.
- We'll continue to earmark interesting tidbits around the subject matter in this Twitter Moment.
- Suspicious Symbolic Link Files that contain Excel 4.0 macros Or File Characteristics
- These signatures detect Symbolic Link (SLK) files that contain Excel 4.0 macros described here by Stan Hegt.
- CVE-2020-0601 ("Chain of Fools" or "Curveball")
- This signature detects a Microsoft Windows executable that has been signed using Elliptic Curve Cryptography (ECC) certificates with an explicit curve.
- GlowSpark
- This signature detects a second stage Actinium Downloader dubbed GlowSpark.