A repo containing some of my privately developed Yara rules.
To contribute to the community.
Of course! That's why I created this repo.
You can use them in your detection systems. For example, CAPE sandbox, MalwareBazaar and VirusTotal (must be logged in) are using these rules. Furthermore, the rules can work natively with AssemblyLine due to the CCCS Yara rule standard adoption.
All rules are TLP:White, so you can use and distribute them freely. Please retain the meta.
There's two workflows running on this Github repository:
- YARA-CI: runs automatically to detect signature errors, as well as false positives and negatives.
- Package Yara rules: allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Artifacts (see image below).
v3.3.0 is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found here.
If you spot an issue or improvement with one of the rules, feel free to submit a PR!
If one of the rules in the generic rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does not mean your software is malicious.
From the official Github repo, https://github.com/VirusTotal/yara:
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
More information: https://yara.readthedocs.io/en/stable/index.html
The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.
The rules in this repo are TLP:White.
Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
More information: https://www.us-cert.gov/tlp
InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara.