Skip to content

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Notifications You must be signed in to change notification settings

roadwy/DefenderYara

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DefenderYara

DefenderYara

Description

Extracted Yara rules from Defender mpavbase.vdm and mpasbase.Enjoy it.

rule HackTool_Win64_ATPMiniDump_lsa{
	meta:
		description = "HackTool:Win64/ATPMiniDump!lsa,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 "
		
	strings :
		$a_01_0 = {41 54 50 4d 69 6e 69 44 75 6d 70 } //2 ATPMiniDump
		$a_01_1 = {42 00 79 00 20 00 62 00 34 00 72 00 74 00 69 00 6b 00 20 00 26 00 20 00 75 00 66 00 30 00 } //2 By b4rtik & uf0
		$a_01_2 = {54 00 65 00 6d 00 70 00 5c 00 64 00 75 00 6d 00 70 00 65 00 72 00 74 00 2e 00 64 00 6d 00 70 00 } //2 Temp\dumpert.dmp
		$a_01_3 = {5b 00 21 00 5d 00 20 00 59 00 6f 00 75 00 20 00 6e 00 65 00 65 00 64 00 20 00 65 00 6c 00 65 00 76 00 61 00 74 00 65 00 64 00 } //1 [!] You need elevated
		$a_01_4 = {5b 00 21 00 5d 00 20 00 46 00 61 00 69 00 6c 00 65 00 64 00 20 00 74 00 6f 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 2c 00 } //1 [!] Failed to create minidump,
		$a_01_5 = {5b 00 31 00 5d 00 20 00 43 00 68 00 65 00 63 00 6b 00 69 00 6e 00 67 00 20 00 4f 00 53 00 } //1 [1] Checking OS
	condition:
		((#a_01_0  & 1)*2+(#a_01_1  & 1)*2+(#a_01_2  & 1)*2+(#a_01_3  & 1)*1+(#a_01_4  & 1)*1+(#a_01_5  & 1)*1) >=5
 
}

NOTE: some strings or condition maybe wrong.

Parsed HSTR type:

  • SIGNATURE_TYPE_PEHSTR_EXT
  • SIGNATURE_TYPE_ELFHSTR_EXT
  • SIGNATURE_TYPE_MACHOHSTR_EXT
  • SIGNATURE_TYPE_MACROHSTR_EXT
  • SIGNATURE_TYPE_DEXHSTR_EXT
  • SIGNATURE_TYPE_JAVAHSTR_EXT
  • SIGNATURE_TYPE_CMDHSTR_EXT
  • SIGNATURE_TYPE_ARHSTR_EXT
  • SIGNATURE_TYPE_PEHSTR

TODO:

  • SIGNATURE_TYPE_SWFHSTR_EXT
  • SIGNATURE_TYPE_AUTOITHSTR_EXT
  • SIGNATURE_TYPE_INNOHSTR_EXT
  • SIGNATURE_TYPE_MDBHSTR_EXT
  • SIGNATURE_TYPE_DMGHSTR_EXT

Reference

Releases

No releases published

Packages

No packages published

Languages