Add comprehensive YARA rule library for malware detection

Created professional YARA ruleset covering:
- Metasploit payloads and encoders (Meterpreter, Shikata Ga Nai)
- Cobalt Strike beacons and C2 profiles
- Generic shellcode patterns (PEB/TEB access, API hashing)
- Process injection techniques (hollowing, DLL injection, APC)
- Advanced injection (AtomBombing, Process Doppelganging, Early Bird)
- Evasion techniques (anti-debug, anti-VM, AMSI/ETW bypass)

Each rule includes metadata for threat level and MITRE ATT&CK mapping.

Generated with [Claude Code](https://claude.com/claude-code)
This commit is contained in:
Adir Shitrit
2025-11-21 00:38:07 +02:00
parent bcf934fac2
commit df8604e937
5 changed files with 671 additions and 0 deletions

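--- a/rules/cobalt_strike.yar
+++ b/rules/cobalt_strike.yar
@@ -0,0 +1,92 @@
+rule CobaltStrike_Beacon_Memory
+{
+meta:
+description = "Detects Cobalt Strike Beacon in process memory"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055"
+reference = "https://www.cobaltstrike.com/"
+strings:
+$beacon_1 = "%s as %s\\%s: %d" wide
+$beacon_2 = "beacon.dll" nocase
+$beacon_3 = "beacon.x64.dll" nocase
+$beacon_4 = { 69 68 69 68 69 6B ?? 69 6B 69 68 69 6B }
+$config_marker = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 }
+$sleep_mask = { 48 89 5C 24 08 57 48 83 EC 20 48 8B D9 33 FF }
+condition:
+2 of them
+}
+rule CobaltStrike_Beacon_Config
+{
+meta:
+description = "Detects Cobalt Strike Beacon configuration structure"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1071"
+strings:
+$config_1 = { 00 01 00 01 00 02 }
+$config_2 = { 00 02 00 01 00 02 }
+$config_3 = { 00 03 00 02 }
+$http_header = "MZ" wide
+$named_pipe = "\\\\.\\pipe\\" wide
+condition:
+2 of ($config_*) or ($config_1 and ($http_header or $named_pipe))
+}
+rule CobaltStrike_Named_Pipe_Beacon
+{
+meta:
+description = "Detects Cobalt Strike named pipe beacon patterns"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1090"
+strings:
+$pipe_1 = "\\\\.\\pipe\\MSSE-" wide
+$pipe_2 = "\\\\.\\pipe\\postex_" wide
+$pipe_3 = "\\\\.\\pipe\\msagent_" wide
+$pipe_4 = "\\\\.\\pipe\\status_" wide
+condition:
+any of them
+}
+rule CobaltStrike_Artifact_Kit_Payload
+{
+meta:
+description = "Detects Cobalt Strike Artifact Kit generated payloads"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055.002"
+strings:
+$artifact_1 = { 48 8D 05 ?? ?? 00 00 48 89 44 24 ?? 48 8D 05 }
+$artifact_2 = { 48 89 5C 24 10 48 89 74 24 18 57 48 83 EC 20 }
+$reflective_loader = "ReflectiveLoader"
+condition:
+any of them
+}
+rule CobaltStrike_Malleable_C2_Profile
+{
+meta:
+description = "Detects Cobalt Strike malleable C2 profile indicators"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1071.001"
+strings:
+$header_1 = "Cookie: " nocase
+$header_2 = "Accept: */*" nocase
+$header_3 = "User-Agent: Mozilla/" nocase
+$uri_pattern = /\/[a-z]{4,12}\/[a-z]{4,12}/
+condition:
+3 of them
+}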
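Review bot: `CobaltStrike_Artifact_Kit_Payload` will fire at threat_level critical on ordinary x64 Windows code, because `$artifact_2` (`48 89 5C 24 10 48 89 74 24 18 57 48 83 EC 20`) is the standard MSVC x64 function prologue (spill rbx/rsi, push rdi, sub rsp,0x20) and `condition: any of them` accepts it on its own; `$sleep_mask` in `CobaltStrike_Beacon_Memory` is another common prologue rather than a sleep-mask signature. Tighten it to `condition: $reflective_loader and ($artifact_1 or $artifact_2)` or drop the two prologue patterns. `CobaltStrike_Beacon_Config` has the same shape of problem: `$config_1`..`$config_3` are 4–6 byte sequences, so `2 of ($config_*)` will match arbitrary binary data, and `$http_header = "MZ" wide` is a DOS-header magic rather than an HTTP header — rename it and require all three config markers together with `$named_pipe`. `CobaltStrike_Malleable_C2_Profile` matches any process holding ordinary HTTP request text (`Cookie:`, `Accept: */*`, `User-Agent: Mozilla/` under `3 of them`), and since malleable profiles exist precisely to make those headers arbitrary the rule carries no Beacon-specific signal; I would remove it or restrict it to known default-profile artifacts.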

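--- a/rules/evasion.yar
+++ b/rules/evasion.yar
@@ -0,0 +1,174 @@
+rule Anti_Debug_Techniques
+{
+meta:
+description = "Detects anti-debugging techniques in memory"
+author = "Ghost Detection Engine"
+threat_level = "medium"
+mitre_attack = "T1622"
+strings:
+$isdebuggerpresent = "IsDebuggerPresent" nocase
+$checkremotedebuggerpresent = "CheckRemoteDebuggerPresent" nocase
+$ntqueryinformationprocess = "NtQueryInformationProcess" nocase
+$outputdebugstring = "OutputDebugStringA" nocase
+// PEB BeingDebugged check
+$peb_debug_1 = { 64 A1 30 00 00 00 80 78 02 00 }
+$peb_debug_2 = { 65 48 8B 04 25 60 00 00 00 80 78 02 00 }
+// Debug register checks
+$dr_check = { 8B 45 ?? 89 45 ?? 8B 45 ?? 09 45 }
+condition:
+2 of them
+}
+rule Anti_VM_Techniques
+{
+meta:
+description = "Detects anti-VM and sandbox detection techniques"
+author = "Ghost Detection Engine"
+threat_level = "medium"
+mitre_attack = "T1497.001"
+strings:
+// VM detection strings
+$vmware_1 = "VMware" nocase
+$vmware_2 = "vmtoolsd" nocase
+$virtualbox = "VirtualBox" nocase
+$vbox = "VBOX" nocase
+$qemu = "QEMU" nocase
+$kvm = "KVMKVMKVM" nocase
+// Registry keys for VM detection
+$reg_vm_1 = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port" nocase
+$reg_vm_2 = "SYSTEM\\ControlSet001\\Services\\Disk\\Enum" nocase
+// CPUID VM detection
+$cpuid_check = { 0F A2 81 FB ?? ?? ?? ?? }
+// Red Pill technique
+$redpill = { 0F 01 0D 00 00 00 00 }
+condition:
+2 of them
+}
+rule Timing_Attacks
+{
+meta:
+description = "Detects timing-based anti-analysis techniques"
+author = "Ghost Detection Engine"
+threat_level = "low"
+mitre_attack = "T1497.003"
+strings:
+$rdtsc = { 0F 31 }
+$queryperformancecounter = "QueryPerformanceCounter" nocase
+$gettickcount = "GetTickCount" nocase
+$sleep = "Sleep" nocase
+$timegettime = "timeGetTime" nocase
+condition:
+2 of them
+}
+rule API_Hashing_Obfuscation
+{
+meta:
+description = "Detects API hashing for obfuscation"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1027"
+strings:
+// ROR13 hash algorithm
+$ror13 = { C1 C? 0D 03 ?? }
+// CRC32 hashing
+$crc32 = { F7 D1 33 C8 C1 E? 08 }
+// DJB2 hash
+$djb2 = { C1 E0 05 03 C? }
+// GetProcAddress via hash
+$hash_resolve = { 8B 40 78 03 C? 8B 58 20 }
+condition:
+2 of them
+}
+rule Memory_Evasion_Techniques
+{
+meta:
+description = "Detects memory-based evasion techniques"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1562.001"
+strings:
+$virtualprotect = "VirtualProtect" nocase
+$virtualprotectex = "VirtualProtectEx" nocase
+$ntprotectvirtualmemory = "NtProtectVirtualMemory" nocase
+// Memory permission changes
+$mem_perm_1 = { 6A 40 68 00 30 00 00 }
+$mem_perm_2 = { 68 00 00 40 00 }
+condition:
+any of them
+}
+rule Heaven_Gate_Technique
+{
+meta:
+description = "Detects Heaven's Gate (WoW64 bypass) technique"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+strings:
+$heavens_gate_1 = { 33 C0 }
+$far_jump = { EA ?? ?? ?? ?? 33 00 }
+$segment_switch = { 48 89 E5 48 83 EC ?? }
+$wow64_syscall = { 0F 05 }
+condition:
+2 of them
+}
+rule AMSI_Bypass_Attempt
+{
+meta:
+description = "Detects AMSI bypass techniques"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1562.001"
+strings:
+$amsi_string = "AmsiScanBuffer" nocase
+$amsi_context = "AmsiInitialize" nocase
+$amsi_patch_1 = { B8 57 00 07 80 C3 }
+$amsi_patch_2 = { 31 C0 C3 }
+$amsi_bypass = "amsi.dll" nocase
+condition:
+2 of them
+}
+rule ETW_Bypass_Attempt
+{
+meta:
+description = "Detects ETW bypass techniques"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1562.001"
+strings:
+$etw_string = "EtwEventWrite" nocase
+$etw_provider = "EtwEventRegister" nocase
+$etw_patch = { 33 C0 C2 14 00 }
+condition:
+any of them
+}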
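Review bot: `AMSI_Bypass_Attempt` and `ETW_Bypass_Attempt` will alert on every process that legitimately has amsi.dll or ntdll.dll mapped, because the export names `AmsiScanBuffer`/`AmsiInitialize`/`EtwEventWrite`/`EtwEventRegister` and the module name `amsi.dll` are present in those images' export and import tables, and the conditions (`2 of them`, `any of them`) are satisfied by those strings alone; `$amsi_patch_2 = { 31 C0 C3 }` (`xor eax,eax; ret`) is three bytes and occurs in normal code too. Anchor both rules on the actual patch bytes: `condition: $amsi_patch_1 and 1 of ($amsi_string, $amsi_context)` and `condition: $etw_patch and 1 of ($etw_string, $etw_provider)`. `Heaven_Gate_Technique` is worse still: `$heavens_gate_1 = { 33 C0 }` and `$wow64_syscall = { 0F 05 }` are two-byte instructions and `$segment_switch` is a standard compiler prologue, so `2 of them` matches nearly any x64 code, while the one Heaven's Gate-specific pattern, `$far_jump`, is optional — make it mandatory (`$far_jump and 1 of ($wow64_syscall, $segment_switch)`). `Memory_Evasion_Techniques` has the same problem with `any of them` over `VirtualProtect` (imported by most Windows binaries) and `{ 68 00 00 40 00 }` (push 0x400000, the default image base), which does not justify threat_level high.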

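--- a/rules/metasploit.yar
+++ b/rules/metasploit.yar
@@ -0,0 +1,72 @@
+rule Metasploit_Meterpreter_Payload
+{
+meta:
+description = "Detects Metasploit Meterpreter payload in memory"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055"
+strings:
+$meterpreter_1 = "metsrv.dll" nocase
+$meterpreter_2 = "stdapi.dll" nocase
+$meterpreter_3 = "ReflectiveLoader" nocase
+$meterpreter_4 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
+$meterpreter_sig = "meterpreter" nocase
+$stage_marker = { 00 00 00 00 00 00 00 00 00 00 00 00 4d 65 74 65 72 70 72 65 74 65 72 }
+condition:
+2 of them
+}
+rule Metasploit_Reverse_TCP_Shellcode
+{
+meta:
+description = "Detects Metasploit reverse TCP shellcode patterns"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055.001"
+strings:
+// Windows reverse TCP patterns
+$rev_tcp_1 = { 68 02 00 ?? ?? 89 E6 6A 10 56 57 68 99 A5 74 61 }
+$rev_tcp_2 = { 68 7F 00 00 01 68 02 00 ?? ?? 89 E6 }
+$winsock_2 = "ws2_32" nocase
+$winsock_call = { FF 55 ?? 68 63 6D 64 00 }
+condition:
+any of them
+}
+rule Metasploit_Shikata_Ga_Nai_Encoder
+{
+meta:
+description = "Detects Metasploit Shikata Ga Nai polymorphic encoder"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1027"
+strings:
+// Shikata Ga Nai decoder stub patterns
+$shikata_1 = { D9 74 24 F4 5? B? ?? ?? ?? ?? 31 }
+$shikata_2 = { D9 EE D9 74 24 F4 5? B? }
+$shikata_3 = { D9 ?? D9 74 24 F4 5? ?? ?? ?? ?? ?? 29 C9 }
+condition:
+any of them
+}
+rule Metasploit_Inline_Egg_Stager
+{
+meta:
+description = "Detects Metasploit inline egg stager patterns"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+strings:
+$egg_tag = { 77 30 30 74 }
+$egg_search = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
+condition:
+any of them
+}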
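Review bot: `Metasploit_Reverse_TCP_Shellcode` uses `condition: any of them` while `$winsock_2 = "ws2_32" nocase` matches the import table of every Winsock-using program, so the rule fires at threat_level high on ordinary network software; either drop `$winsock_2` or make it corroborating only, e.g. `condition: 1 of ($rev_tcp_*) or ($winsock_2 and $winsock_call)`. In the same rule `$rev_tcp_2` hard-codes `68 7F 00 00 01` (push 127.0.0.1), so it only matches payloads whose LHOST is loopback; `68 ?? ?? ?? ?? 68 02 00 ?? ?? 89 E6` covers any address. `Metasploit_Inline_Egg_Stager` is likewise triggered by the four ASCII bytes `w00t` alone (`$egg_tag` under `any of them`); the standard egg hunter compares the tag twice, so `$egg_tag = "w00tw00t"` is the minimum meaningful form. Note also that `$egg_search` is byte-identical to `$egg_seh_32` in rules/shellcode.yar, so one sample will raise both rules — keep that pattern in one place.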

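--- a/rules/process_injection.yar
+++ b/rules/process_injection.yar
@@ -0,0 +1,175 @@
+rule Process_Hollowing_Indicators
+{
+meta:
+description = "Detects process hollowing technique indicators"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055.012"
+strings:
+// Common API sequences for process hollowing
+$api_1 = "NtUnmapViewOfSection" nocase
+$api_2 = "ZwUnmapViewOfSection" nocase
+$api_3 = "VirtualAllocEx" nocase
+$api_4 = "WriteProcessMemory" nocase
+$api_5 = "SetThreadContext" nocase
+$api_6 = "ResumeThread" nocase
+// Suspended process creation
+$create_suspended = { 6A 04 5? 6A 00 }
+condition:
+($api_1 or $api_2) and 2 of ($api_3, $api_4, $api_5, $api_6)
+}
+rule DLL_Injection_Classic
+{
+meta:
+description = "Detects classic DLL injection techniques"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055.001"
+strings:
+$api_1 = "CreateRemoteThread" nocase
+$api_2 = "LoadLibraryA" nocase
+$api_3 = "LoadLibraryW" nocase
+$api_4 = "VirtualAllocEx" nocase
+$api_5 = "WriteProcessMemory" nocase
+condition:
+$api_1 and ($api_2 or $api_3) and ($api_4 or $api_5)
+}
+rule Reflective_DLL_Injection
+{
+meta:
+description = "Detects reflective DLL injection patterns"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055.001"
+strings:
+$reflective_1 = "ReflectiveLoader" nocase
+$reflective_2 = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 49 8B F8 }
+$reflective_3 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
+$custom_loader = { 8B 45 3C 8B 54 05 78 03 D5 8B 4A 20 }
+condition:
+any of them
+}
+rule APC_Injection_Technique
+{
+meta:
+description = "Detects APC queue injection technique"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055.004"
+strings:
+$api_1 = "QueueUserAPC" nocase
+$api_2 = "NtQueueApcThread" nocase
+$api_3 = "ZwQueueApcThread" nocase
+$api_4 = "OpenThread" nocase
+$api_5 = "VirtualAllocEx" nocase
+condition:
+($api_1 or $api_2 or $api_3) and ($api_4 or $api_5)
+}
+rule Thread_Execution_Hijacking
+{
+meta:
+description = "Detects thread execution hijacking"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055.003"
+strings:
+$api_1 = "SuspendThread" nocase
+$api_2 = "GetThreadContext" nocase
+$api_3 = "SetThreadContext" nocase
+$api_4 = "ResumeThread" nocase
+$api_5 = "VirtualAllocEx" nocase
+condition:
+$api_1 and $api_2 and $api_3 and $api_4
+}
+rule AtomBombing_Technique
+{
+meta:
+description = "Detects AtomBombing injection technique"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+reference = "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows"
+strings:
+$api_1 = "GlobalAddAtomA" nocase
+$api_2 = "GlobalAddAtomW" nocase
+$api_3 = "GlobalGetAtomNameA" nocase
+$api_4 = "GlobalGetAtomNameW" nocase
+$api_5 = "NtQueueApcThread" nocase
+condition:
+($api_1 or $api_2) and ($api_3 or $api_4) and $api_5
+}
+rule Process_Doppelganging
+{
+meta:
+description = "Detects process doppelganging technique"
+author = "Ghost Detection Engine"
+threat_level = "critical"
+mitre_attack = "T1055.013"
+strings:
+$api_1 = "NtCreateTransaction" nocase
+$api_2 = "NtCreateSection" nocase
+$api_3 = "NtRollbackTransaction" nocase
+$api_4 = "RtlSetCurrentTransaction" nocase
+condition:
+3 of them
+}
+rule PROPagate_Injection
+{
+meta:
+description = "Detects PROPagate injection using window properties"
+author = "Ghost Detection Engine"
+threat_level = "medium"
+mitre_attack = "T1055"
+strings:
+$api_1 = "SetPropA" nocase
+$api_2 = "SetPropW" nocase
+$api_3 = "EnumPropsA" nocase
+$api_4 = "EnumPropsW" nocase
+$api_5 = "CallWindowProcA" nocase
+$api_6 = "CallWindowProcW" nocase
+condition:
+($api_1 or $api_2) and ($api_5 or $api_6)
+}
+rule Early_Bird_Injection
+{
+meta:
+description = "Detects Early Bird APC injection technique"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055.004"
+strings:
+$api_1 = "CreateProcessA" nocase
+$api_2 = "CreateProcessW" nocase
+$api_3 = "QueueUserAPC" nocase
+$api_4 = "ResumeThread" nocase
+$create_suspended = { 00 00 00 04 }
+condition:
+($api_1 or $api_2) and $api_3 and $api_4
+}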
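Review bot: This file will not compile as written, because YARA rejects a string that the condition never references: `$create_suspended` in `Process_Hollowing_Indicators` and `Early_Bird_Injection`, `$api_5` in `Thread_Execution_Hijacking`, and `$api_3`/`$api_4` in `PROPagate_Injection` are all unreferenced, so loading the ruleset fails before any rule is evaluated. Delete those string lines or use them in the condition; for `Early_Bird_Injection` deletion is the right call, since `{ 00 00 00 04 }` is also the wrong byte order for `CREATE_SUSPENDED` (0x4 stored little-endian is `04 00 00 00`) and a four-byte pattern that is mostly zeros carries no signal. Separately, every rule here keys on API names with `nocase`, and those names exist as export-table entries in the kernel32.dll/ntdll.dll images mapped into every process (`VirtualAllocEx`, `WriteProcessMemory`, `NtUnmapViewOfSection`, `NtCreateTransaction`, …); run against whole process memory as the descriptions say, they will match every process unless the scanner skips image-backed regions or the rules are restricted to the private/unbacked regions where injected code actually lives.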

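--- a/rules/shellcode.yar
+++ b/rules/shellcode.yar
@@ -0,0 +1,158 @@
+rule Generic_Shellcode_Patterns
+{
+meta:
+description = "Detects generic shellcode patterns in memory"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+strings:
+// Common shellcode prologue patterns
+$prologue_1 = { EB ?? 5? 31 ?? 64 8B }
+$prologue_2 = { 55 89 E5 83 EC }
+$prologue_3 = { 48 89 5C 24 ?? 48 89 74 24 }
+// PEB/TEB access patterns (x86)
+$peb_access_1 = { 64 A1 30 00 00 00 }
+$peb_access_2 = { 64 8B 15 30 00 00 00 }
+$peb_access_3 = { 64 8B 0D 30 00 00 00 }
+// PEB/TEB access patterns (x64)
+$peb_access_x64_1 = { 65 48 8B 04 25 60 00 00 00 }
+$peb_access_x64_2 = { 65 48 8B 0C 25 60 00 00 00 }
+// API hashing (ROR13)
+$api_hash_ror13 = { C1 C? 0D 03 ?? 83 C? 04 }
+// GetProcAddress pattern
+$getprocaddr = { 8B 40 78 03 C? 8B 58 20 03 D? }
+// LoadLibrary pattern
+$loadlibrary = { 6A 00 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 00 }
+condition:
+2 of them
+}
+rule Windows_API_Call_Shellcode
+{
+meta:
+description = "Detects shellcode with Windows API call patterns"
+author = "Ghost Detection Engine"
+threat_level = "medium"
+mitre_attack = "T1106"
+strings:
+$api_1 = "kernel32" nocase
+$api_2 = "ntdll" nocase
+$api_3 = "advapi32" nocase
+$api_call = { FF 5? ?? 85 C0 }
+$stack_align = { 83 E4 F0 }
+condition:
+1 of ($api_*) and 1 of ($api_call, $stack_align)
+}
+rule Egg_Hunter_Shellcode
+{
+meta:
+description = "Detects egg hunter shellcode patterns"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+strings:
+// 32-bit egg hunter (SEH method)
+$egg_seh_32 = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
+// IsBadReadPtr egg hunter
+$egg_isbad = { 8B FB 4F 4F B9 ?? ?? ?? ?? 40 }
+// NtDisplayString egg hunter
+$egg_ntdisplay = { B8 ?? ?? ?? ?? 8D 54 24 04 CD 2E }
+condition:
+any of them
+}
+rule Position_Independent_Shellcode
+{
+meta:
+description = "Detects position-independent shellcode characteristics"
+author = "Ghost Detection Engine"
+threat_level = "medium"
+mitre_attack = "T1027"
+strings:
+// Call/Pop pattern to get EIP
+$call_pop_1 = { E8 00 00 00 00 5? }
+$call_pop_2 = { E8 ?? ?? ?? ?? 5? }
+// FSTENV trick
+$fstenv = { D9 EE D9 74 24 F4 5? }
+// GetPC thunk
+$getpc_thunk = { 8B 0C 24 C3 }
+condition:
+any of them
+}
+rule Stack_Pivot_Shellcode
+{
+meta:
+description = "Detects stack pivot operations common in shellcode"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1055"
+strings:
+$pivot_1 = { 8B EC 81 EC ?? ?? 00 00 }
+$pivot_2 = { 48 81 EC ?? ?? 00 00 }
+$pivot_3 = { 54 5C }
+$pivot_4 = { 94 }
+condition:
+any of them
+}
+rule NOP_Sled_Detection
+{
+meta:
+description = "Detects NOP sleds commonly used in exploits"
+author = "Ghost Detection Engine"
+threat_level = "low"
+mitre_attack = "T1055"
+strings:
+$nop_x86 = { 90 90 90 90 90 90 90 90 90 90 }
+$nop_x64 = { 66 90 66 90 66 90 66 90 66 90 }
+$multi_nop_1 = { 40 40 40 40 40 40 40 40 }
+$multi_nop_2 = { 47 47 47 47 47 47 47 47 }
+condition:
+any of them
+}
+rule Polymorphic_Decoder_Stub
+{
+meta:
+description = "Detects polymorphic decoder stubs"
+author = "Ghost Detection Engine"
+threat_level = "high"
+mitre_attack = "T1027.002"
+strings:
+// XOR decoder
+$xor_decoder_1 = { 30 ?? 40 E2 FA }
+$xor_decoder_2 = { 80 ?? ?? E2 FA }
+// ADD/SUB decoder
+$add_decoder = { 80 ?? ?? 40 3D ?? ?? ?? ?? 75 }
+// Loop-based decoder
+$loop_decoder = { AC 34 ?? AA E2 FA }
+condition:
+any of them
+}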
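Review bot: `Stack_Pivot_Shellcode` with `condition: any of them` matches essentially any byte stream, because `$pivot_4 = { 94 }` is a single byte, `$pivot_3 = { 54 5C }` is two bytes, and `$pivot_1`/`$pivot_2` (`mov ebp,esp; sub esp,imm32` and `sub rsp,imm32`) are the ordinary x86/x64 function prologues every compiler emits; YARA will also warn that such short atoms slow scanning. Drop `$pivot_4` and the two prologues, and either require the remaining gadget to co-occur with another rule's hit or lower the rule from threat_level high. `Position_Independent_Shellcode` has the same weakness: `$call_pop_2 = { E8 ?? ?? ?? ?? 5? }` is any call followed by a register pop (routine cdecl stack clean-up), and `$getpc_thunk = { 8B 0C 24 C3 }` is the compiler-generated `__x86.get_pc_thunk.cx` present in PIC x86 binaries, so under `any of them` it flags normal code; keep `$call_pop_1` (call +0) and `$fstenv` as the shellcode-specific forms and make the other two corroborating only. `$egg_seh_32` here is byte-identical to `$egg_search` in rules/metasploit.yar, so one sample will raise both rules.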