ghost/rules/metasploit.yar
Adir Shitrit df8604e937 Add comprehensive YARA rule library for malware detection
Created professional YARA ruleset covering:
- Metasploit payloads and encoders (Meterpreter, Shikata Ga Nai)
- Cobalt Strike beacons and C2 profiles
- Generic shellcode patterns (PEB/TEB access, API hashing)
- Process injection techniques (hollowing, DLL injection, APC)
- Advanced injection (AtomBombing, Process Doppelganging, Early Bird)
- Evasion techniques (anti-debug, anti-VM, AMSI/ETW bypass)

Each rule includes metadata for threat level and MITRE ATT&CK mapping.

Generated with [Claude Code](https://claude.com/claude-code)
2025-11-21 00:38:07 +02:00


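rule Metasploit_Meterpreter_Payload
{
    // Purpose: flag memory or file content that carries Meterpreter-specific
    // artefacts (server/extension module names, the staged "Meterpreter" marker).
    //
    // The earlier version also counted a 16-byte MZ/DOS header
    // (4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00) as an indicator. Those
    // bytes are the stock e_magic/e_cblp/e_cp/e_crlc/e_cparhdr/e_minalloc/
    // e_maxalloc values of most linker-produced PE files, so under "2 of them"
    // any PE plus one weak string ("ReflectiveLoader", "stdapi.dll") raised a
    // critical alert. It has been dropped; only Meterpreter-specific strings count.
    meta:
        description = "Detects Metasploit Meterpreter payload in memory"
        author = "Ghost Detection Engine"
        threat_level = "critical"
        mitre_attack = "T1055"
    strings:
        // Meterpreter server module and stdapi extension file names
        $meterpreter_1 = "metsrv.dll" nocase
        $meterpreter_2 = "stdapi.dll" nocase
        // Export name of reflectively loadable DLLs in general, not only
        // Meterpreter; it only counts together with a second indicator
        $meterpreter_3 = "ReflectiveLoader" nocase
        $meterpreter_sig = "meterpreter" nocase
        // Twelve zero bytes followed by "Meterpreter". NOTE(review): the origin
        // of this marker is not documented here; confirm against a staged sample.
        // Because it embeds the same text as $meterpreter_sig it would always
        // satisfy "2 of them" by itself, so the condition states that explicitly.
        $stage_marker = { 00 00 00 00 00 00 00 00 00 00 00 00 4d 65 74 65 72 70 72 65 74 65 72 }
    condition:
        $stage_marker or 2 of ($meterpreter_*)
}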
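rule Metasploit_Reverse_TCP_Shellcode
{
    // Purpose: catch the x86 Windows reverse-TCP connect-back stub emitted by
    // Metasploit, by its socket-setup byte sequences.
    //
    // The earlier version also matched the bare import name "ws2_32" (nocase)
    // under "any of them". That string is present in every networked Windows
    // program and in plain text, so it fired on benign content; it has been
    // removed rather than kept as a standalone indicator.
    meta:
        description = "Detects Metasploit reverse TCP shellcode patterns"
        author = "Ghost Detection Engine"
        threat_level = "high"
        mitre_attack = "T1055.001"
    strings:
        // push 0x????0002 (AF_INET + port) ; mov esi, esp ; push 0x10 ;
        // push esi ; push edi ; push 0x6174A599 — the sockaddr build-up followed
        // by what is presumably a block_api hash push before the call
        $rev_tcp_1 = { 68 02 00 ?? ?? 89 E6 6A 10 56 57 68 99 A5 74 61 }
        // push 0x0100007F (memory bytes 7F 00 00 01 = 127.0.0.1) ; push 0x????0002 ;
        // mov esi, esp. Only payloads built with LHOST 127.0.0.1 (test builds)
        // carry these address bytes; real deployments rely on $rev_tcp_1.
        $rev_tcp_2 = { 68 7F 00 00 01 68 02 00 ?? ?? 89 E6 }
        // call [ebp+disp8] ; push 0x00646D63 ("cmd\0") — command-shell launch
        // following the connect-back
        $winsock_call = { FF 55 ?? 68 63 6D 64 00 }
    condition:
        any of them
}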
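rule Metasploit_Shikata_Ga_Nai_Encoder
{
    // Purpose: detect the x86 GetPC prologue of the Shikata Ga Nai decoder stub:
    // an FPU instruction, fnstenv [esp-0xC] (D9 74 24 F4), pop r32 to recover
    // the saved FPU instruction pointer, and mov r32, imm32 loading the XOR key.
    //
    // The earlier nibble wildcards "5?" and "B?" also admitted push r32 (50..57)
    // and mov r8, imm8 (B0..B7), neither of which belongs to this stub. The
    // alternatives below restrict them to pop r32 (58..5F) and mov r32, imm32
    // (B8..BF).
    meta:
        description = "Detects Metasploit Shikata Ga Nai polymorphic encoder"
        author = "Ghost Detection Engine"
        threat_level = "high"
        mitre_attack = "T1027"
    strings:
        // fnstenv [esp-0xC] ; pop r32 ; mov r32, key ; xor ...
        $shikata_1 = { D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F) (B8|B9|BA|BB|BC|BD|BE|BF) ?? ?? ?? ?? 31 }
        // fldz ; fnstenv [esp-0xC] ; pop r32 ; mov r32, ...
        $shikata_2 = { D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F) (B8|B9|BA|BB|BC|BD|BE|BF) }
        // <D9-prefixed FPU insn> ; fnstenv [esp-0xC] ; pop r32 ; <5 bytes> ; sub ecx, ecx
        // (the five wildcard bytes are left open because the key load and the
        // counter reset may be emitted in either order)
        $shikata_3 = { D9 ?? D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F) ?? ?? ?? ?? ?? 29 C9 }
    condition:
        any of them
}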
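rule Metasploit_Inline_Egg_Stager
{
    // Purpose: detect the x86 Windows egghunter stub that walks memory page by
    // page looking for the egg tag, plus the tag as the hunter itself loads it.
    //
    // The earlier version fired on the bare 4-byte tag "w00t" (77 30 30 74)
    // under "any of them". That sequence is ordinary text (leetspeak, log lines)
    // and is no evidence of a stager by itself. It is replaced by the same four
    // bytes prefixed with B8 (mov eax, imm32), which is how the reference hunter
    // holds its comparison key — far less likely to occur in benign data.
    meta:
        description = "Detects Metasploit inline egg stager patterns"
        author = "Ghost Detection Engine"
        threat_level = "high"
        mitre_attack = "T1055"
    strings:
        // mov eax, 0x74303077 ("w00t") — the hunter's embedded search key.
        // Constructed from the original $egg_tag bytes; only catches hunters
        // using the default tag.
        $egg_key = { B8 77 30 30 74 }
        // or dx, 0x0FFF ; inc edx ; push edx ; push 2 ; pop eax ; int 2Eh —
        // the syscall-probing page-walk loop of the egghunter
        $egg_search = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
    condition:
        any of them
}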