df8604e937
Created professional YARA ruleset covering: - Metasploit payloads and encoders (Meterpreter, Shikata Ga Nai) - Cobalt Strike beacons and C2 profiles - Generic shellcode patterns (PEB/TEB access, API hashing) - Process injection techniques (hollowing, DLL injection, APC) - Advanced injection (AtomBombing, Process Doppelganging, Early Bird) - Evasion techniques (anti-debug, anti-VM, AMSI/ETW bypass) Each rule includes metadata for threat level and MITRE ATT&CK mapping. Generated with [Claude Code](https://claude.com/claude-code)
176 lines
4.8 KiB
Plaintext
176 lines
4.8 KiB
Plaintext
rule Process_Hollowing_Indicators
|
|
{
|
|
meta:
|
|
description = "Detects process hollowing technique indicators"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "critical"
|
|
mitre_attack = "T1055.012"
|
|
|
|
strings:
|
|
// Common API sequences for process hollowing
|
|
$api_1 = "NtUnmapViewOfSection" nocase
|
|
$api_2 = "ZwUnmapViewOfSection" nocase
|
|
$api_3 = "VirtualAllocEx" nocase
|
|
$api_4 = "WriteProcessMemory" nocase
|
|
$api_5 = "SetThreadContext" nocase
|
|
$api_6 = "ResumeThread" nocase
|
|
|
|
// Suspended process creation
|
|
$create_suspended = { 6A 04 5? 6A 00 }
|
|
|
|
condition:
|
|
($api_1 or $api_2) and 2 of ($api_3, $api_4, $api_5, $api_6)
|
|
}
|
|
|
|
rule DLL_Injection_Classic
|
|
{
|
|
meta:
|
|
description = "Detects classic DLL injection techniques"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "high"
|
|
mitre_attack = "T1055.001"
|
|
|
|
strings:
|
|
$api_1 = "CreateRemoteThread" nocase
|
|
$api_2 = "LoadLibraryA" nocase
|
|
$api_3 = "LoadLibraryW" nocase
|
|
$api_4 = "VirtualAllocEx" nocase
|
|
$api_5 = "WriteProcessMemory" nocase
|
|
|
|
condition:
|
|
$api_1 and ($api_2 or $api_3) and ($api_4 or $api_5)
|
|
}
|
|
|
|
rule Reflective_DLL_Injection
|
|
{
|
|
meta:
|
|
description = "Detects reflective DLL injection patterns"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "critical"
|
|
mitre_attack = "T1055.001"
|
|
|
|
strings:
|
|
$reflective_1 = "ReflectiveLoader" nocase
|
|
$reflective_2 = { 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20 49 8B F8 }
|
|
$reflective_3 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
|
|
$custom_loader = { 8B 45 3C 8B 54 05 78 03 D5 8B 4A 20 }
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule APC_Injection_Technique
|
|
{
|
|
meta:
|
|
description = "Detects APC queue injection technique"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "high"
|
|
mitre_attack = "T1055.004"
|
|
|
|
strings:
|
|
$api_1 = "QueueUserAPC" nocase
|
|
$api_2 = "NtQueueApcThread" nocase
|
|
$api_3 = "ZwQueueApcThread" nocase
|
|
$api_4 = "OpenThread" nocase
|
|
$api_5 = "VirtualAllocEx" nocase
|
|
|
|
condition:
|
|
($api_1 or $api_2 or $api_3) and ($api_4 or $api_5)
|
|
}
|
|
|
|
rule Thread_Execution_Hijacking
|
|
{
|
|
meta:
|
|
description = "Detects thread execution hijacking"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "high"
|
|
mitre_attack = "T1055.003"
|
|
|
|
strings:
|
|
$api_1 = "SuspendThread" nocase
|
|
$api_2 = "GetThreadContext" nocase
|
|
$api_3 = "SetThreadContext" nocase
|
|
$api_4 = "ResumeThread" nocase
|
|
$api_5 = "VirtualAllocEx" nocase
|
|
|
|
condition:
|
|
$api_1 and $api_2 and $api_3 and $api_4
|
|
}
|
|
|
|
rule AtomBombing_Technique
|
|
{
|
|
meta:
|
|
description = "Detects AtomBombing injection technique"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "high"
|
|
mitre_attack = "T1055"
|
|
reference = "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows"
|
|
|
|
strings:
|
|
$api_1 = "GlobalAddAtomA" nocase
|
|
$api_2 = "GlobalAddAtomW" nocase
|
|
$api_3 = "GlobalGetAtomNameA" nocase
|
|
$api_4 = "GlobalGetAtomNameW" nocase
|
|
$api_5 = "NtQueueApcThread" nocase
|
|
|
|
condition:
|
|
($api_1 or $api_2) and ($api_3 or $api_4) and $api_5
|
|
}
|
|
|
|
rule Process_Doppelganging
|
|
{
|
|
meta:
|
|
description = "Detects process doppelganging technique"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "critical"
|
|
mitre_attack = "T1055.013"
|
|
|
|
strings:
|
|
$api_1 = "NtCreateTransaction" nocase
|
|
$api_2 = "NtCreateSection" nocase
|
|
$api_3 = "NtRollbackTransaction" nocase
|
|
$api_4 = "RtlSetCurrentTransaction" nocase
|
|
|
|
condition:
|
|
3 of them
|
|
}
|
|
|
|
rule PROPagate_Injection
|
|
{
|
|
meta:
|
|
description = "Detects PROPagate injection using window properties"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "medium"
|
|
mitre_attack = "T1055"
|
|
|
|
strings:
|
|
$api_1 = "SetPropA" nocase
|
|
$api_2 = "SetPropW" nocase
|
|
$api_3 = "EnumPropsA" nocase
|
|
$api_4 = "EnumPropsW" nocase
|
|
$api_5 = "CallWindowProcA" nocase
|
|
$api_6 = "CallWindowProcW" nocase
|
|
|
|
condition:
|
|
($api_1 or $api_2) and ($api_5 or $api_6)
|
|
}
|
|
|
|
rule Early_Bird_Injection
|
|
{
|
|
meta:
|
|
description = "Detects Early Bird APC injection technique"
|
|
author = "Ghost Detection Engine"
|
|
threat_level = "high"
|
|
mitre_attack = "T1055.004"
|
|
|
|
strings:
|
|
$api_1 = "CreateProcessA" nocase
|
|
$api_2 = "CreateProcessW" nocase
|
|
$api_3 = "QueueUserAPC" nocase
|
|
$api_4 = "ResumeThread" nocase
|
|
$create_suspended = { 00 00 00 04 }
|
|
|
|
condition:
|
|
($api_1 or $api_2) and $api_3 and $api_4
|
|
}
|