# YARA Malware Detection Rules

> Search results for `write YARA rules to detect malware families` on awesome-repositories.com. 114 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/write-yara-rules-to-detect-malware-families

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/write-yara-rules-to-detect-malware-families).**

## Results

- [anyrun/yara](https://awesome-repositories.com/repository/anyrun-yara.md) (29 ⭐) — Maintained by the ANY.RUN team, this repository provides YARA rules to help detect and classify various malware families and other malicious artifacts.
- [elastic/detection-rules](https://awesome-repositories.com/repository/elastic-detection-rules.md) (2,508 ⭐) — This project is a detection-as-code framework providing a library of security monitoring rules and predefined detection content for Elasticsearch data indices. It serves as a threat detection rule library designed to identify malicious activity and attack patterns across diverse data streams in cloud and on-premises environments.

  The framework implements a detection engineering workflow where rules are defined in YAML and managed as versioned code. It includes a set of command-line utilities for automated rule deployment, metadata searching, and template generation, supported by a Python-base
- [bartblaze/yara-rules](https://awesome-repositories.com/repository/bartblaze-yara-rules.md) (385 ⭐) — Collection of private Yara rules.
- [crowdsecurity/crowdsec](https://awesome-repositories.com/repository/crowdsecurity-crowdsec.md) (12,574 ⭐) — CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions.

  What distinguishes the project is its decoupled enforcement model, which offl
- [virustotal/yara](https://awesome-repositories.com/repository/virustotal-yara.md) (9,420 ⭐) — YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries.

  The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence.

  The engine utilizes Aho-Corasick s
- [bearer/bearer](https://awesome-repositories.com/repository/bearer-bearer.md) (2,566 ⭐) — Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing.

  The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports.

  The platform co
- [h3x2b/yara-rules](https://awesome-repositories.com/repository/h3x2b-yara-rules.md) (23 ⭐) — Yara rules for detecting malware
- [cellularprivacy/android-imsi-catcher-detector](https://awesome-repositories.com/repository/cellularprivacy-android-imsi-catcher-detector.md) (5,335 ⭐) — This project is a mobile network security auditor and IMSI catcher detector designed to identify fake base stations and surveillance hardware attempting to intercept mobile traffic. It functions as a radio interface analyzer and cellular tower mapping tool, monitoring connections to detect unauthorized network infrastructure.

  The system distinguishes itself by combining real-time threat level monitoring with the ability to identify silent SMS and stealth communications used for device tracking. It analyzes ciphering status to detect forced network downgrades to weaker encryption standards and
- [cockroachdb/cockroach](https://awesome-repositories.com/repository/cockroachdb-cockroach.md) (32,207 ⭐) — Cockroach is a distributed SQL database designed to scale horizontally across multiple nodes while maintaining strict ACID compliance and global data consistency. It functions as a relational database engine that automatically partitions data into ranges, rebalancing them across a cluster to accommodate growing storage and throughput requirements. By utilizing a distributed consensus protocol, the system ensures that all nodes agree on the order of operations, providing fault tolerance and continuous availability even in the event of hardware failures.

  The system distinguishes itself through
- [horsicq/detect-it-easy](https://awesome-repositories.com/repository/horsicq-detect-it-easy.md) (10,266 ⭐) — Detect-It-Easy is a binary file identifier and analysis toolkit designed to determine file formats, compilers, and packers. It functions as a binary file identifier that utilizes signature matching and heuristic analysis to identify executable and archive formats.

  The project includes a custom file signature engine and a scriptable rule system for defining and applying detection logic to identify specific binary patterns. It features specialized detectors for Android packages, such as APK and DEX files, and a malware packer detector to identify protections, obfuscators, and virus families.

  T
- [yara-rules/rules](https://awesome-repositories.com/repository/yara-rules-rules.md) (4,712 ⭐) — This project is a community-curated repository of YARA rules used to detect malware, webshells, and other malicious patterns in files. It serves as a dataset of signatures for identifying known malware families, software packers, and threat intelligence indicators.

  The collection provides specialized detection capabilities for identifying exploit kits and anti-analysis evasion techniques, such as anti-debugging and anti-virtualization methods. It also includes signatures for cryptographic algorithm detection and the identification of unauthorized remote administration tools on servers.

  The r
- [yara-rules/yara-endpoint](https://awesome-repositories.com/repository/yara-rules-yara-endpoint.md) (109 ⭐) — Yara-Endpoint is a tool useful for incident response as well as an anti-malware endpoint based on Yara signatures.
- [crytic/slither](https://awesome-repositories.com/repository/crytic-slither.md) (6,141 ⭐)
- [cisco-talos/clamav](https://awesome-repositories.com/repository/cisco-talos-clamav.md) (6,869 ⭐) — ClamAV - Documentation is here: https://docs.clamav.net
- [tenable/yara-rules](https://awesome-repositories.com/repository/tenable-yara-rules.md) (60 ⭐) — Repository of yara rules
- [oisf/suricata](https://awesome-repositories.com/repository/oisf-suricata.md) (6,008 ⭐) — Suricata is an open-source network intrusion detection and prevention engine that analyzes live network traffic in real-time to identify and alert on malicious activity. It operates as a rule-based threat detection system, matching traffic against user-defined signatures to detect known attack patterns and policy violations, and can be placed inline to actively block malicious packets before they reach their target. The engine inspects a wide range of application-layer protocols including HTTP, DNS, TLS, SMB, and MQTT, and supports high-performance packet capture through specialized hardware a
- [etcd-io/etcd](https://awesome-repositories.com/repository/etcd-io-etcd.md) (51,838 ⭐) — etcd is a distributed, strongly consistent key-value store designed to provide reliable storage for critical system metadata and coordination primitives. It functions as a distributed consensus engine, utilizing a replicated log and leader-based state machine to ensure that all nodes in a cluster maintain a synchronized view of data. By providing atomic operations and linearizable reads and writes, it serves as a foundational component for distributed systems requiring high availability and fault tolerance.

  The system distinguishes itself through its multi-version concurrency control, which e
- [github/codeql](https://awesome-repositories.com/repository/github-codeql.md) (9,252 ⭐) — CodeQL is a semantic code analysis engine and vulnerability scanning tool that treats source code as data. It utilizes a static analysis query language to define complex patterns and security vulnerabilities within a code graph database.

  The system represents source code as a relational database, enabling the execution of structural queries and data flow analysis. This approach allows for the detection of security flaws and coding errors across large-scale repositories.

  The tool provides capabilities for automated code auditing, static analysis security testing, and custom vulnerability dete
- [ctxis/cape](https://awesome-repositories.com/repository/ctxis-cape.md) (760 ⭐) — Malware Configuration And Payload Extraction
- [fboldewin/yara-rules](https://awesome-repositories.com/repository/fboldewin-yara-rules.md) (70 ⭐) — Some YARA rules I will add from time to time
- [dxa4481/trufflehog](https://awesome-repositories.com/repository/dxa4481-trufflehog.md) (26,790 ⭐) — TruffleHog is a secret scanning tool designed to identify leaked credentials and API keys across version control systems, cloud storage, and filesystems. It functions as a git secret detector that enumerates hidden commits and a cloud storage security auditor for inspecting container images and storage buckets.

  The project is distinguished by a credential verification engine that tests discovered secrets against service APIs to confirm they are active, which eliminates false positive alerts. It further analyzes these verified credentials to determine the specific access levels and resources t
- [avelino/awesome-go](https://awesome-repositories.com/repository/avelino-awesome-go.md) (175,576 ⭐) — This project serves as a comprehensive language ecosystem index, functioning as a centralized, community-curated directory for the Go programming language. It organizes a vast landscape of software components, libraries, and development tools into a structured, navigable hierarchy, enabling developers to efficiently discover resources tailored to specific functional domains.

  The repository distinguishes itself through a decentralized contribution model, where community-driven updates ensure the index remains current with the rapidly evolving software landscape. Beyond simple resource listing,
- [godaddy/yara-rules](https://awesome-repositories.com/repository/godaddy-yara-rules.md) (89 ⭐) — YARA rules for use with ProcFilter
- [imp0rtp3/yara-rules](https://awesome-repositories.com/repository/imp0rtp3-yara-rules.md) (20 ⭐) — Yara rules written by me, for free use.
- [f/prompts.chat](https://awesome-repositories.com/repository/f-prompts-chat.md) (163,814 ⭐) — This platform serves as a centralized management system for organizing, refining, and versioning AI instructions and agent skills. It functions as a repository that enables users to store, categorize, and retrieve structured prompts, ensuring consistent performance across various artificial intelligence models. By integrating with the Model Context Protocol, the system allows external AI assistants and development environments to discover and access these instruction libraries directly.

  The platform distinguishes itself through its focus on prompt engineering and automated refinement, utilizi
- [trufflesecurity/trufflehog](https://awesome-repositories.com/repository/trufflesecurity-trufflehog.md) (24,630 ⭐) — Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle.

  The platfor
- [inquest/yara-rules](https://awesome-repositories.com/repository/inquest-yara-rules.md) (390 ⭐) — A collection of YARA rules we wish to share with the world, most probably referenced from http://blog.inquest.net.
- [falcosecurity/falco](https://awesome-repositories.com/repository/falcosecurity-falco.md) (8,670 ⭐) — Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity.

  The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
- [airbus-cert/dnyara](https://awesome-repositories.com/repository/airbus-cert-dnyara.md) (39 ⭐) — A multi-platform .Net wrapper library for the native Yara library.
- [codewatchorg/burp-yara-rules](https://awesome-repositories.com/repository/codewatchorg-burp-yara-rules.md) (49 ⭐) — Yara rules to be used with the Burp Yara-Scanner extension
- [agent-threat-rule/agent-threat-rules](https://awesome-repositories.com/repository/agent-threat-rule-agent-threat-rules.md) (282 ⭐) — Open detection standard -- like Sigma, but for AI agents. 425 rules, shipped in Microsoft AGT, Cisco AI Defense, MISP, OWASP A-S-R-H. 97.1% recall on NVIDIA garak. NIST OSCAL Path 1.
- [dyad-sh/dyad](https://awesome-repositories.com/repository/dyad-sh-dyad.md) (19,648 ⭐) — Dyad is a local, artificial intelligence-powered development environment designed to manage, edit, and scaffold full-stack software projects. It functions as an automated codebase manager and code editor that leverages language models to execute programming tasks, maintain project context, and apply targeted modifications directly to source files on a user's machine.

  The platform distinguishes itself through a model-agnostic architecture that allows for flexible integration with various language model runtimes. It provides specialized operational modes to optimize development speed and effici
- [claroty/arya](https://awesome-repositories.com/repository/claroty-arya.md) (261 ⭐) — Arya is a unique tool that produces pseudo-malicious files meant to trigger YARA rules. You can think of it like a reverse YARA.
- [kubescape/kubescape](https://awesome-repositories.com/repository/kubescape-kubescape.md) (11,489 ⭐) — Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor.

  The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
- [reversinglabs/reversinglabs-yara-rules](https://awesome-repositories.com/repository/reversinglabs-reversinglabs-yara-rules.md) (922 ⭐) — ReversingLabs YARA Rules
- [cube-js/cube](https://awesome-repositories.com/repository/cube-js-cube.md) (20,251 ⭐) — Cube is a semantic data layer that provides a unified framework for defining business metrics, dimensions, and relationships across diverse data sources. By acting as a headless business intelligence engine, it transforms raw data into a governed model that can be queried via SQL, REST, and GraphQL interfaces. This architecture ensures consistent data definitions and logic across all downstream analytical applications and reporting tools.

  The platform distinguishes itself through its integrated conversational AI capabilities, which allow users to explore data using natural language. It orches
- [ccfos/nightingale](https://awesome-repositories.com/repository/ccfos-nightingale.md) (13,108 ⭐) — Nightingale is a Prometheus-compatible monitoring and alerting platform designed to centralize telemetry management across multiple time-series databases. It functions as a multi-source alerting engine and metric data pipeline that ingests telemetry via remote write protocols and triggers alarms based on data from sources such as Prometheus, Elasticsearch, Loki, and ClickHouse.

  The system is distinguished by its automated alert healing system, which executes predefined scripts and RPC-based corrective actions when monitoring thresholds are breached. It supports distributed alert processing, a
- [t4d/phishingkit-yara-rules](https://awesome-repositories.com/repository/t4d-phishingkit-yara-rules.md) (240 ⭐) — Repository of Yara rules dedicated to Phishing Kits Zip files
- [jaykali/maskphish](https://awesome-repositories.com/repository/jaykali-maskphish.md) (3,020 ⭐) — Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments.

  The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
- [alienvault-otx/yabin](https://awesome-repositories.com/repository/alienvault-otx-yabin.md) (165 ⭐) — A Yara rule generator for finding related samples and hunting
- [lolbas-project/lolbas](https://awesome-repositories.com/repository/lolbas-project-lolbas.md) (8,323 ⭐) — LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable.

  The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, pro
- [citizenlab/malware-signatures](https://awesome-repositories.com/repository/citizenlab-malware-signatures.md) (143 ⭐) — Yara rules for malware families seen as part of targeted threats project
- [arendst/tasmota](https://awesome-repositories.com/repository/arendst-tasmota.md) (24,502 ⭐) — Tasmota is a universal firmware platform for ESP8266 and ESP32 microcontrollers, designed to provide local control and management of smart home hardware. It functions as an event-driven automation controller that replaces proprietary factory firmware, allowing users to manage relays, sensors, and lighting systems without relying on external cloud services. The system is built on a modular driver architecture that enables dynamic hardware configuration and peripheral support through a web-based management interface.

  The platform distinguishes itself through a template-driven hardware mapping s
- [jipegit/yara-rules-public](https://awesome-repositories.com/repository/jipegit-yara-rules-public.md) (11 ⭐) — A set of public Yara rules
- [projectdiscovery/nuclei-templates](https://awesome-repositories.com/repository/projectdiscovery-nuclei-templates.md) (12,518 ⭐) — Nuclei-templates is a security automation framework and vulnerability scanning library designed for the continuous assessment of distributed infrastructure. It functions as a collection of structured configuration files that define how to identify security flaws and misconfigurations across web applications and network services.

  The project utilizes a declarative domain-specific language to decouple detection logic from the underlying execution engine. This approach allows for the creation of modular, protocol-agnostic scanning rules that can be updated independently of the core software. By
- [gitleaks/gitleaks](https://awesome-repositories.com/repository/gitleaks-gitleaks.md) (24,973 ⭐) — Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle.

  The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detec
- [eslint/eslint](https://awesome-repositories.com/repository/eslint-eslint.md) (27,349 ⭐) — This project is a static analysis engine designed to identify patterns, enforce coding standards, and automate code quality improvements in software projects. By parsing source code into structured abstract syntax trees, it enables deep programmatic inspection and the automated remediation of identified programming issues.

  The engine functions as a pluggable linting framework, allowing developers to extend its core capabilities through a modular architecture. Users can inject custom rules, parsers, and processors to support non-standard file formats or domain-specific logic. This extensibilit
- [mthcht/threathunting-keywords-yara-rules](https://awesome-repositories.com/repository/mthcht-threathunting-keywords-yara-rules.md) (164 ⭐) — yara detection rules for hunting with the threathunting-keywords project
- [astral-sh/ty](https://awesome-repositories.com/repository/astral-sh-ty.md) (17,287 ⭐) — This project is a high-performance static type checker and comprehensive development toolkit for Python. It functions as a core analysis engine that identifies type inconsistencies and enforces code correctness, while simultaneously providing a language server implementation to deliver real-time diagnostics and intelligence directly within development environments.

  The tool distinguishes itself through a parallelized execution engine that maximizes performance across large-scale codebases and monorepo structures. It supports gradual type adoption, allowing developers to integrate type checkin
- [chronicle/detection-rules](https://awesome-repositories.com/repository/chronicle-detection-rules.md) (502 ⭐) — This repository contains example YARA-L rules and dashboards for use within Google Security Operations (SecOps)
