Rules

This project is a community-curated repository of YARA rules used to detect malware, webshells, and other malicious patterns in files. It serves as a dataset of signatures for identifying known malware families, software packers, and threat intelligence indicators.

The collection provides specialized detection capabilities for identifying exploit kits and anti-analysis evasion techniques, such as anti-debugging and anti-virtualization methods. It also includes signatures for cryptographic algorithm detection and the identification of unauthorized remote administration tools on servers.

The repository covers a broad surface of digital forensics and security analysis, including the inspection of malicious documents and emails for embedded code. It further supports threat hunting through the identification of patterns associated with system compromises and active security breaches.

Features

Malware Family Identification - Provides a comprehensive set of signatures to identify known malware families, software packers, and mobile threats.

Evasion Detection Rules - Implements signatures designed to detect the use of anti-debugging and anti-virtualization evasion techniques.

Exploitation and Malware - Provides signatures to identify exploit kits and research regarding binary infection and shellcode.

Threat Intelligence Feeds - Provides collections of indicators of compromise used to identify active security breaches and exploit kits.

Declarative Signature Formats - Provides standardized markup formats used to define security event patterns and detection logic across different platforms.

Logical Pattern Combinations - Implements boolean expressions over pattern matches that must evaluate to true for a malware match to be reported.

Anti-Analysis Technique Development - Includes signatures that detect and resist virtual machines, sandboxes, and debuggers used by analysts.

Binary Pattern Matching - Provides signatures for searching specific byte sequences within executable files and documents to identify malware.

Byte Literal Pattern Matching - Uses byte literal ranges and values to match specific byte sequences within binary data and memory dumps.

Intrusion Detection Systems - Identifies unauthorized webshells and remote administration tools to detect system compromise on servers.

Malicious String Heuristics - Identifies malicious intent by scanning for embedded shellcode, hardcoded IP addresses, and specific API function calls.

Webshell Detection - Includes signatures specifically designed to find unauthorized webshells and remote administration tools on servers.

Office and Documents - Provides patterns for scanning office suite and document formats for embedded malicious code.

Document Analysis Tools - Provides utilities for inspecting and extracting content from malicious documents and emails.

Rule Categorizations - Groups detection rules into categories such as threat type or software family to organize rule sets.

Signature-Based Discovery - Scans binaries and files for the presence of specific cryptographic algorithms used to secure or hide data.

Algorithm Detection - Scans binaries for specific cryptographic algorithms used to encrypt or obfuscate malicious data.

Digital Forensics - Offers signatures for investigating digital evidence, including malicious code embedded in documents and emails.

Threat Intelligence - Centralized repository for YARA detection rules.

Yara Rule Collections - Large, community-maintained collection of rules.

Fingerprinting and Signatures - Compiles and maintains a repository of malware detection signatures.

Malware Detection Rules - Comprehensive repository of rules for malware identification.

Yara-Rulesrules

Features

Star history