GitHub: AntonSMarinov/yara-rules-collection
# YARA Rules Collection
**Author:** Anton Marinov ([@AntonSMarinov](https://github.com/AntonSMarinov))
## Contents
| Category | Rules | Families Covered |
|----------|-------|-----------------|
| [Generic Malware](rules/malware/generic_malware.yar) | 5 | PE anomalies, shellcode injection, UPX packers, registry persistence |
| [Ransomware](rules/ransomware/ransomware.yar) | 5 | LockBit, Conti, REvil/Sodinokibi, generic indicators |
| [RATs & Backdoors](rules/rats_backdoors/rats_backdoors.yar) | 5 | Cobalt Strike, Meterpreter, AsyncRAT, njRAT |
| [Phishing Documents](rules/phishing/phishing_docs.yar) | 5 | Office macros, ClickFix, PDF exploits, RTF (CVE-2017-11882) |
| [Web Shells](rules/webshells/webshells.yar) | 5 | PHP, ASP/ASPX, JSP, China Chopper, obfuscated shells |
**Total: 25 rules across 5 categories**
## Scanner
The included `scanner.py` script lets you scan files or directories directly from the command line.
### Requirements
```bash
pip install yara-python colorama
```
### Usage
```bash
# Scan a single file
python scanner.py -f suspicious.exe

# Scan a directory recursively
python scanner.py -d /tmp/samples

# Scan with a specific category only
python scanner.py -d /var/www/html -c webshells

# Filter by file extension
python scanner.py -d /uploads -e .php .asp .jsp

# Output as JSON (for SIEM/pipeline integration)
python scanner.py -f malware.bin --json > results.json
```
### Example Output
```text
════════════════════════════════════════════════════════════
[!] MATCH: Cobalt_Strike_Beacon
    File     : /tmp/samples/beacon.dll
    Category : rats
    Severity : CRITICAL
    Family   : Cobalt Strike
    Desc     : Detects Cobalt Strike Beacon payloads
    Matched  : 3 string(s)
        @ 0x00004a20 $beacon4 'ReflectiveLoader'
        @ 0x00008b10 $cs4 'MSSE-'
        @ 0x0000a240 $pipe1 '\\\\.\\pipe\\MSSE-'
════════════════════════════════════════════════════════════
```
## Rule Structure
Each rule follows a consistent metadata schema:
```yara
rule Rule_Name
{
    meta:
        author = "Anton Marinov"
        description = "What this rule detects"
        category = "ransomware|malware|webshells|phishing|rats_backdoors"
        family = "Malware family name (if applicable)"
        severity = "critical|high|medium|low"
        date = "YYYY-MM-DD"
        reference = "https://source-url"
    strings:
        // ...
    condition:
        // ...
}
```
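As an added example (not the repository's `scanner.py` or any of its rules), the following Python linter checks `.yar` files against the metadata schema above without needing `yara-python`: every rule must carry the seven `meta` keys, and `category`, `severity` and `date` must use the values documented here. It is a regex-based parser that assumes each rule's closing brace sits on its own line; the two sample rules are constructed for the demonstration.

```python
import re

REQUIRED_KEYS = ("author", "description", "category", "family", "severity", "date", "reference")
ALLOWED = {"category": {"ransomware", "malware", "webshells", "phishing", "rats_backdoors"},
           "severity": {"critical", "high", "medium", "low"}}
# A rule is `rule Name [tags] { ... }` with its closing brace on a line of its own.
RULE_RE = re.compile(r"\brule\s+(\w+)\b[^{]*\{(.*?)\n\}", re.DOTALL)
# The meta: section runs until the next strings: or condition: keyword.
META_RE = re.compile(r"meta:\s*(.*?)(?=\n\s*(?:strings|condition):)", re.DOTALL)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)  # key = "value"


def lint_rules(source: str) -> dict:
    """Return {rule_name: [problem, ...]}; an empty list means the rule conforms."""
    report = {}
    for name, body in RULE_RE.findall(source):
        meta_match = META_RE.search(body)
        meta = dict(KV_RE.findall(meta_match.group(1))) if meta_match else {}
        problems = [f"missing meta.{k}" for k in REQUIRED_KEYS if k not in meta]
        for key, allowed in ALLOWED.items():
            if key in meta and meta[key] not in allowed:
                problems.append(f"unknown {key} {meta[key]!r}")
        if "date" in meta and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", meta["date"]):
            problems.append("date is not YYYY-MM-DD")
        report[name] = problems
    return report


# Constructed sample: one conforming rule and one that breaks the schema.
SAMPLE_RULES = r'''
rule Webshell_Generic_Eval
{
    meta:
        author = "Anton Marinov"
        description = "Placeholder rule used to exercise the linter"
        category = "webshells"
        family = "Generic"
        severity = "high"
        date = "2024-01-15"
        reference = "https://example.invalid/placeholder"
    condition: true
}
rule Bad_Meta_Example
{
    meta:
        category = "trojans"
        severity = "urgent"
        date = "15/01/2024"
    condition: uint16(0) == 0x5A4D
}
'''
```

Running `lint_rules` over the collection's own files before a commit catches rules whose severity or category would be silently mis-reported by a scanner that reads them from `meta`.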
### Severity Levels
| Level | Description |
|-------|-------------|
| `critical` | Active threat, immediate response required |
| `high` | Strong indicator of compromise |
| `medium` | Suspicious behavior, further investigation needed |
| `low` | Low-confidence indicator, use with other signals |
## Rule Categories
### 🦠 Generic Malware
Covers PE structure anomalies, shellcode injection patterns, UPX-packed executables, and registry-based persistence (the families listed in the Contents table above).
### 🔒 Ransomware
Covers major ransomware families (LockBit, Conti, REvil) and generic indicators including encryption API usage, ransom note patterns, and shadow copy deletion commands.
### 🎭 RATs & Backdoors
Includes signatures for Cobalt Strike Beacon, Metasploit Meterpreter, AsyncRAT, njRAT, and generic keylogging/screen capture/webcam access patterns.
### 📧 Phishing Documents
Detects malicious Office macros, ClickFix social engineering lures, PDF JavaScript exploits, RTF exploit documents (CVE-2017-11882), and credential harvesting pages.
### 🐚 Web Shells
Covers PHP, ASP/ASPX, and JSP web shells including the China Chopper family and heavily obfuscated variants using chained encoding.
## Integration
### With ClamAV
```bash
# Convert for ClamAV (requires yara2clamav)
yara2clamav rules/webshells/webshells.yar > webshells.ndb
```
### With SIEM (JSON output)
```bash
python scanner.py -d /var/www --json | curl -X POST https://your-siem/api/events \
    -H "Content-Type: application/json" -d @-
```
### Cron-based scheduled scan
```bash
# /etc/cron.d/yara-scan
# cron does not treat a trailing backslash as a line continuation, so the whole
# command must stay on one line.
0 */6 * * * root python3 /opt/yara-rules-collection/scanner.py -d /var/www/html -c webshells --json >> /var/log/yara-scan.json
```
## Limitations
- Rules are written for **detection** purposes and may produce false positives in development environments
- Always validate matches in context before taking action
- Ransomware family rules are based on **known samples** — novel variants may evade detection
- Regularly update rules as threat actors evolve their TTPs
## Resources
- [YARA Documentation](https://yara.readthedocs.io/)
- [MITRE ATT&CK](https://attack.mitre.org/)
- [Any.run](https://any.run/) — interactive malware sandbox
- [VirusTotal](https://www.virustotal.com/) — multi-AV scanning
- [MalwareBazaar](https://bazaar.abuse.ch/) — malware sample repository
## License
These rules are provided for **defensive and educational purposes only**.
Do not use against systems you do not own or have explicit permission to test.
*Built by a SOC analyst, for SOC analysts.*