leonardosmoutinho/yara-detection-rules

GitHub: leonardosmoutinho/yara-detection-rules

A production-ready set of YARA detection rules, organized by threat category and mapped to MITRE ATT&CK, for malware identification and threat hunting.

Stars: 0 | Forks: 0

# YARA Detection Rules

A collection of YARA rules for malware detection and threat hunting, covering ransomware, webshells, persistence mechanisms, and command-and-control (C2) indicators.

## 📋 Overview

This repository contains detection rules organized by threat category and mapped to MITRE ATT&CK tactics and techniques. Each rule is documented with:

- An explanation of its logic
- The strings and patterns it detects
- Its MITRE ATT&CK mapping
- Usage examples
- Real-world samples (where applicable)

## 📁 Repository Structure

```
yara-detection-rules/
├── rules/
│   ├── ransomware/       # Ransomware behavior detection
│   ├── webshells/        # Web shell detection (PHP, ASP, JSP)
│   ├── persistence/      # Persistence mechanism detection
│   ├── c2/               # C2 and lateral movement detection
│   └── README.md         # Rules documentation index
├── screenshots/          # Proof-of-concept detection screenshots
│   ├── ransomware/
│   ├── webshells/
│   ├── persistence/
│   └── c2/
├── .gitignore
├── LICENSE
└── README.md             # This file
```

## 🚀 Quick Start

### Installation

```
# Clone repository
git clone https://github.com/leonardosmoutinho/yara-detection-rules.git
cd yara-detection-rules

# Install YARA (Ubuntu/Debian)
sudo apt-get install yara

# Install YARA (macOS)
brew install yara
```

### Running All Rules

The `yara` command line takes one or more rule files followed by a single target (a file, a directory, or a PID); it does not compile a directory. Pass the rule files explicitly, as the commands below do (the `*.yar` globs assume that extension; adjust them to the extension used in this repository), or write an index file made of `include "..."` lines and pass that instead. If two files define a rule with the same identifier, prefix each file with a namespace (`ransomware:rules/ransomware/file.yar`) so the identifiers do not collide.

```
# Scan a single file with every rule in the repository
yara -r rules/*/*.yar /path/to/file

# Scan a directory recursively
yara -r rules/*/*.yar /path/to/directory/

# Save results with tags, metadata and matched strings for later processing
# (yara has no JSON output mode; its -f flag means --fast-scan)
yara -r -g -m -s rules/*/*.yar /path/to/target > results.txt
```

### Running a Specific Category

```
# Scan for ransomware
yara -r rules/ransomware/*.yar /path/to/file

# Scan for webshells
yara -r rules/webshells/*.yar /path/to/directory/

# Scan for persistence mechanisms
yara -r rules/persistence/*.yar /path/to/directory/

# Scan for C2 indicators
yara -r rules/c2/*.yar /path/to/directory/
```

## 📊 Rule Categories

### 1. Ransomware Detection (`rules/ransomware/`)

Detects common ransomware behaviors:

- File encryption patterns
- Registry modification
- Ransom note creation
- Process termination (anti-forensics)
- Volume shadow copy tampering

**MITRE ATT&CK mapping:**

- T1486 - Data Encrypted for Impact
- T1565 - Data Manipulation
- T1490 - Inhibit System Recovery
- T1070 - Indicator Removal

**Detection screenshot:**

![Ransomware detection test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/433a52ce8d192210.png)

### 2. Webshell Detection (`rules/webshells/`)

Identifies web-based shells written in several languages:

- PHP shells (common shells, obfuscation patterns)
- ASP.NET shells (ExecuteCommand, system calls)
- JSP shells (reverse shells, command execution)
- ColdFusion shells
- Multi-layer obfuscation

**MITRE ATT&CK mapping:**

- T1190 - Exploit Public-Facing Application
- T1505 - Server Software Component
- T1569 - System Services
- T1027 - Obfuscated Files and Information

**Detection screenshot:**

![Webshell detection test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/dd41c847e7192216.png)

### 3. Persistence Mechanisms (`rules/persistence/`)

Detects installation and persistence techniques:

- Scheduled task creation
- Registry Run key modification
- Startup folder abuse
- WMI event subscriptions
- Service installation
- Task Scheduler abuse

**MITRE ATT&CK mapping:**

- T1547 - Boot or Logon Autostart Execution
- T1053 - Scheduled Task/Job
- T1546 - Event Triggered Execution
- T1569 - System Services

**Detection screenshot:**

![Persistence detection test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/c3cd0743d7192221.png)

### 4. Command and Control (C2) Detection (`rules/c2/`)

Identifies C2 communication and lateral movement patterns:

- Cobalt Strike beacon indicators
- Mimikatz execution patterns
- DNS tunneling attempts
- Dynamic DNS beaconing
- Metasploit Meterpreter signatures
- Pass-the-hash lateral movement
- Reverse shell patterns

**MITRE ATT&CK mapping:**

- T1071 - Application Layer Protocol
- T1008 - Fallback Channels
- T1003 - OS Credential Dumping
- T1570 - Lateral Tool Transfer
- T1021 - Remote Services

**Detection screenshot:**

![C2 detection test](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/1ffa4961e7192226.png)

## 🧪 Testing and Validation

All rules have been tested and validated against:

- **Benign system files** - to minimize false positives
- **Proof-of-concept malware samples** - to confirm true positives
- **Production environments** - to verify real-world applicability

The screenshots above show successful rule matches against the test cases.

## 🎯 Usage Examples

### Quick Threat Hunting Queries

`yara` scans one target per invocation, so loop over several locations rather than listing them all on one command line (every positional argument but the last is treated as a rule file).

```
# Hunt ransomware indicators
for t in /var/log /usr/bin /home; do yara -r rules/ransomware/*.yar "$t"; done

# Find webshells on a web server
for t in /var/www/html /srv/www; do yara -r rules/webshells/*.yar "$t"; done

# Detect persistence mechanisms on Windows (quote paths that contain spaces;
# cmd.exe and PowerShell do not expand *.yar, so list the rule files there)
yara -r rules/persistence/*.yar C:\Windows
yara -r rules/persistence/*.yar "C:\Program Files"

# Identify C2 indicators
for t in /var/cache /tmp /usr/tmp; do yara -r rules/c2/*.yar "$t"; done
```

### SIEM Integration

`yara` has no JSON output mode. Capture its text output with tags (`-g`), metadata (`-m`) and matched strings (`-s`), convert it to the format your pipeline expects, and forward the result.

```
# Capture matches with tags, metadata and matched strings
yara -r -g -m -s rules/*/*.yar /path/to/scan > yara_matches.txt

# Convert and forward to Splunk/ELK
cat yara_matches.txt | your-siem-forwarder
```

## 📖 Advanced Usage

`yara` only reads the files it scans and never modifies them, so every scan is already a dry run. The flags below control what is printed for each match.

```
# Print the matched strings with their offsets
yara -r -s rules/*/*.yar /path/to/test/file

# Print only the names of the rules that match (the default output)
yara -r rules/*/*.yar /path/to/test/file

# Print each matching rule's metadata and tags
yara -r -m -g rules/*/*.yar /path/to/test/file

# Print only the number of matching rules
yara -r -c rules/*/*.yar /path/to/test/file

# Print the installed YARA version (-v is --version, not a verbose mode)
yara -v
```

## 📈 Rule Coverage Matrix

| Category | Rules | MITRE Techniques | Test Status |
|----------|-------|------------------|-------------|
| Ransomware | 5 | T1486, T1565, T1490, T1070 | ✅ Tested |
| Webshells | 6 | T1190, T1505, T1569, T1027 | ✅ Tested |
| Persistence | 6 | T1547, T1053, T1546, T1569 | ✅ Tested |
| C2 | 7 | T1071, T1008, T1003, T1570, T1021 | ✅ Tested |
| **Total** | **24** | **16+ techniques** | **✅ Production ready** |

## 📚 Resources

- [YARA documentation](https://yara.readthedocs.io/)
- [MITRE ATT&CK framework](https://attack.mitre.org/)
- [VirusTotal YARA rules](https://github.com/VirusTotal/yara-rules)
- [Florian Roth's YARA rules](https://github.com/Neo23x0/signature-base)

## ⚖️ License

MIT License - see the LICENSE file for details.

## 👤 Author

**Leonardo da Silveira Moutinho**

- LinkedIn: [linkedin.com/in/leonardomoutinho](https://linkedin.com/in/leonardomoutinho)
- GitHub: [github.com/leonardosmoutinho](https://github.com/leonardosmoutinho)
- Aspiring SOC Analyst | Security+ | Network+ | SC-900

**Last updated:** June 2026
**Total rules:** 24 production-ready detection rules
**Coverage:** 16+ MITRE ATT&CK techniques
**Status:** ✅ Ready for production deployment
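Two things the commands under "Running All Rules" and "SIEM Integration" need, the `yara` CLI does not provide on its own: it compiles rule files rather than a directory, and it has no JSON output. The script below is an added example, not code from this repository, that supplies both. It passes every `.yar`/`.yara` file under `rules/` to `yara` with the category directory as its namespace (so identically named rules in two categories do not collide), runs the scan with `-e -g -m -s`, and parses the resulting text into one JSON object per match. The rule-file extensions, the `mitre_attack` meta field in the constructed sample output, and the rule and path names in that sample are assumptions, not taken from the repository.

```python
#!/usr/bin/env python3
"""Added example (not part of this repository): scan with every rule under a
category directory and convert yara's text output into JSON lines for a SIEM.
Assumes rule files end in .yar/.yara, yara is on PATH, and (sample only) a
mitre_attack meta field, which is a guess at how rules record their mapping."""
import json
import re
import shutil
import subprocess
import sys
from pathlib import Path

RULE_EXTENSIONS = (".yar", ".yara")
# Match line: "[namespace:]rule [tags] [meta] path" (-e, -g, -m).
# String line (-s): "0x<offset>:$identifier: <data>".
MATCH_LINE = re.compile(r"^(?P<rule>\S+) (?P<rest>.*)$")
STRING_LINE = re.compile(r"^0x(?P<offset>[0-9a-fA-F]+):(?P<ident>\$\w*): (?P<data>.*)$")
META_ITEM = re.compile(r'(\w+)=("[^"]*"|[^,]+)')

def rule_files(rules_dir):
    """All rule files under rules_dir, sorted so the ruleset is reproducible."""
    return sorted(p for p in Path(rules_dir).rglob("*") if p.suffix in RULE_EXTENSIONS)

def namespace_for(rule_file, rules_dir):
    """Category directory of a rule file (rules/webshells/x.yar -> 'webshells');
    files placed directly under rules_dir fall into the 'rules' namespace."""
    rel = Path(rule_file).resolve().relative_to(Path(rules_dir).resolve())
    return rel.parts[0] if len(rel.parts) > 1 else "rules"

def namespaced_args(rules_dir):
    """yara accepts NAMESPACE:FILE; one namespace per category keeps same-named
    rules in different categories from colliding at compile time."""
    return [f"{namespace_for(p, rules_dir)}:{p}" for p in rule_files(rules_dir)]

def _split_brackets(rest):
    """Peel leading '[...]' groups (tags, metadata) off a match line."""
    groups = []
    while rest.startswith("[") and "] " in rest:
        group, rest = rest[1:].split("] ", 1)
        groups.append(group)
    return groups, rest

def _parse_meta(group):
    """'author="x",score=80,private=true' -> {'author': 'x', 'score': 80, 'private': True}."""
    meta = {}
    for key, value in META_ITEM.findall(group):
        if value.startswith('"'):
            meta[key] = value[1:-1]
        elif value in ("true", "false"):
            meta[key] = value == "true"
        else:
            meta[key] = int(value) if value.lstrip("-").isdigit() else value
    return meta

def parse_yara_output(text):
    """Parse `yara -e -g -m -s` stdout into a list of match records."""
    matches = []
    for line in text.splitlines():
        sm = STRING_LINE.match(line)
        if sm:  # string lines always follow the rule line they belong to
            if matches:
                matches[-1]["strings"].append(
                    {"offset": int(sm["offset"], 16), "identifier": sm["ident"], "data": sm["data"]})
            continue
        lm = MATCH_LINE.match(line)
        if not lm:
            continue
        namespace, _, identifier = lm["rule"].rpartition(":")
        groups, path = _split_brackets(lm["rest"])
        record = {"namespace": namespace or None, "rule": identifier,
                  "tags": [], "meta": {}, "path": path, "strings": []}
        for group in groups:
            if "=" in group:  # metadata is printed as key=value pairs
                record["meta"].update(_parse_meta(group))
            else:             # tags are a comma-separated list
                record["tags"] = [t for t in group.split(",") if t]
        matches.append(record)
    return matches

def run_scan(rules_dir, target):
    """Scan target with every rule under rules_dir; returns parsed matches."""
    yara = shutil.which("yara")
    if yara is None:
        raise RuntimeError("yara binary not found on PATH")
    cmd = [yara, "-r", "-e", "-g", "-m", "-s", *namespaced_args(rules_dir), str(target)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:  # non-zero means a compile or scan error, not "no matches"
        raise RuntimeError(proc.stderr.strip())
    return parse_yara_output(proc.stdout)

# Constructed sample of `yara -r -e -g -m -s` output; not from a real scan.
SAMPLE_OUTPUT = """\
webshells:PHP_Eval_Post_Webshell [webshell,php] [author="example",mitre_attack="T1505.003",score=80] /var/www/html/uploads/avatar.php
0x1a:$eval: eval($_POST[
0x3f:$b64: base64_decode(
persistence:Run_Key_Autostart [persistence] [author="example",mitre_attack="T1547.001"] /mnt/image/Users/Public/update.exe
0x2c10:$runkey: Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

if __name__ == "__main__":
    # Usage: yara_to_json.py RULES_DIR TARGET   (no arguments: parse the sample)
    found = run_scan(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else parse_yara_output(SAMPLE_OUTPUT)
    for match in found:
        print(json.dumps(match, sort_keys=True))
```

Run it as `python3 yara_to_json.py rules/ /path/to/target`; with no arguments it parses the embedded sample, so the parser can be exercised without a yara install. The parser keys off yara's fixed line shapes: a match line carries the rule name, then the optional bracketed tag and metadata groups, then the path, and the string lines beneath it begin with a hex offset. A scanned path containing `] ` would confuse the bracket split, so keep scan roots free of such names or add a stricter delimiter check if that matters in your environment.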