InQuest / Yara Rules
Licence: mit
A collection of YARA rules we wish to share with the world, most probably referenced from http://blog.inquest.net.
Stars: ✭ 206
Programming Languages
python
139335 projects - #7 most used programming language
Labels
Projects that are alternatives of or similar to Yara Rules
Threathunting
Tools for hunting for threats.
Stars: ✭ 153 (-25.73%)
Mutual labels: threat-hunting, yara
Judge-Jury-and-Executable
A file system forensics analysis scanner and threat hunting tool. Scans file systems at the MFT and OS level and stores data in SQL, SQLite or CSV. Threats and data can be probed harnessing the power and syntax of SQL.
Stars: ✭ 66 (-67.96%)
Mutual labels: threat-hunting, yara
Signature Base
Signature base for my scanner tools
Stars: ✭ 1,212 (+488.35%)
Mutual labels: threat-hunting, yara
Threatingestor
Extract and aggregate threat intelligence.
Stars: ✭ 439 (+113.11%)
Mutual labels: threat-hunting, yara
Awesome Yara
A curated list of awesome YARA rules, tools, and people.
Stars: ✭ 1,394 (+576.7%)
Mutual labels: threat-hunting, yara
Phishingkithunter
Find phishing kits which use your brand/organization's files and image.
Stars: ✭ 177 (-14.08%)
Mutual labels: threat-hunting
Oriana
Oriana is a threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a Web layer to help defenders identify outliers and suspicious behavior on corporate environments.
Stars: ✭ 152 (-26.21%)
Mutual labels: threat-hunting
Intelowl
Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale
Stars: ✭ 2,114 (+926.21%)
Mutual labels: threat-hunting
Open Source Yara Rules
YARA Rules I come across on the internet
Stars: ✭ 195 (-5.34%)
Mutual labels: yara
Ee Outliers
Open-source framework to detect outliers in Elasticsearch events
Stars: ✭ 172 (-16.5%)
Mutual labels: threat-hunting
Weffles
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI
Stars: ✭ 176 (-14.56%)
Mutual labels: threat-hunting
Bearded Avenger
CIF v3 -- the fastest way to consume threat intelligence
Stars: ✭ 152 (-26.21%)
Mutual labels: threat-hunting
Adaz
🔧 Automatically deploy customizable Active Directory labs in Azure
Stars: ✭ 197 (-4.37%)
Mutual labels: threat-hunting
Opensquat
Detection of phishing domains and domain squatting. Supports permutations such as homograph attack, typosquatting and bitsquatting.
Stars: ✭ 149 (-27.67%)
Mutual labels: threat-hunting
Patrowlengines
PatrOwl - Open Source, Free and Scalable Security Operations Orchestration Platform
Stars: ✭ 162 (-21.36%)
Mutual labels: threat-hunting
yara-rules
A collection of YARA rules from the folks at InQuest we wish to share with the world. These rules should not be considered production appropriate. Rather, they are valuable for research and hunting purposes. The rules are listed here, alphabetically, along with references for further reading:
- Base64 Encoded Powershell
- CVE-2018-4878: Adobe Flash MediaPlayer DRM user-after-free Vulnerability
- CVE_2018_4878_0day_ITW
- Microsoft_Office_Document_with_Embedded_Flash_File
- Adobe_Flash_DRM_Use_After_Free
- Blog: Adobe Flash MediaPlayer DRM Use-after-free Vulnerability
- Follow highlights of the conversation on Twitter from this "moment" we maintain.
-
Embedded PE Files
- Discover embedded PE files, without relying on easily stripped/modified header strings.
- Executables Converted to MSI
- Hex Encoded Powershell Pivot
- Hidden Bee Custom Windows Executable Format
- Hunting Suspicious IQY Files
-
labs.inquest.net
- VirusTotal Intelligence hunt rules that feed the InQuest Labs data portal.
- Microsoft Excel Hidden Macro Sheets
- Microsoft Excel Data Connection
-
Microsoft_Office_DDE_Command_Execution
- Blogs: Overview, Hunting, and Mitigation, Freddie Mac Targeted Lure, SEC OMB Masquerading Lure, Vortex Ransomware Targeting Poland.
- Follow highlights of the conversation on Twitter from this "moment" we maintain.
- Microsoft XLSX with Macrosheet
- MSIExec Pivot
-
NTLM_Credentials_Theft_via_PDF
- This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes. New methods for NTLM hash leaks are discovered from time to time. This particular one is triggered upon opening of a malicious crafted PDF. Original write-up from CheckPoint.
-
RTF_Byte_Nibble_Obfuscation
- This signature is designed to detect the obfuscation method described by Boris Larin here Disappearing bytes: Reverse engineering the MS Office RTF parser. This obfuscation method is rarely seen but was used in the distribution of CVE-2018-8174 0day discovered in-the-wild.
- We'll continue to earmark interesting tidbits around the subject matter in this Twitter Moment.
-
Suspicious Symbolic Link Files that contain Excel 4.0 macros Or File Characteristics
- These signatures detect Symbolic Link (SLK) files that contain Excel 4.0 macros described here by Stan Hegt.
-
CVE-2020-0601 ("Chain of Fools" or "Curveball")
- This signature detects a Microsoft Windows executable that has been signed using Elliptic Curve Cryptography (ECC) certificates with an explicit curve.
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].