Merge pull request #3 from YARAHQ/new-repos

New rule repositories
YARAHQ · Dec 23, 2023 · b5b3bdc · b5b3bdc
2 parents 71d031a + 7980f96
commit b5b3bdc
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 31 deletions.
diff --git a/.github/workflows/run-yara-forge.yml b/.github/workflows/run-yara-forge.yml
@@ -21,7 +21,7 @@ jobs:
     - name: Check out repository with submodules
       uses: actions/checkout@v3
       with:
-        submodules: 'recursive' # Fetches all submodules recursively
+        submodules: 'recursive'
 
     - name: Set up Python 3.10
       uses: actions/setup-python@v3
@@ -31,15 +31,16 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install flake8 pytest
         if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
 
+    - name: Install RE2
+      run: sudo apt-get install -y libre2-dev
+
+    - name: Install dependencies for yaraQA
+      run: |
+        python -m pip install --upgrade pip
+        if [ -f qa/yaraQA/requirements.txt ]; then pip install -r qa/yaraQA/requirements.txt; fi
+
     - name: Run YARA-Forge
       run: |
-        python yara-forge.py --debug
-  
-    - name: Archive production artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: package-artifacts
-        path: ./packages/*
+        python yara-forge.py
diff --git a/yara-forge-config.yml b/yara-forge-config.yml
@@ -63,9 +63,9 @@ yara_repositories:
      quality: 75
      branch: "main"
      path: "rules"
-   - name: "McAfee ATR"
+   - name: "Trellix ARC"
      url: "https://github.com/advanced-threat-research/Yara-Rules/"
-     author: "McAfee ATR Team"
+     author: "Trellix ARC Team"
      quality: 70
      branch: "master"
    - name: "Arkbird SOLG"
@@ -145,20 +145,40 @@ yara_repositories:
      branch: "master"
      path: "NCSC"
 
-   # My own YARA rule collection used for our free scanners
-   - name: "Signature Base"
-     url: "https://github.com/Neo23x0/signature-base"
-     author: "Florian Roth"
+   # Repos added after the initial release
+   - name: "Dr4k0nia"
+     url: "https://github.com/dr4k0nia/yara-rules"
+     author: "Dr4k0nia"
      quality: 85
+     branch: "main"
+   - name: "EmbeeResearch"
+     url: "https://github.com/embee-research/Yara-detection-rules/"
+     author: "Matthew Brennan"
+     quality: 75
+     branch: "main" 
+   - name: "AvastTI"
+     url: "https://github.com/avast/ioc"
+     author: "Avast Threat Intel Team"
+     quality: 90
      branch: "master"
-     path: "yara"
+   - name: "SBousseaden"
+     url: "https://github.com/sbousseaden/YaraHunts/"
+     author: "SBousseaden"
+     quality: 75
+     branch: "master"
+   - name: "Elceef"
+     url: "https://github.com/elceef/yara-rulz"
+     author: "[email protected]"
+     quality: 75
+     branch: "main"
 
-  # License prevents the integration of the rules into the YARA-Forge
-  #- name: "AvastTI"
-  #  url: "https://github.com/avast/ioc"
-  #  author: "Avast Threat Intel Team"
-  #  quality: 90
-  #  branch: "master"
+  #  # My own YARA rule collection used for our free scanners
+  #  - name: "Signature Base"
+  #    url: "https://github.com/Neo23x0/signature-base"
+  #    author: "Florian Roth"
+  #    quality: 85
+  #    branch: "master"
+  #    path: "yara"
 
 # Rule Processing --------------------------------------------------------------
 rule_base_score: 75

diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
@@ -95,10 +95,13 @@ noisy-rules:
     - name: "FIREEYE_RT_APT_Backdoor_Win_Dshell_2"
       quality: -30
       score: 60
-    # McAfee
+    # Tellix / McAfee
     - name: "MCAFEE_ATR_Vbs_Mykins_Botnet"
       quality: -30
       score: 60
+    - name: "TRELLIX_ARC_Vbs_Mykins_Botnet"
+      quality: -30
+      score: 60
     # Telekom Security
     - name: "TELEKOM_SECURITY_Allow_Rdp_Session_Without_Password"
       quality: -60
@@ -151,7 +154,7 @@ noisy-rules:
     - name: "MALPEDIA_Win_Flawedammyy_Auto"
       quality: -40
     - name: "MALPEDIA_Win_Hookinjex_Auto"
-      quality: -30
+      quality: -50
     - name: "MALPEDIA_Win_R980_Auto"
       quality: -30
     - name: "MALPEDIA_Win_Velso_Auto"
@@ -171,7 +174,7 @@ noisy-rules:
       quality: -30
       score: 60
     - name: "MALPEDIA_Win_Gauss_Auto"
-      quality: -30
+      quality: -60
       score: 60
     - name: "MALPEDIA_Win_Kleptoparasite_Stealer_Auto"
       quality: -40
@@ -183,7 +186,7 @@ noisy-rules:
       quality: -30
       score: 60
     - name: "MALPEDIA_Win_Alina_Pos_Auto"
-      quality: -30
+      quality: -60
       score: 60
     - name: "MALPEDIA_Elf_Blackcat_Auto"
       quality: -30
@@ -192,7 +195,7 @@ noisy-rules:
       quality: -30
       score: 60
     - name: "MALPEDIA_Win_Epsilon_Red_Auto"
-      quality: -30
+      quality: -60
       score: 60
     - name: "MALPEDIA_Win_Hookinjex_Auto"
       quality: -50
@@ -210,13 +213,13 @@ noisy-rules:
       quality: -30
       score: 60
     - name: "MALPEDIA_Win_Goldbackdoor_Auto"
-      quality: -50
+      quality: -60
       score: 60
     - name: "MALPEDIA_Win_Blister_Auto"
-      quality: -30
+      quality: -50
       score: 60
     - name: "MALPEDIA_Win_Aresloader_Auto"
-      quality: -40
+      quality: -50
       score: 60
     - name: "MALPEDIA_Win_Confucius_Auto"
       quality: -60
@@ -252,6 +255,9 @@ noisy-rules:
     - name: "JPCERTCC_Ursnif"
       quality: -70
       score: 60
+    - name: "JPCERTCC_Ursnif_1"
+      quality: -20
+      score: 60
     - name: "JPCERTCC_Cobaltstrike"
       quality: -70
       score: 60
@@ -294,7 +300,7 @@ noisy-rules:
       quality: -20
       score: 60
     - name: "SECUINFRA_SUSP_VBS_Wscript_Shell"
-      quality: -40
+      quality: -60
       score: 45
     - name: "SECUINFRA_SUS_Unsigned_APPX_MSIX_Installer_Feb23"
       quality: -40
@@ -306,3 +312,36 @@ noisy-rules:
     - name: "GCTI_Sliver_Implant_32Bit"
       quality: -50
       score: 60
+    # EmbeeResearch
+    - name: "EMBEERESEARCH_Win_Havoc_Ntdll_Hashes_Oct_2022"
+      quality: -80
+      score: 40
+    - name: "EMBEERESEARCH_Win_Redline_Wextract_Hunting_Oct_2023"
+      quality: -60
+      score: 60
+    - name: "EMBEERESEARCH_Win_Amadey_Bytecodes_Oct_2023"
+      quality: -60
+      score: 60
+    - name: "EMBEERESEARCH_Win_Bruteratel_Syscall_Hashes_Oct_2022"
+      quality: -50
+      score: 60
+    # SBousseaden
+    - name: "SBOUSSEADEN_Truncated_Win10_X64_Nativesyscall"
+      quality: -90
+      score: 40
+    - name: "SBOUSSEADEN_Hunt_Skyproj_Backdoor"
+      quality: -70
+      score: 40
+    - name: "SBOUSSEADEN_Hunt_Multi_EDR_Discovery"
+      quality: -70
+      score: 40
+    - name: "SBOUSSEADEN_Hunt_Lsass_Ntds_Ext"
+      quality: -70
+      score: 40
+    - name: "SBOUSSEADEN_Hunt_Credaccess_Iis_Xor"
+      quality: -30
+      score: 60
+    # Dr4k0nia
+    - name: "DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse"
+      quality: -30
+      score: 60