diff --git a/.github/workflows/run-yara-forge.yml b/.github/workflows/run-yara-forge.yml
index 2c6fefb..4934873 100644
--- a/.github/workflows/run-yara-forge.yml
+++ b/.github/workflows/run-yara-forge.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Check out repository with submodules
 uses: actions/checkout@v3
 with:
- submodules: 'recursive' # Fetches all submodules recursively
+ submodules: 'recursive'
 - name: Set up Python 3.10
 uses: actions/setup-python@v3
@@ -31,15 +31,16 @@ jobs:
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
- pip install flake8 pytest
 if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ - name: Install RE2
+ run: sudo apt-get install -y libre2-dev
+
+ - name: Install dependencies for yaraQA
+ run: |
+ python -m pip install --upgrade pip
+ if [ -f qa/yaraQA/requirements.txt ]; then pip install -r qa/yaraQA/requirements.txt; fi
+
 - name: Run YARA-Forge
 run: |
- python yara-forge.py --debug
-
- - name: Archive production artifacts
- uses: actions/upload-artifact@v3
- with:
- name: package-artifacts
- path: ./packages/*
+ python yara-forge.py
diff --git a/yara-forge-config.yml b/yara-forge-config.yml
index 20460de..dc9365c 100644
--- a/yara-forge-config.yml
+++ b/yara-forge-config.yml
@@ -63,9 +63,9 @@ yara_repositories:
 quality: 75
 branch: "main"
 path: "rules"
- - name: "McAfee ATR"
+ - name: "Trellix ARC"
 url: "https://github.com/advanced-threat-research/Yara-Rules/"
- author: "McAfee ATR Team"
+ author: "Trellix ARC Team"
 quality: 70
 branch: "master"
 - name: "Arkbird SOLG"
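Review bot: The new `Install RE2` step runs `sudo apt-get install -y libre2-dev` without refreshing the package index first, so on a runner whose apt lists are stale it can fail to locate the package or fetch an outdated version; change it to `run: sudo apt-get update && sudo apt-get install -y libre2-dev`. The following `Install dependencies for yaraQA` step repeats `python -m pip install --upgrade pip`, which the first install step in this hunk already ran, so the step can be reduced to the guarded `pip install -r qa/yaraQA/requirements.txt` line. Removing the `Archive production artifacts` step means the built packages no longer leave the runner; if that is intended, a one-line comment on the `Run YARA-Forge` step saying where the output now goes would stop the next reader from re-adding the upload.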
@@ -145,20 +145,40 @@ yara_repositories:
 branch: "master"
 path: "NCSC"
- # My own YARA rule collection used for our free scanners
- - name: "Signature Base"
- url: "https://github.com/Neo23x0/signature-base"
- author: "Florian Roth"
+ # Repos added after the initial release
+ - name: "Dr4k0nia"
+ url: "https://github.com/dr4k0nia/yara-rules"
+ author: "Dr4k0nia"
 quality: 85
+ branch: "main"
+ - name: "EmbeeResearch"
+ url: "https://github.com/embee-research/Yara-detection-rules/"
+ author: "Matthew Brennan"
+ quality: 75
+ branch: "main"
+ - name: "AvastTI"
+ url: "https://github.com/avast/ioc"
+ author: "Avast Threat Intel Team"
+ quality: 90
 branch: "master"
- path: "yara"
+ - name: "SBousseaden"
+ url: "https://github.com/sbousseaden/YaraHunts/"
+ author: "SBousseaden"
+ quality: 75
+ branch: "master"
+ - name: "Elceef"
+ url: "https://github.com/elceef/yara-rulz"
+ author: "marcin@ulikowski.pl"
+ quality: 75
+ branch: "main"
- # License prevents the integration of the rules into the YARA-Forge
- #- name: "AvastTI"
- # url: "https://github.com/avast/ioc"
- # author: "Avast Threat Intel Team"
- # quality: 90
- # branch: "master"
+ # # My own YARA rule collection used for our free scanners
+ # - name: "Signature Base"
+ # url: "https://github.com/Neo23x0/signature-base"
+ # author: "Florian Roth"
+ # quality: 85
+ # branch: "master"
+ # path: "yara"
 # Rule Processing --------------------------------------------------------------
 rule_base_score: 75
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index deb24cb..883c7c8 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
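Review bot: The `AvastTI` repository is enabled in this hunk while the earlier comment stating that its license prevented integration into YARA-Forge is deleted, and nothing in the change records why that concern no longer applies; since these rules are redistributed in the generated packages, the entry should carry the basis, e.g. `# AvastTI: license reviewed — see <LICENSE_REFERENCE_PLACEHOLDER>` above `- name: "AvastTI"`. The `Elceef` entry puts an e-mail address in `author` whereas every other entry uses a person or team name; that field presumably ends up in generated rule metadata (inferred from its use elsewhere in the list), so a name keeps the output consistent. The disabled `Signature Base` stanza is written with a doubled hash (`# # My own YARA rule collection ...`), which reads as a comment about a comment; a single `#` like the lines below it is cleaner.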
@@ -95,10 +95,13 @@ noisy-rules:
 - name: "FIREEYE_RT_APT_Backdoor_Win_Dshell_2"
 quality: -30
 score: 60
- # McAfee
+ # Tellix / McAfee
 - name: "MCAFEE_ATR_Vbs_Mykins_Botnet"
 quality: -30
 score: 60
+ - name: "TRELLIX_ARC_Vbs_Mykins_Botnet"
+ quality: -30
+ score: 60
 # Telekom Security
 - name: "TELEKOM_SECURITY_Allow_Rdp_Session_Without_Password"
 quality: -60
@@ -151,7 +154,7 @@ noisy-rules:
 - name: "MALPEDIA_Win_Flawedammyy_Auto"
 quality: -40
 - name: "MALPEDIA_Win_Hookinjex_Auto"
- quality: -30
+ quality: -50
 - name: "MALPEDIA_Win_R980_Auto"
 quality: -30
 - name: "MALPEDIA_Win_Velso_Auto"
@@ -171,7 +174,7 @@ noisy-rules:
 quality: -30
 score: 60
 - name: "MALPEDIA_Win_Gauss_Auto"
- quality: -30
+ quality: -60
 score: 60
 - name: "MALPEDIA_Win_Kleptoparasite_Stealer_Auto"
 quality: -40
@@ -183,7 +186,7 @@ noisy-rules:
 quality: -30
 score: 60
 - name: "MALPEDIA_Win_Alina_Pos_Auto"
- quality: -30
+ quality: -60
 score: 60
 - name: "MALPEDIA_Elf_Blackcat_Auto"
 quality: -30
@@ -192,7 +195,7 @@ noisy-rules:
 quality: -30
 score: 60
 - name: "MALPEDIA_Win_Epsilon_Red_Auto"
- quality: -30
+ quality: -60
 score: 60
 - name: "MALPEDIA_Win_Hookinjex_Auto"
 quality: -50
@@ -210,13 +213,13 @@ noisy-rules:
 quality: -30
 score: 60
 - name: "MALPEDIA_Win_Goldbackdoor_Auto"
- quality: -50
+ quality: -60
 score: 60
 - name: "MALPEDIA_Win_Blister_Auto"
- quality: -30
+ quality: -50
 score: 60
 - name: "MALPEDIA_Win_Aresloader_Auto"
- quality: -40
+ quality: -50
 score: 60
 - name: "MALPEDIA_Win_Confucius_Auto"
 quality: -60
@@ -252,6 +255,9 @@ noisy-rules:
 - name: "JPCERTCC_Ursnif"
 quality: -70
 score: 60
+ - name: "JPCERTCC_Ursnif_1"
+ quality: -20
+ score: 60
 - name: "JPCERTCC_Cobaltstrike"
 quality: -70
 score: 60
@@ -294,7 +300,7 @@ noisy-rules:
 quality: -20
 score: 60
 - name: "SECUINFRA_SUSP_VBS_Wscript_Shell"
- quality: -40
+ quality: -60
 score: 45
 - name: "SECUINFRA_SUS_Unsigned_APPX_MSIX_Installer_Feb23"
 quality: -40
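Review bot: The new section comment reads `# Tellix / McAfee`, a misspelling of the vendor name this same commit introduces in yara-forge-config.yml (`Trellix ARC`); it should be `# Trellix / McAfee`. The existing `MCAFEE_ATR_Vbs_Mykins_Botnet` override is kept next to the new `TRELLIX_ARC_Vbs_Mykins_Botnet` one, but the companion change renames that repository to Trellix ARC, and the other prefixes in this file (`EMBEERESEARCH_`, `SBOUSSEADEN_`, `DR4K0NIA_`) suggest the prefix is derived from the repository name, so the MCAFEE_ATR entry will presumably stop matching anything; either drop it or mark it `# kept for packages built before the Trellix rename` so it is not mistaken for an active override.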
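Review bot: `MALPEDIA_Win_Hookinjex_Auto` appears twice in `noisy-rules`: the hunk at `@@ -151,7 +154,7` raises the first entry to `quality: -50`, and the context of the hunk at `@@ -192,7 +195,7` shows a second entry for the same rule that already carries `quality: -50`. Which entry the consumer applies when two items share a name is not visible here, and the pair will silently diverge again on the next edit; remove one of them so the rule has a single override. YAML does not flag this because these are sequence items, not duplicate mapping keys, so a linter will not catch it either.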
@@ -306,3 +312,36 @@ noisy-rules:
 - name: "GCTI_Sliver_Implant_32Bit"
 quality: -50
 score: 60
+ # EmbeeResearch
+ - name: "EMBEERESEARCH_Win_Havoc_Ntdll_Hashes_Oct_2022"
+ quality: -80
+ score: 40
+ - name: "EMBEERESEARCH_Win_Redline_Wextract_Hunting_Oct_2023"
+ quality: -60
+ score: 60
+ - name: "EMBEERESEARCH_Win_Amadey_Bytecodes_Oct_2023"
+ quality: -60
+ score: 60
+ - name: "EMBEERESEARCH_Win_Bruteratel_Syscall_Hashes_Oct_2022"
+ quality: -50
+ score: 60
+ # SBousseaden
+ - name: "SBOUSSEADEN_Truncated_Win10_X64_Nativesyscall"
+ quality: -90
+ score: 40
+ - name: "SBOUSSEADEN_Hunt_Skyproj_Backdoor"
+ quality: -70
+ score: 40
+ - name: "SBOUSSEADEN_Hunt_Multi_EDR_Discovery"
+ quality: -70
+ score: 40
+ - name: "SBOUSSEADEN_Hunt_Lsass_Ntds_Ext"
+ quality: -70
+ score: 40
+ - name: "SBOUSSEADEN_Hunt_Credaccess_Iis_Xor"
+ quality: -30
+ score: 60
+ # Dr4k0nia
+ - name: "DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse"
+ quality: -30
+ score: 60
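Review bot: The ten new overrides give no reason for the downgrade, and some are severe (`quality: -90` with `score: 40` for `SBOUSSEADEN_Truncated_Win10_X64_Nativesyscall`, `quality: -80` for `EMBEERESEARCH_Win_Havoc_Ntdll_Hashes_Oct_2022`), which a later maintainer cannot re-evaluate without knowing what was observed; a short inline comment per entry, e.g. `- name: "SBOUSSEADEN_Truncated_Win10_X64_Nativesyscall"  # <reason placeholder>`, would make the list reviewable. The entries above use the same bare form, so this is a convention of the file rather than a defect introduced here. The per-repository comments (`# EmbeeResearch`, `# SBousseaden`, `# Dr4k0nia`) match the grouping style used earlier in the file.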