ION28 / BLUESPAWN

An Active Defense and EDR software to empower Blue Teams
GNU General Public License v3.0

Obfuscate yara rules to avoid AV false positives #412

Closed Jack-McDowell closed 2 years ago

Jack-McDowell commented 2 years ago

Obfuscate yara rules pre-zipping with a rolling XOR (and a bit of other stuff in there) to avoid AV false positives. Also fix an issue with an EventWrapper being compared to NULL.
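As an added illustration of the transform the PR describes (example code written for this page, not BLUESPAWN's own implementation), the block below encodes a constructed YARA rule string with a rolling XOR, where the key byte is advanced using each plaintext byte rather than staying fixed, and then decodes it again. The seed value, the key-update formula and the sample rule text are all assumptions made for the example. The purpose is only to keep literal rule text, which can itself look like a signature match, out of the shipped archive; it is not a confidentiality control and offers no protection beyond that.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample rule text; not a rule from the BLUESPAWN repository.
const std::string kSampleRule =
    "rule Example { strings: $a = \"constructed\" condition: $a }";

// Rolling XOR: each byte is XORed with a running key byte, then the key is
// advanced with the plaintext byte. Identical plaintext runs therefore do not
// yield identical ciphertext runs, unlike a fixed single-byte XOR.
// Key-update formula and seed are arbitrary choices for this example.
static inline uint8_t RollKey(uint8_t key, uint8_t plainByte) {
    return static_cast<uint8_t>((key + plainByte) * 31 + 7);
}

std::vector<uint8_t> RollingXorEncode(const std::vector<uint8_t>& plain, uint8_t seed) {
    std::vector<uint8_t> out;
    out.reserve(plain.size());
    uint8_t key = seed;
    for (uint8_t p : plain) {
        out.push_back(static_cast<uint8_t>(p ^ key));
        key = RollKey(key, p);  // roll with the plaintext byte
    }
    return out;
}

std::vector<uint8_t> RollingXorDecode(const std::vector<uint8_t>& cipher, uint8_t seed) {
    std::vector<uint8_t> out;
    out.reserve(cipher.size());
    uint8_t key = seed;
    for (uint8_t c : cipher) {
        uint8_t p = static_cast<uint8_t>(c ^ key);
        out.push_back(p);
        key = RollKey(key, p);  // decoder rolls with the recovered plaintext byte
    }
    return out;
}

// Returns true when the rule text survives an encode/decode round trip and
// the encoded bytes actually differ from the plaintext (false for empty input).
bool ObfuscationRoundTrips(const std::string& rule, uint8_t seed) {
    std::vector<uint8_t> plain(rule.begin(), rule.end());
    std::vector<uint8_t> cipher = RollingXorEncode(plain, seed);
    std::vector<uint8_t> recovered = RollingXorDecode(cipher, seed);
    return !plain.empty() && recovered == plain && cipher != plain;
}

int main() {
    const uint8_t seed = 0x5A;  // arbitrary seed for the example
    std::cout << "round trip ok: "
              << (ObfuscationRoundTrips(kSampleRule, seed) ? "yes" : "no") << "\n";
    return 0;
}
```

The decoder must advance its key with the recovered plaintext byte, not the ciphertext byte, or the two sides desynchronise after the first byte; that is the one detail worth checking in any rolling-XOR pair.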

sqrtZeroKnowledge commented 2 years ago

Well done after new compilation and test.