Closed Sainan closed 2 years ago
That rule is designed to be an indicator, and not necessarily detection as a malicious property. Ultimately, it is up to the analyst to determine if the detection of this rule is malicious in their context.
The use of raw/gist GitHub URLs is observed in several malware dropper samples (2nd stage, config, etc.), example: https://bazaar.abuse.ch/browse/yara/INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL/. GitHub is not the only abused infrastructure, others are also observed.
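As an added example that is not from this thread or from the rule's repository: a small Python check that does what the comment above describes, reporting raw/gist GitHub URLs found inside an executable as an indicator for the analyst rather than as a verdict. The host names, the `MZ` header check and the sample bytes are my assumptions, not the rule's actual strings.

```python
import re
from typing import List, Tuple

# Assumed hosts that serve raw file content from GitHub; the rule's own
# string list is not on the page, so these are illustrative.
_HOSTS = (b"raw", b"gist")
_SUFFIX = b".githubusercontent.com/"


def _wide(literal: bytes) -> bytes:
    """Regex fragment matching `literal` as UTF-16LE ('wide' in YARA terms)."""
    return b"".join(re.escape(bytes([c])) + b"\x00" for c in literal)


# ASCII form: https://raw.githubusercontent.com/<path>
_ASCII_RE = re.compile(
    rb"https?://(?:" + b"|".join(_HOSTS) + rb")" + re.escape(_SUFFIX) + rb"[\x21-\x7e]*"
)
# Wide form: the same URL with a NUL after every character, as Windows
# binaries often store string literals.
_WIDE_RE = re.compile(
    _wide(b"http") + b"(?:s\x00)?" + _wide(b"://")
    + b"(?:" + b"|".join(_wide(h) for h in _HOSTS) + b")"
    + _wide(_SUFFIX) + rb"(?:[\x21-\x7e]\x00)*"
)


def find_raw_github_urls(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, url) for every raw/gist GitHub URL in `data`."""
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in _ASCII_RE.finditer(data)]
    hits += [(m.start(), "wide", m.group().decode("utf-16-le")) for m in _WIDE_RE.finditer(data)]
    return sorted(hits)


def is_pe(data: bytes) -> bool:
    """Assumed scope restriction to executables: 'MZ' at offset 0."""
    return data[:2] == b"MZ"


def triage(data: bytes) -> dict:
    """Indicator-style result: the URLs are reported, the verdict is left to the analyst."""
    urls = find_raw_github_urls(data) if is_pe(data) else []
    return {"indicator_hit": bool(urls), "urls": urls,
            "note": "indicator only; review the referenced content before deciding"}


# Constructed sample: fake MZ header, one ASCII URL, one wide URL, filler.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"config at https://raw.githubusercontent.com/example/repo/main/cfg.json\x00"
    + "https://gist.githubusercontent.com/example/abc123/raw/stage2.bin".encode("utf-16-le")
    + b"\x00\x00unrelated text"
)
```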
I just noticed my app triggers "INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL"; I don't know if that's good or bad, I can tell you I have no bad intentions, but I've just headed over to git.io to get a shorter link, and one that is not detected by this rule. 👍