mthcht / ThreatHunting-Keywords

Awesome list of keywords and artifacts for Threat Hunting sessions
https://mthcht.github.io/ThreatHunting-Keywords/

Different categories for the same tools #19

Closed ruppde closed 10 months ago

ruppde commented 10 months ago

Hi,

nice project!

While trying the yara rules, it became a problem that some tools are in two categories, e.g.:

"greyware_tool_keyword","PowerSploit"
"offensive_tool_keyword","PowerSploit"

Because if you put all rules in one big file and use them with the command line yara, it complains about the duplicate rule names:

../ThreatHunting-Keywords-yara-rules/all.yar(9993): error: duplicated identifier "whoami"
../ThreatHunting-Keywords-yara-rules/all.yar(11070): error: duplicated identifier "wmic"
../ThreatHunting-Keywords-yara-rules/all.yar(15983): error: duplicated identifier "SpaceRunner"
../ThreatHunting-Keywords-yara-rules/all.yar(17153): error: duplicated identifier "reg"
../ThreatHunting-Keywords-yara-rules/all.yar(18327): error: duplicated identifier "TelegramRAT"
../ThreatHunting-Keywords-yara-rules/all.yar(21322): error: duplicated identifier "socat"
../ThreatHunting-Keywords-yara-rules/all.yar(21668): error: duplicated identifier "transfer_sh"
../ThreatHunting-Keywords-yara-rules/all.yar(22595): error: duplicated identifier "ratchatpt"
../ThreatHunting-Keywords-yara-rules/all.yar(23810): error: duplicated identifier "supershell"
../ThreatHunting-Keywords-yara-rules/all.yar(28796): error: duplicated identifier "FudgeC2"
../ThreatHunting-Keywords-yara-rules/all.yar(29033): error: duplicated identifier "DBC2"
../ThreatHunting-Keywords-yara-rules/all.yar(29794): error: duplicated identifier "exegol"
../ThreatHunting-Keywords-yara-rules/all.yar(31304): error: duplicated identifier "dir"
../ThreatHunting-Keywords-yara-rules/all.yar(34567): error: duplicated identifier "findstr"
../ThreatHunting-Keywords-yara-rules/all.yar(41928): error: duplicated identifier "anydesk"
../ThreatHunting-Keywords-yara-rules/all.yar(42077): error: duplicated identifier "bloodhound"
../ThreatHunting-Keywords-yara-rules/all.yar(46928): error: duplicated identifier "CIMplant"
../ThreatHunting-Keywords-yara-rules/all.yar(49110): error: duplicated identifier "adfind"
../ThreatHunting-Keywords-yara-rules/all.yar(49960): error: duplicated identifier "copy"
../ThreatHunting-Keywords-yara-rules/all.yar(50044): error: duplicated identifier "cobaltstrike"
../ThreatHunting-Keywords-yara-rules/all.yar(57088): error: duplicated identifier "AlanFramework"
../ThreatHunting-Keywords-yara-rules/all.yar(57877): error: duplicated identifier "BrowserC2"
../ThreatHunting-Keywords-yara-rules/all.yar(58825): error: duplicated identifier ""
../ThreatHunting-Keywords-yara-rules/all.yar(59760): error: duplicated identifier "goMatrixC2"
../ThreatHunting-Keywords-yara-rules/all.yar(59847): error: duplicated identifier "golang_c2"
../ThreatHunting-Keywords-yara-rules/all.yar(66952): error: duplicated identifier "MpCmdRun"
../ThreatHunting-Keywords-yara-rules/all.yar(68807): error: duplicated identifier "net"
../ThreatHunting-Keywords-yara-rules/all.yar(70222): error: duplicated identifier "lyncsmash"
../ThreatHunting-Keywords-yara-rules/all.yar(73322): error: duplicated identifier "nmap"
../ThreatHunting-Keywords-yara-rules/all.yar(84417): error: duplicated identifier "PowerSploit"
../ThreatHunting-Keywords-yara-rules/all.yar(86106): error: duplicated identifier "powershell"
../ThreatHunting-Keywords-yara-rules/all.yar(87958): error: duplicated identifier "QuasarRAT"

It would be an option to append the category name to the name of the yara rule, e.g.

rule PowerSploit_greyware_tool_keyword

Or unify it in the CSVs.

regards arnim
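
The rename scheme proposed above (suffixing colliding rule identifiers with their category) can be automated when building the combined file. The script below is an added example, not code from the ThreatHunting-Keywords project or from either commenter: it takes a mapping of category name to YARA source text, finds identifiers declared in more than one category, rewrites only those rule headers to `<name>_<category>`, and then re-checks the merged output so that a collision yara would still reject (such as the same name twice inside one category, or a header with an empty identifier like the `""` entry in the error list) is reported instead of silently written out. The two rule sets inside it are constructed sample data, not rules from the repository.

```python
"""Merge several YARA rule files into one, renaming rules whose identifier
collides across categories so that `yara all.yar` compiles without
"duplicated identifier" errors. Added example; not project code."""
import re
from collections import Counter

# Header of a YARA rule: optional private/global modifiers, the keyword
# "rule", then the identifier. The identifier group is optional so that a
# malformed header with no name is detected rather than skipped.
RULE_HEADER = re.compile(
    r'^(?P<prefix>[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+)'
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)?',
    re.MULTILINE,
)
MAX_IDENT = 128  # YARA rejects identifiers longer than this


def rule_names(text):
    """Rule identifiers declared in one YARA source, in file order ('' if missing)."""
    return [m.group('name') or '' for m in RULE_HEADER.finditer(text)]


def duplicate_names(sources):
    """Identifiers declared more than once across all sources (what yara rejects)."""
    counts = Counter(n for text in sources.values() for n in rule_names(text))
    return sorted(n for n, c in counts.items() if c > 1)


def suffix_for(category):
    """Reduce a category label to characters that are legal in a YARA identifier."""
    return re.sub(r'[^A-Za-z0-9_]', '_', category)


def merge_rule_sets(sources):
    """Concatenate sources, renaming colliding rules to <name>_<category>.

    Returns (merged_text, renames); renames is a list of
    (category, old_name, new_name). Raises ValueError for a header without an
    identifier, an over-long result, or a collision that survives the rename.
    """
    clashing = set(duplicate_names(sources))
    renames, parts = [], []
    for category, text in sources.items():
        suffix = suffix_for(category)

        def rename(m):
            name = m.group('name')
            if not name:
                raise ValueError(f'{category}: rule header without an identifier')
            if name not in clashing:
                return m.group(0)          # unique already; leave untouched
            new = f'{name}_{suffix}'
            if len(new) > MAX_IDENT:
                raise ValueError(f'{category}: {new!r} exceeds {MAX_IDENT} chars')
            renames.append((category, name, new))
            return m.group('prefix') + new

        parts.append(f'// ---- category: {category} ----\n'
                     + RULE_HEADER.sub(rename, text))
    merged = '\n'.join(parts)
    leftover = duplicate_names({'merged': merged})
    if leftover:
        raise ValueError(f'still duplicated after rename: {leftover}')
    return merged, renames


# Constructed sample input (not rules from the repository): "PowerSploit"
# appears in both categories, the other two rules are unique.
GREYWARE = """\
rule PowerSploit {
    strings:
        $s = "Invoke-Mimikatz" nocase
    condition:
        $s
}
rule anydesk {
    strings:
        $s = "AnyDesk.exe" nocase
    condition:
        $s
}
"""
OFFENSIVE = """\
rule PowerSploit {
    strings:
        $s = "PowerSploit" nocase
    condition:
        $s
}
rule sharphound {
    strings:
        $s = "SharpHound" nocase
    condition:
        $s
}
"""
SAMPLE = {"greyware_tool_keyword": GREYWARE, "offensive_tool_keyword": OFFENSIVE}

if __name__ == '__main__':
    print('colliding identifiers:', duplicate_names(SAMPLE))
    merged, renames = merge_rule_sets(SAMPLE)
    for cat, old, new in renames:
        print(f'{cat}: {old} -> {new}')
    print(merged)
```

Only rule headers are rewritten; if a rule's condition refers to another rule by name, that reference is not updated, so the final yara compile is still the authoritative check. The regex is header-based and assumes one rule declaration per line start, which holds for generated rule files like these.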

mthcht commented 10 months ago

@ruppde thanks, I created an all.yara that you can use here: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/blob/main/yara_rules/all.yara