SteelTech/Tria.ge-Crawler-WIP
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Tria.ge-Crawler-WIP/rules/dangerous.yar
John husxdev fa8caa5116 Intitial release
2025-04-12 01:40:13 -05:00

134 lines
4.6 KiB
Text
Raw Blame History

rule Keylogging {
meta:
description = "Detects keylogging functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$import1 = "import keyboard" ascii wide
$import2 = "from pynput" ascii wide
$hook1 = "keyboard.hook" ascii wide
$hook2 = "keyboard.Listener" ascii wide
$hook3 = "keyboard.on_press" ascii wide
$hook4 = "KeyboardEvent" ascii wide
$func1 = "on_press" ascii wide
$func2 = "on_release" ascii wide
condition:
1 of ($import*) and 1 of ($hook*) or 1 of ($func*)
}
rule ScreenCapture {
meta:
description = "Detects screen capture functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$import1 = "import pyautogui" ascii wide
$import2 = "from PIL import ImageGrab" ascii wide
$import3 = "import mss" ascii wide
$func1 = "pyautogui.screenshot" ascii wide
$func2 = "ImageGrab.grab" ascii wide
$func3 = "mss().shot" ascii wide
$func4 = ".save(" ascii wide
condition:
1 of ($import*) and 1 of ($func*)
}
rule BrowserDataTheft {
meta:
description = "Detects browser data theft functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$browser1 = "Chrome" nocase ascii wide
$browser2 = "Firefox" nocase ascii wide
$browser3 = "Edge" nocase ascii wide
$browser4 = "Opera" nocase ascii wide
$path1 = "AppData\\Local\\Google\\Chrome\\User Data" ascii wide
$path2 = "AppData\\Roaming\\Mozilla\\Firefox\\Profiles" ascii wide
$path3 = "AppData\\Local\\Microsoft\\Edge\\User Data" ascii wide
$data1 = "Login Data" ascii wide
$data2 = "Cookies" ascii wide
$data3 = "Web Data" ascii wide
$sql1 = "SELECT" ascii wide
$sql2 = "FROM logins" ascii wide
$sql3 = "FROM cookies" ascii wide
$crypto1 = "CryptUnprotectData" ascii wide
$crypto2 = "Crypt.decrypt" ascii wide
condition:
(2 of ($browser*) or 1 of ($path*)) and
(1 of ($data*)) and
(1 of ($sql*) or 1 of ($crypto*))
}
rule SystemInformationCollection {
meta:
description = "Detects system information collection functionality"
author = "Malware Researcher"
severity = "Medium"
date = "2023-01-01"
strings:
$import1 = "import platform" ascii wide
$import2 = "import socket" ascii wide
$import3 = "import uuid" ascii wide
$import4 = "import psutil" ascii wide
$func1 = "platform.system" ascii wide
$func2 = "platform.release" ascii wide
$func3 = "socket.gethostname" ascii wide
$func4 = "uuid.getnode" ascii wide
$func5 = "psutil.cpu_count" ascii wide
$func6 = "psutil.disk_usage" ascii wide
$func7 = "os.environ" ascii wide
$func8 = "os.getlogin" ascii wide
condition:
2 of ($import*) and 2 of ($func*)
}
rule AntiVMTechniques {
meta:
description = "Detects anti-VM/sandbox evasion techniques"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$vm1 = "VMware" nocase ascii wide
$vm2 = "VirtualBox" nocase ascii wide
$vm3 = "QEMU" nocase ascii wide
$vm4 = "Xen" nocase ascii wide
$vm5 = "KVM" nocase ascii wide
$vm6 = "Parallels" nocase ascii wide
$vm7 = "Hyper-V" nocase ascii wide
$vm8 = "Virtual Machine" nocase ascii wide
$check1 = "wmic.exe" nocase ascii wide
$check2 = "systeminfo" nocase ascii wide
$check3 = "get_mac" nocase ascii wide
$check4 = "registry" nocase ascii wide
$check5 = "check_vm" nocase ascii wide
$check6 = "is_vm" nocase ascii wide
condition:
2 of ($vm*) and 1 of ($check*)
}
rule SelfDestructCode {
meta:
description = "Detects self-destructing code functionality"
author = "Malware Researcher"
severity = "High"
date = "2023-01-01"
strings:
$del1 = "os.remove" ascii wide
$del2 = "os.unlink" ascii wide
$del3 = "shutil.rmtree" ascii wide
$path1 = "__file__" ascii wide
$path2 = "sys.argv[0]" ascii wide
$cmd1 = "cmd.exe /c" ascii wide
$cmd2 = "del " ascii wide
$cmd3 = "rmdir" ascii wide
$bat1 = ".bat" ascii wide
$bat2 = ".cmd" ascii wide
condition:
1 of ($del*) and (1 of ($path*) or
(1 of ($cmd*) and 1 of ($bat*)))
}
Reference in a new issue View git blame Copy permalink