From 72928f0b8f1832c818125b5fd52623e772d28ae9 Mon Sep 17 00:00:00 2001
From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 29 Jun 2025 00:29:11 +0000
Subject: [PATCH] Update third-party rules as of 2025-06-29

---
 .../yara/elastic/Linux_Rootkit_Generic.yar | 21 +++++++++++++++++++
 .../yara/elastic/Linux_Trojan_Mirai.yar | 20 ------------------
 third_party/yara/elastic/RELEASE | 2 +-
 3 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/third_party/yara/elastic/Linux_Rootkit_Generic.yar b/third_party/yara/elastic/Linux_Rootkit_Generic.yar
index 963c6fd66..c240e7512 100644
--- a/third_party/yara/elastic/Linux_Rootkit_Generic.yar
+++ b/third_party/yara/elastic/Linux_Rootkit_Generic.yar
@@ -179,3 +179,24 @@ rule Linux_Rootkit_Generic_f07bcabe {
 2 of them
 }
 
+rule Linux_Rootkit_Generic_5d17781b {
+ meta:
+ author = "Elastic Security"
+ id = "5d17781b-5d2a-4405-8806-274e6cabfe2c"
+ fingerprint = "220eff54c80a69c3df0d8f71aeacdd114cc2ea0675595c2bfde2ac47578c3a02"
+ creation_date = "2024-12-02"
+ last_modified = "2025-06-10"
+ threat_name = "Linux.Rootkit.Generic"
+ severity = 100
+ arch_context = "x86, arm64"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "linux"
+ strings:
+ $str = "kallsyms_lookup_name_t"
+ $lic1 = "license=Dual BSD/GPL"
+ $lic2 = "license=GPL"
+ condition:
+ $str and 1 of ($lic*)
+}
+
diff --git a/third_party/yara/elastic/Linux_Trojan_Mirai.yar b/third_party/yara/elastic/Linux_Trojan_Mirai.yar
index 62123a9b4..4bdef6b2f 100644
--- a/third_party/yara/elastic/Linux_Trojan_Mirai.yar
+++ b/third_party/yara/elastic/Linux_Trojan_Mirai.yar
@@ -927,26 +927,6 @@ rule Linux_Trojan_Mirai_b9a9d04b {
 all of them
 }
 
-rule Linux_Trojan_Mirai_d2205527 {
- meta:
- author = "Elastic Security"
- id = "d2205527-0545-462b-b3c9-3bf2bdc44c6c"
- fingerprint = "01d937fe8823e5f4764dea9dfe2d8d789187dcd6592413ea48e13f41943d67fd"
- creation_date = "2021-01-12"
- last_modified = "2021-09-16"
- threat_name = "Linux.Trojan.Mirai"
- reference_sample = "e4f584d1f75f0d7c98b325adc55025304d55907e8eb77b328c007600180d6f06"
- severity = 100
- arch_context = "x86"
- scan_context = "file, memory"
- license = "Elastic License v2"
- os = "linux"
- strings:
- $a = { CA B8 37 00 00 00 0F 05 48 3D 01 F0 FF FF 73 01 C3 48 C7 C1 C0 FF }
- condition:
- all of them
-}
-
 rule Linux_Trojan_Mirai_ab073861 {
 meta:
 author = "Elastic Security"
diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
index 633111223..14fcbecfc 100644
--- a/third_party/yara/elastic/RELEASE
+++ b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-1894c06fd2d6bcc10c29464b9032229df8f414a6
+ff154ddf0762a4a030c8832eee7753cb19b950ff