2 changes: 1 addition & 1 deletion third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
063fb36a398f8bec668ab715b17dc4596fdadb0f
cc2fab21ad5ba5f6dd74e57f44373bbcc6f0ce09
1 change: 1 addition & 0 deletions third_party/yara/bartblaze/generic/LNK_Ruleset.yar
Expand Up @@ -338,6 +338,7 @@ rule SMB_in_LNK
source = "BARTBLAZE"
author = "@bartblaze"
category = "INFO"
description = "Identifies SMB in shortcut (LNK) files"

strings:
$ = "\\c$\\" ascii wide nocase
5 changes: 3 additions & 2 deletions third_party/yara/bartblaze/hacktools/Adfind.yar
Expand Up @@ -12,7 +12,8 @@ rule Adfind
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Adfind, a Command line Active Directory query tool."
category = "HACKTOOL"
category = "MALWARE"
malware_type = "HACKTOOL"
tool = "ADFIND"
mitre_att = "S0552"
reference = "http://www.joeware.net/freetools/tools/adfind/"
Expand All @@ -27,4 +28,4 @@ rule Adfind

condition:
any of them
}
}
17 changes: 9 additions & 8 deletions third_party/yara/bartblaze/hacktools/CreateMiniDump.yar
Expand Up @@ -12,23 +12,24 @@ rule CreateMiniDump
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies CreateMiniDump, tool to dump LSASS."
category = "HACKTOOL"
category = "MALWARE"
malware_type = "HACKTOOL"
tool = "CREATEMINIDUMP"
reference = "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass"


strings:
$ = "[+] Got lsass.exe PID:" ascii wide
$ = "[+] lsass dumped successfully!" ascii wide
$ = { 40 55 57 4? 81 ec e8 04 00 00 4? 8d ?? ?4 40 4? 8b fc b9 3a 01 00 00 b8 cc cc cc cc f3 ab 4?
8b 05 ?? ?? ?? ?? 4? 33 c5 4? 89 8? ?? ?? ?? ?? c7 4? ?? 00 00 00 00 4? c7 4? ?? 00 00 00 00 4?
c7 44 ?? ?? 00 00 00 00 c7 44 ?? ?? 80 00 00 00 c7 44 ?? ?? 02 00 00 00 45 33 c9 45 33 c0 ba 00
00 00 10 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 4? ?? 33 d2 b9 02 00 00 00 e8 ?? ?? ?? ??
$ = { 40 55 57 4? 81 ec e8 04 00 00 4? 8d ?? ?4 40 4? 8b fc b9 3a 01 00 00 b8 cc cc cc cc f3 ab 4?
8b 05 ?? ?? ?? ?? 4? 33 c5 4? 89 8? ?? ?? ?? ?? c7 4? ?? 00 00 00 00 4? c7 4? ?? 00 00 00 00 4?
c7 44 ?? ?? 00 00 00 00 c7 44 ?? ?? 80 00 00 00 c7 44 ?? ?? 02 00 00 00 45 33 c9 45 33 c0 ba 00
00 00 10 4? 8d 0d ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 4? 89 4? ?? 33 d2 b9 02 00 00 00 e8 ?? ?? ?? ??
4? 89 4? ?? 4? 8d ?? 90 00 00 00 4? 8b f8 33 c0 b9 38 02 00 00 f3 aa c7 8? ?? ?? ?? ?? 38 02 00
00 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8d ?? 90 00 00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 85
c0 74 ?? 4? 8d 15 ?? ?? ?? ?? 4? 8b ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 74 ?? 4? 8d ?? 90 00
00 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?? ?? ?? ?? 4? 8d ?? 90 00 00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 85
c0 74 ?? 4? 8d 15 ?? ?? ?? ?? 4? 8b ?? ?? ?? ?? ?? ff 15 ?? ?? ?? ?? 85 c0 74 ?? 4? 8d ?? 90 00
00 00 4? 8b 4? ?? e8 ?? ?? ?? ?? 4? 8d ?? bc 00 00 00 4? 89 8? ?? ?? ?? ?? 8b 8? ?? ?? ?? ?? 89 4? ?? }

condition:
any of them
}
}
5 changes: 3 additions & 2 deletions third_party/yara/bartblaze/hacktools/NLBrute.yar
Expand Up @@ -12,11 +12,12 @@ rule NLBrute
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies NLBrute, an RDP brute-forcing tool."
category = "HACKTOOL"
category = "MALWARE"
malware_type = "HACKTOOL"

strings:
$ = "SERVER:PORT@DOMAIN\\USER;PASSWORD" ascii wide

condition:
any of them
}
}
5 changes: 3 additions & 2 deletions third_party/yara/bartblaze/hacktools/Responder.yar
Expand Up @@ -12,7 +12,8 @@ rule Responder
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Responder, an LLMNR, NBT-NS and MDNS poisoner."
category = "HACKTOOL"
category = "MALWARE"
malware_type = "HACKTOOL"
tool = "RESPONDER"
mitre_att = "S0174"
reference = "https://github.com/lgandx/Responder"
Expand All @@ -35,4 +36,4 @@ rule Responder

condition:
any of them
}
}
Expand Up @@ -12,7 +12,8 @@ rule Windows_Credentials_Editor
source = "BARTBLAZE"
author = "@bartblaze"
description = "Identifies Windows Credentials Editor (WCE), post-exploitation tool."
category = "HACKTOOL"
category = "MALWARE"
malware_type = "HACKTOOL"
tool = "WINDOWS CREDENTIAL EDITOR"
mitre_att = "S0005"
reference = "https://www.ampliasecurity.com/research/windows-credentials-editor/"
Expand Down Expand Up @@ -42,4 +43,4 @@ rule Windows_Credentials_Editor

condition:
3 of them
}
}