Update third-party rules as of 2025-09-24

tests/linux/2022.Conti/bb64b27.elf_x86_64.simple

@@ -1,5 +1,4 @@
 # linux/2022.Conti/bb64b27.elf_x86_64: critical
-3P/elastic/ransomware_conti: critical
 anti-behavior/random_behavior: low
 c2/addr/url: low
 c2/tool_transfer/arch: low

third_party/yara/elastic/Linux_Cryptominer_Xmrig.yar

@@ -77,25 +77,6 @@ rule Linux_Cryptominer_Xmrig_e7e64fb7 {
         all of them
 }
 
-rule Linux_Cryptominer_Xmrig_79b42b21 {
-    meta:
-        author = "Elastic Security"
-        id = "79b42b21-1408-4837-8f1f-6de30d7f5777"
-        fingerprint = "4cd0481edd1263accdac3ff941df4e31ef748bded0fba5fe55a9cffa8a37b372"
-        creation_date = "2021-01-12"
-        last_modified = "2021-09-16"
-        threat_name = "Linux.Cryptominer.Xmrig"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { FC 00 79 0A 8B 45 B8 83 E0 04 85 C0 75 38 8B 45 EC 83 C0 01 }
-    condition:
-        all of them
-}
-
 rule Linux_Cryptominer_Xmrig_77fbc695 {
     meta:
         author = "Elastic Security"

third_party/yara/elastic/Linux_Ransomware_Conti.yar

@@ -1,23 +1,3 @@
-rule Linux_Ransomware_Conti_53a640f4 {
-    meta:
-        author = "Elastic Security"
-        id = "53a640f4-905c-4b0d-ac4a-9ffdffd74253"
-        fingerprint = "d81309f83494b0635444234c514fda0edc05a11ac861c769a007f9f558def148"
-        creation_date = "2022-09-22"
-        last_modified = "2022-10-18"
-        threat_name = "Linux.Ransomware.Conti"
-        reference_sample = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { 48 D3 EA 48 89 D0 83 E0 01 48 85 C0 0F 95 C0 84 C0 74 0B 8B }
-    condition:
-        all of them
-}
-
 rule Linux_Ransomware_Conti_a89c26cf {
     meta:
         author = "Elastic Security"

third_party/yara/elastic/Linux_Rootkit_Flipswitch.yar

@@ -0,0 +1,26 @@
+rule Linux_Rootkit_Flipswitch_821f3c9e {
+    meta:
+        author = "Elastic Security"
+        id = "821f3c9e-ffce-4df1-903c-4ad898009388"
+        fingerprint = "ea27ee70f3af34c20bcde6e9a0ab04d8011d1ca7f79c4537ea0a152da0789261"
+        creation_date = "2025-09-05"
+        last_modified = "2025-09-17"
+        description = "Yara rule to detect the FlipSwitch rootkit PoC"
+        threat_name = "Linux.Rootkit.Flipswitch"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $all_a = { FF FF 48 89 45 E8 F0 80 ?? ?? ?? 31 C0 48 89 45 F0 48 8B 45 E8 0F 22 C0 }
+        $obf_b = { BA AA 00 00 00 BE 0D 00 00 00 48 C7 ?? ?? ?? ?? ?? 49 89 C4 E8 }
+        $obf_c = { BA AA 00 00 00 BE 15 00 00 00 48 89 C3 E8 ?? ?? ?? ?? 48 89 DF 48 89 43 30 E8 ?? ?? ?? ?? 85 C0 74 0D 48 89 DF E8 }
+        $main_b = { 41 54 53 E8 ?? ?? ?? ?? 48 C7 C7 ?? ?? ?? ?? 49 89 C4 E8 ?? ?? ?? ?? 4D 85 E4 74 2D 48 89 C3 48 85 }
+        $main_c = { 48 85 C0 74 1F 48 C7 ?? ?? ?? ?? ?? ?? 48 89 C7 48 89 C3 E8 ?? ?? ?? ?? 85 C0 74 0D 48 89 DF E8 ?? ?? ?? ?? 45 31 E4 EB 14 }
+        $debug_b = { 48 89 E5 41 54 53 48 85 C0 0F 84 ?? ?? 00 00 48 C7 }
+        $debug_c = { 48 85 C0 74 45 48 C7 ?? ?? ?? ?? ?? ?? 48 89 C7 48 89 C3 E8 ?? ?? ?? ?? 85 C0 75 26 48 89 DF 4C 8B 63 28 E8 ?? ?? ?? ?? 48 89 DF E8 }
+    condition:
+        #all_a >= 2 and (1 of ($obf_*) or 1 of ($main_*) or 1 of ($debug_*))
+}
+

third_party/yara/elastic/RELEASE

@@ -1 +1 @@
-490af209747cb9e0c665eb7c4e6327086be8e37b
+7c3ccfaa21b88ae633c47210f0cd60ec09bffab5