// MakeNotWork custom YARA rules
// Platform-specific threats and common test patterns
rule eicar_test_file {
    // Matches the standard EICAR anti-malware test file. Handy for checking
    // that a scanner actually runs this ruleset end to end.
    meta:
        description = "EICAR anti-virus test file"
        reference = "https://www.eicar.org/download-anti-malware-testfile/"
    strings:
        // The published test string. "\\" is YARA escaping for one literal
        // backslash, so this matches the real EICAR content byte for byte.
        $sig = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii
    condition:
        $sig
}
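rule suspicious_script_in_binary {
    // Flags files that carry an embedded download-and-execute snippet for
    // either PowerShell or a Unix shell.
    // NOTE(review): nothing in the condition checks the file format, so despite
    // the description this also fires on plain-text scripts and documents; add
    // a header check (e.g. uint16(0) == 0x5A4D for PE) if only binaries are wanted.
    meta:
        description = "Executable containing embedded script downloaders"
    strings:
        // PowerShell: two of these together is the usual download-cradle shape.
        // Expect some noise from PowerShell tooling and docs that legitimately
        // mention Invoke-Expression / DownloadString.
        $ps1 = "powershell" ascii nocase
        $ps2 = "Invoke-Expression" ascii nocase
        $ps3 = "DownloadString" ascii nocase
        // Unix: curl piped straight into a shell. The \b after "sh" removes
        // the false positives the plain "| sh" string produced on pipelines
        // such as "| sha256sum" or "| shasum"; \s* also accepts "|sh".
        $curl = "curl " ascii
        $pipe_sh = /\|\s*(ba)?sh\b/ ascii
    condition:
        (2 of ($ps*)) or ($curl and $pipe_sh)
}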