From fb49e2a23adfa7ff755941416d8e42787b971bbf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 28 Jan 2024 10:02:13 +0100
Subject: [PATCH 01/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 143 ++++++++++++++++++++++++++++++++++
 1 file changed, 143 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 07a3aa5..0f12923 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -20,6 +20,18 @@ importance-scores:
 - rule:
 repo: "GodModeRules"
 importance: 60
+ - rule:
+ repo: "DitekSHen"
+ file: "indicator_packed.yar"
+ importance: 50
+ - rule:
+ repo: "DitekSHen"
+ file: "indicator_suspicious.yar"
+ importance: 50
+ - rule:
+ repo: "DitekSHen"
+ file: "indicator_knownbad_certs.yar"
+ importance: 50
 
 # FALSE POSITIVES
 # Rules that are prone to false positives
@@ -388,3 +400,134 @@ noisy-rules:
 - name: "RUSSIANPANDA_Check_Installed_Software"
 quality: -50
 score: 50
+
+ # ditekShen
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_"
+ quality: -30
+ score: 40
+ type: "prefix"
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_Finger_Download_Pattern"
+ quality: -30
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1"
+ quality: -100
+ score: 30
+ - name: "DITEKSHEN_INDICATOR_RTF_Remotetemplate"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_INDICATOR_PDF_Ipdropper"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_62E745E92165213C971F5C490Aea12A5"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_43Bb437D609866286Dd839E1D00309F5"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_23389161E45A218Bd24E6E859Ae11153"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_26279F0F2F11970Dccf63Eba88F2D4C4"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_0D07705Fa0E0C4827Cc287Cfcdec20C4"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_0F9D91C6Aba86F4E54Cbb9Ef57E68346"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_07F9D80B85Ceff7Ee3F58Dc594Fe66B6"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_01803Bc7537A1818C4Ab135469963C10"
+ quality: -70
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Sqlquery_Confidentialdatastore"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_1F3216F428F850Be2C66Caa056F6D821"
+ quality: -70
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_7C1118Cbbadc95Da3752C46E47A27438"
+ quality: -70
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_"
+ quality: -20
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Regkeycomb_Disablewindefender"
+ quality: -90
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Nonewindowsua"
+ quality: -90
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Reversed"
+ quality: -90
+ score: 50
+ - name: "DITEKSHEN_MALWARE_Win_Dlagent02"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_INDICATOR_TOOL_WEDGECUT"
+ quality: -80
+ score: 50
+ - name: "DITEKSHEN_MALWARE_Win_Asyncrat"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_MALWARE_Osx_Lamepyre"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_MALWARE_Win_Strelastealer"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_MALWARE_Win_Dlagent02"
+ quality: -40
+ score: 60
+ - name: "DITEKSHEN_MALWARE_Win_Avemaria"
+ quality: -60
+ score: 60
+ - name: "DITEKSHEN_MALWARE_Win_Fabookie_02"
+ quality: -70
+ score: 60
+ - name: "DITEKSHEN_INDICATOR_EXE_Packed_Dotfuscator"
+ quality: -80
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_0C5396Dcb2949C70Fac48Ab08A07338E"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Rawgithub_URL"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_20A20Dfce424E6Bbcc162A5Fcc0972Ee"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_0B1F8Cd59E64746Beae153Ecca21066B"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_EXE_Packed_"
+ quality: -70
+ score: 40
+ type: "prefix"
+ - name: "DITEKSHEN_INDICATOR_TOOL_EXP_Serioussam02"
+ quality: -100
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_EXE_Dotnet_Encrypted"
+ quality: -70
+ score: 50
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_04F131322Cc31D92C849Fca351D2F141"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_3991D810Fb336E5A7D8C2822"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_Finger_Download_Pattern"
+ quality: -70
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_PWSH_Passwordcredential_Retrievepassword"
+ quality: -70
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_KB_CERT_028Aa6E7B516C0D155F15D6290A430E3"
+ quality: -90
+ score: 40
+ - name: "DITEKSHEN_INDICATOR_TOOL_EXP_Apachestrusts"
+ quality: -90
+ score: 40
+
From 3f0926a5ccbd2de1e0711891a7fb8ad2b8909973 Mon Sep 17 00:00:00 2001
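Review bot: `DITEKSHEN_INDICATOR_KB_CERT_` (quality -20, score 50) carries a trailing underscore like the two prefix entries in this hunk, but it is the only one of the three without `type: "prefix"`, so it presumably matches only a rule literally named that (assuming exact match is the default when `type` is absent — the consumer's behaviour is not visible here); if it is meant to cover every KB_CERT rule, add `type: "prefix"` under its `score: 50` line. The hunk also lists `DITEKSHEN_MALWARE_Win_Dlagent02` twice with identical values and `DITEKSHEN_INDICATOR_SUSPICIOUS_Finger_Download_Pattern` twice with conflicting values (quality -30/score 50 first, quality -70/score 40 later); which of the two the scoring tool applies depends on its list handling, so keep a single entry with the intended values. How a prefix entry combines with a more specific exact entry under it (`DITEKSHEN_INDICATOR_SUSPICIOUS_` at -30 versus the individual `DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_*` entries at -90) is not documented anywhere in the file; a one-line comment on precedence next to the `# ditekShen` header would save the next contributor from guessing. The `noisy-rules` list this hunk extends starts outside the hunk.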
From: Florian Roth
Date: Sun, 28 Jan 2024 14:06:11 +0100
Subject: [PATCH 02/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 09f77e6..be2d02a 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -23,15 +23,15 @@ importance-scores:
 - rule:
 repo: "DitekSHen"
 file: "indicator_packed.yar"
- importance: 50
+ importance: 20
 - rule:
 repo: "DitekSHen"
 file: "indicator_suspicious.yar"
- importance: 50
+ importance: 20
 - rule:
 repo: "DitekSHen"
 file: "indicator_knownbad_certs.yar"
- importance: 50
+ importance: 20
 
 # FALSE POSITIVES
 # Rules that are prone to false positives
From a32f12675a515cce8dc88d35f8392c63d44b4aad Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 22 Mar 2024 17:44:17 +0100
Subject: [PATCH 03/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index be2d02a..637a3b6 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -107,6 +107,8 @@ noisy-rules:
 - name: "ELASTIC_Linux_Trojan_Tsunami_47F93Be2"
 quality: -70
 score: 60
+ - name: "ELASTIC_Linux_Exploit_Dirtycow_8555F149"
+ quality: -80
 
 # FireEye
 - name: "FIREEYE_RT_Hunting_Dotnettojscript_Functions"
From affbb41041bd51c471a73b96ae54e7edafad9b1a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 27 May 2024 00:47:50 +0200
Subject: [PATCH 04/15] deliv-to rule HTML_B64_WASM_Blob
---
 yara-forge-custom-scoring.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index c6422b0..e22e3d0 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -323,6 +323,8 @@ noisy-rules:
 # Delivr.to
 - name: "DELIVRTO_SUSP_SVG_Onload_Onerror_Jul23"
 quality: -100
+ - name: "DELIVRTO_SUSP_HTML_B64_WASM_Blob"
+ quality: -80
 
 # SecuInfra
 - name: "SECUINFRA_OBFUS_Powershell_Common_Replace"
From 1c4eafe4f89c71f05ba5b855f96bc6e06532ebae Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 13 Oct 2024 16:11:52 +0200
Subject: [PATCH 05/15] fix: rule with issues
---
 yara-forge-custom-scoring.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index e22e3d0..7d18402 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -270,6 +270,9 @@ noisy-rules:
 - name: "MALPEDIA_Win_Unidentified_090_Auto"
 quality: -60
 score: 60
+ - name: "MALPEDIA_Win_Maze_Auto" # $sequence_8 = { 41 41 41 41 41 41 41 }
+ quality: -100
+ score: 60
 
 # Signature Base
 - name: "SIGNATURE_BASE_Cobaltstrike_C2_Host_Indicator"
From 938163c822e050218096b1b2e5f0210ffcd1e18e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 21 Oct 2024 14:44:48 +0200
Subject: [PATCH 06/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 7d18402..1e2000c 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -56,6 +56,17 @@ noisy-rules:
 quality: -50
 - name: "CAPE_Agentteslaxor"
 quality: -50
+ - name: "CAPE_UPX"
+ quality: -40
+ score: 30
+ - name: "CAPE_NSIS"
+ quality: -40
+ score: 30
+ - name: "CAPE_Syscall"
+ quality: -40
+ score: 30
+ - name: "CAPE_Sparkrat"
+ quality: -80
 
 # Elastic
 - name: "ELASTIC_Multi_EICAR_Ac8F42D6"
@@ -430,7 +441,7 @@ noisy-rules:
 # RussianPanda
 - name: "RUSSIANPANDA_Check_Installed_Software"
 quality: -50
- score: 50
+ score: 45
 
 # ditekShen
 - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_"
From b4fc415c7ce6be586320feb2a537f0fce0884dac Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 5 Sep 2025 14:05:09 +0200
Subject: [PATCH 07/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 1e2000c..ee6296a 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -284,6 +284,9 @@ noisy-rules:
 - name: "MALPEDIA_Win_Maze_Auto" # $sequence_8 = { 41 41 41 41 41 41 41 }
 quality: -100
 score: 60
+ - name: MALPEDIA_Win_Sidetwist_Auto # FPs with libstdc++-6.dll
+ quality: -60
+ score: 50
 
 # Signature Base
 - name: "SIGNATURE_BASE_Cobaltstrike_C2_Host_Indicator"
From affb165b0c065d110d62b00eecc66bf066b2f740 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 5 Sep 2025 23:52:44 +0200
Subject: [PATCH 08/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index ee6296a..253d317 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -67,6 +67,8 @@ noisy-rules:
 score: 30
 - name: "CAPE_Sparkrat"
 quality: -80
+ - name: "CAPE_Formhookb"
+ quality: -90
 
 # Elastic
 - name: "ELASTIC_Multi_EICAR_Ac8F42D6"
From e897b86e6621d1831647486d2e47c29190443064 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 5 Sep 2025 23:53:23 +0200
Subject: [PATCH 09/15] Update yaraQA
---
 qa/yaraQA | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qa/yaraQA b/qa/yaraQA
index a3aa7a3..6d0cfc3 160000
--- a/qa/yaraQA
+++ b/qa/yaraQA
@@ -1 +1 @@
-Subproject commit a3aa7a36859045e8de8a308a0c5f360b184ea470
+Subproject commit 6d0cfc3b5356c3a58f79d98077ad505e4493785c
From ba8160e13ef78134bd9ccb90fe4397d6acab9145 Mon Sep 17 00:00:00 2001
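Review bot: `MALPEDIA_Win_Sidetwist_Auto` in the [PATCH 07/15] hunk is the only `name` value in this series written as a plain scalar; every surrounding entry double-quotes the rule name. It parses to the same string here because the value contains no YAML specials and the following ` #` starts the comment, but a plain scalar is exposed to implicit typing and to `: ` / ` #` inside the value, so keep the file's convention: `- name: "MALPEDIA_Win_Sidetwist_Auto"  # FPs with libstdc++-6.dll`. The same consistency point applies to the single-quoted names added in [PATCH 11/15] (`SBOUSSEADEN_Adsync_Creddump_Wide`, `DITEKSHEN_INDICATOR_OLE_Excel4Macros_DL2`, `DITEKSHEN_INDICATOR_OLE_Suspicious_MITRE_T1117`, `DITEKSHEN_INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2`), which should use double quotes like the rest of the list. The `noisy-rules` list these hunks extend starts outside the hunks.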
From: Florian Roth
Date: Sat, 6 Sep 2025 00:04:07 +0200
Subject: [PATCH 10/15] Revert "Update yaraQA"
This reverts commit e897b86e6621d1831647486d2e47c29190443064.
---
 qa/yaraQA | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qa/yaraQA b/qa/yaraQA
index 6d0cfc3..a3aa7a3 160000
--- a/qa/yaraQA
+++ b/qa/yaraQA
@@ -1 +1 @@
-Subproject commit 6d0cfc3b5356c3a58f79d98077ad505e4493785c
+Subproject commit a3aa7a36859045e8de8a308a0c5f360b184ea470
From 1e45a1b6a525ebe92ec9973a38afe72b7c7419f8 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 3 Nov 2025 16:47:40 +0100
Subject: [PATCH 11/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index c3eb14b..146f72f 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -356,6 +356,8 @@ noisy-rules:
 quality: -100
 - name: "DELIVRTO_SUSP_HTML_B64_WASM_Blob"
 quality: -80
+ - name: "DELIVRTO_SUSP_ZIP_Smuggling_Egg_Jun01"
+ quality: -80
 
 # SecuInfra
 - name: "SECUINFRA_OBFUS_Powershell_Common_Replace"
@@ -436,6 +438,9 @@ noisy-rules:
 - name: "SBOUSSEADEN_Mem_Webcreds_Regexp_Xor"
 quality: -30
 score: 60
+ - name: 'SBOUSSEADEN_Adsync_Creddump_Wide'
+ quality: -30
+ score: 60
 
 # Dr4k0nia
 - name: "DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse"
@@ -589,7 +594,16 @@ noisy-rules:
 - name: "DITEKSHEN_INDICATOR_TOOL_EXP_Apachestrusts"
 quality: -90
 score: 40
-
+ - name: 'DITEKSHEN_INDICATOR_OLE_Excel4Macros_DL2'
+ quality: -30
+ score: 50
+ - name: 'DITEKSHEN_INDICATOR_OLE_Suspicious_MITRE_T1117'
+ quality: -30
+ score: 50
+ - name: 'DITEKSHEN_INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2'
+ quality: -50
+ score: 40
+
 # WithSecureLabs
 - name: "ducktail_artifacts"
 quality: -50
From 351cdfa38b302b07762de7477a65cd1fb10bfcb9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 7 Jan 2026 22:20:43 +0100
Subject: [PATCH 12/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 146f72f..8b7b57d 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -71,6 +71,8 @@ noisy-rules:
 quality: -90
 - name: "CAPE_Nettraveler" # wrong escape sequence in string
 quality: -100
+ - name: "CAPE_Winosstager"
+ quality: -100
 
 # Elastic
 - name: "ELASTIC_Multi_EICAR_Ac8F42D6"
From af2b125cdb9bdad2722c4231f5b7ab7bf7c8587d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 8 Jan 2026 02:00:03 +0100
Subject: [PATCH 13/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 8b7b57d..05d62cf 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -303,6 +303,9 @@ noisy-rules:
 - name: MALPEDIA_Win_Sidetwist_Auto # FPs with libstdc++-6.dll
 quality: -60
 score: 50
+ - name: "MALPEDIA_Win_Brute_Ratel_C4_Auto" # FPs with Microsoft OneDrive
+ quality: -90
+ score: 45
 
 # Signature Base
 - name: "SIGNATURE_BASE_Cobaltstrike_C2_Host_Indicator"
From 7403ec7592d744a51cc590071b220c902ae8c27f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 23 Jan 2026 11:24:29 +0100
Subject: [PATCH 14/15] Update yara-forge-custom-scoring.yml
---
 yara-forge-custom-scoring.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 05d62cf..a35721c 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -135,6 +135,9 @@ noisy-rules:
 - name: "FIREEYE_RT_APT_Backdoor_Win_Dshell_2"
 quality: -30
 score: 60
+ - name: "FIREEYE_RT_APT_Trojan_Win_REDFLARE_1"
+ quality: -80
+ score: 50
 
 # Tellix / McAfee
 - name: "MCAFEE_ATR_Vbs_Mykins_Botnet"
From 3f36a95ba0c3ae34cf0ef17e301502aa55cbe9ef Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 19 Feb 2026 00:15:44 +0100
Subject: [PATCH 15/15] fix:FPs with CAPE_Blackdropper
---
 yara-forge-custom-scoring.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
index 06a71a0..b631b5b 100644
--- a/yara-forge-custom-scoring.yml
+++ b/yara-forge-custom-scoring.yml
@@ -73,6 +73,9 @@ noisy-rules:
 quality: -100
 - name: "CAPE_Winosstager"
 quality: -100
+ - name: "CAPE_Blackdropper"
+ quality: -60
+ score: 40
 
 # Elastic
 - name: "ELASTIC_Multi_EICAR_Ac8F42D6"