Skip to content

Instantly share code, notes, and snippets.

@dustyfresh
Last active October 11, 2022 21:26
Show Gist options
  • Save dustyfresh/614fa3edddfca99b766ba410fcc8ddd6 to your computer and use it in GitHub Desktop.
Save dustyfresh/614fa3edddfca99b766ba410fcc8ddd6 to your computer and use it in GitHub Desktop.
yara signatures converted from trufflehog regexes for identifying secrets in text files
/*
Yara signatures for identifying secrets in text files. Requires libmagic!
Mostly all stolen from Trufflehog regexes:
- https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
*/
import "magic"
rule RSA_PRIVATE_KEY {
meta:
description = "RSA key patterns"
strings:
$rsa = /-{5}BEGIN\sRSA\sPRIVATE\sKEY-{5}/
condition:
$rsa and magic.type() contains "text"
}
rule SSH_EC_PRIVATE_KEY {
meta:
description = "SSH (EC) private key patterns"
strings:
$pattern = /-{5}BEGIN\sEC\sPRIVATE\sKEY-{5}/
condition:
$pattern and magic.type() contains "text"
}
rule PGP_PRIVATE_KEY {
meta:
description = "PGP Private key patterns"
strings:
$pattern = /-{5}BEGIN\sPGP\sPRIVATE\sKEY-{5}/
condition:
$pattern and magic.type() contains "text"
}
rule AWS_KEY {
meta:
description = "AWS key patterns"
strings:
$aws_access_key_id = /AKIA[0-9A-Z]{16}/
$aws_mws_auth_token = /amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
condition:
any of them and magic.type() contains "text"
}
rule facebook_keys {
meta:
description = "facebook key patterns"
strings:
$access_token = /EAACEdEose0cBA[0-9A-Za-z]+/
$facebook_oauth = /[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].*['|\"][0-9a-f]{32}['|\"]/
condition:
any of them and magic.type() contains "text"
}
rule github_key {
meta:
description = "github key patterns"
strings:
$access_token = /[g|G][i|I][t|T][h|H][u|U][b|B].*['|\"][0-9a-zA-Z]{35,40}['|\"]/
condition:
$access_token and magic.type() contains "text"
}
rule generic_api_key {
meta:
description = "generic key patterns"
strings:
$generic_key = /[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].*['|\"][0-9a-zA-Z]{32,45}['|\"]/
$generic_secret = /[s|S][e|E][c|C][r|R][e|E][t|T].*['|\"][0-9a-zA-Z]{32,45}['|\"]/
condition:
any of them and magic.type() contains "text"
}
rule google_keys {
meta:
description = "Google key patterns"
strings:
$google_api = /AIza[0-9A-Za-z\\-_]{35}/
$google_oauth = /[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com/
$gmail_oauth_access_key = /ya29\\.[0-9A-Za-z\\-_]+/
$GCP_service_account = /\"type\": \"service_account\"/
condition:
any of them and magic.type() contains "text"
}
rule heroku_api_key {
meta:
description = "heroku key patterns"
strings:
$heroku_key = /[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/
condition:
$heroku_key and magic.type() contains "text"
}
rule mailchimp_api_key {
meta:
description = "mailchimp key patterns"
strings:
$mailchimp_key = /[0-9a-f]{32}-us[0-9]{1,2}/
condition:
$mailchimp_key and magic.type() contains "text"
}
rule mailgun_api_key {
meta:
description = "mailgun key patterns"
strings:
$mailgun_key = /key-[0-9a-zA-Z]{32}/
condition:
$mailgun_key and magic.type() contains "text"
}
rule password_url {
meta:
description = "URL string containing a password"
strings:
$password_url = /[a-z-0-9]{,8}:\/{2}[a-z-0-9]{,16}\:[a-z-0-9-!@#$%^&*()_+\,.<>?]{,16}@[a-z]{,64}\.[a-z]{,8}/ nocase
condition:
$password_url and magic.type() contains "text"
}
rule paypal_braintree {
meta:
description = "paypal braintree access token"
strings:
$access_token = /access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}/
condition:
$access_token and magic.type() contains "text"
}
rule picatic_api_key {
meta:
description = "Picatic API Key"
strings:
$api_key = /sk_live_[0-9a-z]{32}/
condition:
$api_key and magic.type() contains "text"
}
rule stripe_api_keys {
meta:
description = "Stripe API"
strings:
$api_key = /sk_live_[0-9a-zA-Z]{24}/
$restricted_api_key = /rk_live_[0-9a-zA-Z]{24}/
condition:
any of them and magic.type() contains "text"
}
rule square_keys {
meta:
description = "Square secrets"
strings:
$square_access_token = /sq0atp-[0-9A-Za-z\\-_]{22}/
$square_oauth_secret = /sq0csp-[0-9A-Za-z\\-_]{43}/
condition:
any of them and magic.type() contains "text"
}
rule twilio_api_key {
meta:
description = "Twilio API key"
strings:
$api_key = /SK[0-9a-fA-F]{32}/
condition:
$api_key and magic.type() contains "text"
}
rule twitter_keys {
meta:
description = "Twitter API key"
strings:
$access_key = /[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*[1-9][0-9]+-[0-9a-zA-Z]{40}/
$oauth = /[t|T][w|W][i|I][t|T][t|T][e|E][r|R].*['|\"][0-9a-zA-Z]{35,44}['|\"]/
condition:
any of them and magic.type() contains "text"
}
/* commenting slack stuff out as needs to be tested
rule slack {
meta:
description = "Slack API key patterns"
strings:
$slack_token = /(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})/
condition:
$slack_token and magic.type() contains "text"
}
rule slack_webhook {
meta:
description = "Slack Webhook"
strings:
$slack_webhook_url = /https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}/
condition:
$slack_webhook_url and magic.type() contains "text"
}
*/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment