This Gist has been transfered into a Github Repo. You'll find the most recent version here.
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them. This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16) |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
| import hashlib | |
| import re | |
| def calculate_rule_hash(rule): | |
| """ | |
| Calculates a hash over the relevant YARA rule content (string contents, sorted condition) | |
| Requires a YARA rule object as generated by 'plyara': https://github.com/plyara/plyara | |
| :param rule: yara rule object | |
| :return hash: generated hash | |
| """ |
| /* | |
| _____ __ __ ___ __ | |
| / ___/__ ___/ / / |/ /__ ___/ /__ | |
| / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| \___/\___/\_,_/_/_/__/_/\___/\_,_/\__/ | |
| \ \/ / _ | / _ \/ _ | / _ \__ __/ /__ | |
| \ / __ |/ , _/ __ | / , _/ // / / -_) | |
| /_/_/ |_/_/|_/_/ |_| /_/|_|\_,_/_/\__/ | |
| Florian Roth - v0.5.0 October 2019 | |
| # ################################################################################ | |
| # IMPORTANT NOTE | |
| # The most recent version of this POC rule can now be found in the main repository | |
| # https://github.com/Neo23x0/sigma/blob/master/other/godmode_sigma_rule.yml | |
| # ################################################################################ | |
| # _____ __ __ ___ __ | |
| # / ___/__ ___/ / / |/ /__ ___/ /__ | |
| # / (_ / _ \/ _ / / /|_/ / _ \/ _ / -_) | |
| # \___/\___/\_,_/ /_/ /_/\___/\_,_/\__/_ | |
| # / __(_)__ ___ _ ___ _ / _ \__ __/ /__ |