Matthew Green mgreen27

## yara_performance_guidelines.md

      
              1 file
            
          
              26 forks
            
          
              1 comment
            
          
              118 stars
            
          
                Neo23x0
                / yara_performance_guidelines.md
            
            
              Last active
              April 30, 2024 10:39
            
              
                YARA Performance Guidelines
              
          
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines

When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7


## PowerShell Command Line Logging
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions

Log Source Type:
  MS Event Log for Win7/Win8/2008/2012 - PowerShell

Add this file to your PowerShell directory to enable verbose command line audit logging
profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true

## Get-EtwTraceProvider.ps1
#Requires -RunAsAdministrator
#Requires -Version 5.0
# requires Windows 10
Get-EtwTraceProvider | Select-Object SessionName, Guid | sort SessionName
# as Markdown
<#
#Requires -RunAsAdministrator
$result = Get-EtwTraceProvider | sort SessionName
$result | %{"|Name|GUID|";"|----|----|";}{"|$($_.SessionName)|$($_.Guid)|"}
#>

## config-client.xml
<!--
   This is a Microsoft Sysmon configuration to be used on Windows workstations
   v0.2.1 December 2016
   Florian Roth (with the help and ideas of others)

   The focus of this configuration is
   - malware detection (execution)
   - malware detection (network connections)
   - exploit detection
   It is not focussed on

## config-server.xml
<!--
   This is a Microsoft Sysmon configuation to be used on Windows server systems
   v0.2.1 December 2016
   Florian Roth

   The focus of this configuration is
   - hacking activity on servers / lateral movement (bad admin, attacker)
   It is not focussed on
   - malware detection (execution)
   - malware detection (network connections)

## Backdoor-Minimalist.sct
<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
		<![CDATA[


## Microsoft-Windows-FileInfoMinifilter.txt


Id          : 1
Version     : 0
LogLink     : System.Diagnostics.Eventing.Reader.EventLogLink
Level       : System.Diagnostics.Eventing.Reader.EventLevel
Opcode      : System.Diagnostics.Eventing.Reader.EventOpcode
Task        : System.Diagnostics.Eventing.Reader.EventTask
Keywords    : {, fi:FileNameCreate}
Template    : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">

## Get-InjectedThread.ps1
function Get-InjectedThread
{
    <#

    .SYNOPSIS

    Looks for threads that were created as a result of code injection.

    .DESCRIPTION


## Shellcode.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

## auto_shellcode_hashes.py
import os
import sys
import logging

import pefile
import ucutils
import unicorn
import capstone
import argparse
	# PowerShell Audit Logging for LogRhythm SIEM - 2015
	# For detecting dangerous PowerShell Commands/Functions

	Log Source Type:
	MS Event Log for Win7/Win8/2008/2012 - PowerShell

	Add this file to your PowerShell directory to enable verbose command line audit logging
	profile.ps1
	$LogCommandHealthEvent = $true
	$LogCommandLifeCycleEvent = $true
	#Requires -RunAsAdministrator
	#Requires -Version 5.0
	# requires Windows 10
	Get-EtwTraceProvider \| Select-Object SessionName, Guid \| sort SessionName
	# as Markdown
	<#
	#Requires -RunAsAdministrator
	$result = Get-EtwTraceProvider \| sort SessionName
	$result \| %{"\|Name\|GUID\|";"\|----\|----\|";}{"\|$($_.SessionName)\|$($_.Guid)\|"}
	#>
	<!--
	This is a Microsoft Sysmon configuration to be used on Windows workstations
	v0.2.1 December 2016
	Florian Roth (with the help and ideas of others)

	The focus of this configuration is
	- malware detection (execution)
	- malware detection (network connections)
	- exploit detection
	It is not focussed on
	<!--
	This is a Microsoft Sysmon configuation to be used on Windows server systems
	v0.2.1 December 2016
	Florian Roth

	The focus of this configuration is
	- hacking activity on servers / lateral movement (bad admin, attacker)
	It is not focussed on
	- malware detection (execution)
	- malware detection (network connections)
	<?XML version="1.0"?>
	<scriptlet>
	<registration
	progid="PoC"
	classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!-- License: BSD3-Clause -->
	<script language="JScript">
	<![CDATA[


	Id : 1
	Version : 0
	LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
	Level : System.Diagnostics.Eventing.Reader.EventLevel
	Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
	Task : System.Diagnostics.Eventing.Reader.EventTask
	Keywords : {, fi:FileNameCreate}
	Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION
	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	import os
	import sys
	import logging

	import pefile
	import ucutils
	import unicorn
	import capstone
	import argparse