AlienVault Labs Rules
- Collection of tools, signatures, and rules from the researchers at AlienVault Labs. Search the repo for .yar and .yara extensions to find about two dozen rules ranging from APT detection to generic sandbox / VM detection. Last updated in January of 2016.
- Apple has ~40 YARA signatures for detecting malware on OSX. The file, XProtect.yara, is available locally at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/.
- Custom rules from Brian Wallace used for bamfdetect, along with some rules from other sources.
BinaryAlert YARA Rules
- A couple dozen rules written and released by Airbnb as part of their BinaryAlert tool (see next section). Detection for hack tools, malware, and ransomware across Linux, Windows, and OS X. This is a new and active project.
Burp YARA Rules
- Collection of YARA rules intended to be used with the Burp Proxy through the Yara-Scanner extension. These rules focus mostly on non-exe malware typically delivered over HTTP including HTML, Java, Flash, Office, PDF, etc. Last updated in June of 2016.
- Find a common pattern of bytes within a set of samples and generate a YARA rule from the identified pattern.
- Rules from various authors bundled with the Config And Payload Extraction Cuckoo Sandbox extension (see next section).
- Collection of YARA rules released by CyberDefenses for public use. Built from information in intelligence profiles, dossiers and file work.
Citizen Lab Malware Signatures
- YARA signatures developed by Citizen Lab. Dozens of signatures covering a variety of malware families. They also include a syntax file for Vim. Last update was in November of 2016.
- A collection of Yara rules looking for PEs with PDB paths that have unique, unusual, or overtly malicious-looking keywords, terms, or other features.
- A collection of YARA rules made public by Adam Swanda, Splunk's Principal Threat Intel. Analyst, from his own recent malware research.
Didier Stevens Rules
- Collection of rules from Didier Stevens, author of a suite of tools for inspecting OLE/RTF/PDF. Didier's rules are worth scrutinizing and are generally written with hunting in mind. New rules are frequently announced through the NVISO Labs Blog.
- Collection of YARA and Snort rules from IOCs collected by ESET researchers. There are about a dozen YARA rules to glean from this repo; search for the file extension .yar. This repository is seemingly updated on a roughly monthly interval. New IOCs are often mentioned on the ESET WeLiveSecurity Blog.
- You can find a half dozen YARA rules in Fidelis Cyber's IOC repository. They update this repository on a roughly quarterly interval. Complete blog content is also available in this repository.
- FireEye Red Team countermeasures detection
Florian Roth Rules
- Florian Roth's signature base is a frequently updated collection of IOCs and YARA rules that cover a wide range of threats. There are dozens of rules which are actively maintained. Watch the repository to see rules evolve over time to address false positives / negatives.
Florian Roth's IDDQD Rule
- A proof-of-concept rule that shows how easy it actually is to detect red teamer and threat group tools and code.
- Mostly filetype detection rules, from the EmersonElectricCo FSF project (see next section).
GoDaddy ProcFilter Rules
- A couple dozen rules written and released by GoDaddy for use with ProcFilter (see next section). Example rules include detection for packers, mimikatz, and specific malware.
- Collection of signatures from h3x2b which stand out in that they are generic and can be used to assist in reverse engineering. There are YARA rules for identifying crypto routines, highly entropic sections (certificate discovery for example), discovering injection / hooking functionality, and more.
- Repository of automatically generated YARA rules from Icewater.io. This repository is updated rapidly with newly generated signatures that mostly match on file size range and partial content hashes.
- YARA rules published by InQuest researchers mostly geared towards threat hunting on Virus Total. Rules are updated as new samples are collected and novel pivots are discovered. The InQuest Blog will often discuss new findings.
mikesxrs YARA Rules Collection
- Large collection of open source rules aggregated from a variety of sources, including blogs and other more ephemeral sources. Over 100 categories, 1500 files, 4000 rules, and 20 MB. If you're going to pull down a single repo to play with, this is the one.
Patrick Olsen Rules
- Small collection of rules with a wide footprint for variety in detection. RATs, documents, PCAPs, executables, in-memory, point-of-sale malware, and more. Unfortunately this repository hasn't seen an update since late 2014.
QuickSand Lite Rules
- This repo contains a C framework and standalone tool for malware analysis, along with several useful YARA rules developed for use with the project.
- Triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.
ReversingLabs YARA Rules
- A collection of YARA rules published by ReversingLabs which covers exploits, infostealers, ransomware, trojans, and viruses.
Sophos AI YaraML Rules
- A repository of Yara rules created automatically as translations of machine learning models. Each directory will have a rule and accompanying metadata: hashes of files used in training, and an accuracy diagram (a ROC curve).
- Repository of tools and scripts related to malware analysis from the researchers at SpiderLabs. There are only three YARA rules here and the last update was back in 2015, but it is worth exploring.
- This repository is dedicated to YARA rules for phishing kit zip files. The rules are based on analysis of the raw zip format to find directory and file names, so yara-extend is not needed.
- Automated YARA rule generation using biclustering.
- Identifies and extracts information from bots and other malware.
- Generate YARA rules to match terms against base64-encoded data.
CAPE: Config And Payload Extraction
- Extension of Cuckoo specifically designed to extract payloads and configuration from malware. CAPE can detect a number of malware techniques or behaviours, as well as specific malware families, from its initial run on a sample. This detection then triggers a second run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.
- YARA rule metadata specification and validation utility.
- Serverless, real-time, ClamAV+Yara scanning for your S3 Buckets.
- The Canadian Communications Security Establishment (CSE) open sourced AssemblyLine, a platform for analyzing malicious files. The component linked here provides an interface to YARA.
- A multi-platform .NET wrapper library for the native YARA library.
- Event Log Analysis Tool that creates/uses YARA rules for Windows event log analysis.
- Parser with YARA support, to extract meta information, perform static analysis and detect macros within files.
- ProcFilter is a process filtering system for Windows with built-in YARA integration. YARA rules can be instrumented with custom meta tags that tailor ProcFilter's response to rule matches. It runs as a Windows service and is integrated with Microsoft's ETW API, making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and do not require a reboot.
- Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL).
- Advanced Indicator of Compromise (IOC) extractor, with YARA rule extraction.
- Powershell scripts to run YARA on remote machines.
- A minimal library to generate YARA rules from Java.
- Distributed system written in Python that allows researchers to scan one or more YARA rules over collections of samples.
- Object scanner and intrusion detection system that strives to achieve the following goals: Scalable, Flexible, Verbose.
- .NET wrapper for libyara built in C++/CLI, used to easily incorporate YARA into .NET projects.
- MalConfScan is a Volatility plugin that extracts configuration data of known malware. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.
- Scan process memory for YARA matches and execute Python scripts if a match is found.
MISP Threat Sharing
- Threat intelligence platform including indicators, threat intelligence, malware samples and binaries. Includes support for sharing, generating, and validating YARA signatures.
- File analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output.
- Generate YARA rules based on binary code.
- Web frontend for running blazingly fast YARA queries on large datasets.
Nextron Systems OSS and Commercial Tools (Florian Roth: @Neo23x0)
- Loki IOC and YARA rule scanner implemented in Python. Open source and free.
- THOR Lite IOC and YARA rule scanner implemented in Go. Closed source, free, but registration required.
- Automatically generate AV byte signatures from sets of similar binaries.
- Creates YARA signatures from executable code within malware.
- Generate bulk YARA rules from YAML input.
- YARA-CI helps you to keep your YARA rules in good shape. It can be integrated into any GitHub repository containing YARA rules and it will run automated tests every time you make some change.
- Tool useful for incident response as well as anti-malware endpoint protection based on YARA signatures.
- Web API and docker image for scanning files against YARA rules, built on @tylerha97's yara_scan.
- Quick, simple, and effective yara rule creation to isolate malware families and other malicious objects of interest.
YaraGen and yara_fn
- Plugins for x64dbg and IDAPython, respectively, that generate YARA rules from function blocks.