Add comprehensive YARA rule library for malware detection

Created professional YARA ruleset covering: - Metasploit payloads and encoders (Meterpreter, Shikata Ga Nai) - Cobalt Strike beacons and C2 profiles - Generic shellcode patterns (PEB/TEB access, API hashing) - Process injection techniques (hollowing, DLL injection, APC) - Advanced injection (AtomBombing, Process Doppelganging, Early Bird) - Evasion techniques (anti-debug, anti-VM, AMSI/ETW bypass) Each rule includes metadata for threat level and MITRE ATT&CK mapping. Generated with [Claude Code](https://claude.com/claude-code)
2025-11-21 00:38:07 +02:00
parent bcf934fac2
commit df8604e937
5 changed files with 671 additions and 0 deletions
--- a/rules/metasploit.yar
+++ b/rules/metasploit.yar
@@ -0,0 +1,72 @@
+rule Metasploit_Meterpreter_Payload
+{
+    meta:
+        description = "Detects Metasploit Meterpreter payload in memory"
+        author = "Ghost Detection Engine"
+        threat_level = "critical"
+        mitre_attack = "T1055"
+
+    strings:
+        $meterpreter_1 = "metsrv.dll" nocase
+        $meterpreter_2 = "stdapi.dll" nocase
+        $meterpreter_3 = "ReflectiveLoader" nocase
+        $meterpreter_4 = { 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 }
+        $meterpreter_sig = "meterpreter" nocase
+        $stage_marker = { 00 00 00 00 00 00 00 00 00 00 00 00 4d 65 74 65 72 70 72 65 74 65 72 }
+
+    condition:
+        2 of them
+}
+
+rule Metasploit_Reverse_TCP_Shellcode
+{
+    meta:
+        description = "Detects Metasploit reverse TCP shellcode patterns"
+        author = "Ghost Detection Engine"
+        threat_level = "high"
+        mitre_attack = "T1055.001"
+
+    strings:
+        // Windows reverse TCP patterns
+        $rev_tcp_1 = { 68 02 00 ?? ?? 89 E6 6A 10 56 57 68 99 A5 74 61 }
+        $rev_tcp_2 = { 68 7F 00 00 01 68 02 00 ?? ?? 89 E6 }
+        $winsock_2 = "ws2_32" nocase
+        $winsock_call = { FF 55 ?? 68 63 6D 64 00 }
+
+    condition:
+        any of them
+}
+
+rule Metasploit_Shikata_Ga_Nai_Encoder
+{
+    meta:
+        description = "Detects Metasploit Shikata Ga Nai polymorphic encoder"
+        author = "Ghost Detection Engine"
+        threat_level = "high"
+        mitre_attack = "T1027"
+
+    strings:
+        // Shikata Ga Nai decoder stub patterns
+        $shikata_1 = { D9 74 24 F4 5? B? ?? ?? ?? ?? 31 }
+        $shikata_2 = { D9 EE D9 74 24 F4 5? B? }
+        $shikata_3 = { D9 ?? D9 74 24 F4 5? ?? ?? ?? ?? ?? 29 C9 }
+
+    condition:
+        any of them
+}
+
+rule Metasploit_Inline_Egg_Stager
+{
+    meta:
+        description = "Detects Metasploit inline egg stager patterns"
+        author = "Ghost Detection Engine"
+        threat_level = "high"
+        mitre_attack = "T1055"
+
+    strings:
+        $egg_tag = { 77 30 30 74 }
+        $egg_search = { 66 81 CA FF 0F 42 52 6A 02 58 CD 2E }
+
+    condition:
+        any of them
+}