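// Flags document/archive-style files whose content mentions a named
// intelligence agency (NSA, Mossad).
//
// Caveats a reader should know before relying on this rule:
//  - YARA text strings are matched against the file *body*, not against
//    VirusTotal's sample metadata; "meta:" below is the rule's own metadata.
//  - Matching is case-sensitive unless a string carries `nocase`, so a file
//    spelling the agency differently will not fire.
//  - The $tag* strings are very short, common substrings ("doc", "zip",
//    "pdf") and will match a large number of unrelated files. On VT the
//    `tags` external variable (used by the other rules in this file) gives a
//    far more precise file-type check than a content substring.
//  - "docx" contains "doc", and "xlsx"/"xlsb" contain "xls", so $tag1, $tag4
//    and $tag8 are subsumed by $tag2/$tag3; they are kept for readability.
rule catch_intelligence_files
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        date = "21/09/2015"
        description = "catch files"
    strings:
        // Agency names. $meta2 was never defined; numbering kept as-is so
        // the `any of ($meta*)` wildcard below still covers both.
        $meta1 = "National Security Agency"
        $meta3 = "Israeli Secret Intelligence"
        // Document / archive type markers.
        $tag1 = "docx"
        $tag2 = "doc"
        $tag3 = "xls"
        $tag4 = "xlsx"   // fixed: original had the typo "xlxs"
        $tag5 = "pdf"
        $tag6 = "zip"
        $tag7 = "rar"
        $tag8 = "xlsb"
    condition:
        any of ($meta*) and any of ($tag*)
}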
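// Matches classic libpcap capture files by their 4-byte file magic.
//
// The original rule only recognised little-endian, microsecond-resolution
// captures (D4 C3 B2 A1). Classic pcap has four magic variants depending on
// writer endianness and timestamp resolution; all four are covered here.
// pcapng (block type 0A 0D 0D 0A) is a different container and is
// deliberately not matched.
//
// This rule fires on every pcap submitted and is therefore very noisy.
rule FE_PCAPs
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "All pcaps uploaded to VT"
        date = "29/07/2015"
    strings:
        $magic_le    = { D4 C3 B2 A1 }  // 0xa1b2c3d4 little-endian, microsecond timestamps
        $magic_be    = { A1 B2 C3 D4 }  // 0xa1b2c3d4 big-endian, microsecond timestamps
        $magic_le_ns = { 4D 3C B2 A1 }  // 0xa1b23c4d little-endian, nanosecond timestamps
        $magic_be_ns = { A1 B2 3C 4D }  // 0xa1b23c4d big-endian, nanosecond timestamps
    condition:
        // Explicit `or` chain rather than `for any of` to stay compatible
        // with older YARA releases.
        $magic_le at 0 or $magic_be at 0 or $magic_le_ns at 0 or $magic_be_ns at 0
}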
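// Matches classic libpcap captures (any of the four magic variants) that
// have been flagged by more than three AV engines on VirusTotal.
//
// `positives` is not a standard YARA identifier: it is an external variable
// supplied by VirusTotal Hunting. To compile this rule with a plain `yara`
// binary, define it on the command line, e.g. `yara -d positives=0 ...`.
// Note that `positives > 3` means at least four detections, not three.
rule pcap_positives
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "All pcaps uploaded to VT with +3 detection rate"
        date = "21/06/2015"
    strings:
        $magic_le    = { D4 C3 B2 A1 }  // little-endian, microsecond (the only variant in the original)
        $magic_be    = { A1 B2 C3 D4 }  // big-endian, microsecond
        $magic_le_ns = { 4D 3C B2 A1 }  // little-endian, nanosecond
        $magic_be_ns = { A1 B2 3C 4D }  // big-endian, nanosecond
    condition:
        ($magic_le at 0 or $magic_be at 0 or $magic_le_ns at 0 or $magic_be_ns at 0)
        and positives > 3
}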
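// Matches classic libpcap captures (any of the four magic variants) whose
// VirusTotal tags include "exploit-kit", i.e. an IDS signature on VT
// classified the traffic as exploit-kit activity.
//
// `tags` is not a standard YARA identifier: it is a string external variable
// supplied by VirusTotal Hunting. To compile this rule with a plain `yara`
// binary, define it on the command line, e.g. `yara -d tags="" ...`.
// `contains` is a case-sensitive substring test.
rule ek_submissions
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        description = "Detects pcaps uploaded to VT and matches IDS detections for Exploit kits"
        date = "23/06/2015"
    strings:
        $magic_le    = { D4 C3 B2 A1 }  // little-endian, microsecond (the only variant in the original)
        $magic_be    = { A1 B2 C3 D4 }  // big-endian, microsecond
        $magic_le_ns = { 4D 3C B2 A1 }  // little-endian, nanosecond
        $magic_be_ns = { A1 B2 3C 4D }  // big-endian, nanosecond
    condition:
        ($magic_le at 0 or $magic_be at 0 or $magic_le_ns at 0 or $magic_be_ns at 0)
        and tags contains "exploit-kit"
}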
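// Stricter variant of ek_submissions: classic libpcap captures tagged
// "exploit-kit" on VirusTotal that also have more than three AV detections.
//
// Both `tags` and `positives` are external variables supplied by VirusTotal
// Hunting, not standard YARA identifiers. To compile with a plain `yara`
// binary define them on the command line, e.g.
// `yara -d tags="" -d positives=0 ...`.
rule ek_submissions_2
{
    meta:
        author = "@abhinavbom"
        maltype = "NA"
        version = "0.1"
        // Description now states the extra detection-count requirement that
        // distinguishes this rule from ek_submissions.
        description = "Detects pcaps uploaded to VT tagged as Exploit kits with more than 3 positive engine detections"
        date = "23/06/2015"
    strings:
        $magic_le    = { D4 C3 B2 A1 }  // little-endian, microsecond (the only variant in the original)
        $magic_be    = { A1 B2 C3 D4 }  // big-endian, microsecond
        $magic_le_ns = { 4D 3C B2 A1 }  // little-endian, nanosecond
        $magic_be_ns = { A1 B2 3C 4D }  // big-endian, nanosecond
    condition:
        ($magic_le at 0 or $magic_be at 0 or $magic_le_ns at 0 or $magic_be_ns at 0)
        and tags contains "exploit-kit"
        and positives > 3
}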