# YARA Rule Library

**Production-Ready Rules**

All rules include ATT&CK mapping, detection rationale, and test strings. Rules are organized by malware category. Always test in a sandboxed environment before production deployment.

**Legal Notice**

These rules are for defensive detection only. Validate against your environment before deployment. Some rules may generate false positives on legitimate security tools.
## Ransomware Detection

### RULE-RS-001: Generic Ransomware — Shadow Copy Deletion

```yara
rule Ransomware_VSS_Deletion {
    meta:
        description = "Detects commands used to delete Volume Shadow Copies — ransomware precursor"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1490 — Inhibit System Recovery"
        severity = "CRITICAL"
        references = "https://attack.mitre.org/techniques/T1490/"
    strings:
        $s1 = "vssadmin delete shadows" nocase
        $s2 = "wmic shadowcopy delete" nocase
        $s3 = "wbadmin delete catalog" nocase
        $s4 = "bcdedit /set recoveryenabled no" nocase
        $s5 = "bcdedit /set bootstatuspolicy ignoreallfailures" nocase
        $s6 = "diskshadow /s" nocase
    condition:
        any of them
}
```

Test string: `vssadmin delete shadows /all /quiet`
### RULE-RS-002: LockBit 3.0 Ransom Note

```yara
rule LockBit3_RansomNote {
    meta:
        description = "Detects LockBit 3.0 ransom note artifacts"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1486 — Data Encrypted for Impact"
        severity = "CRITICAL"
        family = "LockBit"
    strings:
        $note1 = "LockBit 3.0" nocase
        $note2 = "lockbit" nocase
        $note3 = "LockBit_3_0_README" nocase
        $tor1 = ".onion" nocase
        $tor2 = "Tor Browser" nocase
        $demand = "bitcoin" nocase
    condition:
        (any of ($note*)) and (any of ($tor*)) and $demand
}
```

Detection context: file content scan on newly created `.txt`/`.html` files in user directories.
### RULE-RS-003: ALPHV/BlackCat Ransomware Binary

```yara
rule ALPHV_BlackCat_Ransomware {
    meta:
        description = "Detects ALPHV/BlackCat ransomware binary artifacts"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1486, T1083, T1082"
        severity = "CRITICAL"
        family = "ALPHV/BlackCat"
    strings:
        $rust1 = "alphv" nocase wide ascii
        $rust2 = "blackcat" nocase wide ascii
        $cfg1 = "config.json" nocase
        $cfg2 = "\"extension\":" nocase
        $cfg3 = "\"note_file_name\":" nocase
        $cfg4 = "\"note_full_text\":" nocase
        $mutex = "Global\\ALPHV" wide ascii
    condition:
        uint16(0) == 0x5A4D and // MZ header
        (2 of ($rust*) or (3 of ($cfg*)) or $mutex)
}
```
### RULE-RS-004: Ransomware — Bulk File Encryption Pattern

```yara
rule Ransomware_BulkEncryption_Strings {
    meta:
        description = "Detects strings associated with bulk file encryption routines"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1486"
        severity = "HIGH"
        false_positives = "Encryption tools (AxCrypt, VeraCrypt) — validate context"
    strings:
        $enc1 = "CryptEncrypt" nocase
        $enc2 = "BCryptEncrypt" nocase
        $enc3 = "CryptoAPI" nocase
        $ext1 = ".locked" nocase wide
        $ext2 = ".encrypted" nocase wide
        $ext3 = ".crypted" nocase wide
        $ext4 = ".enc" nocase wide
        $walk = "FindFirstFile" nocase
        $walk2 = "FindNextFile" nocase
    condition:
        uint16(0) == 0x5A4D and
        (any of ($enc*)) and
        (any of ($ext*)) and
        (any of ($walk*))
}
```
## Remote Access Trojans (RATs)

### RULE-RAT-001: Cobalt Strike Beacon — Default Config

```yara
rule CobaltStrike_Beacon_Default {
    meta:
        description = "Detects Cobalt Strike beacon with default/common configuration"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1059.003, T1105, T1071.001"
        severity = "CRITICAL"
        references = "CISA AA21-148A"
    strings:
        $magic1 = { FC 48 83 E4 F0 }    // common CS shellcode prelude (x64)
        $magic2 = { FC E8 89 00 00 00 } // common CS shellcode (x86)
        $beacon1 = "beacon.dll" nocase
        $beacon2 = "ReflectiveDll" nocase
        $cs_cfg = { 00 01 00 01 00 02 } // CS config structure marker
        $pipe1 = "\\\\.\\pipe\\msagent_" nocase
        $pipe2 = "postex_" nocase
    condition:
        any of ($magic*) or
        (any of ($beacon*) and any of ($pipe*)) or
        (#cs_cfg > 3)
}
```
### RULE-RAT-002: Metasploit Meterpreter Shellcode

```yara
rule Meterpreter_Shellcode {
    meta:
        description = "Detects common Meterpreter shellcode patterns"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1059, T1055"
        severity = "HIGH"
        false_positives = "Authorized penetration testing — validate with change records"
    strings:
        $msfmagic1 = { FC E8 82 00 00 00 }
        $msfmagic2 = { FC E8 8F 00 00 00 }
        $reverse = "EXITFUNC=thread" nocase
        $stageless = "meterpreter" nocase wide ascii
        $reflective = "ReflectiveLoader" nocase
    condition:
        any of ($msfmagic*) or
        ($stageless and $reflective) or
        $reverse
}
```
### RULE-RAT-003: AsyncRAT / njRAT Common Artifacts

```yara
rule AsyncRAT_njRAT_Artifacts {
    meta:
        description = "Detects AsyncRAT and njRAT common configuration and strings"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1219, T1547.001, T1082"
        severity = "HIGH"
    strings:
        $async1 = "AsyncRAT" nocase wide ascii
        $async2 = "AsyncClient" nocase wide ascii
        $nj1 = "njRAT" nocase wide ascii
        $nj2 = "LV|" wide ascii // njRAT data separator
        $cfg1 = "Ports" nocase wide
        $cfg2 = "Hosts" nocase wide
        $cfg3 = "Install" nocase wide
        $cfg4 = "Mutex" nocase wide
        $key = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase wide
    condition:
        (any of ($async*) or any of ($nj*)) or
        (4 of ($cfg*) and $key)
}
```
## Wipers

### RULE-WP-001: Disk Wiper — MBR Overwrite Pattern

```yara
rule DiskWiper_MBR_Overwrite {
    meta:
        description = "Detects disk wiper MBR overwrite techniques (WhisperGate, HermeticWiper pattern)"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1561.002 — Disk Structure Wipe"
        severity = "CRITICAL"
        references = "CISA AA22-057A (HermeticWiper)"
    strings:
        $mbr1 = { B8 00 02 BB 00 7C B9 00 01 } // MBR read/write stub
        $mbr2 = "\\\\.\\PhysicalDrive0" wide nocase
        $mbr3 = "\\\\.\\PHYSICALDRIVE" wide nocase
        $wipe1 = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA } // MBR signature after wipe
        $hermetic = "DiskPart" nocase wide
        $driver = ".sys" nocase
    condition:
        uint16(0) == 0x5A4D and
        (any of ($mbr*) or $wipe1) and
        any of ($hermetic, $driver)
}
```
### RULE-WP-002: File System Wiper — Mass Deletion

```yara
rule FileSystemWiper_MassDeletion {
    meta:
        description = "Detects wiper malware with mass file deletion capabilities"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1485 — Data Destruction"
        severity = "CRITICAL"
    strings:
        $del1 = "DeleteFileW" nocase
        $del2 = "RemoveDirectoryW" nocase
        $del3 = "SHFileOperationW" nocase
        $walk1 = "FindFirstFileW" nocase
        $walk2 = "FindNextFileW" nocase
        $overwrite = "WriteFile" nocase
        $zeros = { 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
    condition:
        uint16(0) == 0x5A4D and
        (any of ($del*)) and
        (any of ($walk*)) and
        $overwrite and $zeros
}
```
## Loaders & Droppers

### RULE-LD-001: Process Hollowing Loader

```yara
rule ProcessHollowing_Loader {
    meta:
        description = "Detects process hollowing technique in PE files"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1055.012 — Process Hollowing"
        severity = "HIGH"
        false_positives = "Some legitimate AV/EDR products use similar APIs"
    strings:
        $api1 = "NtUnmapViewOfSection" nocase
        $api2 = "ZwUnmapViewOfSection" nocase
        $api3 = "VirtualAllocEx" nocase
        $api4 = "WriteProcessMemory" nocase
        $api5 = "SetThreadContext" nocase
        $api6 = "ResumeThread" nocase
        $api7 = "CreateProcessW" nocase
    condition:
        // unmap, allocate, write, redirect entry point, resume, create:
        // every declared string is referenced, as yara requires
        uint16(0) == 0x5A4D and
        (any of ($api1, $api2)) and
        $api3 and $api4 and $api5 and $api6 and $api7
}
```
### RULE-LD-002: Reflective DLL Injection

```yara
rule ReflectiveDLL_Injection {
    meta:
        description = "Detects reflective DLL injection technique"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1055.001 — Dynamic-link Library Injection"
        severity = "HIGH"
    strings:
        $reflect1 = "ReflectiveLoader" nocase
        $reflect2 = "ReflectiveDLLInjection" nocase
        $api1 = "LoadLibraryA" nocase
        $api2 = "GetProcAddress" nocase
        $api3 = "VirtualAlloc" nocase
        $hash1 = { 33 32 35 31 37 33 34 30 36 35 } // hash of "LoadLibraryA" in RDI
    condition:
        (any of ($reflect*)) or
        ($api1 and $api2 and $api3 and $hash1)
}
```
### RULE-LD-003: PowerShell Dropper — Base64 Encoded Payload

```yara
rule PowerShell_Base64_Dropper {
    meta:
        description = "Detects PowerShell scripts with encoded payload execution"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1059.001, T1027 — Obfuscated Files"
        severity = "HIGH"
        false_positives = "Some legitimate admin scripts use encoding — validate context"
    strings:
        $ps1 = "powershell" nocase wide ascii
        $enc1 = "-EncodedCommand" nocase wide ascii
        $enc2 = "-enc " nocase wide ascii
        $enc3 = "-e " nocase wide ascii
        $iex1 = "IEX" nocase wide ascii
        $iex2 = "Invoke-Expression" nocase wide ascii
        $iex3 = "Invoke-WebRequest" nocase wide ascii
        $bypass1 = "-ExecutionPolicy Bypass" nocase
        $bypass2 = "-ep bypass" nocase
        $b64 = /[A-Za-z0-9+\/]{100,}={0,2}/ // long base64 string
    condition:
        $ps1 and
        (any of ($enc*) or any of ($bypass*)) and
        (any of ($iex*) or $b64)
}
```
## Information Stealers

### RULE-ST-001: Credential Harvesting — LSASS Dump

```yara
rule LSASS_Credential_Dump {
    meta:
        description = "Detects LSASS memory dump tools and techniques"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1003.001 — LSASS Memory"
        severity = "CRITICAL"
    strings:
        $tool1 = "mimikatz" nocase wide ascii
        $tool2 = "sekurlsa" nocase wide ascii
        $tool3 = "wce.exe" nocase wide ascii
        $tool4 = "procdump" nocase wide ascii
        $lsass1 = "lsass.exe" nocase wide ascii
        $lsass2 = "lsass.dmp" nocase wide ascii
        $api1 = "MiniDumpWriteDump" nocase
        $api2 = "OpenProcess" nocase
        $logon = "logonpasswords" nocase wide ascii
    condition:
        (any of ($tool*) and any of ($lsass*)) or
        ($api1 and $api2 and any of ($lsass*)) or
        $logon
}
```
### RULE-ST-002: Browser Credential Stealer

```yara
rule BrowserCredentialStealer {
    meta:
        description = "Detects malware targeting browser stored credentials"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1555.003 — Credentials from Web Browsers"
        severity = "HIGH"
    strings:
        $chrome1 = "Google\\Chrome\\User Data\\Default\\Login Data" nocase wide
        $chrome2 = "Google\\Chrome\\User Data\\Default\\Cookies" nocase wide
        $firefox1 = "Mozilla\\Firefox\\Profiles" nocase wide
        $firefox2 = "key4.db" nocase wide
        $firefox3 = "logins.json" nocase wide
        $edge1 = "Microsoft\\Edge\\User Data\\Default\\Login Data" nocase wide
        $api1 = "CryptUnprotectData" nocase
        $sqlite = "SQLite format 3" nocase
    condition:
        (any of ($chrome*) or any of ($firefox*) or any of ($edge*)) and
        ($api1 or $sqlite)
}
```
### RULE-ST-003: Keylogger — API Hook Pattern

```yara
rule Keylogger_APIHook {
    meta:
        description = "Detects keylogger API hooking patterns"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1056.001 — Keylogging"
        severity = "HIGH"
        false_positives = "Legitimate accessibility software, input testing tools"
    strings:
        $hook1 = "SetWindowsHookExA" nocase
        $hook2 = "SetWindowsHookExW" nocase
        $hook3 = "GetAsyncKeyState" nocase
        $hook4 = "GetKeyState" nocase
        $hook5 = "RegisterHotKey" nocase
        $log1 = "GetForegroundWindow" nocase
        $log2 = "GetWindowTextW" nocase
        $file1 = "keylog" nocase wide ascii
        $file2 = "keys.txt" nocase wide ascii
    condition:
        // wildcard covers $hook4/$hook5 too; yara rejects rules with unreferenced strings
        (any of ($hook*)) and
        (any of ($log*)) and
        (any of ($file*) or #hook3 > 5)
}
```
## C2 / Network Indicators

### RULE-C2-001: DNS Tunneling Tool Signatures

```yara
rule DNSTunneling_Tools {
    meta:
        description = "Detects DNS tunneling tool signatures (iodine, dnscat2, dns2tcp)"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1071.004 — DNS C2"
        severity = "HIGH"
    strings:
        $iodine1 = "iodine" nocase wide ascii
        $iodine2 = "topdomain" nocase
        $dnscat1 = "dnscat" nocase wide ascii
        $dnscat2 = "dns2tcp" nocase wide ascii
        $tunnel1 = "TXT query" nocase
        $tunnel2 = "NULL query" nocase
        $b32 = /[A-Z2-7]{20,}/ // base32 subdomain encoding
    condition:
        (any of ($iodine*) or any of ($dnscat*)) or
        (any of ($tunnel*) and $b32)
}
```
### RULE-C2-002: Scheduled Task Persistence — XML Artifacts

```yara
rule ScheduledTask_Persistence {
    meta:
        description = "Detects malicious scheduled task XML with suspicious actions"
        author = "Nexus SecOps Detection Team"
        date = "2026-01-01"
        mitre_attack = "T1053.005 — Scheduled Task/Job"
        severity = "MEDIUM"
    strings:
        $xml1 = "<Task " nocase
        $xml2 = "<Actions>" nocase
        $cmd1 = "powershell" nocase wide
        $cmd2 = "cmd.exe" nocase wide
        $cmd3 = "wscript" nocase wide
        $cmd4 = "mshta" nocase wide
        $enc = "-enc" nocase
        $iex = "IEX" nocase
        $hidden = "WindowStyle Hidden" nocase // PowerShell's -WindowStyle switch
    condition:
        $xml1 and $xml2 and
        (any of ($cmd*)) and
        (any of ($enc, $iex, $hidden))
}
```
## Using These Rules

### Deployment Platforms

| Platform | Command |
|---|---|
| YARA CLI | `yara -r rule.yar /path/to/scan` |
| Velociraptor | Upload to artifact `Windows.Detection.Yara.Process` |
| CrowdStrike | Custom IOC import via Falcon console |
| Microsoft Defender | Via MDTI custom indicator upload |
| SIEM (Splunk) | Use `\| eval yara_match=...` with a Python custom command |
### Testing Rules Safely

```bash
# Test against a known-clean directory first
yara -r rules.yar /tmp/clean_samples/ 2>/dev/null | wc -l   # Should be 0

# Scan specific file type recursively
yara -r --include="*.exe" rules.yar /path/to/samples/

# Performance test (check scan speed)
time yara -r rules.yar /usr/bin/
```
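Before the scans above, a static pass over the rule file catches the one mistake that makes `yara` refuse the whole file (a string declared under `strings:` but never used in the `condition:`, reported as an unreferenced string) and the library convention that every rule carries `description`, `author`, `mitre_attack` and `severity` meta fields. The checker below is an added example, not part of the rule library; it uses only the Python standard library, so it runs where yara-python is not installed, and the two rules embedded in it are constructed samples, one of them deliberately broken.

```python
"""Static pre-deployment checks for a YARA rule file (added example, stdlib only).

Checks each rule for:
  * strings declared under `strings:` but never referenced in `condition:`
    (yara rejects such a rule with "unreferenced string", so catch it early)
  * meta fields this library expects on every rule
  * a severity value the library uses
Hex strings also use braces, so a rule body is taken to end at the first
"}" that starts a line; meta values with escaped quotes are not handled.
"""
import re
from typing import Dict, List, Set

REQUIRED_META = ("description", "author", "mitre_attack", "severity")
ALLOWED_SEVERITY = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}

RULE_RE = re.compile(r"^rule\s+(\w+)[^{]*\{(.*?)^\}", re.S | re.M)
SECTION_RE = re.compile(r"^[ \t]*(meta|strings|condition):[ \t]*$", re.M)
DECL_RE = re.compile(r"^\s*\$(\w+)\s*=", re.M)
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
# $name, #name (count), @name (offset), !name (length), optionally with a * wildcard
REF_RE = re.compile(r"[$#@!](\w*)(\*?)")


def split_sections(body: str) -> Dict[str, str]:
    """Map 'meta'/'strings'/'condition' to the text of that section."""
    marks = list(SECTION_RE.finditer(body))
    sections: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        sections[m.group(1)] = body[m.end():end]
    return sections


def referenced_strings(condition: str, declared: List[str]) -> Set[str]:
    """Names the condition refers to, expanding 'them' and $prefix* wildcards."""
    if re.search(r"\bof\s+them\b", condition):
        return set(declared)
    refs: Set[str] = set()
    for name, star in REF_RE.findall(condition):
        if star:
            refs.update(d for d in declared if d.startswith(name))
        elif name:
            refs.add(name)
    return refs


def lint_rules(text: str) -> Dict[str, List[str]]:
    """Return {rule_name: [problem, ...]}; an empty list means the rule passed."""
    findings: Dict[str, List[str]] = {}
    for m in RULE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        problems: List[str] = []
        sec = split_sections(body)
        meta = dict(META_RE.findall(sec.get("meta", "")))
        for key in REQUIRED_META:
            if key not in meta:
                problems.append(f"missing meta field '{key}'")
        if "severity" in meta and meta["severity"] not in ALLOWED_SEVERITY:
            problems.append(f"unexpected severity '{meta['severity']}'")
        declared = DECL_RE.findall(sec.get("strings", ""))
        refs = referenced_strings(sec.get("condition", ""), declared)
        problems += [f"string ${s} declared but never used in condition"
                     for s in declared if s not in refs]
        findings[name] = problems
    return findings


# Constructed sample: one clean rule and one with two defects.
SAMPLE_RULES = r'''
rule Good_Example {
    meta:
        description = "constructed rule that passes every check"
        author = "example"
        mitre_attack = "T1490"
        severity = "HIGH"
    strings:
        $s1 = "vssadmin delete shadows" nocase
        $s2 = { FC 48 83 E4 F0 }
    condition:
        any of them
}

rule Broken_Example {
    meta:
        description = "constructed rule: no severity, api3 never used"
        author = "example"
        mitre_attack = "T1055.012"
    strings:
        $api1 = "NtUnmapViewOfSection" nocase
        $api2 = "WriteProcessMemory" nocase
        $api3 = "SetThreadContext" nocase
        $walk = "FindFirstFileW"
        $walk2 = "FindNextFileW"
    condition:
        uint16(0) == 0x5A4D and $api1 and $api2 and any of ($walk*)
}
'''

if __name__ == "__main__":
    for rule, problems in lint_rules(SAMPLE_RULES).items():
        print(f"{rule}: {'; '.join(problems) or 'OK'}")
```

Run it over `rules.yar` by reading the file into `lint_rules`; a non-empty list for any rule means `yara -r` would either fail to compile the file or deploy a rule the coverage map cannot account for.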
### False Positive Tuning
Before production deployment:
- Baseline scan: Run against a known-clean gold image — document any hits
- Exclusion lists: Whitelist legitimate tool hashes (security scanners, admin tools)
- Context gates: Pair YARA hits with process parent, network, or file path context in SIEM
- Alert thresholds: Single YARA hit = investigation trigger, not auto-block (except CRITICAL rules)
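The four tuning steps above can be expressed as one decision routine that a SIEM correlation rule or SOAR playbook would run per file once YARA hits have been joined with EDR context. This is an added example, not part of the rule library or of any SIEM or EDR product; the hit records, hash allowlist, excluded paths and parent-process list are constructed, while the rule names and severities are those of the rules in this library. Suppression by allowlist or path is evaluated before severity, so an approved tool flagged by a CRITICAL rule is not blocked; two distinct rules firing on one file, or a suspicious parent process, raise a single HIGH hit from "investigate" to "escalate".

```python
"""Triage of YARA hits per the tuning steps: allowlist by hash, exclude
expected paths, gate on parent-process context, and let only CRITICAL
rules drive an automatic block.  Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class YaraHit:
    rule: str      # rule name as printed by yara
    severity: str  # severity meta field of that rule
    path: str      # scanned file
    sha256: str    # hash of the scanned file, used for allowlisting
    parent: str    # process that wrote or launched the file (from EDR telemetry)


# Constructed allowlist: hashes the baseline scan of the gold image flagged.
ALLOWLIST_SHA256 = {"a" * 64: "procdump.exe (Sysinternals, approved)"}
# Constructed path prefixes where hits are expected and already handled.
EXCLUDED_PATH_PREFIXES = ("C:\\Quarantine\\", "C:\\Tools\\RedTeam\\")
# Constructed list of parents that rarely have a good reason to drop such files.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}


def triage_file(hits: List[YaraHit]) -> str:
    """Decide for one file (all hits share a sha256) what the SIEM should do."""
    first = hits[0]
    if first.sha256.lower() in ALLOWLIST_SHA256:
        return "suppress"          # exclusion list wins even over CRITICAL
    if first.path.startswith(EXCLUDED_PATH_PREFIXES):
        return "suppress"
    if any(h.severity == "CRITICAL" for h in hits):
        return "block"             # CRITICAL rules are the only auto-block trigger
    distinct_rules = {h.rule for h in hits}
    if len(distinct_rules) >= 2 or any(h.parent.lower() in SUSPICIOUS_PARENTS for h in hits):
        return "escalate"          # corroborated, or context-backed single hit
    return "investigate"           # single HIGH/MEDIUM hit: analyst looks, no action


def triage_batch(hits: Iterable[YaraHit]) -> Dict[str, str]:
    """Group hits by file hash and return {sha256: decision}."""
    by_file: Dict[str, List[YaraHit]] = defaultdict(list)
    for h in hits:
        by_file[h.sha256.lower()].append(h)
    return {sha: triage_file(group) for sha, group in by_file.items()}


# Constructed hits; rule names and severities are those of the library above.
SAMPLE_HITS = [
    YaraHit("Ransomware_VSS_Deletion", "CRITICAL",
            "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "b" * 64, "explorer.exe"),
    YaraHit("LSASS_Credential_Dump", "CRITICAL",
            "C:\\Tools\\Sysinternals\\procdump.exe", "a" * 64, "cmd.exe"),
    YaraHit("Keylogger_APIHook", "HIGH",
            "C:\\Program Files\\Vendor\\accessibility.exe", "c" * 64, "services.exe"),
    YaraHit("PowerShell_Base64_Dropper", "HIGH",
            "C:\\Users\\bob\\Downloads\\invoice.ps1", "d" * 64, "WINWORD.EXE"),
    YaraHit("ProcessHollowing_Loader", "HIGH",
            "C:\\Users\\bob\\AppData\\Roaming\\svc.exe", "e" * 64, "explorer.exe"),
    YaraHit("ReflectiveDLL_Injection", "HIGH",
            "C:\\Users\\bob\\AppData\\Roaming\\svc.exe", "e" * 64, "explorer.exe"),
    YaraHit("Meterpreter_Shellcode", "HIGH",
            "C:\\Tools\\RedTeam\\payload.bin", "f" * 64, "python.exe"),
]

if __name__ == "__main__":
    for sha, decision in triage_batch(SAMPLE_HITS).items():
        print(f"{sha[:12]}...  {decision}")
```

The parent-process field is the piece that has to come from the SIEM join; a plain `yara -r` scan only yields rule name and path, and the hash is cheap to add at scan time.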
### ATT&CK Coverage Map
| Technique | Rule(s) |
|---|---|
| T1003.001 LSASS Dump | RULE-ST-001 |
| T1027 Obfuscated Files | RULE-LD-003 |
| T1053.005 Scheduled Task | RULE-C2-002 |
| T1055.001 DLL Injection | RULE-LD-002 |
| T1055.012 Process Hollow | RULE-LD-001 |
| T1056.001 Keylogging | RULE-ST-003 |
| T1059.001 PowerShell | RULE-LD-003 |
| T1071.004 DNS C2 | RULE-C2-001 |
| T1219 Remote Access | RULE-RAT-003 |
| T1485 Data Destruction | RULE-WP-002 |
| T1486 Ransomware Encrypt | RULE-RS-004 |
| T1490 VSS Deletion | RULE-RS-001 |
| T1555.003 Browser Creds | RULE-ST-002 |
| T1561.002 Disk Wipe | RULE-WP-001 |