
YARA rules for APT31

102 rules · scoped to actor
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

direct hacktool
hacktool_multi_bloodhound_owned
Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains
author: @fusionrace · license: see source repo
rule hacktool_multi_bloodhound_owned
{
    meta:
        description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
        reference = "https://github.com/porterhau5/BloodHound-Owned/"
        author = "@fusionrace"
    strings:
        $s1 = "Find all owned Domain Admins" fullword ascii wide
        $s2 = "Find Shortest Path from owned node to Domain Admins" fullword ascii wide
        $s3 = "List all directly owned nodes" fullword ascii wide
        $s4 = "Set owned and wave properties for a node" fullword ascii wide
        $s5 = "Find spread of compromise for owned nodes in wave" fullword ascii wide
        $s6 = "Show clusters of password reuse" fullword ascii wide
        $s7 = "Something went wrong when creating SharesPasswordWith relationship" fullword ascii wide
        $s8 = "reference doc of custom Cypher queries for BloodHound" fullword ascii wide
        $s9 = "Created SharesPasswordWith relationship between" fullword ascii wide
        $s10 = "Skipping finding spread of compromise due to" fullword ascii wide
    condition:
        any of them
}
direct ShadowPad
ShadowPad_nssock2
Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll
author: Florian Roth (Nextron Systems) · license: see source repo
// The "pe" module must be imported for pe.imphash() to be available;
// without it YARA refuses to compile this rule.
import "pe"

rule ShadowPad_nssock2 {
   meta:
      description = "Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/shadowpad-in-corporate-networks/81432/"
      date = "2017-08-15"
      hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
      hash2 = "c45116a22cf5695b618fcdf1002619e8544ba015d06b2e1dbf47982600c7545f"
      hash3 = "696be784c67896b9239a8af0a167add72b1becd3ef98d03e99207a3d5734f6eb"
      hash4 = "515d3110498d7b4fdb451ed60bb11cd6835fcff4780cb2b982ffd2740e1347a0"
      hash5 = "536d7e3bd1c9e1c2fd8438ab75d6c29c921974560b47c71686714d12fb8e9882"
      hash6 = "637fa40cf7dd0252c87140f7895768f42a370551c87c37a3a77aac00eb17d72e"
      id = "47ecc7f8-065a-558b-9bba-300fd28f4eab"
   condition:
      // "MZ" DOS header: only consider PE files
      ( uint16(0) == 0x5a4d and
        filesize < 500KB and
        // match on the import hash of the two known malicious nssock2.dll builds
        (
           pe.imphash() == "c67de089f2009b21715744762fc484e8" or
           pe.imphash() == "11522f7d4b2fc05acba8f534ca1b828a"
        )
      )
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin