ail-yara-rules

A set of YARA rules for the AIL framework to detect leak or information disclosure. This repository can be used by other tools.

YARA rules

• rules
  • api-keys
    • aws_api.yar
    • discord_api.yar
    • generic_api.yar
    • github_api.yar
    • github_homebrew.yar
    • github_jekyll.yar
    • google_api.yar
    • heroku_api.yar
    • pivotal_token.yar
    • shodan_api.yar
    • slack_api.yar
    • twitter_api.yar
  • b64_encoded
    • b64_docx.yar
    • b64_doc.yar
    • b64_elf.yar
    • b64_exe.yar
    • b64_gzip.yar
    • b64_rar.yar
    • b64_rtf.yar
    • b64_url.yar
    • b64_xml_doc.yar
    • b64_zip.yar
  • blacklist
    • default.yar
  • classified
    • nato.yar
    • us.yar
  • cloud
    • aws_cli.yar
    • sw_bucket.yar
  • code
    • autoit.yar
    • hex_mz.yar
    • powershell.yar
    • vbscript.yar
  • crypto
    • certificate.yar
  • database
    • db_connection.yar
    • db_create_user.yar
    • db_structure.yar
  • detection
    • avdetect.yar
    • dbgdetect_files.yar
    • dbgdetect_func.yar
    • dbgdetect_procs.yar
    • sandboxdetect.yar
    • vmdetect.yar
  • keylogger
    • bunny_code.yar
    • ducky_code.yar
  • obfuscation
    • php_obfuscation.yar
  • password
    • amazon-credentials.yar
    • mlab.yar
    • salesforce.yar
    • password_leak.yar
  • stealer
    • ailurophile.yara
    • arechclientv2.yara
    • astris.yara
    • atomic.yara
    • banshee.yara
    • blankgrabber.yara
    • cryptbot.yara
    • darkcrystal.yara
    • luca.yara
    • lumma2.yara
    • lumma.yara
    • meduza.yara
    • noxy.yara
    • phemedrone.yara
    • raccoon2.yara
    • raccoon.yara
    • redline.yara
    • risepro.yara
    • rlstealer.yara
    • skalka.yara
    • stealc.yara
    • stealerium.yara
    • vidar.yara
    • xfiles.yara

Contributors

• kevthehermit via PasteHunter for the initial rule set licensed under the GNU General Public License
• AlienVault-Labs for some additional rules
• what-is-this-stealer
• AIL Project contributors

License

ail-yara-rules is distributed under the AGPL if not specified or the original license of the rules.

Contribute

It's quite easy. Fork the repository, add or modify existing YARA rule and make a pull request. Please take a look at the directory name to map the scope of the YARA rule.