
A set of YARA rules for the AIL framework to detect leak or information disclosure


ail-yara-rules

AIL Project

A set of YARA rules for the AIL framework to detect leaks or information disclosure (credentials, API keys, database dumps, encoded binaries, and similar material in pastes and other collected text). The rules are plain YARA and can be loaded by any other tool that supports YARA.

YARA rules

  • rules
    • code
      • vbscript.yar
      • autoit.yar
      • hex_mz.yar
      • powershell.yar
    • keylogger
      • ducky_code.yar
      • bunny_code.yar
    • crypto
      • certificate.yar
    • cloud
      • aws_cli.yar
      • sw_bucket.yar
    • b64_encoded
      • b64_xml_doc.yar
      • b64_docx.yar
      • b64_rtf.yar
      • b64_doc.yar
      • b64_url.yar
      • b64_gzip.yar
      • b64_rar.yar
      • b64_zip.yar
      • b64_elf.yar
      • b64_exe.yar
    • blacklist
      • default.yar
    • database
      • db_connection.yar
      • db_structure.yar
      • db_create_user.yar
    • obfuscation
      • php_obfuscation.yar
    • api-keys
      • discord_api.yar
      • heroku_api.yar
      • aws_api.yar
      • github_api.yar
      • slack_api.yar
      • google_api.yar
      • twitter_api.yar
      • generic_api.yar
      • github_homebrew.yar
      • shodan_api.yar
      • github_jekyll.yar
      • pivotal_token.yar
    • password
      • mlab.yar
      • amazon-credentials.yar
      • salesforce.yar
    • detection
      • avdetect.yar
      • dbgdetect_func.yar
      • dbgdetect_procs.yar
      • dbgdetect_files.yar
      • sandboxdetect.yar
      • vmdetect.yar
    • classified
      • nato.yar

Contributors

  • kevthehermit via PasteHunter for the initial rule set licensed under the GNU General Public License
  • AlienVault-Labs for some additional rules
  • AIL Project contributors

License

ail-yara-rules is distributed under the AGPL.

Contribute

It's quite easy. Fork the repository, add a new YARA rule or modify an existing one, and open a pull request. Use the directory names above to place the rule in the right scope (for example, a rule for a new API key format belongs in api-keys, a rule for an encoded file type in b64_encoded).
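As an added illustration of a contribution, not a rule from the repository itself, here is a rule in the layout the api-keys rules use (meta, strings, condition). The service name, the token format (prefix exsvc_ followed by 32 hex characters), and the file name are assumptions made for the example.

```yara
/*
 * Added example, not a rule shipped in ail-yara-rules.
 * Assumed location: rules/api-keys/example_service.yar
 * The "Example Service" and its token format are hypothetical.
 */
rule example_service_api_key
{
    meta:
        author = "your name"
        description = "Hypothetical Example Service API key (exsvc_ + 32 hex chars)"
        reference = "https://example.com/docs/api-keys"   // placeholder URL

    strings:
        // Word boundaries stop the rule from firing on a longer hex blob
        // that merely contains a 32-hex-char run after the prefix.
        $token = /\bexsvc_[0-9a-f]{32}\b/ nocase

        // Require some context in which a key is assigned, exported or sent,
        // so that documentation that only mentions the prefix does not match.
        $ctx1 = "api_key" nocase
        $ctx2 = "Authorization" nocase
        $ctx3 = "EXSVC_TOKEN" nocase

    condition:
        $token and any of ($ctx*)
}
```

Before opening the pull request, compile and run the rule against a file containing a fake key in one of those contexts and against a file with the prefix alone, e.g. `yara -s rules/api-keys/example_service.yar sample.txt`; `-s` prints the matched strings so the exact offsets and the false-positive behaviour can be checked.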