mthcht / ThreatHunting-Keywords

Awesome list of keywords and artifacts for Threat Hunting sessions

Home Page:https://mthcht.github.io/ThreatHunting-Keywords/


Different categories for the same tools

ruppde opened this issue · comments

Hi,

nice project!

While trying the yara rules, it became a problem that some tools are in two categories, e.g.:
"greyware_tool_keyword","PowerSploit"
"offensive_tool_keyword","PowerSploit"

Because if you put all rules in one big file and use them with the command line yara, it complains about the duplicate rule names:
../ThreatHunting-Keywords-yara-rules/all.yar(9993): error: duplicated identifier "whoami"
../ThreatHunting-Keywords-yara-rules/all.yar(11070): error: duplicated identifier "wmic"
../ThreatHunting-Keywords-yara-rules/all.yar(15983): error: duplicated identifier "SpaceRunner"
../ThreatHunting-Keywords-yara-rules/all.yar(17153): error: duplicated identifier "reg"
../ThreatHunting-Keywords-yara-rules/all.yar(18327): error: duplicated identifier "TelegramRAT"
../ThreatHunting-Keywords-yara-rules/all.yar(21322): error: duplicated identifier "socat"
../ThreatHunting-Keywords-yara-rules/all.yar(21668): error: duplicated identifier "transfer_sh"
../ThreatHunting-Keywords-yara-rules/all.yar(22595): error: duplicated identifier "ratchatpt"
../ThreatHunting-Keywords-yara-rules/all.yar(23810): error: duplicated identifier "supershell"
../ThreatHunting-Keywords-yara-rules/all.yar(28796): error: duplicated identifier "FudgeC2"
../ThreatHunting-Keywords-yara-rules/all.yar(29033): error: duplicated identifier "DBC2"
../ThreatHunting-Keywords-yara-rules/all.yar(29794): error: duplicated identifier "exegol"
../ThreatHunting-Keywords-yara-rules/all.yar(31304): error: duplicated identifier "dir"
../ThreatHunting-Keywords-yara-rules/all.yar(34567): error: duplicated identifier "findstr"
../ThreatHunting-Keywords-yara-rules/all.yar(41928): error: duplicated identifier "anydesk"
../ThreatHunting-Keywords-yara-rules/all.yar(42077): error: duplicated identifier "bloodhound"
../ThreatHunting-Keywords-yara-rules/all.yar(46928): error: duplicated identifier "CIMplant"
../ThreatHunting-Keywords-yara-rules/all.yar(49110): error: duplicated identifier "adfind"
../ThreatHunting-Keywords-yara-rules/all.yar(49960): error: duplicated identifier "copy"
../ThreatHunting-Keywords-yara-rules/all.yar(50044): error: duplicated identifier "cobaltstrike"
../ThreatHunting-Keywords-yara-rules/all.yar(57088): error: duplicated identifier "AlanFramework"
../ThreatHunting-Keywords-yara-rules/all.yar(57877): error: duplicated identifier "Browser_C2"
../ThreatHunting-Keywords-yara-rules/all.yar(58825): error: duplicated identifier "_"
../ThreatHunting-Keywords-yara-rules/all.yar(59760): error: duplicated identifier "goMatrixC2"
../ThreatHunting-Keywords-yara-rules/all.yar(59847): error: duplicated identifier "golang_c2"
../ThreatHunting-Keywords-yara-rules/all.yar(66952): error: duplicated identifier "MpCmdRun"
../ThreatHunting-Keywords-yara-rules/all.yar(68807): error: duplicated identifier "net"
../ThreatHunting-Keywords-yara-rules/all.yar(70222): error: duplicated identifier "lyncsmash"
../ThreatHunting-Keywords-yara-rules/all.yar(73322): error: duplicated identifier "nmap"
../ThreatHunting-Keywords-yara-rules/all.yar(84417): error: duplicated identifier "PowerSploit"
../ThreatHunting-Keywords-yara-rules/all.yar(86106): error: duplicated identifier "powershell"
../ThreatHunting-Keywords-yara-rules/all.yar(87958): error: duplicated identifier "QuasarRAT"

It would be an option to append the category name to the name of the yara rule, e.g.

rule PowerSploit_greyware_tool_keyword

Or unify it in the CSVs.

regards
arnim
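An added example, not code from the ThreatHunting-Keywords project, showing both halves of the problem described in the issue: a pre-flight check that reports duplicated rule identifiers in a concatenated .yar file (in the same `file(line): duplicated identifier` shape yara prints), and a name generator that appends the category to the tool name as proposed, sanitizing the result into a valid YARA identifier and flagging any names that still collide. The CSV rows and rule text below are constructed samples, not the project's real files.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample input: CSV rows in the "category","tool" shape quoted in
# the issue, including one tool listed in two categories.
SAMPLE_CSV = '''"greyware_tool_keyword","PowerSploit"
"offensive_tool_keyword","PowerSploit"
"offensive_tool_keyword","transfer.sh"
"offensive_tool_keyword","transfer_sh"
'''

# Constructed sample of a concatenated rule file with one duplicated identifier.
SAMPLE_YAR = '''rule PowerSploit { strings: $a = "PowerSploit" condition: $a }
rule socat { strings: $a = "socat" condition: $a }
rule PowerSploit { strings: $a = "Invoke-Mimikatz" condition: $a }
'''

# A rule declaration at line start; YARA allows "private"/"global" before "rule".
RULE_DECL = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)

def find_duplicate_rules(yar_text):
    """Return {identifier: [line numbers]} for every identifier declared twice or more."""
    seen = defaultdict(list)
    for m in RULE_DECL.finditer(yar_text):
        line_no = yar_text.count("\n", 0, m.start(1)) + 1
        seen[m.group(1)].append(line_no)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}

def report_duplicates(yar_text, filename="all.yar"):
    """Format duplicates the way the yara CLI does: file(line): duplicated identifier."""
    return [f'{filename}({lines[-1]}): error: duplicated identifier "{name}"'
            for name, lines in find_duplicate_rules(yar_text).items()]

def to_identifier(text):
    """Map a keyword to a legal YARA identifier: [A-Za-z_][A-Za-z0-9_]*."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", text)
    return ident if re.match(r"[A-Za-z_]", ident) else "_" + ident

def unique_rule_names(csv_text):
    """Build <tool>_<category> names from CSV rows (the issue's proposal).
    Returns (names, collisions): names maps (category, tool) -> identifier;
    collisions lists identifiers that are still shared after suffixing."""
    names = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue  # skip blank or malformed rows
        category, tool = row[0].strip(), row[1].strip()
        names[(category, tool)] = to_identifier(f"{tool}_{category}")
    counts = Counter(names.values())
    return names, sorted(n for n, c in counts.items() if c > 1)
```

Running `report_duplicates` over the concatenated file before invoking yara surfaces the collisions up front, and the collision list from `unique_rule_names` shows that appending the category alone is not always enough once names are sanitized (here transfer.sh and transfer_sh still merge).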