Detection Rule List – Django REST framework

GET /api/detection_rules/?format=api&page=4

HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 153,
    "next": null,
    "previous": "https://unprotect.it/api/detection_rules/?format=api&page=3",
    "results": [
        {
            "id": 5,
            "key": "yara_wiping_event",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "YARA_wiping_event",
            "rule": "rule UNPROTECT_wiping_event\r\n{\r\n    meta:\r\n        description = \"Rule to detect wiping events logs\"\r\n        author = \"McAfee ATR team | Thomas Roccia\"\r\n        date = \"2020-11-10\"\r\n        rule_version = \"v1\"\r\n        mitre = \"T1070\"\r\n        hash = \"c063c86931c662c1a962d08915d9f3a8\"\r\n\r\n    strings:\r\n        $s1 = \"wevtutil.exe\" ascii wide nocase\r\n        $s2 = \"cl Application\" ascii wide nocase\r\n        $s3 = \"cl System\" ascii wide nocase\r\n        $s4 = \"cl Setup\" ascii wide nocase\r\n        $s5 = \"cl Security\" ascii wide nocase\r\n        $s6 = \"sl Security /e:false\" ascii wide nocase\r\n        $s7= \"usn deletejournal /D\" ascii wide nocase\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and 4 of them\r\n}"
        },
        {
            "id": 76,
            "key": "yara_detect_outputdebugstring",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Yara_Detect_OutputDebugString",
            "rule": "rule Detect_OutputDebugStringA_iat: AntiDebug\r\n{\r\n\tmeta:\r\n\t\tAuthor = \"http://twitter.com/j0sm1\"\r\n\t\tDescription = \"Detect in IAT OutputDebugstringA\"\r\n\t\tDate = \"20/04/2015\"\r\n\r\n\tcondition:\r\n\t\tpe.imports(\"kernel32.dll\",\"OutputDebugStringA\")\r\n}"
        },
        {
            "id": 155,
            "key": "yara_limecrypter",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Yara_LimeCRypter",
            "rule": "rule MAL_NET_LimeCrypter_RunPE_Jan24\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Detects LimeCrypter RunPE module. LimeCrypter is an open source .NET based crypter and loader commonly used by threat actors\"\r\n\t\tauthor = \"Jonathan Peters\"\r\n\t\tdate = \"2024-01-16\"\r\n\t\treference = \"https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\"\r\n\t\thash = \"bcc8c679acfc3aabf22ebdb2349b1fabd351a89fd23a716d85154049d352dd12\"\r\n\t\tscore = 80\r\n\tstrings:\r\n\t\t$op1 = { 1F 1A 58 1F 1A 58 28 }                                        //  BitConverter.ToInt32(... + 0x2A + 0x2A);\r\n\t\t$op2 = { 20 B3 00 00 00 8D ?? 00 00 01 13 ?? 11 ?? 16 20 02 00 01 00 } // int[] context = new int[0xB3]; context[0] = 0x10002;\r\n\t\t$op3 = { 11 0? 11 0? 20 00 30 00 00 1F 40 28 ?? 00 00 06 }             // VirtualAllocEx( ... 0x3000, 0x40);\r\n\t\t$op4 = { 6E 20 FF 7F 00 00 6A FE 02 }                                  // (ulong)bufferSize > 0x7FFFUL\r\n\r\n\t\t$s1 = \"RawSecurityDescriptor\" ascii\r\n\t\t$s2 = \"CommonAce\" ascii\r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and\r\n\t\tall of ($s*) and\r\n\t\t2 of ($op*)\r\n}"
        }
    ]
}