GET /api/detection_rules/?format=api&page=4
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"count": 153,
"next": null,
"previous": "https://unprotect.it/api/detection_rules/?format=api&page=3",
"results": [
{
"id": 5,
"key": "yara_wiping_event",
"type": {
"id": 1,
"name": "YARA",
"syntax_lang": "YARA"
},
"name": "YARA_wiping_event",
"rule": "rule UNPROTECT_wiping_event\r\n{\r\n meta:\r\n description = \"Rule to detect wiping events logs\"\r\n author = \"McAfee ATR team | Thomas Roccia\"\r\n date = \"2020-11-10\"\r\n rule_version = \"v1\"\r\n mitre = \"T1070\"\r\n hash = \"c063c86931c662c1a962d08915d9f3a8\"\r\n\r\n strings:\r\n $s1 = \"wevtutil.exe\" ascii wide nocase\r\n $s2 = \"cl Application\" ascii wide nocase\r\n $s3 = \"cl System\" ascii wide nocase\r\n $s4 = \"cl Setup\" ascii wide nocase\r\n $s5 = \"cl Security\" ascii wide nocase\r\n $s6 = \"sl Security /e:false\" ascii wide nocase\r\n $s7= \"usn deletejournal /D\" ascii wide nocase\r\n\r\n condition:\r\n uint16(0) == 0x5a4d and 4 of them\r\n}"
},
{
"id": 76,
"key": "yara_detect_outputdebugstring",
"type": {
"id": 1,
"name": "YARA",
"syntax_lang": "YARA"
},
"name": "Yara_Detect_OutputDebugString",
"rule": "rule Detect_OutputDebugStringA_iat: AntiDebug\r\n{\r\n\tmeta:\r\n\t\tAuthor = \"http://twitter.com/j0sm1\"\r\n\t\tDescription = \"Detect in IAT OutputDebugstringA\"\r\n\t\tDate = \"20/04/2015\"\r\n\r\n\tcondition:\r\n\t\tpe.imports(\"kernel32.dll\",\"OutputDebugStringA\")\r\n}"
},
{
"id": 155,
"key": "yara_limecrypter",
"type": {
"id": 1,
"name": "YARA",
"syntax_lang": "YARA"
},
"name": "Yara_LimeCRypter",
"rule": "rule MAL_NET_LimeCrypter_RunPE_Jan24\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Detects LimeCrypter RunPE module. LimeCrypter is an open source .NET based crypter and loader commonly used by threat actors\"\r\n\t\tauthor = \"Jonathan Peters\"\r\n\t\tdate = \"2024-01-16\"\r\n\t\treference = \"https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master\"\r\n\t\thash = \"bcc8c679acfc3aabf22ebdb2349b1fabd351a89fd23a716d85154049d352dd12\"\r\n\t\tscore = 80\r\n\tstrings:\r\n\t\t$op1 = { 1F 1A 58 1F 1A 58 28 } // BitConverter.ToInt32(... + 0x2A + 0x2A);\r\n\t\t$op2 = { 20 B3 00 00 00 8D ?? 00 00 01 13 ?? 11 ?? 16 20 02 00 01 00 } // int[] context = new int[0xB3]; context[0] = 0x10002;\r\n\t\t$op3 = { 11 0? 11 0? 20 00 30 00 00 1F 40 28 ?? 00 00 06 } // VirtualAllocEx( ... 0x3000, 0x40);\r\n\t\t$op4 = { 6E 20 FF 7F 00 00 6A FE 02 } // (ulong)bufferSize > 0x7FFFUL\r\n\r\n\t\t$s1 = \"RawSecurityDescriptor\" ascii\r\n\t\t$s2 = \"CommonAce\" ascii\r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and\r\n\t\tall of ($s*) and\r\n\t\t2 of ($op*)\r\n}"
}
]
}