GET /api/detection_rules/?page=2
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 56,
    "next": null,
    "previous": "https://search.unprotect.it/api/detection_rules/",
    "results": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_uac_bypass",
            "rule": "rule UNPROTECT_UAC_Bypass_Strings {\r\n    meta:\r\n        description = \"Rule to detect UAC bypass attempt by regarding strings\"\r\n        author = \"Thibault Seret\"\r\n        date = \"2020-04-10\"\r\n    strings:\r\n        $s1 = \"SeIncreaseQuotaPrivilege\" ascii fullword\r\n        $s2 = \"SeSecurityPrivilege\" ascii fullword\r\n        $s3 = \"SeTakeOwnershipPrivilege\" ascii fullword\r\n        $s4 = \"SeLoadDriverPrivilege\" ascii fullword\r\n        $s5 = \"SeSystemProfilePrivilege\" ascii fullword\r\n        $s6 = \"SeSystemtimePrivilege\" ascii fullword\r\n        $s7 = \"SeProfileSingleProcessPrivilege\" ascii fullword\r\n        $s8 = \"SeIncreaseBasePriorityPrivilege\" ascii fullword\r\n        $s9 = \"SeCreatePagefilePrivilege\" ascii fullword\r\n        $s10 = \"SeBackupPrivilege\" ascii fullword\r\n        $s11 = \"SeRestorePrivilege\" ascii fullword\r\n        $s12 = \"SeShutdownPrivilege\" ascii fullword\r\n        $s13 = \"SeDebugPrivilege\" ascii fullword\r\n        $s14 = \"SeSystemEnvironmentPrivilege\" ascii fullword\r\n        $s15 = \"SeChangeNotifyPrivilege\" ascii fullword\r\n        $s16 = \"SeRemoteShutdownPrivilege\" ascii fullword\r\n        $s17 = \"SeUndockPrivilege\" ascii fullword\r\n        $s18 = \"SeManageVolumePrivilege\" ascii fullword\r\n        $s19 = \"SeImpersonatePrivilege\" ascii fullword\r\n        $s20 = \"SeCreateGlobalPrivilege\" ascii fullword\r\n        $s21 = \"SeIncreaseWorkingSetPrivilege\" ascii fullword\r\n        $s22 = \"SeTimeZonePrivilege\" ascii fullword\r\n        $s23 = \"SeCreateSymbolicLinkPrivilege\" ascii fullword\r\n    condition:\r\n        5 of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "UNPROTECT_wiping_event",
            "rule": "rule UNPROTECT_wiping_event\r\n{\r\n    meta:\r\n        description = \"Rule to detect wiping events logs\"\r\n        author = \"McAfee ATR team | Thomas Roccia\"\r\n        date = \"2020-11-10\"\r\n        rule_version = \"v1\"\r\n        mitre = \"T1070\"\r\n        hash = \"c063c86931c662c1a962d08915d9f3a8\"\r\n\r\n    strings:\r\n        $s1 = \"wevtutil.exe\" ascii wide nocase\r\n        $s2 = \"cl Application\" ascii wide nocase\r\n        $s3 = \"cl System\" ascii wide nocase\r\n        $s4 = \"cl Setup\" ascii wide nocase\r\n        $s5 = \"cl Security\" ascii wide nocase\r\n        $s6 = \"sl Security /e:false\" ascii wide nocase\r\n        $s7= \"usn deletejournal /D\" ascii wide nocase\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and 4 of them\r\n}"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "vm_artefact",
            "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings targeting VMWare\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /VMWare/i\r\n      - string: /VMTools/i\r\n      - string: /SOFTWARE\\\\VMware, Inc\\.\\\\VMware Tools/i\r\n      - string: /vmnet.sys/i\r\n      - string: /vmmouse.sys/i\r\n      - string: /vmusb.sys/i\r\n      - string: /vm3dmp.sys/i\r\n      - string: /vmci.sys/i\r\n      - string: /vmhgfs.sys/i\r\n      - string: /vmmemctl.sys/i\r\n      - string: /vmx86.sys/i\r\n      - string: /vmrawdsk.sys/i\r\n      - string: /vmusbmouse.sys/i\r\n      - string: /vmkdb.sys/i\r\n      - string: /vmnetuserif.sys/i\r\n      - string: /vmnetadapter.sys/i\r\n      - string: /\\\\\\\\.\\\\HGFS/i\r\n      - string: /\\\\\\\\.\\\\vmci/i\r\n      - string: /vmtoolsd.exe/i\r\n      - string: /vmwaretray.exe/i\r\n      - string: /vmwareuser.exe/i\r\n      - string: /VGAuthService.exe/i\r\n      - string: /vmacthlp.exe/i\r\n      - string: /vmci/i\r\n        description: VMWare VMCI Bus Driver\r\n      - string: /vmhgfs/i\r\n        description: VMWare Host Guest Control Redirector\r\n      - string: /vmmouse/i\r\n      - string: /vmmemctl/i\r\n        description: VMWare Guest Memory Controller Driver\r\n      - string: /vmusb/i\r\n      - string: /vmusbmouse/i\r\n      - string: /vmx_svga/i\r\n      - string: /vmxnet/i\r\n      - string: /vmx86/i\r\n      - string: /VMwareVMware/i\r\n      - string: /vmGuestLib.dll/i"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "vm_artefact2",
            "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-02.dll_\r\n  features:\r\n    - or:\r\n      - string: /HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\(SystemBiosVersion|VideoBiosVersion)/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*ProcessorNameString/i\r\n      - string: /HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\Disk\\\\Enum\\\\/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer/i\r\n      - string: /A M I/i\r\n      - string: /Hyper-V/i\r\n      - string: /Kernel-VMDetection-Private/i\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699\r\n      - string: /KVMKVMKVM/i\r\n        description: KVM\r\n      - string: /Microsoft Hv/i\r\n        description: Microsoft Hyper-V or Windows Virtual PC\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8\r\n      - string: /avghookx.dll/i\r\n        description: AVG\r\n      - string: /avghooka.dll/i\r\n        description: AVG\r\n      - string: /snxhk.dll/i\r\n        description: Avast\r\n      - string: /pstorec.dll/i\r\n        description: SunBelt Sandbox\r\n      - string: /vmcheck.dll/i\r\n        description: Virtual PC\r\n      - string: /wpespy.dll/i\r\n        description: WPE Pro\r\n      - string: /cmdvrt64.dll/i\r\n        description: Comodo Container\r\n      - string: /cmdvrt32.dll/i\r\n        description: Comodo Container\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46\r\n      - string: /sample.exe/i\r\n      - string: /bot.exe/i\r\n      - string: /sandbox.exe/i\r\n      - string: /malware.exe/i\r\n      - string: /test.exe/i\r\n      - string: /klavme.exe/i\r\n      - string: /myapp.exe/i\r\n      - string: /testapp.exe/i"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "vm_instruction",
            "rule": "rule:\r\n  meta:\r\n    name: execute anti-VM instructions\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-03.exe_:0x401A80\r\n  features:\r\n    - or:\r\n      - mnemonic: sidt\r\n      - mnemonic: sgdt\r\n      - mnemonic: sldt\r\n      - mnemonic: smsw\r\n      - mnemonic: str\r\n      - mnemonic: in\r\n      - mnemonic: cpuid\r\n      - mnemonic: vpcext"
        },
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/2/",
            "name": "vm_registry",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via registry\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - api: RegOpenKeyEx\r\n      - api: RegEnumValue\r\n      - string: /\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce/\r\n      - string: /wmic useraccount where \\\"name='WDAGUtilityAccount'\\\"/i"
        }
    ]
}