Refresh scanner binaries + restructure YARA rules

CHANGELOG.md

@@ -87,6 +87,16 @@ All notable changes to this project will be documented in this file.
 - Dead code in `grumpycat.py` and `LitterBoxMCP.py` (cache, unused imports, exception envelope, lazy client wrapper)
 - `etw_wait_time` config key (replaced by event-driven readiness signal)
 
+### Scanners
+- New "Scanners" tracking table in README — version + last-updated date + source per scanner/rule pack so operators can tell at a glance whether each binary is current
+- PE-Sieve refreshed to 0.4.1.2 (commit `f1dc39d`, 2026-05-02)
+- Hollows-Hunter refreshed to 0.4.1.2 (commit `e271f7e`, 2026-04-18)
+- Moneta refreshed (commit `5b65395`, 2024-03-16)
+- Hunt-Sleeping-Beacons refreshed (commit `84dd3a9`, 2026-01-25)
+- YARA rules restructured under `Scanners/Yara/rules/` into `elastic-yara/` and `YARAForge/` subdirs; orchestrator `LitterBox.yar` regenerated to match the new layout
+- Elastic YARA rules synced to upstream `d131ea8` (2026-04-30, 686 rules — 684 upstream + Morpes/Torii retained locally after Elastic rotated them out)
+- YARA-Forge bumped to 0.9.1 (release `20260503`, 2026-05-03) — separate `YARAForge_Extended.yar` pack alongside the Elastic rules
+
 ### Notes
 - New runtime dependency: `requests==2.32.3`
 - Whiskers binary not committed — build via `cargo build --release` (see `Whiskers/BUILD.md`)

README.md

@@ -66,6 +66,29 @@ The setup script provisions a Windows 10 container with KVM and runs LitterBox i
 
 Drop one or more profile YAMLs under `Config/edr_profiles/` and the upload page picks them up at boot. Full walkthroughs in the wiki: [Whiskers Agent](../../wiki/Whiskers-Agent) → [Elastic Defend Setup](../../wiki/Elastic-Defend-Setup) or [Fibratus Setup](../../wiki/Fibratus-Setup).
 
+## Scanners
+
+Bundled binaries under `Scanners/`. Versions and last-update dates tracked here so operators can tell at a glance whether a scanner is current.
+
+| Scanner | Version | Last updated | Source |
+|---|---|---|---|
+| [PE-Sieve](https://github.com/hasherezade/pe-sieve) | 0.4.1.2 (`f1dc39d`) | 2026-05-02 | hasherezade/pe-sieve |
+| [Hollows-Hunter](https://github.com/hasherezade/hollows_hunter) | 0.4.1.2 (`e271f7e`) | 2026-04-18 | hasherezade/hollows_hunter |
+| [Moneta](https://github.com/forrest-orr/moneta) | `5b65395` | 2024-03-16 | forrest-orr/moneta |
+| [Patriot](https://github.com/joe-desimone/patriot) | — | 2024-12-29 | joe-desimone/patriot |
+| [Hunt-Sleeping-Beacons](https://github.com/thefLink/Hunt-Sleeping-Beacons) | `84dd3a9` | 2026-01-25 | thefLink/Hunt-Sleeping-Beacons |
+| [RedEdr](https://github.com/dobin/RedEdr) | 0.9 (release) | 2026-04-12 | dobin/RedEdr |
+| [YARA](https://github.com/VirusTotal/yara/releases) (engine `yara64.exe`) | — | 2024-12-29 | VirusTotal/yara |
+| Elastic YARA rules (`Scanners/Yara/rules/elastic-yara/`) | `d131ea8` | 2026-04-30 | elastic/protections-artifacts |
+| YARA-Forge Extended (`Scanners/Yara/rules/YARAForge/`) | 0.9.1 (release `20260503`) | 2026-05-03 | YARAHQ/yara-forge |
+| [CheckPlz](https://github.com/BlackSnufkin/CheckPlz) | — | 2024-12-29 | BlackSnufkin/CheckPlz |
+| [Stringnalyzer](https://github.com/BlackSnufkin/Rusty-Playground/tree/main/Stringnalyzer) | — | 2025-01-27 | BlackSnufkin/Rusty-Playground |
+| [HolyGrail](https://github.com/BlackSnufkin/HolyGrail) | — | 2025-08-18 | BlackSnufkin/HolyGrail |
+
+Version format: `<release-version>` or `<release-version> (release)` when the binary is pulled from an upstream release; `<release-version> (\`<commit>\`)` or just `\`<commit>\`` when built from source. Last-updated date is the upstream commit / release date, not the local build date.
+
+When you refresh a scanner: replace the binary under its `Scanners/<Name>/` directory and update the row above (version + date).
+
 ## Contributing
 
 See [CONTRIBUTING.md](./CONTRIBUTING.md). Work in feature branches on personal forks.

Scanners/Yara/LitterBox.yar

@@ -1,619 +1,687 @@
-include ".\rules\Linux_Backdoor_Bash.yar"
-include ".\rules\Linux_Backdoor_Fontonlake.yar"
-include ".\rules\Linux_Backdoor_Generic.yar"
-include ".\rules\Linux_Backdoor_Python.yar"
-include ".\rules\Linux_Backdoor_Tinyshell.yar"
-include ".\rules\Linux_Cryptominer_Attribute.yar"
-include ".\rules\Linux_Cryptominer_Bscope.yar"
-include ".\rules\Linux_Cryptominer_Bulz.yar"
-include ".\rules\Linux_Cryptominer_Camelot.yar"
-include ".\rules\Linux_Cryptominer_Casdet.yar"
-include ".\rules\Linux_Cryptominer_Ccminer.yar"
-include ".\rules\Linux_Cryptominer_Flystudio.yar"
-include ".\rules\Linux_Cryptominer_Generic.yar"
-include ".\rules\Linux_Cryptominer_Ksmdbot.yar"
-include ".\rules\Linux_Cryptominer_Loudminer.yar"
-include ".\rules\Linux_Cryptominer_Malxmr.yar"
-include ".\rules\Linux_Cryptominer_Miancha.yar"
-include ".\rules\Linux_Cryptominer_Minertr.yar"
-include ".\rules\Linux_Cryptominer_Pgminer.yar"
-include ".\rules\Linux_Cryptominer_Presenoker.yar"
-include ".\rules\Linux_Cryptominer_Roboto.yar"
-include ".\rules\Linux_Cryptominer_Stak.yar"
-include ".\rules\Linux_Cryptominer_Ursu.yar"
-include ".\rules\Linux_Cryptominer_Uwamson.yar"
-include ".\rules\Linux_Cryptominer_Xmrig.yar"
-include ".\rules\Linux_Cryptominer_Xmrminer.yar"
-include ".\rules\Linux_Cryptominer_Xpaj.yar"
-include ".\rules\Linux_Cryptominer_Zexaf.yar"
-include ".\rules\Linux_Downloader_Generic.yar"
-include ".\rules\Linux_Exploit_Abrox.yar"
-include ".\rules\Linux_Exploit_Alie.yar"
-include ".\rules\Linux_Exploit_Cornelgen.yar"
-include ".\rules\Linux_Exploit_Courier.yar"
-include ".\rules\Linux_Exploit_Criscras.yar"
-include ".\rules\Linux_Exploit_CVE_2009_1897.yar"
-include ".\rules\Linux_Exploit_CVE_2009_2698.yar"
-include ".\rules\Linux_Exploit_CVE_2009_2908.yar"
-include ".\rules\Linux_Exploit_CVE_2010_3301.yar"
-include ".\rules\Linux_Exploit_CVE_2012_0056.yar"
-include ".\rules\Linux_Exploit_CVE_2014_3153.yar"
-include ".\rules\Linux_Exploit_CVE_2016_4557.yar"
-include ".\rules\Linux_Exploit_CVE_2016_5195.yar"
-include ".\rules\Linux_Exploit_CVE_2017_100011.yar"
-include ".\rules\Linux_Exploit_CVE_2017_16995.yar"
-include ".\rules\Linux_Exploit_CVE_2018_10561.yar"
-include ".\rules\Linux_Exploit_CVE_2019_13272.yar"
-include ".\rules\Linux_Exploit_CVE_2021_3156.yar"
-include ".\rules\Linux_Exploit_CVE_2021_3490.yar"
-include ".\rules\Linux_Exploit_CVE_2021_4034.yar"
-include ".\rules\Linux_Exploit_CVE_2022_0847.yar"
-include ".\rules\Linux_Exploit_Dirtycow.yar"
-include ".\rules\Linux_Exploit_Enoket.yar"
-include ".\rules\Linux_Exploit_Foda.yar"
-include ".\rules\Linux_Exploit_Intfour.yar"
-include ".\rules\Linux_Exploit_IOUring.yar"
-include ".\rules\Linux_Exploit_Local.yar"
-include ".\rules\Linux_Exploit_Log4j.yar"
-include ".\rules\Linux_Exploit_Lotoor.yar"
-include ".\rules\Linux_Exploit_Moogrey.yar"
-include ".\rules\Linux_Exploit_Openssl.yar"
-include ".\rules\Linux_Exploit_Perl.yar"
-include ".\rules\Linux_Exploit_Pulse.yar"
-include ".\rules\Linux_Exploit_Race.yar"
-include ".\rules\Linux_Exploit_Ramen.yar"
-include ".\rules\Linux_Exploit_Sorso.yar"
-include ".\rules\Linux_Exploit_Vmsplice.yar"
-include ".\rules\Linux_Exploit_Wuftpd.yar"
-include ".\rules\Linux_Generic_Threat.yar"
-include ".\rules\Linux_Hacktool_Aduh.yar"
-include ".\rules\Linux_Hacktool_Bruteforce.yar"
-include ".\rules\Linux_Hacktool_Cleanlog.yar"
-include ".\rules\Linux_Hacktool_Earthworm.yar"
-include ".\rules\Linux_Hacktool_Exploitscan.yar"
-include ".\rules\Linux_Hacktool_Flooder.yar"
-include ".\rules\Linux_Hacktool_Fontonlake.yar"
-include ".\rules\Linux_Hacktool_Infectionmonkey.yar"
-include ".\rules\Linux_Hacktool_Lightning.yar"
-include ".\rules\Linux_Hacktool_LigoloNG.yar"
-include ".\rules\Linux_Hacktool_Portscan.yar"
-include ".\rules\Linux_Hacktool_Prochide.yar"
-include ".\rules\Linux_Hacktool_Tcpscan.yar"
-include ".\rules\Linux_Hacktool_Wipelog.yar"
-include ".\rules\Linux_Packer_Patched_UPX.yar"
-include ".\rules\Linux_Proxy_Frp.yar"
-include ".\rules\Linux_Ransomware_Agenda.yar"
-include ".\rules\Linux_Ransomware_Akira.yar"
-include ".\rules\Linux_Ransomware_Babuk.yar"
-include ".\rules\Linux_Ransomware_BlackBasta.yar"
-include ".\rules\Linux_Ransomware_BlackSuit.yar"
-include ".\rules\Linux_Ransomware_Clop.yar"
-include ".\rules\Linux_Ransomware_Conti.yar"
-include ".\rules\Linux_Ransomware_EchoRaix.yar"
-include ".\rules\Linux_Ransomware_Erebus.yar"
-include ".\rules\Linux_Ransomware_Esxiargs.yar"
-include ".\rules\Linux_Ransomware_Gonnacry.yar"
-include ".\rules\Linux_Ransomware_Hellokitty.yar"
-include ".\rules\Linux_Ransomware_Hive.yar"
-include ".\rules\Linux_Ransomware_ItsSoEasy.yar"
-include ".\rules\Linux_Ransomware_LimpDemon.yar"
-include ".\rules\Linux_Ransomware_Lockbit.yar"
-include ".\rules\Linux_Ransomware_Monti.yar"
-include ".\rules\Linux_Ransomware_NoEscape.yar"
-include ".\rules\Linux_Ransomware_Quantum.yar"
-include ".\rules\Linux_Ransomware_RagnarLocker.yar"
-include ".\rules\Linux_Ransomware_RedAlert.yar"
-include ".\rules\Linux_Ransomware_RoyalPest.yar"
-include ".\rules\Linux_Ransomware_SFile.yar"
-include ".\rules\Linux_Ransomware_Sodinokibi.yar"
-include ".\rules\Linux_Rootkit_Adore.yar"
-include ".\rules\Linux_Rootkit_Arkd.yar"
-include ".\rules\Linux_Rootkit_Bedevil.yar"
-include ".\rules\Linux_Rootkit_BrokePKG.yar"
-include ".\rules\Linux_Rootkit_Dakkatoni.yar"
-include ".\rules\Linux_Rootkit_Diamorphine.yar"
-include ".\rules\Linux_Rootkit_Fontonlake.yar"
-include ".\rules\Linux_Rootkit_Generic.yar"
-include ".\rules\Linux_Rootkit_HiddenWasp.yar"
-include ".\rules\Linux_Rootkit_Jynx.yar"
-include ".\rules\Linux_Rootkit_Kovid.yar"
-include ".\rules\Linux_Rootkit_Melofee.yar"
-include ".\rules\Linux_Rootkit_Perfctl.yar"
-include ".\rules\Linux_Rootkit_Reptile.yar"
-include ".\rules\Linux_Rootkit_Snapekit.yar"
-include ".\rules\Linux_Rootkit_Suterusu.yar"
-include ".\rules\Linux_Shellcode_Generic.yar"
-include ".\rules\Linux_Trojan_Adlibrary.yar"
-include ".\rules\Linux_Trojan_Asacub.yar"
-include ".\rules\Linux_Trojan_Azeela.yar"
-include ".\rules\Linux_Trojan_Backconnect.yar"
-include ".\rules\Linux_Trojan_Backegmm.yar"
-include ".\rules\Linux_Trojan_Badbee.yar"
-include ".\rules\Linux_Trojan_Banload.yar"
-include ".\rules\Linux_Trojan_Bedevil.yar"
-include ".\rules\Linux_Trojan_Bish.yar"
-include ".\rules\Linux_Trojan_Bluez.yar"
-include ".\rules\Linux_Trojan_BPFDoor.yar"
-include ".\rules\Linux_Trojan_Cerbu.yar"
-include ".\rules\Linux_Trojan_Chinaz.yar"
-include ".\rules\Linux_Trojan_Connectback.yar"
-include ".\rules\Linux_Trojan_Ddostf.yar"
-include ".\rules\Linux_Trojan_DinodasRAT.yar"
-include ".\rules\Linux_Trojan_Dnsamp.yar"
-include ".\rules\Linux_Trojan_Dofloo.yar"
-include ".\rules\Linux_Trojan_Dropperl.yar"
-include ".\rules\Linux_Trojan_Ebury.yar"
-include ".\rules\Linux_Trojan_Gafgyt.yar"
-include ".\rules\Linux_Trojan_Ganiw.yar"
-include ".\rules\Linux_Trojan_Generic.yar"
-include ".\rules\Linux_Trojan_Getshell.yar"
-include ".\rules\Linux_Trojan_Godlua.yar"
-include ".\rules\Linux_Trojan_Godropper.yar"
-include ".\rules\Linux_Trojan_Gognt.yar"
-include ".\rules\Linux_Trojan_Hiddad.yar"
-include ".\rules\Linux_Trojan_Ipstorm.yar"
-include ".\rules\Linux_Trojan_Ircbot.yar"
-include ".\rules\Linux_Trojan_Iroffer.yar"
-include ".\rules\Linux_Trojan_Kaiji.yar"
-include ".\rules\Linux_Trojan_Kinsing.yar"
-include ".\rules\Linux_Trojan_Ladvix.yar"
-include ".\rules\Linux_Trojan_Lady.yar"
-include ".\rules\Linux_Trojan_Lala.yar"
-include ".\rules\Linux_Trojan_Malxmr.yar"
-include ".\rules\Linux_Trojan_Marut.yar"
-include ".\rules\Linux_Trojan_Masan.yar"
-include ".\rules\Linux_Trojan_Mech.yar"
-include ".\rules\Linux_Trojan_Mechbot.yar"
-include ".\rules\Linux_Trojan_Melofee.yar"
-include ".\rules\Linux_Trojan_Merlin.yar"
-include ".\rules\Linux_Trojan_Metasploit.yar"
-include ".\rules\Linux_Trojan_Meterpreter.yar"
-include ".\rules\Linux_Trojan_Mettle.yar"
-include ".\rules\Linux_Trojan_Mirai.yar"
-include ".\rules\Linux_Trojan_Mobidash.yar"
-include ".\rules\Linux_Trojan_Morpes.yar"
-include ".\rules\Linux_Trojan_Mumblehard.yar"
-include ".\rules\Linux_Trojan_Ngioweb.yar"
-include ".\rules\Linux_Trojan_Nuker.yar"
-include ".\rules\Linux_Trojan_Orbit.yar"
-include ".\rules\Linux_Trojan_Patpooty.yar"
-include ".\rules\Linux_Trojan_Pnscan.yar"
-include ".\rules\Linux_Trojan_Pornoasset.yar"
-include ".\rules\Linux_Trojan_Psybnc.yar"
-include ".\rules\Linux_Trojan_Rbot.yar"
-include ".\rules\Linux_Trojan_Rekoobe.yar"
-include ".\rules\Linux_Trojan_Roopre.yar"
-include ".\rules\Linux_Trojan_Rooter.yar"
-include ".\rules\Linux_Trojan_Rotajakiro.yar"
-include ".\rules\Linux_Trojan_Rozena.yar"
-include ".\rules\Linux_Trojan_Sambashell.yar"
-include ".\rules\Linux_Trojan_Sckit.yar"
-include ".\rules\Linux_Trojan_Sdbot.yar"
-include ".\rules\Linux_Trojan_Setag.yar"
-include ".\rules\Linux_Trojan_Sfloost.yar"
-include ".\rules\Linux_Trojan_Shark.yar"
-include ".\rules\Linux_Trojan_Shellbot.yar"
-include ".\rules\Linux_Trojan_Skidmap.yar"
-include ".\rules\Linux_Trojan_Snessik.yar"
-include ".\rules\Linux_Trojan_Snowlight.yar"
-include ".\rules\Linux_Trojan_Springtail.yar"
-include ".\rules\Linux_Trojan_Sqlexp.yar"
-include ".\rules\Linux_Trojan_Sshdkit.yar"
-include ".\rules\Linux_Trojan_Sshdoor.yar"
-include ".\rules\Linux_Trojan_Subsevux.yar"
-include ".\rules\Linux_Trojan_Swrort.yar"
-include ".\rules\Linux_Trojan_Sysrv.yar"
-include ".\rules\Linux_Trojan_Torii.yar"
-include ".\rules\Linux_Trojan_Truncpx.yar"
-include ".\rules\Linux_Trojan_Tsunami.yar"
-include ".\rules\Linux_Trojan_Winnti.yar"
-include ".\rules\Linux_Trojan_Xhide.yar"
-include ".\rules\Linux_Trojan_Xorddos.yar"
-include ".\rules\Linux_Trojan_Xpmmap.yar"
-include ".\rules\Linux_Trojan_XZBackdoor.yar"
-include ".\rules\Linux_Trojan_Zerobot.yar"
-include ".\rules\Linux_Trojan_Zpevdo.yar"
-include ".\rules\Linux_Virus_Gmon.yar"
-include ".\rules\Linux_Virus_Rst.yar"
-include ".\rules\Linux_Virus_Staffcounter.yar"
-include ".\rules\Linux_Virus_Thebe.yar"
-include ".\rules\Linux_Webshell_Generic.yar"
-include ".\rules\Linux_Worm_Generic.yar"
-include ".\rules\MacOS_Backdoor_Applejeus.yar"
-include ".\rules\MacOS_Backdoor_Fakeflashlxk.yar"
-include ".\rules\MacOS_Backdoor_Kagent.yar"
-include ".\rules\MacOS_Backdoor_Keyboardrecord.yar"
-include ".\rules\MacOS_Backdoor_Useragent.yar"
-include ".\rules\MacOS_Creddump_KeychainAccess.yar"
-include ".\rules\MacOS_Cryptominer_Generic.yar"
-include ".\rules\MacOS_Cryptominer_Xmrig.yar"
-include ".\rules\MacOS_Exploit_Log4j.yar"
-include ".\rules\MacOS_Hacktool_Bifrost.yar"
-include ".\rules\Macos_Hacktool_JokerSpy.yar"
-include ".\rules\MacOS_Hacktool_Swiftbelt.yar"
-include ".\rules\Macos_Infostealer_EncodedOsascript.yar"
-include ".\rules\MacOS_Infostealer_MdQueryPassw.yar"
-include ".\rules\MacOS_Infostealer_MdQuerySecret.yar"
-include ".\rules\MacOS_Infostealer_MdQueryTCC.yar"
-include ".\rules\MacOS_Infostealer_MdQueryToken.yar"
-include ".\rules\Macos_Infostealer_Wallets.yar"
-include ".\rules\MacOS_Trojan_Adload.yar"
-include ".\rules\MacOS_Trojan_Amcleaner.yar"
-include ".\rules\MacOS_Trojan_Aobokeylogger.yar"
-include ".\rules\MacOS_Trojan_Bundlore.yar"
-include ".\rules\MacOS_Trojan_Eggshell.yar"
-include ".\rules\MacOS_Trojan_Electrorat.yar"
-include ".\rules\MacOS_Trojan_Fplayer.yar"
-include ".\rules\MacOS_Trojan_Generic.yar"
-include ".\rules\MacOS_Trojan_Genieo.yar"
-include ".\rules\MacOS_Trojan_Getshell.yar"
-include ".\rules\MacOS_Trojan_HLoader.yar"
-include ".\rules\MacOS_Trojan_KandyKorn.yar"
-include ".\rules\MacOS_Trojan_Metasploit.yar"
-include ".\rules\MacOS_Trojan_RustBucket.yar"
-include ".\rules\MacOS_Trojan_SugarLoader.yar"
-include ".\rules\MacOS_Trojan_Thiefquest.yar"
-include ".\rules\MacOS_Virus_Maxofferdeal.yar"
-include ".\rules\MacOS_Virus_Pirrit.yar"
-include ".\rules\MacOS_Virus_Vsearch.yar"
-include ".\rules\Multi_AttackSimulation_Blindspot.yar"
-include ".\rules\Multi_EICAR.yar"
-include ".\rules\Multi_Generic_Threat.yar"
-include ".\rules\Multi_Hacktool_Gsocket.yar"
-include ".\rules\Multi_Hacktool_Nps.yar"
-include ".\rules\Multi_Hacktool_Rakshasa.yar"
-include ".\rules\Multi_Hacktool_Stowaway.yar"
-include ".\rules\Multi_Hacktool_SuperShell.yar"
-include ".\rules\Multi_Ransomware_Akira.yar"
-include ".\rules\Multi_Ransomware_BlackCat.yar"
-include ".\rules\Multi_Ransomware_Luna.yar"
-include ".\rules\Multi_Ransomware_RansomHub.yar"
-include ".\rules\Multi_Trojan_Coreimpact.yar"
-include ".\rules\Multi_Trojan_Gosar.yar"
-include ".\rules\Multi_Trojan_Merlin.yar"
-include ".\rules\Multi_Trojan_Mythic.yar"
-include ".\rules\Multi_Trojan_Sliver.yar"
-include ".\rules\Multi_Trojan_SparkRat.yar"
-include ".\rules\Windows_AttackSimulation_Hovercraft.yar"
-include ".\rules\Windows_Backdoor_DragonCastling.yar"
-include ".\rules\Windows_Backdoor_Goldbackdoor.yar"
-include ".\rules\Windows_Backdoor_TeamViewer.yar"
-include ".\rules\Windows_Clickfraud_LuckySlots.yar"
-include ".\rules\Windows_Cryptominer_Generic.yar"
-include ".\rules\Windows_Exploit_CVE_2022_38028.yar"
-include ".\rules\Windows_Exploit_Dcom.yar"
-include ".\rules\Windows_Exploit_Eternalblue.yar"
-include ".\rules\Windows_Exploit_FakePipe.yar"
-include ".\rules\Windows_Exploit_Generic.yar"
-include ".\rules\Windows_Exploit_IoRing.yar"
-include ".\rules\Windows_Exploit_Log4j.yar"
-include ".\rules\Windows_Exploit_Perfusion.yar"
-include ".\rules\Windows_Exploit_RpcJunction.yar"
-include ".\rules\Windows_Generic_Threat.yar"
-include ".\rules\Windows_Hacktool_AskCreds.yar"
-include ".\rules\Windows_Hacktool_BlackBone.yar"
-include ".\rules\Windows_Hacktool_Capcom.yar"
-include ".\rules\Windows_Hacktool_Certify.yar"
-include ".\rules\Windows_Hacktool_CheatEngine.yar"
-include ".\rules\Windows_Hacktool_ChromeKatz.yar"
-include ".\rules\Windows_Hacktool_ClrOxide.yar"
-include ".\rules\Windows_Hacktool_COFFLoader.yar"
-include ".\rules\Windows_Hacktool_CpuLocker.yar"
-include ".\rules\Windows_Hacktool_DarkLoadLibrary.yar"
-include ".\rules\Windows_Hacktool_Dcsyncer.yar"
-include ".\rules\Windows_Hacktool_DinvokeRust.yar"
-include ".\rules\Windows_Hacktool_EDRrecon.yar"
-include ".\rules\Windows_Hacktool_EDRWFP.yar"
-include ".\rules\Windows_Hacktool_ExecuteAssembly.yar"
-include ".\rules\Windows_Hacktool_Gmer.yar"
-include ".\rules\Windows_Hacktool_GodPotato.yar"
-include ".\rules\Windows_Hacktool_Iox.yar"
-include ".\rules\Windows_Hacktool_LeiGod.yar"
-include ".\rules\Windows_Hacktool_Mimikatz.yar"
-include ".\rules\Windows_Hacktool_NetFilter.yar"
-include ".\rules\Windows_Hacktool_Phant0m.yar"
-include ".\rules\Windows_Hacktool_PhysMem.yar"
-include ".\rules\Windows_Hacktool_ProcessHacker.yar"
-include ".\rules\Windows_Hacktool_RingQ.yar"
-include ".\rules\Windows_Hacktool_Rubeus.yar"
-include ".\rules\Windows_Hacktool_SafetyKatz.yar"
-include ".\rules\Windows_Hacktool_Seatbelt.yar"
-include ".\rules\Windows_Hacktool_SharpAppLocker.yar"
-include ".\rules\Windows_Hacktool_SharpChromium.yar"
-include ".\rules\Windows_Hacktool_SharpDump.yar"
-include ".\rules\Windows_Hacktool_SharPersist.yar"
-include ".\rules\Windows_Hacktool_SharpGPOAbuse.yar"
-include ".\rules\Windows_Hacktool_SharpHound.yar"
-include ".\rules\Windows_Hacktool_SharpLAPS.yar"
-include ".\rules\Windows_Hacktool_SharpMove.yar"
-include ".\rules\Windows_Hacktool_SharpRDP.yar"
-include ".\rules\Windows_Hacktool_SharpSCCM.yar"
-include ".\rules\Windows_Hacktool_SharpShares.yar"
-include ".\rules\Windows_Hacktool_SharpStay.yar"
-include ".\rules\Windows_Hacktool_SharpUp.yar"
-include ".\rules\Windows_Hacktool_SharpView.yar"
-include ".\rules\Windows_Hacktool_SharpWMI.yar"
-include ".\rules\Windows_Hacktool_SleepObfLoader.yar"
-include ".\rules\Windows_Hacktool_WinPEAS_ng.yar"
-include ".\rules\Windows_Infostealer_Generic.yar"
-include ".\rules\Windows_Infostealer_PhemedroneStealer.yar"
-include ".\rules\Windows_Infostealer_Strela.yar"
-include ".\rules\Windows_Packer_ScrubCrypt.yar"
-include ".\rules\Windows_PUP_Generic.yar"
-include ".\rules\Windows_PUP_MediaArena.yar"
-include ".\rules\Windows_PUP_Veriato.yar"
-include ".\rules\Windows_Ransomware_Agenda.yar"
-include ".\rules\Windows_Ransomware_Akira.yar"
-include ".\rules\Windows_Ransomware_Avoslocker.yar"
-include ".\rules\Windows_Ransomware_Azov.yar"
-include ".\rules\Windows_Ransomware_Bitpaymer.yar"
-include ".\rules\Windows_Ransomware_BlackBasta.yar"
-include ".\rules\Windows_Ransomware_BlackHunt.yar"
-include ".\rules\Windows_Ransomware_Blackmatter.yar"
-include ".\rules\Windows_Ransomware_Cicada3301.yar"
-include ".\rules\Windows_Ransomware_Clop.yar"
-include ".\rules\Windows_Ransomware_Conti.yar"
-include ".\rules\Windows_Ransomware_Crytox.yar"
-include ".\rules\Windows_Ransomware_Cuba.yar"
-include ".\rules\Windows_Ransomware_Darkside.yar"
-include ".\rules\Windows_Ransomware_Dharma.yar"
-include ".\rules\Windows_Ransomware_Doppelpaymer.yar"
-include ".\rules\Windows_Ransomware_Egregor.yar"
-include ".\rules\Windows_Ransomware_GandCrab.yar"
-include ".\rules\Windows_Ransomware_Generic.yar"
-include ".\rules\Windows_Ransomware_Grief.yar"
-include ".\rules\Windows_Ransomware_Haron.yar"
-include ".\rules\Windows_Ransomware_Hellokitty.yar"
-include ".\rules\Windows_Ransomware_Helloxd.yar"
-include ".\rules\Windows_Ransomware_Hive.yar"
-include ".\rules\Windows_Ransomware_Lockbit.yar"
-include ".\rules\Windows_Ransomware_Lockfile.yar"
-include ".\rules\Windows_Ransomware_Magniber.yar"
-include ".\rules\Windows_Ransomware_Makop.yar"
-include ".\rules\Windows_Ransomware_Maui.yar"
-include ".\rules\Windows_Ransomware_Maze.yar"
-include ".\rules\Windows_Ransomware_Mespinoza.yar"
-include ".\rules\Windows_Ransomware_Mountlocker.yar"
-include ".\rules\Windows_Ransomware_Nightsky.yar"
-include ".\rules\Windows_Ransomware_Pandora.yar"
-include ".\rules\Windows_Ransomware_Phobos.yar"
-include ".\rules\Windows_Ransomware_Ragnarok.yar"
-include ".\rules\Windows_Ransomware_Ransomexx.yar"
-include ".\rules\Windows_Ransomware_Rook.yar"
-include ".\rules\Windows_Ransomware_Royal.yar"
-include ".\rules\Windows_Ransomware_Ryuk.yar"
-include ".\rules\Windows_Ransomware_Snake.yar"
-include ".\rules\Windows_Ransomware_Sodinokibi.yar"
-include ".\rules\Windows_Ransomware_Stop.yar"
-include ".\rules\Windows_Ransomware_Thanos.yar"
-include ".\rules\Windows_Ransomware_WannaCry.yar"
-include ".\rules\Windows_Ransomware_WhisperGate.yar"
-include ".\rules\Windows_RemoteAdmin_UltraVNC.yar"
-include ".\rules\Windows_Rootkit_R77.yar"
-include ".\rules\Windows_Shellcode_Generic.yar"
-include ".\rules\Windows_Shellcode_Rdi.yar"
-include ".\rules\Windows_Trojan_A310logger.yar"
-include ".\rules\Windows_Trojan_Afdk.yar"
-include ".\rules\Windows_Trojan_AgentTesla.yar"
-include ".\rules\Windows_Trojan_Amadey.yar"
-include ".\rules\Windows_Trojan_ArkeiStealer.yar"
-include ".\rules\Windows_Trojan_Asyncrat.yar"
-include ".\rules\Windows_Trojan_AveMaria.yar"
-include ".\rules\Windows_Trojan_Azorult.yar"
-include ".\rules\Windows_Trojan_Babble.yar"
-include ".\rules\Windows_Trojan_Babylonrat.yar"
-include ".\rules\Windows_Trojan_Backoff.yar"
-include ".\rules\Windows_Trojan_Bandook.yar"
-include ".\rules\Windows_Trojan_Bazar.yar"
-include ".\rules\Windows_Trojan_Beam.yar"
-include ".\rules\Windows_Trojan_Behinder.yar"
-include ".\rules\Windows_Trojan_Bitrat.yar"
-include ".\rules\Windows_Trojan_BITSloth.yar"
-include ".\rules\Windows_Trojan_BlackShades.yar"
-include ".\rules\Windows_Trojan_Blackwood.yar"
-include ".\rules\Windows_Trojan_Blister.yar"
-include ".\rules\Windows_Trojan_BloodAlchemy.yar"
-include ".\rules\Windows_Trojan_BruteRatel.yar"
-include ".\rules\Windows_Trojan_Buerloader.yar"
-include ".\rules\Windows_Trojan_Bughatch.yar"
-include ".\rules\Windows_Trojan_Bumblebee.yar"
-include ".\rules\Windows_Trojan_CaesarKbd.yar"
-include ".\rules\Windows_Trojan_Carberp.yar"
-include ".\rules\Windows_Trojan_Clipbanker.yar"
-include ".\rules\Windows_Trojan_CobaltStrike.yar"
-include ".\rules\Windows_Trojan_Cryptbot.yar"
-include ".\rules\Windows_Trojan_CyberGate.yar"
-include ".\rules\Windows_Trojan_Danabot.yar"
-include ".\rules\Windows_Trojan_DarkCloud.yar"
-include ".\rules\Windows_Trojan_Darkcomet.yar"
-include ".\rules\Windows_Trojan_DarkGate.yar"
-include ".\rules\Windows_Trojan_DarkVNC.yar"
-include ".\rules\Windows_Trojan_DBatLoader.yar"
-include ".\rules\Windows_Trojan_DCRat.yar"
-include ".\rules\Windows_Trojan_Deimos.yar"
-include ".\rules\Windows_Trojan_DiamondFox.yar"
-include ".\rules\Windows_Trojan_Diceloader.yar"
-include ".\rules\Windows_Trojan_DodgeBox.yar"
-include ".\rules\Windows_Trojan_Donutloader.yar"
-include ".\rules\Windows_Trojan_DoorMe.yar"
-include ".\rules\Windows_Trojan_DoubleBack.yar"
-include ".\rules\Windows_Trojan_DownTown.yar"
-include ".\rules\Windows_Trojan_DragonBreath.yar"
-include ".\rules\Windows_Trojan_Dridex.yar"
-include ".\rules\Windows_Trojan_DustyWarehouse.yar"
-include ".\rules\Windows_Trojan_EagerBee.yar"
-include ".\rules\Windows_Trojan_Emotet.yar"
-include ".\rules\Windows_Trojan_Fabookie.yar"
-include ".\rules\Windows_Trojan_FalseFont.yar"
-include ".\rules\Windows_Trojan_Farfli.yar"
-include ".\rules\Windows_Trojan_Fickerstealer.yar"
-include ".\rules\Windows_Trojan_FlawedGrace.yar"
-include ".\rules\Windows_Trojan_Formbook.yar"
-include ".\rules\Windows_Trojan_Garble.yar"
-include ".\rules\Windows_Trojan_Generic.yar"
-include ".\rules\Windows_Trojan_Gh0st.yar"
-include ".\rules\Windows_Trojan_GhostEngine.yar"
-include ".\rules\Windows_Trojan_GhostPulse.yar"
-include ".\rules\Windows_Trojan_Glupteba.yar"
-include ".\rules\Windows_Trojan_Gozi.yar"
-include ".\rules\Windows_Trojan_Grandoreiro.yar"
-include ".\rules\Windows_Trojan_Guloader.yar"
-include ".\rules\Windows_Trojan_Hancitor.yar"
-include ".\rules\Windows_Trojan_Havoc.yar"
-include ".\rules\Windows_Trojan_Hawkeye.yar"
-include ".\rules\Windows_Trojan_HazelCobra.yar"
-include ".\rules\Windows_Trojan_HijackLoader.yar"
-include ".\rules\Windows_Trojan_HotPage.yar"
-include ".\rules\Windows_Trojan_IcedID.yar"
-include ".\rules\Windows_Trojan_JesterStealer.yar"
-include ".\rules\Windows_Trojan_Jupyter.yar"
-include ".\rules\Windows_Trojan_Kronos.yar"
-include ".\rules\Windows_Trojan_Latrodectus.yar"
-include ".\rules\Windows_Trojan_LegionLoader.yar"
-include ".\rules\Windows_Trojan_Limerat.yar"
-include ".\rules\Windows_Trojan_Lobshot.yar"
-include ".\rules\Windows_Trojan_Lokibot.yar"
-include ".\rules\Windows_Trojan_Lumma.yar"
-include ".\rules\Windows_Trojan_Lurker.yar"
-include ".\rules\Windows_Trojan_M0yv.yar"
-include ".\rules\Windows_Trojan_MassLogger.yar"
-include ".\rules\Windows_Trojan_Matanbuchus.yar"
-include ".\rules\Windows_Trojan_Merlin.yar"
-include ".\rules\Windows_Trojan_Metasploit.yar"
-include ".\rules\Windows_Trojan_MetaStealer.yar"
-include ".\rules\Windows_Trojan_MicroBackdoor.yar"
-include ".\rules\Windows_Trojan_ModPipe.yar"
-include ".\rules\Windows_Trojan_MyloBot.yar"
-include ".\rules\Windows_Trojan_Nanocore.yar"
-include ".\rules\Windows_Trojan_NapListener.yar"
-include ".\rules\Windows_Trojan_Netwire.yar"
-include ".\rules\Windows_Trojan_Nighthawk.yar"
-include ".\rules\Windows_Trojan_Nimplant.yar"
-include ".\rules\Windows_Trojan_Njrat.yar"
-include ".\rules\Windows_Trojan_Octopus.yar"
-include ".\rules\Windows_Trojan_OnlyLogger.yar"
-include ".\rules\Windows_Trojan_OskiStealer.yar"
-include ".\rules\Windows_Trojan_P8Loader.yar"
-include ".\rules\Windows_Trojan_Pandastealer.yar"
-include ".\rules\Windows_Trojan_Parallax.yar"
-include ".\rules\Windows_Trojan_Phoreal.yar"
-include ".\rules\Windows_Trojan_PikaBot.yar"
-include ".\rules\Windows_Trojan_Pingpull.yar"
-include ".\rules\Windows_Trojan_PipeDance.yar"
-include ".\rules\Windows_Trojan_PizzaPotion.yar"
-include ".\rules\Windows_Trojan_PlugX.yar"
-include ".\rules\Windows_Trojan_Pony.yar"
-include ".\rules\Windows_Trojan_PoshC2.yar"
-include ".\rules\Windows_Trojan_PowerSeal.yar"
-include ".\rules\Windows_Trojan_PrivateLoader.yar"
-include ".\rules\Windows_Trojan_ProtectS.yar"
-include ".\rules\Windows_Trojan_Qbot.yar"
-include ".\rules\Windows_Trojan_Quasarrat.yar"
-include ".\rules\Windows_Trojan_Raccoon.yar"
-include ".\rules\Windows_Trojan_RaspberryRobin.yar"
-include ".\rules\Windows_Trojan_RedLineStealer.yar"
-include ".\rules\Windows_Trojan_Remcos.yar"
-include ".\rules\Windows_Trojan_Revcoderat.yar"
-include ".\rules\Windows_Trojan_Revengerat.yar"
-include ".\rules\Windows_Trojan_Rhadamanthys.yar"
-include ".\rules\Windows_Trojan_RudeBird.yar"
-include ".\rules\Windows_Trojan_SadBridge.yar"
-include ".\rules\Windows_Trojan_ServHelper.yar"
-include ".\rules\Windows_Trojan_ShadowPad.yar"
-include ".\rules\Windows_Trojan_SiestaGraph.yar"
-include ".\rules\Windows_Trojan_Sliver.yar"
-include ".\rules\Windows_Trojan_Smokeloader.yar"
-include ".\rules\Windows_Trojan_SnakeKeylogger.yar"
-include ".\rules\Windows_Trojan_SolarMarker.yar"
-include ".\rules\Windows_Trojan_SomniRecord.yar"
-include ".\rules\Windows_Trojan_SourShark.yar"
-include ".\rules\Windows_Trojan_SpectralViper.yar"
-include ".\rules\Windows_Trojan_Squirrelwaffle.yar"
-include ".\rules\Windows_Trojan_Stealc.yar"
-include ".\rules\Windows_Trojan_StormKitty.yar"
-include ".\rules\Windows_Trojan_STRRAT.yar"
-include ".\rules\Windows_Trojan_SuddenIcon.yar"
-include ".\rules\Windows_Trojan_SVCReady.yar"
-include ".\rules\Windows_Trojan_SysJoker.yar"
-include ".\rules\Windows_Trojan_SystemBC.yar"
-include ".\rules\Windows_Trojan_Sythe.yar"
-include ".\rules\Windows_Trojan_Tofsee.yar"
-include ".\rules\Windows_Trojan_Trickbot.yar"
-include ".\rules\Windows_Trojan_TwistedTinsel.yar"
-include ".\rules\Windows_Trojan_Vidar.yar"
-include ".\rules\Windows_Trojan_WarmCookie.yar"
-include ".\rules\Windows_Trojan_WhisperGate.yar"
-include ".\rules\Windows_Trojan_WikiLoader.yar"
-include ".\rules\Windows_Trojan_WineLoader.yar"
-include ".\rules\Windows_Trojan_Xeno.yar"
-include ".\rules\Windows_Trojan_Xpertrat.yar"
-include ".\rules\Windows_Trojan_XtremeRAT.yar"
-include ".\rules\Windows_Trojan_XWorm.yar"
-include ".\rules\Windows_Trojan_Zeus.yar"
-include ".\rules\Windows_Trojan_Zloader.yar"
-include ".\rules\Windows_Virus_Expiro.yar"
-include ".\rules\Windows_Virus_Floxif.yar"
-include ".\rules\Windows_Virus_Neshta.yar"
-include ".\rules\Windows_VulnDriver_Agent64.yar"
-include ".\rules\Windows_VulnDriver_Amifldrv.yar"
-include ".\rules\Windows_VulnDriver_ArPot.yar"
-include ".\rules\Windows_VulnDriver_AsIo.yar"
-include ".\rules\Windows_VulnDriver_Asrock.yar"
-include ".\rules\Windows_VulnDriver_Atillk.yar"
-include ".\rules\Windows_VulnDriver_ATSZIO.yar"
-include ".\rules\Windows_VulnDriver_Biostar.yar"
-include ".\rules\Windows_VulnDriver_BSMI.yar"
-include ".\rules\Windows_VulnDriver_CCProtect.yar"
-include ".\rules\Windows_VulnDriver_Cpuz.yar"
-include ".\rules\Windows_VulnDriver_DBUtil.yar"
-include ".\rules\Windows_VulnDriver_DirectIo.yar"
-include ".\rules\Windows_VulnDriver_EchoDrv.yar"
-include ".\rules\Windows_VulnDriver_Elby.yar"
-include ".\rules\Windows_VulnDriver_ElRawDisk.yar"
-include ".\rules\Windows_VulnDriver_EneIo.yar"
-include ".\rules\Windows_VulnDriver_FidDrv.yar"
-include ".\rules\Windows_VulnDriver_Fidpci.yar"
-include ".\rules\Windows_VulnDriver_Fileseclab.yar"
-include ".\rules\Windows_VulnDriver_GDrv.yar"
-include ".\rules\Windows_VulnDriver_GlckIo.yar"
-include ".\rules\Windows_VulnDriver_Gvci.yar"
-include ".\rules\Windows_VulnDriver_HpPortIo.yar"
-include ".\rules\Windows_VulnDriver_HrSword.yar"
-include ".\rules\Windows_VulnDriver_IoBitUnlocker.yar"
-include ".\rules\Windows_VulnDriver_Iqvw.yar"
-include ".\rules\Windows_VulnDriver_Lha.yar"
-include ".\rules\Windows_VulnDriver_LLAccess.yar"
-include ".\rules\Windows_VulnDriver_MarvinHW.yar"
-include ".\rules\Windows_VulnDriver_Mhyprot.yar"
-include ".\rules\Windows_VulnDriver_MicroStar.yar"
-include ".\rules\Windows_VulnDriver_MsIo.yar"
-include ".\rules\Windows_VulnDriver_MtcBsv.yar"
-include ".\rules\Windows_VulnDriver_PowerProfiler.yar"
-include ".\rules\Windows_VulnDriver_PowerTool.yar"
-include ".\rules\Windows_VulnDriver_ProcExp.yar"
-include ".\rules\Windows_VulnDriver_ProcId.yar"
-include ".\rules\Windows_VulnDriver_RentDrv.yar"
-include ".\rules\Windows_VulnDriver_RtCore.yar"
-include ".\rules\Windows_VulnDriver_Rtkio.yar"
-include ".\rules\Windows_VulnDriver_RWEverything.yar"
-include ".\rules\Windows_VulnDriver_Ryzen.yar"
-include ".\rules\Windows_VulnDriver_Sandra.yar"
-include ".\rules\Windows_VulnDriver_Segwin.yar"
-include ".\rules\Windows_VulnDriver_Speedfan.yar"
-include ".\rules\Windows_VulnDriver_ThreatFire.yar"
-include ".\rules\Windows_VulnDriver_TmComm.yar"
-include ".\rules\Windows_VulnDriver_ToshibaBios.yar"
-include ".\rules\Windows_VulnDriver_TrueSight.yar"
-include ".\rules\Windows_VulnDriver_VBox.yar"
-include ".\rules\Windows_VulnDriver_Viragt.yar"
-include ".\rules\Windows_VulnDriver_Vmdrv.yar"
-include ".\rules\Windows_VulnDriver_WinDivert.yar"
-include ".\rules\Windows_VulnDriver_WinFlash.yar"
-include ".\rules\Windows_VulnDriver_WinIo.yar"
-include ".\rules\Windows_VulnDriver_XTier.yar"
-include ".\rules\Windows_VulnDriver_Zam.yar"
-include ".\rules\Windows_Wiper_CaddyWiper.yar"
-include ".\rules\Windows_Wiper_DoubleZero.yar"
-include ".\rules\Windows_Wiper_HermeticWiper.yar"
-include ".\rules\Windows_Wiper_IsaacWiper.yar"
-include ".\rules\YARAForge_Extended.yar"
+include ".\rules\elastic-yara\Linux_Backdoor_Bash.yar"
+include ".\rules\elastic-yara\Linux_Backdoor_Fontonlake.yar"
+include ".\rules\elastic-yara\Linux_Backdoor_Generic.yar"
+include ".\rules\elastic-yara\Linux_Backdoor_Python.yar"
+include ".\rules\elastic-yara\Linux_Backdoor_Tinyshell.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Attribute.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Bscope.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Bulz.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Camelot.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Casdet.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Ccminer.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Flystudio.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Generic.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Ksmdbot.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Loudminer.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Malxmr.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Miancha.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Minertr.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Pgminer.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Presenoker.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Roboto.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Stak.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Ursu.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Uwamson.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Xmrig.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Xmrminer.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Xpaj.yar"
+include ".\rules\elastic-yara\Linux_Cryptominer_Zexaf.yar"
+include ".\rules\elastic-yara\Linux_Downloader_Generic.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Abrox.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Alie.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2009_1897.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2009_2698.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2009_2908.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2010_3301.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2012_0056.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2014_3153.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2016_4557.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2016_5195.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2017_100011.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2017_16995.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2018_10561.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2019_13272.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2021_3156.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2021_3490.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2021_4034.yar"
+include ".\rules\elastic-yara\Linux_Exploit_CVE_2022_0847.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Cornelgen.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Courier.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Criscras.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Dirtycow.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Enoket.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Foda.yar"
+include ".\rules\elastic-yara\Linux_Exploit_IOUring.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Intfour.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Local.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Log4j.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Lotoor.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Moogrey.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Openssl.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Perl.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Pulse.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Race.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Ramen.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Sorso.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Vmsplice.yar"
+include ".\rules\elastic-yara\Linux_Exploit_Wuftpd.yar"
+include ".\rules\elastic-yara\Linux_Generic_Threat.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Aduh.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Bruteforce.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Cleanlog.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Earthworm.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Exploitscan.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Flooder.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Fontonlake.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Infectionmonkey.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Lightning.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_LigoloNG.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Outlaw.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Portscan.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Prochide.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Tcpscan.yar"
+include ".\rules\elastic-yara\Linux_Hacktool_Wipelog.yar"
+include ".\rules\elastic-yara\Linux_Packer_Patched_UPX.yar"
+include ".\rules\elastic-yara\Linux_Proxy_Frp.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Agenda.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Akira.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Babuk.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_BlackBasta.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_BlackSuit.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Clop.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Conti.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_EchoRaix.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Erebus.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Esxiargs.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Gonnacry.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Hellokitty.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Hive.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_ItsSoEasy.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_LimpDemon.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Lockbit.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Monti.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_NoEscape.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Quantum.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_RagnarLocker.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_RedAlert.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_RoyalPest.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_SFile.yar"
+include ".\rules\elastic-yara\Linux_Ransomware_Sodinokibi.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Adore.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Arkd.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Bedevil.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_BrokePKG.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Dakkatoni.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Diamorphine.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Flipswitch.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Fontonlake.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Generic.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_HiddenWasp.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Jynx.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Kovid.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Melofee.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Mobkit.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Perfctl.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Reptile.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Snapekit.yar"
+include ".\rules\elastic-yara\Linux_Rootkit_Suterusu.yar"
+include ".\rules\elastic-yara\Linux_Shellcode_Generic.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Adlibrary.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Asacub.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Autocolor.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Azeela.yar"
+include ".\rules\elastic-yara\Linux_Trojan_BPFDoor.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Backconnect.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Backegmm.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Badbee.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Banload.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Bedevil.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Bish.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Bluez.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Cerbu.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Chinaz.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Connectback.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ddostf.yar"
+include ".\rules\elastic-yara\Linux_Trojan_DinodasRAT.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Dnsamp.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Dofloo.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Dropperl.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ebury.yar"
+include ".\rules\elastic-yara\Linux_Trojan_FinalDraft.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Gafgyt.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ganiw.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Generic.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Getshell.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Godlua.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Godropper.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Gognt.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Hiddad.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ipstorm.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ircbot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Iroffer.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Kaiji.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Kinsing.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ladvix.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Lady.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Lala.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Malxmr.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Marut.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Masan.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mech.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mechbot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Melofee.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Merlin.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Metasploit.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Meterpreter.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mettle.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mirai.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mobidash.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Morpes.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Mumblehard.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Ngioweb.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Nuker.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Orbit.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Patpooty.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Pnscan.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Pornoasset.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Psybnc.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Pumakit.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Rbot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Rekoobe.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Roopre.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Rooter.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Rotajakiro.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Rozena.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sambashell.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sckit.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sdbot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Setag.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sfloost.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Shark.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Shellbot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Skidmap.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Snessik.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Snowlight.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Springtail.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sqlexp.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sshdkit.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sshdoor.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Subsevux.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Swrort.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Sysrv.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Torii.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Truncpx.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Tsunami.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Winnti.yar"
+include ".\rules\elastic-yara\Linux_Trojan_XZBackdoor.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Xhide.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Xorddos.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Xpmmap.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Zerobot.yar"
+include ".\rules\elastic-yara\Linux_Trojan_Zpevdo.yar"
+include ".\rules\elastic-yara\Linux_Virus_Gmon.yar"
+include ".\rules\elastic-yara\Linux_Virus_Rst.yar"
+include ".\rules\elastic-yara\Linux_Virus_Staffcounter.yar"
+include ".\rules\elastic-yara\Linux_Virus_Thebe.yar"
+include ".\rules\elastic-yara\Linux_Webshell_Generic.yar"
+include ".\rules\elastic-yara\Linux_Worm_Generic.yar"
+include ".\rules\elastic-yara\MacOS_Backdoor_Applejeus.yar"
+include ".\rules\elastic-yara\MacOS_Backdoor_Fakeflashlxk.yar"
+include ".\rules\elastic-yara\MacOS_Backdoor_Kagent.yar"
+include ".\rules\elastic-yara\MacOS_Backdoor_Keyboardrecord.yar"
+include ".\rules\elastic-yara\MacOS_Backdoor_Useragent.yar"
+include ".\rules\elastic-yara\MacOS_Creddump_KeychainAccess.yar"
+include ".\rules\elastic-yara\MacOS_Cryptominer_Generic.yar"
+include ".\rules\elastic-yara\MacOS_Cryptominer_Xmrig.yar"
+include ".\rules\elastic-yara\MacOS_Exploit_Log4j.yar"
+include ".\rules\elastic-yara\MacOS_Hacktool_Bifrost.yar"
+include ".\rules\elastic-yara\MacOS_Hacktool_Swiftbelt.yar"
+include ".\rules\elastic-yara\MacOS_Infostealer_MdQueryPassw.yar"
+include ".\rules\elastic-yara\MacOS_Infostealer_MdQuerySecret.yar"
+include ".\rules\elastic-yara\MacOS_Infostealer_MdQueryTCC.yar"
+include ".\rules\elastic-yara\MacOS_Infostealer_MdQueryToken.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Adload.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Amcleaner.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Aobokeylogger.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_BeaverTail.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Bundlore.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_CryptoBot.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Eggshell.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Electrorat.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Fplayer.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Generic.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Genieo.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Getshell.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_HLoader.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_KandyKorn.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Metasploit.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Odyssey.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Paradox.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_RootTroy.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_RustBucket.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Stratofear.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_SugarLoader.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Telegram2.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_Thiefquest.yar"
+include ".\rules\elastic-yara\MacOS_Trojan_XScreen.yar"
+include ".\rules\elastic-yara\MacOS_Virus_Maxofferdeal.yar"
+include ".\rules\elastic-yara\MacOS_Virus_Pirrit.yar"
+include ".\rules\elastic-yara\MacOS_Virus_Vsearch.yar"
+include ".\rules\elastic-yara\Macos_Hacktool_JokerSpy.yar"
+include ".\rules\elastic-yara\Macos_Infostealer_Atomic.yar"
+include ".\rules\elastic-yara\Macos_Infostealer_Banshee.yar"
+include ".\rules\elastic-yara\Macos_Infostealer_EncodedOsascript.yar"
+include ".\rules\elastic-yara\Macos_Infostealer_Wallets.yar"
+include ".\rules\elastic-yara\Macos_Trojan_NukeSped.yar"
+include ".\rules\elastic-yara\Multi_AttackSimulation_Blindspot.yar"
+include ".\rules\elastic-yara\Multi_Cryptominer_Xmrig.yar"
+include ".\rules\elastic-yara\Multi_EICAR.yar"
+include ".\rules\elastic-yara\Multi_Generic_Threat.yar"
+include ".\rules\elastic-yara\Multi_Hacktool_Gsocket.yar"
+include ".\rules\elastic-yara\Multi_Hacktool_Nps.yar"
+include ".\rules\elastic-yara\Multi_Hacktool_Rakshasa.yar"
+include ".\rules\elastic-yara\Multi_Hacktool_Stowaway.yar"
+include ".\rules\elastic-yara\Multi_Hacktool_SuperShell.yar"
+include ".\rules\elastic-yara\Multi_Ransomware_Akira.yar"
+include ".\rules\elastic-yara\Multi_Ransomware_BlackCat.yar"
+include ".\rules\elastic-yara\Multi_Ransomware_Luna.yar"
+include ".\rules\elastic-yara\Multi_Ransomware_RansomHub.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Coreimpact.yar"
+include ".\rules\elastic-yara\Multi_Trojan_EmpirGo.yar"
+include ".\rules\elastic-yara\Multi_Trojan_FinalDraft.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Goffloader.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Gosar.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Merlin.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Mythic.yar"
+include ".\rules\elastic-yara\Multi_Trojan_Sliver.yar"
+include ".\rules\elastic-yara\Multi_Trojan_SparkRat.yar"
+include ".\rules\elastic-yara\Windows_AttackSimulation_Hovercraft.yar"
+include ".\rules\elastic-yara\Windows_Backdoor_DragonCastling.yar"
+include ".\rules\elastic-yara\Windows_Backdoor_Goldbackdoor.yar"
+include ".\rules\elastic-yara\Windows_Backdoor_TeamViewer.yar"
+include ".\rules\elastic-yara\Windows_Clickfraud_LuckySlots.yar"
+include ".\rules\elastic-yara\Windows_Cryptominer_Generic.yar"
+include ".\rules\elastic-yara\Windows_Exploit_CVE_2022_38028.yar"
+include ".\rules\elastic-yara\Windows_Exploit_Dcom.yar"
+include ".\rules\elastic-yara\Windows_Exploit_Eternalblue.yar"
+include ".\rules\elastic-yara\Windows_Exploit_FakePipe.yar"
+include ".\rules\elastic-yara\Windows_Exploit_Generic.yar"
+include ".\rules\elastic-yara\Windows_Exploit_IoRing.yar"
+include ".\rules\elastic-yara\Windows_Exploit_Log4j.yar"
+include ".\rules\elastic-yara\Windows_Exploit_Perfusion.yar"
+include ".\rules\elastic-yara\Windows_Exploit_RpcJunction.yar"
+include ".\rules\elastic-yara\Windows_Generic_MalCert.yar"
+include ".\rules\elastic-yara\Windows_Generic_Threat.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_AskCreds.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_BlackBone.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_COFFLoader.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Capcom.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Certify.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_CheatEngine.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_ChromeKatz.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_ClrOxide.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_CpuLocker.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_DarkLoadLibrary.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Dcsyncer.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_DinvokeRust.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_EDRWFP.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_EDRrecon.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_ExecuteAssembly.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Gmer.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_GodPotato.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Iox.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_LeiGod.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Mimikatz.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_NetFilter.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Nimhawk.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Phant0m.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_PhysMem.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_ProcessHacker.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_RingQ.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Rubeus.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SafetyKatz.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_Seatbelt.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharPersist.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpAppLocker.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpChromium.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpDump.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpGPOAbuse.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpHound.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpLAPS.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpMove.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpRDP.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpSCCM.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpShares.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpStay.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpUp.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpView.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SharpWMI.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_SleepObfLoader.yar"
+include ".\rules\elastic-yara\Windows_Hacktool_WinPEAS_ng.yar"
+include ".\rules\elastic-yara\Windows_Infostealer_EddieStealer.yar"
+include ".\rules\elastic-yara\Windows_Infostealer_Generic.yar"
+include ".\rules\elastic-yara\Windows_Infostealer_NovaBlight.yar"
+include ".\rules\elastic-yara\Windows_Infostealer_PhemedroneStealer.yar"
+include ".\rules\elastic-yara\Windows_Infostealer_Strela.yar"
+include ".\rules\elastic-yara\Windows_PUP_Generic.yar"
+include ".\rules\elastic-yara\Windows_PUP_MediaArena.yar"
+include ".\rules\elastic-yara\Windows_PUP_Veriato.yar"
+include ".\rules\elastic-yara\Windows_Packer_ScrubCrypt.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Agenda.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Akira.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Avoslocker.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Azov.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Bitpaymer.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_BlackBasta.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_BlackHunt.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Blackmatter.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Cicada3301.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Clop.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Conti.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Crytox.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Cuba.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Darkside.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Dharma.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Doppelpaymer.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_DragonForce.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Egregor.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_GandCrab.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Generic.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Grief.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Haron.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Hellokitty.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Helloxd.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Hive.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Lockbit.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Lockfile.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Magniber.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Makop.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Maui.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Maze.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Medusa.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Mespinoza.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Mountlocker.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Nightsky.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Pandora.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Phobos.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Ragnarok.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Ransomexx.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Rook.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Royal.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Ryuk.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Snake.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Sodinokibi.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Stop.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Thanos.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Vgod.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_Vhd.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_WannaCry.yar"
+include ".\rules\elastic-yara\Windows_Ransomware_WhisperGate.yar"
+include ".\rules\elastic-yara\Windows_RemoteAdmin_UltraVNC.yar"
+include ".\rules\elastic-yara\Windows_Rootkit_AbyssWorker.yar"
+include ".\rules\elastic-yara\Windows_Rootkit_R77.yar"
+include ".\rules\elastic-yara\Windows_Shellcode_Generic.yar"
+include ".\rules\elastic-yara\Windows_Shellcode_Rdi.yar"
+include ".\rules\elastic-yara\Windows_Trojan_A310logger.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ACRStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Adaptix.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Afdk.yar"
+include ".\rules\elastic-yara\Windows_Trojan_AgentTesla.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Amadey.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Arechclient2.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ArkeiStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Asyncrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_AveMaria.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Azorult.yar"
+include ".\rules\elastic-yara\Windows_Trojan_BITSloth.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Babble.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Babylonrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Backoff.yar"
+include ".\rules\elastic-yara\Windows_Trojan_BadIIS.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Bandook.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Bazar.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Beam.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Behinder.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Bitrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_BlackShades.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Blackwood.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Blister.yar"
+include ".\rules\elastic-yara\Windows_Trojan_BloodAlchemy.yar"
+include ".\rules\elastic-yara\Windows_Trojan_BruteRatel.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Buerloader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Bughatch.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Bumblebee.yar"
+include ".\rules\elastic-yara\Windows_Trojan_CaesarKbd.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Carberp.yar"
+include ".\rules\elastic-yara\Windows_Trojan_CastleLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Clipbanker.yar"
+include ".\rules\elastic-yara\Windows_Trojan_CobaltStrike.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Cryptbot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_CyberGate.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DBatLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DCRat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DTrack.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Danabot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Dante.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DarkCloud.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DarkGate.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DarkVNC.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Darkcomet.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DeerStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Deimos.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DiamondFox.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Diceloader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DodgeBox.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Donutloader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DoorMe.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DoubleBack.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DoubleLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DownTown.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DragonBreath.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DreamJob.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Dridex.yar"
+include ".\rules\elastic-yara\Windows_Trojan_DustyWarehouse.yar"
+include ".\rules\elastic-yara\Windows_Trojan_EagerBee.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Emotet.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Fabookie.yar"
+include ".\rules\elastic-yara\Windows_Trojan_FalseFont.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Farfli.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Fickerstealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_FinalDraft.yar"
+include ".\rules\elastic-yara\Windows_Trojan_FlawedGrace.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Formbook.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Garble.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Generic.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Gh0st.yar"
+include ".\rules\elastic-yara\Windows_Trojan_GhostEngine.yar"
+include ".\rules\elastic-yara\Windows_Trojan_GhostPulse.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Glupteba.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Gozi.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Grandoreiro.yar"
+include ".\rules\elastic-yara\Windows_Trojan_GuidLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Guloader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Hancitor.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Havoc.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Hawkeye.yar"
+include ".\rules\elastic-yara\Windows_Trojan_HazelCobra.yar"
+include ".\rules\elastic-yara\Windows_Trojan_HiddenCli.yar"
+include ".\rules\elastic-yara\Windows_Trojan_HiddenDriver.yar"
+include ".\rules\elastic-yara\Windows_Trojan_HijackLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_HotPage.yar"
+include ".\rules\elastic-yara\Windows_Trojan_IcedID.yar"
+include ".\rules\elastic-yara\Windows_Trojan_JesterStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Jupyter.yar"
+include ".\rules\elastic-yara\Windows_Trojan_KoiLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Kronos.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Latrodectus.yar"
+include ".\rules\elastic-yara\Windows_Trojan_LegionLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Limerat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Lobshot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Lokibot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Lumma.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Lurker.yar"
+include ".\rules\elastic-yara\Windows_Trojan_M0yv.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MagicRat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MassLogger.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Mata.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Matanbuchus.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Merlin.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MetaStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Metasploit.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MicroBackdoor.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MimicRat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ModPipe.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MonsterV2.yar"
+include ".\rules\elastic-yara\Windows_Trojan_MyloBot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_NanoRemote.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Nanocore.yar"
+include ".\rules\elastic-yara\Windows_Trojan_NapListener.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Netwire.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Nighthawk.yar"
+include ".\rules\elastic-yara\Windows_Trojan_NightshadeC2.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Nimplant.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Njrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_NukeSped.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Octopus.yar"
+include ".\rules\elastic-yara\Windows_Trojan_OnlyLogger.yar"
+include ".\rules\elastic-yara\Windows_Trojan_OskiStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Oyster.yar"
+include ".\rules\elastic-yara\Windows_Trojan_P8Loader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Pandastealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Parallax.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PathLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Phoreal.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PikaBot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Pingpull.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PipeDance.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PizzaPotion.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PlugX.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Pony.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PoshC2.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PowerSeal.yar"
+include ".\rules\elastic-yara\Windows_Trojan_PrivateLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ProtectS.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Qbot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Quasarrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Raccoon.yar"
+include ".\rules\elastic-yara\Windows_Trojan_RaspberryRobin.yar"
+include ".\rules\elastic-yara\Windows_Trojan_RedLineStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Remcos.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Revcoderat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Revengerat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Rhadamanthys.yar"
+include ".\rules\elastic-yara\Windows_Trojan_RoningLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_RudeBird.yar"
+include ".\rules\elastic-yara\Windows_Trojan_STRRAT.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SVCReady.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SadBridge.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SalatStealer.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ServHelper.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ShadowPad.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ShelbyC2.yar"
+include ".\rules\elastic-yara\Windows_Trojan_ShelbyLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Shellter.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SiestaGraph.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SilentConnect.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Sliver.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Smokeloader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SnakeKeylogger.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SolarMarker.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SomniRecord.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SourShark.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SpectralViper.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Squirrelwaffle.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Stealc.yar"
+include ".\rules\elastic-yara\Windows_Trojan_StormKitty.yar"
+include ".\rules\elastic-yara\Windows_Trojan_StumpZarus.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SuddenIcon.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Supper.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SysJoker.yar"
+include ".\rules\elastic-yara\Windows_Trojan_SystemBC.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Sythe.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Tofsee.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Tollbooth.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Trickbot.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Tuoni.yar"
+include ".\rules\elastic-yara\Windows_Trojan_TwistedTinsel.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Vidar.yar"
+include ".\rules\elastic-yara\Windows_Trojan_WMLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_WarmCookie.yar"
+include ".\rules\elastic-yara\Windows_Trojan_WhisperGate.yar"
+include ".\rules\elastic-yara\Windows_Trojan_WikiLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_WineLoader.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Winos.yar"
+include ".\rules\elastic-yara\Windows_Trojan_XWorm.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Xeno.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Xpertrat.yar"
+include ".\rules\elastic-yara\Windows_Trojan_XtremeRAT.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Zeus.yar"
+include ".\rules\elastic-yara\Windows_Trojan_Zloader.yar"
+include ".\rules\elastic-yara\Windows_Virus_Expiro.yar"
+include ".\rules\elastic-yara\Windows_Virus_Floxif.yar"
+include ".\rules\elastic-yara\Windows_Virus_Neshta.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ATSZIO.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Agent64.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Amifldrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ArPot.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_AsIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Asrock.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Atillk.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_BSMI.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Biostar.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_CCProtect.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Cpuz.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_DBUtil.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_DirectIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_EchoDrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ElRawDisk.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Elby.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_EneIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_FidDrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Fidpci.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Fileseclab.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_GDrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_GlckIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Gvci.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_HpPortIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_HrSword.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_IoBitUnlocker.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Iqvw.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_LLAccess.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Lha.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_MarvinHW.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Mhyprot.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_MicroStar.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_MsIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_MtcBsv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_PowerProfiler.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_PowerTool.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ProcExp.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ProcId.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_RWEverything.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_RentDrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_RtCore.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Rtkio.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Ryzen.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Sandra.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Segwin.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Speedfan.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ThreatFire.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ThrottleStop.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_TmComm.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_TopazOFD.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_ToshibaBios.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_TrueSight.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_VBox.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Viragt.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Vmdrv.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_WinDivert.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_WinFlash.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_WinIo.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_XTier.yar"
+include ".\rules\elastic-yara\Windows_VulnDriver_Zam.yar"
+include ".\rules\elastic-yara\Windows_Wiper_CaddyWiper.yar"
+include ".\rules\elastic-yara\Windows_Wiper_DoubleZero.yar"
+include ".\rules\elastic-yara\Windows_Wiper_HermeticWiper.yar"
+include ".\rules\elastic-yara\Windows_Wiper_IsaacWiper.yar"
+include ".\rules\YARAForge\YARAForge_Extended.yar"

Scanners/Yara/rules/Linux_Rootkit_Generic.yar

@@ -1,75 +0,0 @@
-rule Linux_Rootkit_Generic_61229bdf {
-    meta:
-        author = "Elastic Security"
-        id = "61229bdf-0b78-48b1-8a4d-09836dd2bcac"
-        fingerprint = "8180ee7a04fd5ba23700e77ad3be7f30d592e77cffa8ebee8de7094627446335"
-        creation_date = "2024-11-14"
-        last_modified = "2024-11-22"
-        threat_name = "Linux.Rootkit.Generic"
-        severity = 100
-        arch_context = "x86, arm64"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $str1 = "dropshell"
-        $str2 = "fake_account_user_time"
-        $str3 = "fake_bpf_trace_printk"
-        $str4 = "fake_crash_kexec"
-        $str5 = "fake_loadavg_proc_show"
-        $str6 = "fake_sched_debug_show"
-        $str7 = "fake_seq_show_ipv4_tcp"
-        $str8 = "fake_seq_show_ipv4_udp"
-        $str9 = "fake_seq_show_ipv6_tcp"
-        $str10 = "fake_seq_show_ipv6_udp"
-        $str11 = "fake_trace_printk"
-        $str12 = "give_root"
-        $str13 = "hack_getdents"
-        $str14 = "hacked_getdents64"
-        $str15 = "hacked_kill"
-        $str16 = "hideModule"
-        $str17 = "hide_module"
-        $str18 = "hide_tcp4_port"
-        $str19 = "hide_tcp6_port"
-        $str20 = "hidden_tcp4_ports"
-        $str21 = "hidden_tcp6_ports"
-        $str22 = "hidden_udp4_ports"
-        $str23 = "hidden_udp6_ports"
-        $str24 = "hook_getdents"
-        $str25 = "hook_kill"
-        $str26 = "hook_local_in_func"
-        $str27 = "hook_local_out_func"
-        $str28 = "hook_tcp4_seq_show"
-        $str29 = "hook_tcp6_seq_show"
-        $str30 = "hooked_tcp6_seq_show"
-        $str31 = "hooked_udp4_seq_show"
-        $str32 = "hooked_udp6_seq_show"
-        $str33 = "is_invisible"
-        $str34 = "module_hide"
-        $str35 = "module_show"
-        $str36 = "nf_inet_hooks"
-        $str37 = "old_access"
-        $str38 = "old_fopen"
-        $str39 = "old_lxstat"
-        $str40 = "old_open"
-        $str41 = "old_opendir"
-        $str42 = "old_readdir"
-        $str43 = "old_rmdir"
-        $str44 = "old_unlink"
-        $str45 = "old_xstat"
-        $str46 = "orig_getdents"
-        $str47 = "orig_getdents64"
-        $str48 = "orig_kill"
-        $str49 = "orig_tcp4_seq_show"
-        $str50 = "orig_tcp6_seq_show"
-        $str51 = "secret_connection"
-        $str52 = "unhide_file"
-        $str53 = "unhide_proc"
-        $str54 = "unhide_tcp4_port"
-        $str55 = "unhide_tcp6_port"
-        $str56 = "unhide_udp4_port"
-        $str57 = "unhide_udp6_port"
-    condition:
-        4 of ($str*)
-}
-

Scanners/Yara/rules/MacOS_Backdoor_Applejeus.yar

@@ -1,20 +0,0 @@
-rule MacOS_Backdoor_Applejeus_31872ae2 {
-    meta:
-        author = "Elastic Security"
-        id = "31872ae2-f6df-4079-89c2-866cb2e62ec8"
-        fingerprint = "24b78b736f691e6b84ba88b0bb47aaba84aad0c0e45cf70f2fa8c455291517df"
-        creation_date = "2021-10-18"
-        last_modified = "2021-10-25"
-        threat_name = "MacOS.Backdoor.Applejeus"
-        reference_sample = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "macos"
-    strings:
-        $a = { FF CE 74 12 89 F0 31 C9 80 34 0F 63 48 FF C1 48 39 C8 75 F4 }
-    condition:
-        all of them
-}
-

Scanners/Yara/rules/MacOS_Trojan_Generic.yar

@@ -1,20 +0,0 @@
-rule MacOS_Trojan_Generic_a829d361 {
-    meta:
-        author = "Elastic Security"
-        id = "a829d361-ac57-4615-b8e9-16089c44d7af"
-        fingerprint = "5dba43dbc5f4d5ee295e65d66dd4e7adbdb7953232faf630b602e6d093f69584"
-        creation_date = "2021-10-05"
-        last_modified = "2021-10-25"
-        threat_name = "MacOS.Trojan.Generic"
-        reference_sample = "5b2a1cd801ae68a890b40dbd1601cdfeb5085574637ae8658417d0975be8acb5"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "macos"
-    strings:
-        $a = { E7 81 6A 12 EA A8 56 6C 86 94 ED F6 E8 D7 35 E1 EC 65 47 BA 8E 46 2C A6 14 5F }
-    condition:
-        all of them
-}
-

Scanners/Yara/rules/Macos_Infostealer_Wallets.yar

@@ -1,112 +0,0 @@
-rule Macos_Infostealer_Wallets_8e469ea0 {
-    meta:
-        author = "Elastic Security"
-        id = "8e469ea0-0c68-444b-b19a-4e1ab89f94b2"
-        fingerprint = "ef913d90c42c8ed1ac47a0057e5e1cb7d5b2de66fe13b088724e87e223d6c377"
-        creation_date = "2024-03-06"
-        last_modified = "2024-08-26"
-        threat_name = "Macos.Infostealer.Wallets"
-        reference_sample = "0e649facc5c82f7112997c7629bd114e63acc1c8dc9ede646214243ace9b9c1d"
-        severity = 100
-        arch_context = "x86, arm64"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "macos"
-    strings:
-        $s1 = "Ibnejdfjmmkpcnlpebklmnkoeoihofec" ascii wide nocase
-        $s2 = "fhbohimaelbohpjbbldcngcnapndodjp" ascii wide nocase
-        $s3 = "ffnbelfdoeiohenkjibnmadjiehjhajb" ascii wide nocase
-        $s4 = "jbdaocneiiinmjbjlgalhcelgbejmnid" ascii wide nocase
-        $s5 = "afbcbjpbpfadlkmhmclhkeeodmamcflc" ascii wide nocase
-        $s6 = "hnfanknocfeofbddgcijnmhnfnkdnaad" ascii wide nocase
-        $s7 = "hpglfhgfnhbgpjdenjgmdgoeiappafln" ascii wide nocase
-        $s8 = "blnieiiffboillknjnepogjhkgnoapac" ascii wide nocase
-        $s9 = "cjelfplplebdjjenllpjcblmjkfcffne" ascii wide nocase
-        $s10 = "fihkakfobkmkjojpchpfgcmhfjnmnfpi" ascii wide nocase
-        $s11 = "kncchdigobghenbbaddojjnnaogfppfj" ascii wide nocase
-        $s12 = "amkmjjmmflddogmhpjloimipbofnfjih" ascii wide nocase
-        $s13 = "nlbmnnijcnlegkjjpcfjclmcfggfefdm" ascii wide nocase
-        $s14 = "nanjmdknhkinifnkgdcggcfnhdaammmj" ascii wide nocase
-        $s15 = "nkddgncdjgjfcddamfgcmfnlhccnimig" ascii wide nocase
-        $s16 = "fnjhmkhhmkbjkkabndcnnogagogbneec" ascii wide nocase
-        $s17 = "cphhlgmgameodnhkjdmkpanlelnlohao" ascii wide nocase
-        $s18 = "nhnkbkgjikgcigadomkphalanndcapjk" ascii wide nocase
-        $s19 = "kpfopkelmapcoipemfendmdcghnegimn" ascii wide nocase
-        $s20 = "aiifbnbfobpmeekipheeijimdpnlpgpp" ascii wide nocase
-        $s21 = "dmkamcknogkgcdfhhbddcghachkejeap" ascii wide nocase
-        $s22 = "fhmfendgdocmcbmfikdcogofphimnkno" ascii wide nocase
-        $s23 = "cnmamaachppnkjgnildpdmkaakejnhae" ascii wide nocase
-        $s24 = "jojhfeoedkpkglbfimdfabpdfjaoolaf" ascii wide nocase
-        $s25 = "flpiciilemghbmfalicajoolhkkenfel" ascii wide nocase
-        $s26 = "nknhiehlklippafakaeklbeglecifhad" ascii wide nocase
-        $s27 = "hcflpincpppdclinealmandijcmnkbgn" ascii wide nocase
-        $s28 = "ookjlbkiijinhpmnjffcofjonbfbgaoc" ascii wide nocase
-        $s29 = "mnfifefkajgofkcjkemidiaecocnkjeh" ascii wide nocase
-        $s30 = "lodccjjbdhfakaekdiahmedfbieldgik" ascii wide nocase
-        $s31 = "Ijmpgkjfkbfhoebgogflfebnmejmfbml" ascii wide nocase
-        $s32 = "lkcjlnjfpbikmcmbachjpdbijejflpcm" ascii wide nocase
-        $s33 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii wide nocase
-        $s34 = "bcopgchhojmggmffilplmbdicgaihlkp" ascii wide nocase
-        $s35 = "klnaejjgbibmhlephnhpmaofohgkpgkd" ascii wide nocase
-        $s36 = "aeachknmefphepccionboohckonoeemg" ascii wide nocase
-        $s37 = "dkdedlpgdmmkkfjabffeganieamfklkm" ascii wide nocase
-        $s38 = "nlgbhdfgdhgbiamfdfmbikcdghidoadd" ascii wide nocase
-        $s39 = "onofpnbbkehpmmoabgpcpmigafmmnjhl" ascii wide nocase
-        $s40 = "cihmoadaighcejopammfbmddcmdekcje" ascii wide nocase
-        $s41 = "cgeeodpfagjceefieflmdfphplkenlfk" ascii wide nocase
-        $s42 = "pdadjkfkgcafgbceimcpbkalnfnepbnk" ascii wide nocase
-        $s43 = "acmacodkjbdgmoleebolmdjonilkdbch" ascii wide nocase
-        $s44 = "bfnaelmomeimhlpmgjnjophhpkkoljpa" ascii wide nocase
-        $s45 = "fhilaheimglignddkjgofkcbgekhenbh" ascii wide nocase
-        $s46 = "mgffkfbidihjpoaomajlbgchddlicgpn" ascii wide nocase
-        $s47 = "hmeobnfnfcmdkdcmlblgagmfpfboieaf" ascii wide nocase
-        $s48 = "lpfcbjknijpeeillifnkikgncikgfhdo" ascii wide nocase
-        $s49 = "dngmlblcodfobpdpecaadgfbcggfjfnm" ascii wide nocase
-        $s50 = "bhhhlbepdkbapadjdnnojkbgioiodbic" ascii wide nocase
-        $s51 = "jnkelfanjkeadonecabehalmbgpfodjm" ascii wide nocase
-        $s52 = "jhgnbkkipaallpehbohjmkbjofjdmeid" ascii wide nocase
-        $s53 = "jnlgamecbpmbajjfhmmmlhejkemejdma" ascii wide nocase
-        $s54 = "kkpllkodjeloidieedojogacfhpaihoh" ascii wide nocase
-        $s55 = "mcohilncbfahbmgdjkbpemcciiolgcge" ascii wide nocase
-        $s56 = "gjagmgiddbbciopjhllkdnddhcglnemk" ascii wide nocase
-        $s57 = "kmhcihpebfmpgmihbkipmjlmmioameka" ascii wide nocase
-        $s58 = "phkbamefinggmakgklpkljjmgibohnba" ascii wide nocase
-        $s59 = "lpilbniiabackdjcionkobglmddfbcjo" ascii wide nocase
-        $s60 = "cjmkndjhnagcfbpiemnkdpomccnjblmj" ascii wide nocase
-        $s61 = "aijcbedoijmgnlmjeegjaglmepbmpkpi" ascii wide nocase
-        $s62 = "efbglgofoippbgcjepnhiblaibcnclgk" ascii wide nocase
-        $s63 = "odbfpeeihdkbihmopkbjmoonfanlbfcl" ascii wide nocase
-        $s64 = "fnnegphlobjdpkhecapkijjdkgcjhkib" ascii wide nocase
-        $s65 = "aodkkagnadcbobfpggfnjeongemjbjca" ascii wide nocase
-        $s66 = "akoiaibnepcedcplijmiamnaigbepmcb" ascii wide nocase
-        $s67 = "ejbalbakoplchlghecdalmeeeajnimhm" ascii wide nocase
-        $s68 = "dfeccadlilpndjjohbjdblepmjeahlmm" ascii wide nocase
-        $s69 = "kjmoohlgokccodicjjfebfomlbljgfhk" ascii wide nocase
-        $s70 = "ajkhoeiiokighlmdnlakpjfoobnjinie" ascii wide nocase
-        $s71 = "fplfipmamcjaknpgnipjeaeeidnjooao" ascii wide nocase
-        $s72 = "niihfokdlimbddhfmngnplgfcgpmlido" ascii wide nocase
-        $s73 = "obffkkagpmohennipjokmpllocnlndac" ascii wide nocase
-        $s74 = "kfocnlddfahihoalinnfbnfmopjokmhl" ascii wide nocase
-        $s75 = "infeboajgfhgbjpjbeppbkgnabfdkdaf" ascii wide nocase
-        $s76 = "{530f7c6c-6077-4703-8f71-cb368c663e35}.xpi" ascii wide nocase
-        $s77 = "ronin-wallet@axieinfinity.com.xpi" ascii wide nocase
-        $s78 = "webextension@metamask.io.xpi" ascii wide nocase
-        $s79 = "{5799d9b6-8343-4c26-9ab6-5d2ad39884ce}.xpi" ascii wide nocase
-        $s80 = "{aa812bee-9e92-48ba-9570-5faf0cfe2578}.xpi" ascii wide nocase
-        $s81 = "{59ea5f29-6ea9-40b5-83cd-937249b001e1}.xpi" ascii wide nocase
-        $s82 = "{d8ddfc2a-97d9-4c60-8b53-5edd299b6674}.xpi" ascii wide nocase
-        $s83 = "{7c42eea1-b3e4-4be4-a56f-82a5852b12dc}.xpi" ascii wide nocase
-        $s84 = "{b3e96b5f-b5bf-8b48-846b-52f430365e80}.xpi" ascii wide nocase
-        $s85 = "{eb1fb57b-ca3d-4624-a841-728fdb28455f}.xpi" ascii wide nocase
-        $s86 = "{76596e30-ecdb-477a-91fd-c08f2018df1a}.xpi" ascii wide nocase
-        $s87 = "ejjladinnckdgjemekebdpeokbikhfci" ascii wide nocase
-        $s88 = "bgpipimickeadkjlklgciifhnalhdjhe" ascii wide nocase
-        $s89 = "epapihdplajcdnnkdeiahlgigofloibg" ascii wide nocase
-        $s90 = "aholpfdialjgjfhomihkjbmgjidlcdno" ascii wide nocase
-        $s91 = "egjidjbpglichdcondbcbdnbeeppgdph" ascii wide nocase
-        $s92 = "pnndplcbkakcplkjnolgbkdgjikjednm" ascii wide nocase
-        $s93 = "gojhcdgcpbpfigcaejpfhfegekdgiblk" ascii wide nocase
-    condition:
-        6 of them
-}
-

Scanners/Yara/rules/Multi_Trojan_Gosar.yar

@@ -1,26 +0,0 @@
-rule Multi_Trojan_Gosar_31dba745 {
-    meta:
-        author = "Elastic Security"
-        id = "31dba745-8079-4161-9299-84a4c33b95c8"
-        fingerprint = "87e44b3050eb33edb24ad8aa8923ed91124f2e92e4eae42e94decefc49ccbf4c"
-        creation_date = "2024-11-05"
-        last_modified = "2024-12-04"
-        threat_name = "Multi.Trojan.Gosar"
-        reference_sample = "4caf4b280e61745ce53f96f48a74dea3b69df299c3b9de78ba4731b83c76c334"
-        severity = 100
-        arch_context = "x86, arm64"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "multi"
-    strings:
-        $a1 = "GetRecoverAccounts"
-        $a2 = "GetIsFirstScreen"
-        $a3 = "DoWebcamStop"
-        $a4 = "DoAskElevate"
-        $a5 = "vibrant/proto/pb"
-        $a6 = "vibrant/network/sender"
-        $a7 = "vibrant/pkg/helpers"
-    condition:
-        3 of them
-}
-

Scanners/Yara/rules/Windows_Trojan_Cryptbot.yar

@@ -1,24 +0,0 @@
-rule Windows_Trojan_Cryptbot_489a6562 {
-    meta:
-        author = "Elastic Security"
-        id = "489a6562-870c-4105-9bb7-52ab09e5b09c"
-        fingerprint = "f4578d79f8923706784e9d55a70ec74051273a945d2b277daa6229724defec3f"
-        creation_date = "2021-08-18"
-        last_modified = "2021-10-04"
-        threat_name = "Windows.Trojan.Cryptbot"
-        reference_sample = "423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "windows"
-    strings:
-        $a1 = "/c rd /s /q %Temp%\\" wide fullword
-        $a2 = "\\_Files\\_AllPasswords_list.txt" wide fullword
-        $a3 = "\\files_\\cryptocurrency\\log.txt" wide fullword
-        $a4 = "%wS\\%wS\\%wS.tmp" wide fullword
-        $a5 = "%AppData%\\waves-exchange" wide fullword
-    condition:
-        all of them
-}
-

Scanners/Yara/rules/Windows_Trojan_Grandoreiro.yar

@@ -1,24 +0,0 @@
-rule Windows_Trojan_Grandoreiro_51236ba2 {
-    meta:
-        author = "Elastic Security"
-        id = "51236ba2-fdbc-4c46-b57b-27fc1e135486"
-        fingerprint = "c3082cc865fc177d8cbabcfcf9fb67317af5f2d28e8eeb95eb04108a558d80d4"
-        creation_date = "2022-08-23"
-        last_modified = "2023-06-13"
-        description = "Grandoreiro rule, target loader and payload"
-        threat_name = "Windows.Trojan.Grandoreiro"
-        reference_sample = "1bdf381e7080d9bed3f52f4b3db1991a80d3e58120a5790c3d1609617d1f439e"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "windows"
-    strings:
-        $antivm0 = { B8 68 58 4D 56 BB 12 F7 6C 3C B9 0A 00 00 00 66 BA 58 56 ED B8 01 00 00 00 }
-        $antivm1 = { B9 [4] 89 E5 53 51 64 FF 35 00 00 00 00 64 89 25 00 00 00 00 BB 00 00 00 00 B8 01 00 00 00 0F 3F 07 0B }
-        $xor0 = { 0F B7 44 70 ?? 33 D8 8D 45 ?? 50 89 5D ?? }
-        $xor1 = { 8B 45 ?? 0F B7 44 70 ?? 33 C3 89 45 ?? }
-    condition:
-        all of them
-}
-

Scanners/Yara/rules/Windows_Trojan_LegionLoader.yar

@@ -1,20 +0,0 @@
-rule Windows_Trojan_LegionLoader_f91120c6 {
-    meta:
-        author = "Elastic Security"
-        id = "f91120c6-395d-4c47-acd2-49c7eb1b8013"
-        fingerprint = "81476a8981ca0dbd7ac32073d6dc4362ae251ff06827c120e902f1aa3a53ce68"
-        creation_date = "2024-06-05"
-        last_modified = "2024-06-12"
-        threat_name = "Windows.Trojan.LegionLoader"
-        reference_sample = "45670ffa9b24542ae84e3c9eb5ce609c2bcd29129215a7f37eb74b6211e32b22"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "windows"
-    strings:
-        $a = { 55 8B EC 83 EC 08 89 4D F8 8B 4D F8 E8 4F 01 00 00 0F B6 C0 85 C0 75 09 C7 45 FC 01 00 00 00 EB 07 C7 45 FC 00 00 00 00 0F B6 45 FC 8B E5 5D C3 55 8B EC 51 89 4D FC 8B 4D FC E8 21 01 00 00 8B }
-    condition:
-        all of them
-}
-

Scanners/Yara/rules/elastic-yara/Linux_Cryptominer_Camelot.yar

@@ -17,25 +17,6 @@ rule Linux_Cryptominer_Camelot_9ac1654b {
         all of them
 }
 
-rule Linux_Cryptominer_Camelot_dd167aa0 {
-    meta:
-        author = "Elastic Security"
-        id = "dd167aa0-80e0-46dc-80d1-9ce9f6984860"
-        fingerprint = "2642e4c4c58d95cd6ed6d38bf89b108dc978a865473af92494b6cb89f4f877e2"
-        creation_date = "2021-01-12"
-        last_modified = "2021-09-16"
-        threat_name = "Linux.Cryptominer.Camelot"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { E7 F2 AE 4C 89 EF 48 F7 D1 48 89 CE 48 89 D1 F2 AE 48 89 C8 48 }
-    condition:
-        all of them
-}
-
 rule Linux_Cryptominer_Camelot_b25398dd {
     meta:
         author = "Elastic Security"

Scanners/Yara/rules/elastic-yara/Linux_Cryptominer_Xmrig.yar

@@ -77,25 +77,6 @@ rule Linux_Cryptominer_Xmrig_e7e64fb7 {
         all of them
 }
 
-rule Linux_Cryptominer_Xmrig_79b42b21 {
-    meta:
-        author = "Elastic Security"
-        id = "79b42b21-1408-4837-8f1f-6de30d7f5777"
-        fingerprint = "4cd0481edd1263accdac3ff941df4e31ef748bded0fba5fe55a9cffa8a37b372"
-        creation_date = "2021-01-12"
-        last_modified = "2021-09-16"
-        threat_name = "Linux.Cryptominer.Xmrig"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { FC 00 79 0A 8B 45 B8 83 E0 04 85 C0 75 38 8B 45 EC 83 C0 01 }
-    condition:
-        all of them
-}
-
 rule Linux_Cryptominer_Xmrig_77fbc695 {
     meta:
         author = "Elastic Security"

Scanners/Yara/rules/elastic-yara/Linux_Cryptominer_Xmrminer.yar

@@ -156,26 +156,6 @@ rule Linux_Cryptominer_Xmrminer_02d19c01 {
         all of them
 }
 
-rule Linux_Cryptominer_Xmrminer_2dd045fc {
-    meta:
-        author = "Elastic Security"
-        id = "2dd045fc-a585-4a49-b334-773bc86a3370"
-        fingerprint = "b5f02ac76db686e61c6f293183f2c17fe0f901a65eebaccfe109f07fc9abeeaa"
-        creation_date = "2021-01-12"
-        last_modified = "2021-09-16"
-        threat_name = "Linux.Cryptominer.Xmrminer"
-        reference_sample = "30a77ab582f0558829a78960929f657a7c3c03c2cf89cd5a0f6934b79a74b7a4"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { BA 0E 00 00 00 74 25 48 8B 8C 24 B8 00 00 00 64 48 33 0C 25 28 00 }
-    condition:
-        all of them
-}
-
 rule Linux_Cryptominer_Xmrminer_d1a814b0 {
     meta:
         author = "Elastic Security"

Scanners/Yara/rules/elastic-yara/Linux_Hacktool_Earthworm.yar

@@ -18,26 +18,6 @@ rule Linux_Hacktool_Earthworm_4de7b584 {
         all of them
 }
 
-rule Linux_Hacktool_Earthworm_e3da43e2 {
-    meta:
-        author = "Elastic Security"
-        id = "e3da43e2-1737-4c51-af6c-7c64d9cbfb07"
-        fingerprint = "fdf19096c6afc1c3be75fe4bb2935aca8ac915c97ad0ab3c2b87e803347cc460"
-        creation_date = "2021-01-12"
-        last_modified = "2021-09-16"
-        threat_name = "Linux.Hacktool.Earthworm"
-        reference_sample = "da0cffc4222d11825778fe4fa985fef2945caa0cc3b4de26af0a06509ebafb21"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "linux"
-    strings:
-        $a = { 8D 20 FF FF FF 4C 89 C1 4C 8B 85 20 FF FF FF 49 D3 E0 4C 21 C7 48 83 }
-    condition:
-        all of them
-}
-
 rule Linux_Hacktool_Earthworm_82d5c4cf {
     meta:
         author = "Elastic Security"

Scanners/Yara/rules/elastic-yara/Linux_Hacktool_Outlaw.yar

@@ -0,0 +1,87 @@
+rule Linux_Hacktool_Outlaw_cf069e73 {
+    meta:
+        author = "Elastic Security"
+        id = "cf069e73-21f8-494c-b60e-286c033d2d55"
+        fingerprint = "25169be28aa92f36a6d7cb803056efe1b7892a78120b648dc81887bc66eae89d"
+        creation_date = "2025-02-21"
+        last_modified = "2025-03-07"
+        description = "Outlaw SSH bruteforce component fom the Dota3 package"
+        threat_name = "Linux.Hacktool.Outlaw"
+        reference_sample = "c3efbd6b5e512e36123f7b24da9d83f11fffaf3023d5677d37731ebaa959dd27"
+        severity = 100
+        arch_context = "x86, arm64"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $ssh_key_1 = "MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI8vKBZRGKsHoCAggA"
+        $ssh_key_2 = "MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAECBBBC3juWsJ7DsDd2wH2XI+vUBIIJ"
+        $ssh_key_3 = "UCQ2viiVV8pk3QSUOiwionAoe4j4cBP3Ly4TQmpbLge9zRfYEUVe4LmlytlidI7H"
+        $ssh_key_4 = "O+bWbjqkvRXT9g/SELQofRrjw/W2ZqXuWUjhuI9Ruq0qYKxCgG2DR3AcqlmOv54g"
+        $path_1 = "/home/eax/up"
+        $path_2 = "/var/tmp/dota"
+        $path_3 = "/dev/shm/ip"
+        $path_4 = "/dev/shm/p"
+        $path_5 = "/var/tmp/.systemcache"
+        $cmd_1 = "cat /proc/cpuinfo | grep name | head -n 1 | awk '{print $4,$5,$6,$7,$8,$9;}'"
+        $cmd_2 = "cd ~; chattr -ia .ssh; lockr -ia .ssh"
+        $cmd_3 = "sort -R b | awk '{ if ( NF == 2 ) print } '> p || cat b | awk '{ if ( NF == 2 ) print } '> p; sort -R a"
+        $cmd_4 = "rm -rf /var/tmp/dota*"
+        $cmd_5 = "rm -rf a b c d p ip ab.tar.gz"
+    condition:
+        (all of ($ssh_key*)) or (3 of ($path*) and 3 of ($cmd*))
+}
+
+rule Linux_Hacktool_Outlaw_bc128a02 {
+    meta:
+        author = "Elastic Security"
+        id = "bc128a02-ee4e-484d-ae94-9e5cf1d26e94"
+        fingerprint = "7dbce4ec62eac61115a98bcf0703bfddf684e54adef2b17d31a88cdfbf52e23c"
+        creation_date = "2025-02-21"
+        last_modified = "2025-03-07"
+        description = "Socat wrapper found in one of the versions of the outlaw Dota3 package"
+        threat_name = "Linux.Hacktool.Outlaw"
+        reference_sample = "008eadac3de35c5d4cd46ec00eb3997ff4c2fe864232fff5320b2697de7116cd"
+        severity = 100
+        arch_context = "x86, arm64"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $str_1 = ".templock"
+        $str_2 = "Selected IP: %s\n"
+        $str_3 = "Connection is working! #########"
+        $str_4 = "Killed all socat processes using 'pkill -9 socat'."
+        $str_5 = "socat process is running! (PID: %d)\n"
+        $str_6 = "Connection to %s:%d is working!\n"
+    condition:
+        5 of them
+}
+
+rule Linux_Hacktool_Outlaw_2f007b58 {
+    meta:
+        author = "Elastic Security"
+        id = "2f007b58-2041-4ef8-8bd5-3a76a6e86ece"
+        fingerprint = "7fc8a66712a147a1006e053b9e957b4e6029a793850e187ec8e1c4921f454462"
+        creation_date = "2025-02-28"
+        last_modified = "2025-03-07"
+        threat_name = "Linux.Hacktool.Outlaw"
+        reference_sample = "008eadac3de35c5d4cd46ec00eb3997ff4c2fe864232fff5320b2697de7116cd"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "linux"
+    strings:
+        $x64_start_thread = { 31 DB B9 10 00 00 00 4C 8B 44 24 10 48 89 D8 48 89 EF BE 7F 00 00 00 F3 48 AB 48 8B 4C 24 08 }
+        $x64_main = { 4B 8B 04 F7 48 89 42 10 4B 8B 44 F7 10 48 89 42 18 4B 8B 44 F7 20 48 89 42 20 4B 8B 44 F7 08 48 89 42 28 4B 8B 44 F7 18 48 89 42 30 4B 8B 44 F7 28 48 89 42 38 4D 85 F6 74 7B }
+        $x64_main_getopt = { 4C 89 EE 89 DF E8 ?? ?? ?? ?? 83 F8 FF 74 11 83 E8 48 83 F8 2E 77 E2 49 63 04 84 4C 01 E0 FF E0 }
+        $x64_ip_select = { 89 C2 48 98 48 69 C0 AB AA AA 2A 89 D1 C1 F9 1F 48 C1 E8 20 29 C8 8D 0C 40 89 D0 01 C9 29 C8 83 F8 02 }
+        $x86_main = { 83 C4 10 C6 04 06 00 8B 85 00 C2 FC FF 89 34 B8 83 C7 01 8B 85 10 C2 FC FF 83 EC 08 01 F8 89 85 04 C2 FC FF 89 85 0C C2 FC FF FF B5 08 C2 FC FF 6A 00 }
+        $x86_main_getopt = { 83 C4 10 83 F8 FF 74 13 83 E8 48 83 F8 2E 8B 8C 83 ?? ?? ?? ?? 01 D9 FF E1 }
+        $x86_ip_select = { BA AB AA AA 2A 83 C4 10 89 C1 F7 EA 89 C8 C1 F8 1F 29 C2 8D 04 52 01 C0 29 C1 83 F9 02 }
+        $x86_worker = { 83 C4 10 8D 7C 24 10 90 8B 46 04 85 C0 74 4F 8B 6E 74 83 EC 0C 55 }
+    condition:
+        3 of ($x64*) or 3 of ($x86*)
+}
+