Create YARA IDS rules to catch a particular executable and its variants.
rule Rule1
{
    // Matches a sample that carries the custom banner below, in either
    // single-byte (ascii) or UTF-16LE (wide) form. No other anchoring is
    // applied, so this fires on any file type containing the banner.
    strings:
        // NOTE(review): the missing leading "W" and the "x0x100" tail look
        // like they could be copy/extraction artefacts — confirm the exact
        // bytes against the sample before relying on this string.
        $banner = "elcome to the YaraRulesx0x100" wide ascii
    condition:
        $banner
}
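rule Rule2
{
    // Heuristic for a PE that (a) references IsDebuggerPresent, (b) embeds a
    // manifest with requestedExecutionLevel "asInvoker" and (c) references
    // token-privilege adjustment. Each of these strings is also common in
    // benign binaries, so on its own the combination is low-fidelity; the
    // condition is therefore anchored to the MZ magic so the rule only
    // evaluates against PE images rather than arbitrary files.
    meta:
        description = "PE with debugger check, asInvoker manifest and token privilege adjustment"
    strings:
        $s_debug    = "IsDebuggerPresent" wide ascii
        $s_manifest = "asInvoker" wide ascii
        // Prefix of the AdjustTokenPrivileges import name; kept as written
        // so the substring still matches the full name.
        $s_token    = "AdjustTokenPrivilege" wide ascii
    condition:
        // 0x5A4D is "MZ" read little-endian at offset 0: restrict to PE files.
        uint16(0) == 0x5A4D and all of them
}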
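rule Rule3
{
    // Variant of Rule2 aimed at a packed build: looks for a truncated
    // IsDebuggerPresent reference, the "asInvoker" manifest level and a
    // "UPX" marker (e.g. UPX section names). "UPX" alone matches any
    // UPX-packed file and "asInvoker" is present in many manifests, so the
    // condition is anchored to the MZ magic to keep the rule on PE images.
    meta:
        description = "UPX-marked PE with truncated debugger check and asInvoker manifest"
    strings:
        // Deliberately a prefix of IsDebuggerPresent, presumably to tolerate
        // partially surviving strings in packed variants — kept as written.
        $s_debug    = "IsDebuggerP" wide ascii
        $s_manifest = "asInvoker" wide ascii
        $s_upx      = "UPX" wide ascii
    condition:
        // 0x5A4D is "MZ" read little-endian at offset 0: restrict to PE files.
        uint16(0) == 0x5A4D and all of them
}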