fix: FPs with Trellix software

threatcode · Dec 10, 2024 · 18921bc · 18921bc
1 parent e3966f0
commit 18921bc
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/yara/gen_github_net_redteam_tools_names.yar b/yara/gen_github_net_redteam_tools_names.yar
@@ -256,12 +256,16 @@ rule HKTL_NET_NAME_AmsiBypass {
 		hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b"
         author = "Arnim Rupp"
         date = "2021-01-22"
+        modified = "2024-12-10"
         id = "26db14d8-1034-5bd1-a719-4756c832901d"
     strings:
-        $name = "AmsiBypass" ascii wide
-        $compile = "AssemblyTitle" ascii wide
+        $s_name = "AmsiBypass" ascii wide
+        $s_compile = "AssemblyTitle" ascii wide
+
+        $fp1 = "Adaptive Threat Protection" wide
     condition:
-        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*)
+        and not 1 of ($fp*)
 }
 
 rule HKTL_NET_NAME_Recon_AD {