Overview
This section contains detection logic for SIEM/EDR platforms, including Sigma and YARA rules.
Rules are mapped to MITRE ATT&CK techniques for triage and hunting.
Available Detections
Arsenal-237: Original Analysis (16 samples)
- Arsenal-237: agent.exe (PoetRAT)
- Arsenal-237: agent_xworm.exe (XWorm RAT v6)
- Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0)
- Arsenal-237: FleetAgentAdvanced.exe
- Arsenal-237: FleetAgentFUD.exe
- Arsenal-237: uac_test.exe
- Arsenal-237: enc/dec Ransomware Family
Arsenal-237: New Files - Advanced Toolkit (11 samples)
- Arsenal-237 New Files: killer.dll (BYOVD Process Termination)
- Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination)
- Arsenal-237 New Files: lpe.exe (Privilege Escalation)
- Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver)
- Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit)
- Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence)
- Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft)
- Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2)
- Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware)
- Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor)
- Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware)
Other Threat Intelligence Reports
- Webserver Compromise Kit 91.236.230.250
- Detection Rules - Remcos RAT OpenDirectory Campaign
- NsMiner Cryptojacker - Detection Rules
- Detection Rules - Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm
- Detection Rules - PULSAR RAT (server.exe)
- Hybrid Loader/Stealer Ecosystem Masquerading as Sogou
- Houselet.exe - The Go-Based Loader Masquerading as PlayStation Remote Play
- AdvancedRouterScanner
- From Webshells to The Cloud
- QuasarRAT + Xworm + PowerShell Loader
Usage
- Deploy Sigma/YARA rules in your SIEM/EDR.
- Map detections to ATT&CK techniques for triage.
- Adapt rules for your environment’s telemetry sources.
License
Detection rules are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.