docs: more rule ids

Author: Neo23x0

yara/expl_lnk_zdi_can_25373.yar

@@ -6,6 +6,7 @@ rule EXT_EXPL_ZTH_LNK_EXPLOIT_A
         reference = "https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html"
         date = "2025-03-18"
         score = 80
+        id = "14788504-64e3-533b-ad21-00a3462a33cc"
     strings:
         $spoof_a = {20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00}
         $spoof_b = {09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00}

yara/gen_webshells.yar

@@ -5702,6 +5702,7 @@ rule EXT_WEBSHELL_JSP_Generic_Tiny
         hash = "87c3ac9b75a72187e8bc6c61f50659435dbdc4fde6ed720cebb93881ba5989d8"
         hash = "1aa6af726137bf261849c05d18d0a630d95530588832aadd5101af28acc034b5"
 
+        id = "fad14524-de44-52ea-95e6-3e5de3138926"
     strings:
         $payload1 = "ProcessBuilder" fullword wide ascii
         $payload2 = "URLClassLoader" fullword wide ascii

yara/hktl_HvS_nfs_security_tooling.yar

@@ -7,6 +7,7 @@ rule HKTL_NFS_Fuse_NFS {
       score = 75
       reference = "https://github.com/hvs-consulting/nfs-security-tooling"
 
+      id = "287fbe7d-ee1c-58a4-aa2d-9d9bec8321b4"
    strings:
       $s1 = "NFS3ConnectionFactory" fullword ascii
       $s2 = "fuse_to_nfs_timestamp" fullword ascii
@@ -31,6 +32,7 @@ rule HKTL_NFS_NFS_Analyze {
       score = 75
       reference = "https://github.com/hvs-consulting/nfs-security-tooling"
 
+      id = "3350d0ae-e638-5c8f-a578-ba0ac5521053"
    strings:
       $s1 = "no_root_squash_exports" fullword ascii
       $s2 = "nfs lock manager" fullword ascii

yara/mal_babbleloader_win_jan24.yar

@@ -1,24 +1,24 @@
-rule mal_babbleloader_win_jan24 {
-  meta:
-      author = "0x0d4y"
-      description = "This rule detects intrinsic patterns of BabbleLoader."
-      date = "2025-01-27"
-      score = 100
-      reference = "https://0x0d4y.blog/babbleloader-technical-malware-analysis/"
-      hash = "fa3d03c319a7597712eeff1338dabf92"
-
-      uuid = "b2f18ab3-b4df-4e2f-aa23-de8694beb221"
-      license = "CC BY 4.0"
-      rule_matching_tlp = "TLP:WHITE"
-      rule_sharing_tlp = "TLP:WHITE"
-    strings:
-    $str_decryption_algorithm = { 48 63 44 24 ?? 48 8b 4c 24 ?? 0f b6 04 ?? 33 44 ?? ?? 0f b6 4c ?? ?? d2 c8 48 63 4c ?? ?? 48 8b 54 ?? ?? 88 04 0a 6b 44 24 ?? ?? 89 44 ?? ?? 8b 44 24 ?? ff c0 89 44 24 }
-    $hashing_algorithm = { 48 8b 44 24 ?? 0f be ?? 89 44 24 ?? 8b 44 24 ?? 89 44 24 ?? 48 8b 44 24 ?? 48 ff c0 48 89 44 24 ?? 83 7c 24 08 ?? ?? ?? 8b 44 24 ?? 8b 0c ?? 03 c8 8b c1 89 04 24 8b 44 24 ?? 05 ?? ?? ?? ?? 8b 0c 24 0f af c8 8b c1 89 04 }
-    $halos_gate = { 48 8b 44 24 ?? 0f b6 ?? 83 f8 4c 0f ?? ?? ?? ?? ?? 48 8b 44 ?? ?? 0f b6 ?? ?? 3d 8b ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 3d d1 ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 3d b8 ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 85 c0 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 85c0 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 88 44 ?? ?? 48 8b 44 24 ?? 0f b6 40 ?? 88 44 ?? ?? 0f b6 44 ?? ?? c1 e0 08 0f b6 4c ?? ?? 0b c1 48 8b 8c ?? ?? ?? ?? ?? 89 01 ?? ?? ?? ?? ?? 48 8b 44 ?? ?? 0f b6 00 3d e9 }
-
-    $get_syscall_offset = { 4d 33 db 4c 8b d9 c3 }
-    $jump_syscall_offset = { 4c 8b d1 41 8b 03 41 ff 63 ?? }
-    condition:
-        uint16(0) == 0x5a4d and
-        $str_decryption_algorithm and $hashing_algorithm and (1 of ($halos_gate, $get_syscall_offset, $jump_syscall_offset))
+rule mal_babbleloader_win_jan24 {
+  meta:
+      author = "0x0d4y"
+      description = "This rule detects intrinsic patterns of BabbleLoader."
+      date = "2025-01-27"
+      score = 100
+      reference = "https://0x0d4y.blog/babbleloader-technical-malware-analysis/"
+      hash = "fa3d03c319a7597712eeff1338dabf92"
+
+      uuid = "b2f18ab3-b4df-4e2f-aa23-de8694beb221"
+      license = "CC BY 4.0"
+      rule_matching_tlp = "TLP:WHITE"
+      rule_sharing_tlp = "TLP:WHITE"
+    strings:
+    $str_decryption_algorithm = { 48 63 44 24 ?? 48 8b 4c 24 ?? 0f b6 04 ?? 33 44 ?? ?? 0f b6 4c ?? ?? d2 c8 48 63 4c ?? ?? 48 8b 54 ?? ?? 88 04 0a 6b 44 24 ?? ?? 89 44 ?? ?? 8b 44 24 ?? ff c0 89 44 24 }
+    $hashing_algorithm = { 48 8b 44 24 ?? 0f be ?? 89 44 24 ?? 8b 44 24 ?? 89 44 24 ?? 48 8b 44 24 ?? 48 ff c0 48 89 44 24 ?? 83 7c 24 08 ?? ?? ?? 8b 44 24 ?? 8b 0c ?? 03 c8 8b c1 89 04 24 8b 44 24 ?? 05 ?? ?? ?? ?? 8b 0c 24 0f af c8 8b c1 89 04 }
+    $halos_gate = { 48 8b 44 24 ?? 0f b6 ?? 83 f8 4c 0f ?? ?? ?? ?? ?? 48 8b 44 ?? ?? 0f b6 ?? ?? 3d 8b ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 3d d1 ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 3d b8 ?? ?? ?? 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 85 c0 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 85c0 75 ?? 48 8b 44 ?? ?? 0f b6 40 ?? 88 44 ?? ?? 48 8b 44 24 ?? 0f b6 40 ?? 88 44 ?? ?? 0f b6 44 ?? ?? c1 e0 08 0f b6 4c ?? ?? 0b c1 48 8b 8c ?? ?? ?? ?? ?? 89 01 ?? ?? ?? ?? ?? 48 8b 44 ?? ?? 0f b6 00 3d e9 }
+
+    $get_syscall_offset = { 4d 33 db 4c 8b d9 c3 }
+    $jump_syscall_offset = { 4c 8b d1 41 8b 03 41 ff 63 ?? }
+    condition:
+        uint16(0) == 0x5a4d and
+        $str_decryption_algorithm and $hashing_algorithm and (1 of ($halos_gate, $get_syscall_offset, $jump_syscall_offset))
 }

yara/mal_lockbit4_hashing_alg_win_feb24.yar

@@ -1,22 +1,22 @@
-rule mal_lockbit4_hashing_alg_win_feb24
-{
-    meta:
-        author = "0x0d4y"
-        description = "This rule detects the custom hashing algorithm of Lockbit4.0 unpacked"
-        date = "2024-02-16"
-        score = 100
-        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
-        hash = "062311F136D83F64497FD81297360CD4"
-
-        uuid = "e91aedba-6f70-4ca2-9217-2991cbbc6e8d"
-        license = "CC BY 4.0"
-        rule_matching_tlp = "TLP:WHITE"
-        rule_sharing_tlp = "TLP:WHITE"
-        malpedia_family = "win.lockbit"
-    strings:
-        $hashing_alg = { 41 89 d0 46 0f be 04 00 45 09 c0 74 ?? 45 8d 48 ?? 45 8d 50 ?? 41 80 f9 ?? 45 0f 43 d0 44 31 d1 44 8d 04 3a 45 0f af c2 41 01 c8 89 d1 31 f9 09 d2 0f 44 ca 41 0f af c8 44 01 d1 ff c2 eb ?? 49 ff c6 }
-        
-    condition:
-        uint16(0) == 0x5a4d and
-        $hashing_alg
+rule mal_lockbit4_hashing_alg_win_feb24
+{
+    meta:
+        author = "0x0d4y"
+        description = "This rule detects the custom hashing algorithm of Lockbit4.0 unpacked"
+        date = "2024-02-16"
+        score = 100
+        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
+        hash = "062311F136D83F64497FD81297360CD4"
+
+        uuid = "e91aedba-6f70-4ca2-9217-2991cbbc6e8d"
+        license = "CC BY 4.0"
+        rule_matching_tlp = "TLP:WHITE"
+        rule_sharing_tlp = "TLP:WHITE"
+        malpedia_family = "win.lockbit"
+    strings:
+        $hashing_alg = { 41 89 d0 46 0f be 04 00 45 09 c0 74 ?? 45 8d 48 ?? 45 8d 50 ?? 41 80 f9 ?? 45 0f 43 d0 44 31 d1 44 8d 04 3a 45 0f af c2 41 01 c8 89 d1 31 f9 09 d2 0f 44 ca 41 0f af c8 44 01 d1 ff c2 eb ?? 49 ff c6 }
+        
+    condition:
+        uint16(0) == 0x5a4d and
+        $hashing_alg
 }

yara/mal_lockbit4_packed_win_feb24.yar

@@ -1,25 +1,25 @@
-rule mal_lockbit4_packed_feb24
-{
-    meta:
-        author = "0x0d4y"
-        description = "Detect the packer used by Lockbit4.0"
-        date = "2024-02-16"
-        score = 100
-        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
-        hash = "15796971D60F9D71AD162060F0F76A02"
-        uuid = "3c2b2806-9dce-4dce-a7ca-89ebc9005695"
-        license = "CC BY 4.0"
-        rule_matching_tlp = "TLP:WHITE"
-        rule_sharing_tlp = "TLP:WHITE"
-        malpedia_family = "win.lockbit"
-    strings:
-        $unpacking_loop_64b = { 8b 1e 48 83 ee fc 11 db 8a 16 72 e5 8d 41 01 41 ff d3 11 c0 01 db 75 0a }
-        $jump_to_unpacked_code_64b = { 48 8b 2d 16 0f ?? ?? 48 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 49 89 e1 41 b8 04 ?? ?? ?? 53 5a 90 57 59 90 48 83 ec ?? ff d5 48 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 4c 8d 4c 24 ?? 4d 8b 01 53 90 5a 90 57 59 ff d5 48 83 c4 ?? 5d 5f 5e 5b 48 8d 44 24 ?? 6a ?? 48 39 c4 75 f9 48 83 ec ?? e9 }
-        $unpacking_loop_32b = { 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 72 ?? 9C 29 C0 40 9D 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE ?? 11 DB 73 }        
-        $jump_to_unpacked_code_32b = { 8b ae ?? ?? ?? ?? 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 54 6a 04 53 57 ff d5 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 ff d5 58 8d 9e 00 f0 ?? ?? 8d bb ?? ?? ?? ?? 57 31 c0 aa 59 49 50 6a 01 53 ff d1 61 8d 44 24 ?? 6a ?? 39 c4 75 fa 83 ec ?? e9 }
-
-    condition:
-        uint16(0) == 0x5a4d and
-        1 of ($jump_to_unpacked_code_*) and
-        1 of ($unpacking_loop_*)
+rule mal_lockbit4_packed_feb24
+{
+    meta:
+        author = "0x0d4y"
+        description = "Detect the packer used by Lockbit4.0"
+        date = "2024-02-16"
+        score = 100
+        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
+        hash = "15796971D60F9D71AD162060F0F76A02"
+        uuid = "3c2b2806-9dce-4dce-a7ca-89ebc9005695"
+        license = "CC BY 4.0"
+        rule_matching_tlp = "TLP:WHITE"
+        rule_sharing_tlp = "TLP:WHITE"
+        malpedia_family = "win.lockbit"
+    strings:
+        $unpacking_loop_64b = { 8b 1e 48 83 ee fc 11 db 8a 16 72 e5 8d 41 01 41 ff d3 11 c0 01 db 75 0a }
+        $jump_to_unpacked_code_64b = { 48 8b 2d 16 0f ?? ?? 48 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 49 89 e1 41 b8 04 ?? ?? ?? 53 5a 90 57 59 90 48 83 ec ?? ff d5 48 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 4c 8d 4c 24 ?? 4d 8b 01 53 90 5a 90 57 59 ff d5 48 83 c4 ?? 5d 5f 5e 5b 48 8d 44 24 ?? 6a ?? 48 39 c4 75 f9 48 83 ec ?? e9 }
+        $unpacking_loop_32b = { 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 72 ?? 9C 29 C0 40 9D 01 DB 75 ?? 8B 1E 83 EE ?? 11 DB 11 C0 01 DB 73 ?? 75 ?? 8B 1E 83 EE ?? 11 DB 73 }        
+        $jump_to_unpacked_code_32b = { 8b ae ?? ?? ?? ?? 8d be 00 f0 ?? ?? bb 00 ?? ?? ?? 50 54 6a 04 53 57 ff d5 8d 87 ?? ?? ?? ?? 80 20 ?? 80 60 ?? ?? 58 50 54 50 53 57 ff d5 58 8d 9e 00 f0 ?? ?? 8d bb ?? ?? ?? ?? 57 31 c0 aa 59 49 50 6a 01 53 ff d1 61 8d 44 24 ?? 6a ?? 39 c4 75 fa 83 ec ?? e9 }
+
+    condition:
+        uint16(0) == 0x5a4d and
+        1 of ($jump_to_unpacked_code_*) and
+        1 of ($unpacking_loop_*)
 }

yara/mal_lockbit4_rc4_win_feb24.yar

@@ -1,21 +1,21 @@
-rule mal_lockbit4_rc4_win_feb24
-{
-    meta:
-        author = "0x0d4y"
-        description = "Detect the implementation of RC4 Algorithm by Lockbit4.0"
-        date = "2024-02-13"
-        score = 100
-        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
-        hash = "062311F136D83F64497FD81297360CD4"
-        uuid = "4de48ced-b9fa-4286-aac4-c263ad20d67d"
-        license = "CC BY 4.0"
-        rule_matching_tlp = "TLP:WHITE"
-        rule_sharing_tlp = "TLP:WHITE"
-        malpedia_family = "win.lockbit"
-    strings:
-        $rc4_alg = { 48 3d 00 01 00 00 74 0c 88 84 04 ?? ?? ?? ?? 48 ff c0 eb ec 29 c9 41 b8 ?? ?? ?? ?? 4c 8d 0d 15 7b 00 00 45 31 d2 48 81 f9 00 01 00 00 74 34 44 8a 9c 0c ?? ?? ?? ?? 45 00 da 89 c8 99 41 f7 f8 46 02 14 0a 41 0f b6 c2 8a 94 04 ?? ?? ?? ?? 88 94 0c ?? ?? ?? ?? 44 88 9c 04 ?? ?? ?? ?? 48 ff c1 eb c3 29 c0 48 8b 0d 14 9e 00 00 31 d2 45 29 c0 48 3d ?? ?? ?? ?? 74 4b 41 ff c0 45 0f b6 c0 46 8a 8c 04 ?? ?? ?? ?? 44 00 ca 44 0f b6 d2 46 8a 9c 14 ?? ?? ?? ?? 46 88 9c 04 ?? ?? ?? ?? 46 88 8c 14 ?? ?? ?? ?? 46 02 8c 04 ?? ?? ?? ?? 45 0f b6 c9 46 8a 8c 0c ?? ?? ?? ?? 44 30 0c 01 48 ff c0 eb ad }
-        
-    condition:
-        uint16(0) == 0x5a4d and
-        $rc4_alg
+rule mal_lockbit4_rc4_win_feb24
+{
+    meta:
+        author = "0x0d4y"
+        description = "Detect the implementation of RC4 Algorithm by Lockbit4.0"
+        date = "2024-02-13"
+        score = 100
+        reference = "https://0x0d4y.blog/lockbit4-0-evasion-tales/"
+        hash = "062311F136D83F64497FD81297360CD4"
+        uuid = "4de48ced-b9fa-4286-aac4-c263ad20d67d"
+        license = "CC BY 4.0"
+        rule_matching_tlp = "TLP:WHITE"
+        rule_sharing_tlp = "TLP:WHITE"
+        malpedia_family = "win.lockbit"
+    strings:
+        $rc4_alg = { 48 3d 00 01 00 00 74 0c 88 84 04 ?? ?? ?? ?? 48 ff c0 eb ec 29 c9 41 b8 ?? ?? ?? ?? 4c 8d 0d 15 7b 00 00 45 31 d2 48 81 f9 00 01 00 00 74 34 44 8a 9c 0c ?? ?? ?? ?? 45 00 da 89 c8 99 41 f7 f8 46 02 14 0a 41 0f b6 c2 8a 94 04 ?? ?? ?? ?? 88 94 0c ?? ?? ?? ?? 44 88 9c 04 ?? ?? ?? ?? 48 ff c1 eb c3 29 c0 48 8b 0d 14 9e 00 00 31 d2 45 29 c0 48 3d ?? ?? ?? ?? 74 4b 41 ff c0 45 0f b6 c0 46 8a 8c 04 ?? ?? ?? ?? 44 00 ca 44 0f b6 d2 46 8a 9c 14 ?? ?? ?? ?? 46 88 9c 04 ?? ?? ?? ?? 46 88 8c 14 ?? ?? ?? ?? 46 02 8c 04 ?? ?? ?? ?? 45 0f b6 c9 46 8a 8c 0c ?? ?? ?? ?? 44 30 0c 01 48 ff c0 eb ad }
+        
+    condition:
+        uint16(0) == 0x5a4d and
+        $rc4_alg
 }

yara/mal_octowave_loader_mar25.yar

@@ -33,6 +33,7 @@ rule Octowave_Loader_03_2025 {
 	0x5bb3e F3A5                          rep movsd dword ptr es:[edi], dword ptr [esi]
 	0x5bb40 83601000                      and dword ptr [eax + 10h], 0
 	 */
+        id = "d583c416-be20-5fcf-848e-edd037e3b0d4"
 	strings:
 		$opcode_1 = {
 			55

yara/mal_phish_feb25.yar

@@ -6,6 +6,7 @@ rule MAL_PHISH_ShellCode_Enc_Payload_Feb25 {
       hash = "247e6a648bb22d35095ba02ef4af8cfe0a4cdfa25271117414ff2e3a21021886"
       date = "2025-02-14"
       score = 80
+      id = "8459c5ba-37ec-59bd-8d4a-5ab7b6bb4553"
    strings:
      $op1 = { 48 89 EA FF D0 48 89 E9 4C 8D 4C 24 ?? 41 B8 ?? ?? ?? ?? 48 89 C7 48 89 C3 48 89 EA F3 A4 48 89 C1 41 FF D4 31 C9 FF D3}
    condition:
@@ -20,6 +21,7 @@ rule MAL_PHISH_Final_Payload_Feb25 {
       hash = "de384aba6b0c6800095eb530954aa718d4ed96cccfc0b1e5e4d01404f3518a77"
       date = "2025-02-14"
       score = 80
+      id = "9014e1f2-09c2-5ba0-8b7c-6ae8c069d1f7"
    strings:
       $s1 = "%lu: %s %s" wide
       $s2 = "(Direct Inbound)" wide
@@ -46,6 +48,7 @@ rule SUSP_Sysinternals_Desktops_Anomaly_Feb25 {
       hash = "9a5b9d89686de129a7b1970d5804f0f174156143ccfcd2cf669451c1ad4ab97e"
       hash = "ff82c4c679c5486aed2d66a802682245a1e9cd7d6ceb65fa0e7b222f902998e8"
       hash = "1da91d2570329f9e214f51bc633283f10bd55a145b7b3d254e03175fd86292d9"
+      id = "5a586222-9263-5079-be48-9cfa464440d4"
    strings:
       $s1 = "Software\\Sysinternals\\Desktops" wide fullword
       $s2 = "Sysinternals Desktops" wide fullword
@@ -70,6 +73,7 @@ rule SUSP_PE_Compromised_Certificate_Feb25 {
       hash = "9a5b9d89686de129a7b1970d5804f0f174156143ccfcd2cf669451c1ad4ab97e"
       hash = "ff82c4c679c5486aed2d66a802682245a1e9cd7d6ceb65fa0e7b222f902998e8"
       hash = "1da91d2570329f9e214f51bc633283f10bd55a145b7b3d254e03175fd86292d9"
+      id = "2e6ad630-b24e-53b2-8ffe-622c51914568"
    strings:
       $sb1 = { 44 B8 66 73 57 BB 95 65 1D 61 D0 61 } // compromised certificate serial
       $sb2 = { 4F 23 43 D9 61 54 B9 41 DB 0A 26 B2 } // compromised certificate serial

yara/mal_win_go_backorder_loader.yar

@@ -7,6 +7,7 @@ rule MAL_BACKORDER_LOADER_WIN_Go_Jan23 {
       score = 80
       tags = "loader, golang, BACKORDER, malware, windows"
       hash = "70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8"
+      id = "90a82f2c-be92-5d0b-b47e-f47db2b15867"
    strings:
       $GoBuildId = "Go build" ascii
       // Debug symbols commonly seen in BACKORDER loader

yara/mixed_open_source_export.yar

@@ -6,6 +6,7 @@ rule SUSP_LNK_Suspicious_Folders_Jan25 {
       reference = "Internal Research"
       date = "2025-01-24"
       score = 65
+      id = "5f1bcd18-abec-5831-b24f-519c92a2454e"
    strings:
       $x1 = "RECYCLER.BIN\\" wide
       $x2 = "Perflogs\\" wide

yara/seaspy_backdoor_jan25.yar

@@ -11,6 +11,7 @@ rule SUSP_LNX_ByteEncoder_Jan25 {
       hash = "b0b83e1c69aa8df6da4383230bef1ef46e09f3bf26cec877eac53a9d48dc53ca"
       hash = "d21b40645e33638bd36b63582c2c6ad5e8230c731236a54e8e5f4139bad31fdf"
       score = 75
+      id = "4866348a-2129-5f6a-9498-8ab1acfa74b4"
    strings:
       $op1 = {8B 45 FC 48 63 D0 48 8B 45 A8 48 01 C2 8B 45 BC C1 F8 04 83 E0 0F 48 98 0F B6 44 05 E0 88 02} // Encode upper nibbl
       $op2 = {8B 45 FC 48 98 48 8D 50 01 48 8B 45 A8 48 01 C2 8B 45 BC 83 E0 0F 48 98 0F B6 44 05 C0 88 02} // Encode lower nibble
@@ -34,6 +35,7 @@ rule SUSP_LNX_StackString_Technique_Jan25 {
       hash = "654b7c5b667e4d70ebb5fb1807dcd1ee5b453f45424eb59a287d86ad8d0598a1"
       hash = "ac6a8ec0b92935b7faab05ca21a42ed9eecdc9243fcf1449cc8f050de38e4c4f"
       score = 75
+      id = "6c81d8c1-0cfa-54d9-89d3-2b025cc22f13"
    strings:
       $op1 = {C7 45 E0 70 71 72 73 C7 45 E4 74 75 76 77 C7 45 E8 78 79 7A 61 C7 45 EC 62 63 64 65 C6 45 F0 00 C7 45 C0 30 31 32 33 C7 45 C4 34 35 36 37 C7 45 C8 38 39 61 62 C7 45 CC 63 64 65 66} // tack-based string manipulation technique
    condition:

yara/susp_email_redirection_spoofing.yar

@@ -8,6 +8,7 @@ rule SUSP_Email_Redirection_Spoofing_Feb25 {
       hash = "c4eb35c1a1c10226bff9bb0c88ca516441208d193b4994eeb292a66e53a2cc04"
       hash = "e3b8ea03a472348814c6ac81088234836e627a1878ec36e46ce62526e1390935"
       score = 70
+      id = "bf3a2b06-4dc5-5f0f-bf1f-2bd6a1cc4a8d"
    strings:
       $sa1 = "Content-Transfer-Encoding:" ascii
       $sa2 = "Subject:" ascii

yara/thor-hacktools.yar

@@ -4405,6 +4405,7 @@ rule SUSP_shellpop_Bash {
       modified = "2021-01-25"
       score = 70
       hash1 = "36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b"
+      id = "771b7d01-272a-5986-af07-7417b84c52ed"
    strings:
       $x1 = "bash -i >& /dev/tcp/" ascii