Update third-party rules as of 2025-11-07 (#1203)

octo-sts[bot] · github-actions[bot] · web-flow · commit c79276861a4b · 2025-11-07T07:22:26.000-06:00
Co-authored-by: Update third-party rules &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-1c9bd9ee2bea7d2684951df058705f0e3142cd40
+c339a4ff1c0244fc2c6e916e6551bf672a25422a
diff --git a/third_party/yara/elastic/Windows_Trojan_Gh0st.yar b/third_party/yara/elastic/Windows_Trojan_Gh0st.yar
@@ -22,35 +22,3 @@ rule Windows_Trojan_Gh0st_ee6de6bc {
         all of them
 }
 
-rule Windows_Trojan_Gh0st_9e4bb0ce {
-    meta:
-        author = "Elastic Security"
-        id = "9e4bb0ce-b1ed-45dc-8d86-943eb76f0bb4"
-        fingerprint = "4fb0eafc58972ef6fef87a88e43ae320420d760f545a66aab28dc3a65f629631"
-        creation_date = "2025-05-08"
-        last_modified = "2025-05-27"
-        threat_name = "Windows.Trojan.Gh0st"
-        reference_sample = "2d93a17f04bf2fcd51c2142043af3840895ae7ba43909a26420c4879d214a3c3"
-        severity = 100
-        arch_context = "x86"
-        scan_context = "file, memory"
-        license = "Elastic License v2"
-        os = "windows"
-    strings:
-        $a1 = "PluginMe" ascii fullword
-        $a2 = "\\cmd.exe -Puppet" ascii fullword
-        $a3 = "ERROR 1" ascii fullword
-        $a4 = "ERROR 2" ascii fullword
-        $a5 = "AYAgent.aye" ascii fullword
-        $a6 = "mssecess.exe" ascii fullword
-        $a7 = "shell\\open\\command" ascii fullword
-        $a8 = "WinSta0\\Default" ascii fullword
-        $a9 = { C6 44 24 ?? 53 C6 44 24 ?? 74 C6 44 24 ?? 61 C6 44 24 ?? 30 C6 44 24 ?? 5C }
-        $a10 = { C6 44 24 ?? 41 C6 44 24 ?? 6C C6 44 24 ?? 69 C6 44 24 ?? 63 C6 44 24 ?? 61 C6 44 24 ?? 74 C6 44 24 ?? 69 }
-        $a11 = { C6 44 24 ?? 2F C6 44 24 ?? 34 C6 44 24 ?? 2E C6 44 24 ?? 30 C6 44 24 ?? 20 C6 44 24 ?? 28 C6 44 24 ?? 63 }
-        $a12 = "%c%c%c%c%c%c" ascii fullword
-        $a13 = { 25 2D 32 34 73 20 25 2D 31 35 00 }
-    condition:
-        5 of them
-}
-
diff --git a/third_party/yara/elastic/Windows_Trojan_RoningLoader.yar b/third_party/yara/elastic/Windows_Trojan_RoningLoader.yar
@@ -0,0 +1,23 @@
+rule Windows_Trojan_RoningLoader_a4e851ac {
+    meta:
+        author = "Elastic Security"
+        id = "a4e851ac-7787-4f75-9aab-32c17c253c7a"
+        fingerprint = "42d19ba97783f3807c096c1d1d5d17052530cc734d680c5baa8fc3c50cc10eee"
+        creation_date = "2025-10-20"
+        last_modified = "2025-11-03"
+        threat_name = "Windows.Trojan.RoningLoader"
+        reference_sample = "c84764a19543e9bdfe06263d3dd68bbf9df381bbe4d0c0da480bc4eddea293b6"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $binary0 = { 48 89 45 80 8B 05 C5 E8 0C 00 48 0F 47 4C 24 70 66 89 04 51 48 8D 44 24 70 66 44 89 6C 51 02 }
+        $str0 = "Successfully created PPL process with PID: " wide fullword
+        $str1 = "C:\\Windows\\System32\\ClipUp.exe" wide fullword
+        $str2 = "regsvr32.exe /S"
+    condition:
+        $binary0 or all of ($str*)
+}
+

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-1c9bd9ee2bea7d2684951df058705f0e3142cd40`
	`1`	`+c339a4ff1c0244fc2c6e916e6551bf672a25422a`