Update third-party rules as of 2026-02-04 (#1351)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

Author: octo-sts[bot]

third_party/yara/elastic/RELEASE

@@ -1 +1 @@
-103842377447ea43059390d35b7dc393f5144c55
+dc64ed57860f4a150c7d1fe33d645d69f384506e

third_party/yara/elastic/Windows_Ransomware_DragonForce.yar

@@ -0,0 +1,24 @@
+rule Windows_Ransomware_DragonForce_44bb8f0d {
+    meta:
+        author = "Elastic Security"
+        id = "44bb8f0d-9648-426d-bd1c-0e16ccc8ad04"
+        fingerprint = "990654f2598e9f9878ba61e0eeef67522cc6e851c49fc9ca4874131a26c120bb"
+        creation_date = "2025-05-28"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Ransomware.DragonForce"
+        reference_sample = "d06b5a200292fedcfb4d4aecac32387a2e5b5bb09aaab5199c56bab3031257d6"
+        severity = 100
+        arch_context = "x86, arm64"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $str_1 = "%04d-%02d-%02dT%02d:%02d:00Z" wide fullword
+        $str_2 = ".dragonforce_encrypted" wide fullword
+        $seq_1 = { C6 44 24 19 45 C6 44 24 1A 55 C6 44 24 1B 3C C6 44 24 1C 55 C6 44 24 1D 3A C6 44 24 1E 55 C6 44 24 1F 3F }
+        $seq_2 = { C6 45 D4 00 C6 45 D5 4F C6 45 D6 69 C6 45 D7 28 C6 45 D8 69 C6 45 D9 1A C6 45 DA 69 C6 45 DB 3B C6 45 DC }
+        $seq_3 = { C6 45 8C 00 C6 45 8D 55 C6 45 8E 02 C6 45 8F 4C C6 45 90 02 C6 45 91 73 C6 45 92 02 }
+    condition:
+        3 of them
+}
+

third_party/yara/elastic/Windows_Trojan_BadIIS.yar

@@ -0,0 +1,76 @@
+rule Windows_Trojan_BadIIS_2a604c44 {
+    meta:
+        author = "Elastic Security"
+        id = "2a604c44-80ad-4b25-abdc-6f57074a3b37"
+        fingerprint = "3568b0878dd8404aa5a99101c132b158cea015a5397a114a28fc2057258a6f24"
+        creation_date = "2026-01-26"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.BadIIS"
+        reference_sample = "1b723a5f9725b607926e925d1797f7ec9664bb308c9602002345485e18085b72"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 48 FF C0 80 3C 01 00 75 F7 48 8B 72 08 }
+        $a2 = { 0F 11 45 D8 4C 89 75 E8 4C 89 75 F0 4D 8B EE 4C 89 75 E8 41 BC }
+        $a3 = { 49 8B C7 48 C1 E8 04 4C 8D 25 [2] 02 00 46 0F B6 }
+        $a5 = { 48 8B 45 C7 48 83 F8 01 72 29 48 FF }
+        $a6 = { 0F B6 44 37 FF 48 2B F8 }
+    condition:
+        3 of them
+}
+
+rule Windows_Trojan_BadIIS_56117744 {
+    meta:
+        author = "Elastic Security"
+        id = "56117744-f09a-4efa-bfc6-0f2273e6025c"
+        fingerprint = "d83da4a12e47bf898a4150b2c2c4c2815f9bcf59e48ea7cd416ff2a8382580ba"
+        creation_date = "2026-01-26"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.BadIIS"
+        reference_sample = "a69a5fe19eae825c463e83265f7bbe31d1e514176e11ba5f63c25351542c46b6"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = "bing|google|naver" fullword
+        $a2 = "bingbot|Googlebot|Yeti" fullword
+        $a3 = "bingbot|Googlebot|coccocbot" fullword
+        $a4 = "|split'.split('|'),0,{}))</script>\n" fullword
+        $a5 = "iPhone|iPad|iPod|iOS|Android|uc|BlackBerry|HUAWEI" fullword
+        $a6 = ".js|.css|.jpg|.jpeg|.png|.gif|.bmp|.ico|.svg|.tif|.pict|.tiff|.swf" fullword
+        $a7 = "tee|pat|and|app|poker|gam|sto|vid|bea|slo|fis|bac|pac|tig|bmw|fru|bull|card|gods|fish|mahj" fullword
+        $a8 = "return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src" fullword
+    condition:
+        4 of them
+}
+
+rule Windows_Trojan_BadIIS_71069efd {
+    meta:
+        author = "Elastic Security"
+        id = "71069efd-75a4-4752-8b31-a8ac0a17cfc0"
+        fingerprint = "e775c597c743e41dd11e4aedce991609d81764fd3b31ed29efcea1cc57fce81f"
+        creation_date = "2026-01-26"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.BadIIS"
+        reference_sample = "c5abe6936fe111bbded1757a90c934a9e18d849edd70e56a451c1547688ff96f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = "hm.baidu.com/hm.js" fullword
+        $a2 = "googletagmanager.com/gtag/js?id" fullword
+        $a3 = "</div>\n<a id=\"js-alert-btn\" class=\"alert-btn\" href=\"" fullword
+        $a4 = "index.php?domain=" fullword
+        $seq1 = { C7 45 C4 [4] C7 45 C8 04 00 00 00 C7 45 CC [4] C7 45 D0 04 00 00 00 }
+        $seq2 = { C7 45 E8 07 00 00 00 C7 45 EC [4] C7 45 F0 04 00 00 00 C7 45 F4 [4] C7 45 F8 09 00 00 00 }
+    condition:
+        2 of ($a*) and 1 of ($seq*)
+}
+

third_party/yara/elastic/Windows_Trojan_Generic.yar

@@ -361,3 +361,52 @@ rule Windows_Trojan_Generic_9e4bb0ce {
         5 of them
 }
 
+rule Windows_Trojan_Generic_41da339f {
+    meta:
+        author = "Elastic Security"
+        id = "41da339f-0266-4e8e-bae6-9b4c58210856"
+        fingerprint = "6c6d63d9595bc37714bf33ccda155825c507f566b1654182a85e86e0e3bffb49"
+        creation_date = "2026-01-26"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.Generic"
+        reference_sample = "2340f152e8cb4cc7d5d15f384517d756a098283aef239f8cbfe3d91f8722800a"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $pdb = { 43 3A 5C 55 73 65 72 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C E6 9B BF E6 8D A2 E9 85 8D E7 BD AE E6 96 87 E4 BB B6 5C 77 33 77 70 2D 73 76 63 68 6F 73 74 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 43 62 73 4D 73 67 41 70 69 2E 70 64 62 }
+        $str1 = "C:\\Windows\\System32\\drivers\\WUDFPfprot.sys" fullword
+        $str2 = "C:\\Windows\\System32\\drivers\\WppRecorderpo.sys" fullword
+        $str3 = "C:\\Windows\\System32\\drivers\\WppRecorderrt.sys" fullword
+        $str4 = "WsmRes64.dll" fullword
+        $str5 = "CbsMsgApi.dll" fullword
+    condition:
+        $pdb or 4 of ($str*)
+}
+
+rule Windows_Trojan_Generic_4a773368 {
+    meta:
+        author = "Elastic Security"
+        id = "4a773368-deaf-4248-b0ec-c4e924cc7428"
+        fingerprint = "96329cbe576ba9772259c068916b928e7c33afcd18616ddd04d82227459d6a7f"
+        creation_date = "2026-01-26"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.Generic"
+        reference_sample = "055bdcaa0b69a1e205c931547ef863531e9fdfdaac93aaea29fb701c7b468294"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $pdb = { 43 3A 5C 55 73 65 72 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C E6 9B BF E6 8D A2 E9 85 8D E7 BD AE E6 96 87 E4 BB B6 5C 77 33 77 70 73 65 72 76 69 63 65 2D 73 76 63 68 6F 73 74 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 43 62 73 4D 73 67 41 70 69 2E 70 64 62 }
+        $str1 = "AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD" wide fullword
+        $str2 = "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide fullword
+        $str3 = "ExcuteEnLargeDll failed with error code " fullword
+        $str4 = "ChangeServiceConfig2 (SERVICE_CONFIG_DESCRIPTION) failed with error code" fullword
+    condition:
+        $pdb or 3 of ($str*)
+}
+

third_party/yara/elastic/Windows_Trojan_Vidar.yar

@@ -113,3 +113,47 @@ rule Windows_Trojan_Vidar_65d3d7e5 {
         6 of them
 }
 
+rule Windows_Trojan_Vidar_5e3e5c75 {
+    meta:
+        author = "Elastic Security"
+        id = "5e3e5c75-00a6-4dca-ac29-1a4d3554b9bd"
+        fingerprint = "6a21d58bd025d08b40c64fd38df8af637bc97938b268143427aaa96c79a8caa7"
+        creation_date = "2025-12-16"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.Vidar"
+        reference_sample = "0f8976f8b0f6f717ffdfb22cfc1620eee53ce462975bb270929bff3497d22beb"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "%DRIVE_FIXED%" fullword
+        $e = "%DRIVE_REMOVABLE%" fullword
+        $d = "_0.indexeddb.leveldb" fullword
+        $c = "key4.db" fullword
+    condition:
+        all of them
+}
+
+rule Windows_Trojan_Vidar_4ed00a37 {
+    meta:
+        author = "Elastic Security"
+        id = "4ed00a37-9101-4c54-ad42-06e81051be69"
+        fingerprint = "92f3a503d66bc9873691a36f8259aee86948e0b9594e6b8c492b970d9d587500"
+        creation_date = "2025-12-16"
+        last_modified = "2026-02-02"
+        threat_name = "Windows.Trojan.Vidar"
+        reference_sample = "0f8976f8b0f6f717ffdfb22cfc1620eee53ce462975bb270929bff3497d22beb"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = { 8A 1C 32 44 30 C3 88 1C 31 }
+        $b = { 42 8A 1C 1A 44 30 C3 42 88 1C 19 }
+    condition:
+        all of them
+}
+

third_party/yara/elastic/Windows_VulnDriver_ThrottleStop.yar

@@ -0,0 +1,23 @@
+rule Windows_VulnDriver_ThrottleStop_166b7608 {
+    meta:
+        author = "Elastic Security"
+        id = "166b7608-f65c-4bb1-9986-4fb99542ebf4"
+        fingerprint = "944d96cd7dadc43e327ef96e54498ed9956a7896ce080e9e849f2057827e5fc0"
+        creation_date = "2025-12-10"
+        last_modified = "2026-02-02"
+        description = "Subject: TechPowerUp LLC, Version: <= 3.0.0.0"
+        threat_name = "Windows.VulnDriver.ThrottleStop"
+        reference_sample = "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0"
+        severity = 50
+        arch_context = "x86"
+        scan_context = "file"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $subject_name = { 06 03 55 04 03 [2] 54 65 63 68 50 6F 77 65 72 55 70 20 4C 4C 43 }
+        $version = /V\x00S\x00_\x00V\x00E\x00R\x00S\x00I\x00O\x00N\x00_\x00I\x00N\x00F\x00O\x00\x00\x00{0,4}\xbd\x04\xef\xfe[\x00-\xff]{4}(([\x00-\x00][\x00-\x00])([\x00-\x03][\x00-\x00])([\x00-\x00][\x00-\x00])([\x00-\x00][\x00-\x00])|([\x00-\xff][\x00-\xff])([\x00-\x02][\x00-\x00])([\x00-\xff][\x00-\xff])([\x00-\xff][\x00-\xff]))/
+        $str1 = "Driver.pdb"
+    condition:
+        int16(uint32(0x3C) + 0x5c) == 0x0001 and int16(uint32(0x3C) + 0x18) == 0x020b and $subject_name and $version and $str1
+}
+

third_party/yara/elastic/Windows_VulnDriver_TopazOFD.yar

@@ -0,0 +1,24 @@
+rule Windows_VulnDriver_TopazOFD_86b87a80 {
+    meta:
+        author = "Elastic Security"
+        id = "86b87a80-1080-4a24-8cdf-352ded07e95d"
+        fingerprint = "232be04d29f158eef348266f55c94544de4f37541a55aa200aef1025b0b1a5ea"
+        creation_date = "2026-01-22"
+        last_modified = "2026-02-02"
+        description = "Subject: TPZ SOLUCOES DIGITAIS LTDA, Name: wsftprm.sys, Version: 2.0.0.0, Product Name: wsddprm"
+        threat_name = "Windows.VulnDriver.TopazOFD"
+        reference_sample = "ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8"
+        severity = 50
+        arch_context = "x86"
+        scan_context = "file"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $subject_name = { 06 03 55 04 03 [2] 54 50 5A 20 53 4F 4C 55 43 4F 45 53 20 44 49 47 49 54 41 49 53 20 4C 54 44 41 }
+        $original_file_name = { 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 [1-8] 77 00 73 00 66 00 74 00 70 00 72 00 6D 00 2E 00 73 00 79 00 73 00 00 }
+        $product_version = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E [1-8] 32 00 2E 00 30 00 2E 00 30 00 2E 00 30 }
+        $product_name = { 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 [1-8] 77 00 73 00 64 00 64 00 70 00 72 00 6D 00 }
+    condition:
+        int16(uint32(0x3C) + 0x5c) == 0x0001 and int16(uint32(0x3C) + 0x18) == 0x020b and $subject_name and $original_file_name and $product_version and $product_name
+}
+