Curated YARA and Sigma rules for malware families, exploitation behaviors, and incident artifacts analyzed by Binautopsy Labs.
- What's here: rules tied to published autopsies and CVE briefs on binautopsy.com/research/. Every rule has a reference URL pointing to the analysis it came from.
- What's NOT here: opportunistic IOC dumps, generic malware-family rules pulled from third-party feeds, rules without provenance.
- Every rule has metadata: author, date, version, reference URL, sample hash, license. No anonymous rules.
- Every rule cites the autopsy or brief it came from.
- False-positive notes included where benign software resembles the malicious pattern.
yara/— YARA rules (validated againstyara>= 4.5)sigma/— Sigma rules (validated againstsigma-cli>= 1.0)
Open a GitHub issue with: rule name, the benign sample/process, the matching condition, environment context. We respond within 1 business week.
External contributions are welcomed via PR but evaluated against the quality bar above. We curate, we don't aggregate — a rule must come from defensible analysis, not from speculation.
Apache-2.0. Use freely in commercial and non-commercial detection tools, including MDR/MSSP integrations. Attribution appreciated.
Binautopsy Labs is a specialist cybersecurity lab focused on artifact-first investigations. https://binautopsy.com/