From 9103ccdfbd6e5041cf97f51d7fa8c3958392d9b5 Mon Sep 17 00:00:00 2001
From: Wilhelm Roth
Date: Wed, 1 Apr 2026 08:27:05 +0200
Subject: [PATCH 1/2] fix: add FP exclusion for AWS CLI docs in Certutil_Decode_OR_Download

Add false positive exclusion for AWS CLI documentation (.rst files) that contain legitimate certutil -decode usage examples. The string 'https://docs.aws.amazon.com' appears in all affected documentation files (awscli pip package) and excludes them from detection without weakening the rule for actual malicious scripts.
---
 yara/gen_mal_scripts.yar | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/yara/gen_mal_scripts.yar b/yara/gen_mal_scripts.yar
index de5e2431..eec44d13 100644
--- a/yara/gen_mal_scripts.yar
+++ b/yara/gen_mal_scripts.yar
@@ -75,7 +75,7 @@ rule Certutil_Decode_OR_Download {
  reference = "Internal Research"
  score = 40
  date = "2017-08-29"
- modified = "2023-10-19"
+ modified = "2025-04-01"
  id = "63bdefd2-225a-56d5-b615-5e236c97f050"
  strings:
  $a1 = "certutil -decode " ascii wide
@@ -86,6 +86,7 @@ rule Certutil_Decode_OR_Download {
  $a6 = "certutil.exe -urlcache -split -f http" ascii wide
 
  $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
+ $fp_doc = "https://docs.aws.amazon.com" ascii
  condition:
  filesize < 700KB and
  1 of ($a*)

From c14386a452be426fb3f97d96a2f53d82403ec766 Mon Sep 17 00:00:00 2001
From: Wilhelm Roth
Date: Wed, 1 Apr 2026 08:30:22 +0200
Subject: [PATCH 2/2] fix: correct modified date to 2026

---
 yara/gen_mal_scripts.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yara/gen_mal_scripts.yar b/yara/gen_mal_scripts.yar
index eec44d13..47438172 100644
--- a/yara/gen_mal_scripts.yar
+++ b/yara/gen_mal_scripts.yar
@@ -75,7 +75,7 @@ rule Certutil_Decode_OR_Download {
  reference = "Internal Research"
  score = 40
  date = "2017-08-29"
- modified = "2025-04-01"
+ modified = "2026-04-01"
  id = "63bdefd2-225a-56d5-b615-5e236c97f050"
  strings:
  $a1 = "certutil -decode " ascii wide
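Review bot: The new `$fp_doc` string only suppresses matches if the condition references it, and the visible tail `filesize < 700KB and 1 of ($a*)` is not the whole condition — the clause that handles `$fp*` lies after the hunk, so confirm it uses a wildcard form such as `not 1 of ($fp*)` rather than naming `$fp_msi` directly, since YARA rejects a rule with an unreferenced string. Keying the exclusion on the bare literal `https://docs.aws.amazon.com` also means any file that carries that URL anywhere, for example in a comment, is removed from this rule outright, which is broader than the commit message's "without weakening" claim suggests. A narrower exclusion that additionally requires a second marker specific to the awscli .rst files (e.g. `not ($fp_doc and $fp_rst)` with an RST-only string as `$fp_rst`, name constructed here) would keep the same false-positive fix with less reach, and a comment such as `// FP: awscli pip package docs (.rst) with certutil -decode examples` next to the string would record why it exists. The enclosing rule begins before this hunk and its condition continues after it.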