strelka-ui icon indicating copy to clipboard operation
strelka-ui copied to clipboard
verified publisher icon target

Known Malicious YARA Match Highlight

Open skalupa opened this issue 9 months ago • 1 comments

Currently, all YARA matches are marked as "potential classifiers" and are all the same grey highlight.

This issue proposes we add additional highlighting to these classifiers to mark known suspicious matches in a separate color, such as a red highlight, to ensure that these matches jump out at someone analysing a file using the UI.

skalupa avatar Feb 27 '25 18:02 skalupa

Currently I see this behavior:

  • rules deemed "suspicious" will show as "Potentially Suspicious": Image

  • rules are marked as suspicious if the matched rule name contains any of these values:

  const suspiciousYaraRules = [
    'autoopen',
    'screenshot',
    'maldoc',
    'exploit',
    'download',
    'crowdstrike',
    'keylogger',
    'malicious',
    'suspicious',
    'network',
  ]

Is this different than the proposed behavior? Is there something else we need to use to determine if a match is known suspicious?

Flet avatar Mar 18 '25 17:03 Flet