From e869a43eb7bc4bb0e240fdbf32b2844fa8d39cd0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 12 Feb 2025 11:29:08 +0100
Subject: [PATCH] fix: Go marker

---
 yara/gen_fireeye_redteam_tools.yar | 4 ++--
 yara/gen_lnx_malware_indicators.yar | 2 +-
 yara/gen_powershell_obfuscation.yar | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/yara/gen_fireeye_redteam_tools.yar b/yara/gen_fireeye_redteam_tools.yar
index 03f9dcd6..5ef831d4 100644
--- a/yara/gen_fireeye_redteam_tools.yar
+++ b/yara/gen_fireeye_redteam_tools.yar
@@ -59,7 +59,7 @@ rule APT_Backdoor_Win_GORAT_3
 $dirty4 = "gorat" ascii nocase wide
 $dirty5 = "flare" ascii nocase wide
 $go1 = "go.buildid" ascii wide
- $go2 = "Go build ID:" ascii wide
+ $go2 = "Go build" ascii wide
 $json1 = "json:\"pid\"" ascii wide
 $json2 = "json:\"key\"" ascii wide
 $json3 = "json:\"agent_time\"" ascii wide
@@ -1460,7 +1460,7 @@ rule APT_Backdoor_Win_GORAT_2
 id = "e2c47711-d088-5cb4-8d21-f8199a865a28"
 strings:
 $go1 = "go.buildid" ascii wide
- $go2 = "Go build ID:" ascii wide
+ $go2 = "Go build" ascii wide
 $json1 = "json:\"pid\"" ascii wide
 $json2 = "json:\"key\"" ascii wide
 $json3 = "json:\"agent_time\"" ascii wide
diff --git a/yara/gen_lnx_malware_indicators.yar b/yara/gen_lnx_malware_indicators.yar
index c60c7b52..4df9b898 100644
--- a/yara/gen_lnx_malware_indicators.yar
+++ b/yara/gen_lnx_malware_indicators.yar
@@ -1,7 +1,7 @@
 rule SUSP_LNX_Linux_Malware_Indicators_Aug20_1 {
 meta:
- description = "Detects indicators often found in linux malware samples"
+ description = "Detects indicators often found in linux malware samples. Note: This detection is based on common characteristics typically associated with the mentioned threats, must be considered a clue and does not conclusively prove maliciousness."
 author = "Florian Roth (Nextron Systems)"
 score = 65
 reference = "Internal Research"
diff --git a/yara/gen_powershell_obfuscation.yar b/yara/gen_powershell_obfuscation.yar
index 5842402d..11fd30ed 100644
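Review bot: The shortened `$go2 = "Go build" ascii wide` in the APT_Backdoor_Win_GORAT_3 hunk is a prefix of the old `Go build ID:` value (and, as far as I recall, of the Go build-info magic as well), so it can only widen matches and on its own marks essentially any Go binary rather than GORAT specifically. Whether that loosens the rule depends on the `condition`, which lies outside the hunk; it is worth confirming there that `$go1`/`$go2` act only as a Go-binary precondition combined with the `$json*`/`$dirty*` strings and are not counted toward an `any of them`-style threshold. The same change and the same question apply to the APT_Backdoor_Win_GORAT_2 hunk at line 1460. A one-line comment above `$go1`, such as `// generic Go build markers - only meaningful together with the GORAT-specific strings below`, would record that intent for future edits of these rules.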
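Review bot: In the gen_lnx_malware_indicators.yar hunk, the appended note refers to "the mentioned threats", but the new description of SUSP_LNX_Linux_Malware_Indicators_Aug20_1 mentions no specific threat, only "linux malware samples", so the sentence reads as copied from a threat-specific rule. The same boilerplate is added to SUSP_OBFUSC_PowerShell_True_Jun20_1 in gen_powershell_obfuscation.yar, where it has the same mismatch. Rewording the clause to `Note: This detection is based on common characteristics typically associated with these indicators, must be considered a clue and does not conclusively prove maliciousness.` keeps the caveat while matching what each rule actually describes.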
--- a/yara/gen_powershell_obfuscation.yar
+++ b/yara/gen_powershell_obfuscation.yar
@@ -56,7 +56,7 @@ rule SUSP_PowerShell_Caret_Obfuscation_2 {
 rule SUSP_OBFUSC_PowerShell_True_Jun20_1 {
 meta:
- description = "Detects indicators often found in obfuscated PowerShell scripts"
+ description = "Detects indicators often found in obfuscated PowerShell scripts. Note: This detection is based on common characteristics typically associated with the mentioned threats, must be considered a clue and does not conclusively prove maliciousness."
 author = "Florian Roth (Nextron Systems)"
 reference = "https://github.com/corneacristian/mimikatz-bypass/"
 date = "2020-06-27"