This page showcases actual detection rules from the Dr.Semu codebase, demonstrating practical implementations of both Lua and Python rules.

WannaCry Kill Switch Detection

This Lua rule detects WannaCry ransomware by identifying its kill switch URL. File: run_detections/dr_rules_files/wannacry_url.lua
utils = require "utils"

function check(report_directory)

    local status = "CLEAN"

    -- open the first json file and read content
    local first_dynamic = utils.get_first_process_json(report_directory)
    local first_static = utils.get_first_static(report_directory)

    -- static information
    local is_x86 = false
    if first_static ~= nil then
        is_x86 = first_static.generic.is_x86
    end

    -- dynamic information
    if first_dynamic ~= nil then
        -- enumerate json
        for index, win_func in pairs(first_dynamic) do

            if win_func.InternetOpenUrlA and win_func.InternetOpenUrlA.before.url then
                local url = win_func.InternetOpenUrlA.before.url:lower()
                if url == "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" then
                    return "Win32.WannaCry.DR"
                end
            end

        end
    end
    
    return status
end
This rule demonstrates network behavior analysis by monitoring InternetOpenUrlA API calls for the specific kill switch domain used by WannaCry.

Key Techniques

  • Static + Dynamic Analysis: Loads both static and dynamic data (though only dynamic is used)
  • API Monitoring: Watches InternetOpenUrlA for network connections
  • Case-Insensitive Matching: Uses string:lower() for robust URL comparison
  • Null Safety: Checks for nil before accessing nested fields

EICAR Test Detection

This Python rule detects samples that spawn the EICAR test file executable. File: run_detections/dr_rules_files/dr_semu_eicar.py
import json
import os

import dr_semu_utils

# don't forget to add module names into py_imports.config file

def check(report_directory):
    
    image_path, pid, sha_256 = dr_semu_utils.get_starter_details(report_directory)
    static_info = dr_semu_utils.get_json_from_file(report_directory + b"\\" + sha_256.encode() + b".json")
    dynamic_info = dr_semu_utils.get_json_from_file(report_directory + b"\\" + str(pid).encode() + b".json")

    # code here
    verdict = b"CLEAN"

    for win_func in dynamic_info:
        if "NtCreateUserProcess" in win_func:
            image_path = win_func["NtCreateUserProcess"]["before"]["image_path"]
            if image_path.lower().endswith("drsemu_eicar.exe"):
                return b"Win32.EICAR.Dr"

    return verdict


if __name__ == "__main__":
    pass
This rule demonstrates process creation monitoring to detect when malware spawns specific executables.

Key Techniques

  • Process Monitoring: Watches NtCreateUserProcess for child process creation
  • Path Analysis: Examines the image path of spawned processes
  • Case-Insensitive Matching: Uses lower() and endswith() for flexible detection
  • Bytes Handling: Properly returns verdict as bytes (b"...") as required

Sample Rule Template

This comprehensive Lua template demonstrates multiple detection techniques. File: run_detections/dr_rules_files/sample_rule.lua
utils = require "utils"

function check(report_directory)

    local status = "CLEAN"

    -- open the first json file and read content
    local first_dynamic = utils.get_first_process_json(report_directory)
    local first_static = utils.get_first_static(report_directory)

    -- static information
    local is_x86 = false
    if first_static ~= nil then
        is_x86 = first_static.generic.is_x86
    end

    -- dynamic information
    if first_dynamic ~= nil then
        -- enumerate json
        for index, win_func in pairs(first_dynamic) do

            -- get information from a call, e.g. if the call is NtCreateUserProcess
            if win_func.NtCreateUserProcess then
                -- Get a PID of a new process, with PID we can enumerate calls from a new process
                if win_func.NtCreateUserProcess.success == true then
                    local target_PID = win_func.NtCreateUserProcess.after.proc_id
                    local decoded_json = utils.get_json_pid(report_directory, target_PID)
                    if not decoded_json.empty then
                        -- enumerate a json of the child process
                    end
                end

                -- and check the new process parameters 
                if win_func.NtCreateUserProcess.before.image_path ~= nil then
                    if win_func.NtCreateUserProcess.before.image_path:find("whoami") then
                        return "WHOAMI!EXE"
                    end
                end
            end

            -- other check for reg key creation
            if win_func.NtCreateKey and win_func.NtCreateKey.success == true then
                if win_func.NtCreateKey.before.key_path:find("malicious_key_for_dr_semu") then
                    return "Dr.Semu!TEST"
                end
            end

        end
    end
    
    return status
end
This template showcases multiple detection patterns including child process analysis, registry monitoring, and path-based detection.

Key Techniques

  1. Child Process Analysis (lines 23-36)
    • Extracts child process PID from NtCreateUserProcess.after.proc_id
    • Loads child process JSON using utils.get_json_pid()
    • Allows recursive analysis of process trees
  2. Process Path Detection (lines 39-44)
    • Checks image path of spawned processes
    • Uses string:find() for substring matching
    • Detects suspicious tools like whoami.exe
  3. Registry Key Monitoring (lines 47-51)
    • Watches NtCreateKey for registry operations
    • Checks success status before analyzing
    • Matches suspicious registry key paths
  4. Static Analysis Integration (lines 17-20)
    • Extracts PE metadata like architecture
    • Can combine static and dynamic indicators

Detection Patterns

Network IOC Detection

-- From wannacry_url.lua
if win_func.InternetOpenUrlA and win_func.InternetOpenUrlA.before.url then
    local url = win_func.InternetOpenUrlA.before.url:lower()
    if url == "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" then
        return "Win32.WannaCry.DR"
    end
end

Process Spawning Detection

-- From sample_rule.lua
if win_func.NtCreateUserProcess then
    if win_func.NtCreateUserProcess.before.image_path ~= nil then
        if win_func.NtCreateUserProcess.before.image_path:find("whoami") then
            return "WHOAMI!EXE"
        end
    end
end

Registry Persistence Detection

-- From sample_rule.lua
if win_func.NtCreateKey and win_func.NtCreateKey.success == true then
    if win_func.NtCreateKey.before.key_path:find("malicious_key_for_dr_semu") then
        return "Dr.Semu!TEST"
    end
end

Child Process Analysis

-- From sample_rule.lua
if win_func.NtCreateUserProcess then
    if win_func.NtCreateUserProcess.success == true then
        local target_PID = win_func.NtCreateUserProcess.after.proc_id
        local decoded_json = utils.get_json_pid(report_directory, target_PID)
        if not decoded_json.empty then
            -- enumerate a json of the child process
            for index, child_func in pairs(decoded_json) do
                -- Analyze child behavior
            end
        end
    end
end

Real-World Use Cases

Ransomware Detection

Combining multiple indicators from the examples:
utils = require "utils"

function check(report_directory)
    local status = "CLEAN"
    local first_dynamic = utils.get_first_process_json(report_directory)
    
    if first_dynamic ~= nil then
        local created_suspicious_file = false
        local accessed_kill_switch = false
        
        for index, win_func in pairs(first_dynamic) do
            -- Check for kill switch URL (WannaCry pattern)
            if win_func.InternetOpenUrlA and win_func.InternetOpenUrlA.before.url then
                local url = win_func.InternetOpenUrlA.before.url:lower()
                if url:find("iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea") then
                    accessed_kill_switch = true
                end
            end
            
            -- Check for file creation with suspicious extensions
            if win_func.NtCreateFile then
                local file_path = win_func.NtCreateFile.before.file_path
                -- Lua patterns escape a literal dot with "%.", not "\."
                if file_path and file_path:find("%.wncry$") then
                    created_suspicious_file = true
                end
            end
        end
        
        if accessed_kill_switch and created_suspicious_file then
            return "Win32.WannaCry.DR"
        end
    end
    
    return status
end

Information Stealer Detection

Building on the sample rule patterns:
import dr_semu_utils

def check(report_directory):
    verdict = b"CLEAN"
    
    image_path, pid, sha_256 = dr_semu_utils.get_starter_details(report_directory)
    dynamic_info = dr_semu_utils.get_json_from_file(
        report_directory + b"\\" + str(pid).encode() + b".json"
    )
    
    if not dynamic_info:
        return verdict
    
    spawned_recon = False
    accessed_credentials = False
    
    for win_func in dynamic_info:
        # Check for reconnaissance tools (from sample_rule pattern)
        if "NtCreateUserProcess" in win_func:
            img = win_func["NtCreateUserProcess"]["before"]["image_path"].lower()
            if "whoami" in img or "ipconfig" in img or "netstat" in img:
                spawned_recon = True
        
        # Check for credential file access
        if "NtCreateFile" in win_func:
            file_path = win_func["NtCreateFile"]["before"]["file_path"].lower()
            if "credential" in file_path or "passwords" in file_path:
                accessed_credentials = True
    
    if spawned_recon and accessed_credentials:
        return b"Win32.InfoStealer.DR"
    
    return verdict

Lessons from Examples

All examples check for nil/None before accessing data.

Lua:
if first_static ~= nil then
    is_x86 = first_static.generic.is_x86
end

Python:
if not dynamic_info:
    return verdict

All string matching uses lowercase conversion.

Lua:
local url = win_func.InternetOpenUrlA.before.url:lower()

Python:
if image_path.lower().endswith("drsemu_eicar.exe"):

Verify operations succeeded before using results:
if win_func.NtCreateKey.success == true then
    -- Safe to access results
end

All examples return as soon as malware is detected:
if suspicious_pattern then
    return "Malware.Detected"  -- Stop processing
end
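The child process walk that sample_rule.lua leaves as a comment, written out in Python as an added example (not code from the Dr.Semu repository). It applies the four lessons above to the report shape used on this page; the constructed SAMPLE_REPORTS and load_report stand in for dr_semu_utils.get_json_from_file, and the rule keeps returning bytes as Python rules require.

```python
# Constructed sample reports in the Dr.Semu JSON shape shown on this page: each
# report is a list of entries keyed by API name, carrying "before"/"after"
# parameters and a "success" flag. Keyed by PID here instead of files on disk.
SAMPLE_REPORTS = {
    1000: [
        {"NtCreateUserProcess": {"success": True,
                                 "before": {"image_path": "C:\\Windows\\System32\\cmd.exe"},
                                 "after": {"proc_id": 1010}}},
        # failed call: no key was created, so the rule must not act on it
        {"NtCreateKey": {"success": False,
                         "before": {"key_path": "HKCU\\Software\\malicious_key_for_dr_semu"}}},
    ],
    1010: [
        {"NtCreateUserProcess": {"success": True,
                                 "before": {"image_path": "C:\\Windows\\System32\\WHOAMI.EXE"},
                                 "after": {"proc_id": 1020}}},
    ],
    1020: [],
}


def load_report(pid):
    """Stand-in for dr_semu_utils.get_json_from_file: the child's call list, or None."""
    return SAMPLE_REPORTS.get(pid)


def check_process(dynamic_info, load_report, depth=0, max_depth=8):
    """Walk one process's calls, descending into successfully spawned children."""
    if not dynamic_info or depth > max_depth:   # None/empty report, or runaway tree
        return None
    for win_func in dynamic_info:
        proc = win_func.get("NtCreateUserProcess")
        if proc:
            image_path = (proc.get("before") or {}).get("image_path") or ""
            if image_path.lower().endswith("whoami.exe"):   # early return on a hit
                return b"WHOAMI!EXE"
            if proc.get("success") is True:   # only a successful call has a real child PID
                child_pid = (proc.get("after") or {}).get("proc_id")
                verdict = check_process(load_report(child_pid), load_report, depth + 1, max_depth)
                if verdict:
                    return verdict
        key = win_func.get("NtCreateKey")
        if key and key.get("success") is True:   # verify success before reading results
            key_path = (key.get("before") or {}).get("key_path") or ""
            if "malicious_key_for_dr_semu" in key_path.lower():
                return b"Dr.Semu!TEST"
    return None


def check_tree(root_pid, load_report):
    """Verdict for a process tree rooted at root_pid; CLEAN when nothing matched."""
    return check_process(load_report(root_pid), load_report) or b"CLEAN"
```

Starting from PID 1000 the whoami.exe launch is only visible one level down, which the flat loops in the rules above would miss.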

Next Steps

Lua Rules

Learn Lua rule API reference

Python Rules

Learn Python rule API reference

Best Practices

Optimize your rule development
