Contenu connexe Similaire à Yet Another YARA Allocution (YAYA) (20) Yet Another YARA Allocution (YAYA) 2. © Fidelis Cybersecurity
Introduction
2
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois
University
• Cognitech/Ocean Systems Forensic Video Analyst
• Government Contractor
DC3 – DCFL Forensic Examiner/DCISE/NCIJTF
• General Dynamics/Fidelis Commercial Forensics Team
• Fidelis Threat Research Team
John Laycock
Systems, Threat Research
Email: john.laycock@fidelissecurity.com
3. © Fidelis Cybersecurity
Introduction
3
Monty St John
Email: monty@atxforensics.com
site: www.atxforensics.com
Monty St John:
• 25 years of security, digital forensics, reverse engineering,
threat intelligence
• Two decades supporting federal, state, and local LE while
in uniform
Forensics and Threat Intelligence
• Last decade acting as a key member of forensic and TI
teams deconstructing, analyzing and providing insights
into threats and how to thwart them
4. © Fidelis Cybersecurity
Disclaimer
4
This is an introductory level talk to folks that do not necessarily build Yara rules
on a daily basis. Many of the concepts we will be showing you are from a high
level view. You can refer to some of the references in the appendix to drill
down into these concepts in more detail.
TL:DR This is an intro to a deep topic. We’re showing some basic concepts and
sharing some resources that you can hopefully use to build upon.
5. © Fidelis Cybersecurity
What is YARA?
5
YARA is a tool aimed at (but not limited to) helping threat analysts and malware
researchers to identify and classify malware samples. It can:
● Dissect files
● Use patterns to link files or file fragments
● Perform heuristic tests
● Find out what’s missing in files (that should be there)
6. © Fidelis Cybersecurity
Basic Layout and Types – Rule Name
6
Let’s start with a rule name.
● It begins with the word “rule” and is followed by the rule name (identifier)
● First character of the rule name can not be a digit.
● Rule names are case sensitive and cannot exceed 128 characters.
● The curly bracket after the rule name is the start of the actual rule.
rule ExampleRule
{
7. © Fidelis Cybersecurity
Basic Layout and Types - Keywords
7
YARA keywords
all and any ascii at condition contains
entrypoint FALSE filesize fullword for global in
import include int8 int16 int32 int8be int16be
int32be matches meta nocase not or of
private rule strings them TRUE uint8 uint16
uint32 uint8be uint16be uint32be wide
8. © Fidelis Cybersecurity
Basic Layout and Types - Metadata
8
Add Metadata to provide additional information:
rule ExampleRule {
meta:
description = "This is just an example"
author = “Emil Verban”
Nickname = “Dutch”
9. © Fidelis Cybersecurity
Basic Layout and Types - Metadata
9
● Use metadata, especially as the number of yara rules increase.
● Metadata can describe the content of rules
● Metadata can help id where a rule is to save you time digging for it
● Useful for metrics, especially when using the include directive
10. © Fidelis Cybersecurity
Basic Layout and Types
10
Rules consist of two sections: strings and a condition. The strings section is
optional, but the condition section is always required.
rule Example
{
strings:
$my_text_string = ”play ball"
$my_hex_string = {BA 5E BA 11}
condition:
$my_text_string or $my_hex_string
}
11. © Fidelis Cybersecurity
Basic Layout and Types - Strings
11
● Each string has an identifier ($) followed by a sequence of alphanumeric
characters and underscores.
● Strings can be defined in ascii or unicode forms. Text strings are enclosed
on double quotes. Identify unicode with the “wide” keyword, like below:
$my_text_string = “play ball”
$my_unicode_string = “play ball” wide
12. © Fidelis Cybersecurity
Basic Layout and Types - Keywords
12
YARA keywords
all and any ascii at condition contains
entrypoint FALSE filesize fullword for global in
import include int8 int16 int32 int8be int16be
int32be matches meta nocase not or of
private rule strings them TRUE uint8 uint16
uint32 uint8be uint16be uint32be wide
13. © Fidelis Cybersecurity
Basic Layout and Types - Strings
13
● If a word boundary exists before and after the word, use the keyword
“fullword”, like below:
$my_fullword_string = “baseball” fullword
For example the string “baseball”, if defined as fullword, won’t match
www.onebaseball.com but it matches www.baseball-reference.com and
www.baseball.com.
14. © Fidelis Cybersecurity
Basic Layout and Types - Strings
14
● Hex strings are enclosed by curly brackets. Decimal numbers are not
allowed in hex strings.
$my_hex_string = {BA 5E BA 11 23}
● Hexadecimal strings allow three special constructions that make them more
flexible: wild-cards, jumps, and alternatives. Wild-cards (?) are placeholders
to indicate some bytes are unknown and they should match anything.
$my_hex_string = {BA ?? BA ?? 11 23}
15. © Fidelis Cybersecurity
Basic Layout and Types - Strings
15
● You can also define strings with chunks of variable content and length. In
those situations you can use jumps instead of wild-cards:
$my_hex_string = {BA 5E BA [2-4] 11 23}
16. © Fidelis Cybersecurity
Basic Layout and Types - Strings
16
● Alternatives can also be expressed by enclosing them in a parenthesis and
use a pipe for separation:
$my_hex_string = {BA ( 5E BA | 5E BB) 11 23}
The above would return on BA 5E BA 11 23 or BA 5E BB 11 23
● Regular expressions can be used and are enclosed in forward slashes.
$re1 = /md5: [0-9a-fA-F]{32}/
The regex above would return on return on a 32 character alpha numeric value
17. © Fidelis Cybersecurity
Basic Layout and Types - Conditions
17
The condition section is where the logic of the rule resides. This section
contains the logic that satisfies the rule or not. The condition section can
contain boolean operators (and, or and not), like below:
condition:
$my_text_string or $my_hex_string
18. © Fidelis Cybersecurity
Basic Layout and Types - Conditions
18
● Relational operators (>=, <=, <, >, == and !=) and counting (#):
condition:
#my_text_string == 3 or ( #my_hex_string <= 7 and #re_1 >=2 )
● Other rule names can be used as a part of its logic, employing the same
logical operators.
condition:
Ghost-rule and $my_hex_string
Note: Any rule you reference must have already been processed before
you reference it.
19. © Fidelis Cybersecurity
Basic Layout and Types - Conditions
19
● Sets of strings can be used in conditions
rule baseball
{
strings:
$a = "Chicago"
$b = "Cubs"
$c = "Baseball"
condition:
2 of ($a,$b,$c)
}
20. © Fidelis Cybersecurity
Basic Layout and Types –Include Files
20
YARA provides the include directive. The following example will include the
content of other.yar into the current file:
include "other.yar”
The base path will be the same directory where the Yara file resides. You
can also specify relative paths and absolute paths to the include file.
22. © Fidelis Cybersecurity
Rule Organization
22
Organize rules into groups
Include groups of rules you want into your main rule file
using the include directive, e.g. include “other.yar”
Maintain a single, primary rule file and include groups of
rules as you want and exclude those you don’t
24. © Fidelis Cybersecurity
Rule Organization
24
Rule order within a single yar file can also be leveraged.
Preceding rules can be referenced in the condition line of
rules that follow
Great place to employ private rules that contain elements of
interest but you do not want to alert on within more
context.
Similar to Global rules but only apply to the rules you employ
them as a condition
25. © Fidelis Cybersecurity
Rule Organization
25
This type of organization lets you perform rudimentary
IF...THEN logic with your rules
IF Rule 1 THEN
IF Rule 1 AND Rule 2 THEN
IF Rule 1 AND Rule 2 AND Rule 3 THEN
27. © Fidelis Cybersecurity
Rule Organization
27
Or like this:
IF Rule 1 THEN
IF Rule 1 AND NOT Rule 2 THEN
IF Rule 1 AND NOT Rule 2 AND NOT Rule 3 THEN
31. © Fidelis Cybersecurity
Tools / Resources - yarGen
31
A Rule Generator for Yara Rules - written by Florian Roth
What does YarGen do?
● Create yara rules from strings found in files while removing strings that also
appear in goodware files.
● Uses naive-bayes-classifier to classify strings and detect useful words instead of
compression/encryption garbage.
● Can extract opcode elements from .text sections of PE files
● Supports Binarly to let you search on arbitrary byte patterns to create better
rules
32. © Fidelis Cybersecurity
Tools / Resources – Yara Exchange
32
Yara-Exchange Google Group (by invitation only)
http://www.deependresearch.org/2012/08/yara-signature-
exchange-google-group.html
33. © Fidelis Cybersecurity
Tools / Resources – Fidelis Yara
33
We have a publicly available page on github with various indicators,
yara rules etc.
Yara specific
https://github.com/fideliscyber/indicators
34. © Fidelis Cybersecurity
References
34
The following are a series of links to references and tools we have found useful.
Many are beyond the scope of a short talk but we have included them for
future reference.
● https://github.com/Yara-Rules
● https://github.com/Neo23x0/yarGen
● http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-
malware/
● https://bruteforce.gr/yara-a-beginners-guide.html
● https://github.com/BayshoreNetworks/yextend
● https://github.com/plusvic/yara
35. © Fidelis Cybersecurity
References
35
● https://github.com/kevthehermit/YaraManager
● https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/
● https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7 (Yara Guide)
● http://yara.readthedocs.io/en/v3.5.0/writingrules.html
● https://github.com/Neo23x0/yarAnalyzer
● https://gist.github.com/wxsBSD/019740e83faa7a7206f4
● https://gist.github.com/williballenthin/3abc9577bede0aeef25526b2017322
46
● http://www.binar.ly/search