VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Yara cuckoo module not hitting on any report attributes #1082

Open bufu1003 opened 5 years ago

bufu1003 commented 5 years ago

Sample rule

import "cuckoo"
import "math"
import "pe"

rule testing
{
    condition:
        cuckoo.sync.mutex(/Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7/)
}

Running from command line using the following command:

yara -x cuckoo=cuckoo/reports/report.json myrulesFile.yar badSample.exe

This same issue applies for all cuckoo module attributes, i.e. filesystem.files_accesses(), registry keys, etc. Have tried everything but no hits on any of the Cuckoo report attributes.

Is it a formatting issue with the JSON I am passing in (the JSON is from the reports/report.json which is given in the analysis.zip file downloaded from the GUI)? I have also tried using a variety of regexp formats when writing the rule.

wroersma commented 5 years ago

What version is the Cuckoo report? Yara doesn't currently support 1.3 or 2.x +

bufu1003 commented 5 years ago

Cuckoo version 2.0.6. Any idea if there is a way to circumvent this issue? Possibly by modifying source code in the Yara Cuckoo module, specifically where it pulls its file info, regkey info, mutex info from?

Also any idea if the Yara rules using Cuckoo module will work in VTI? Guessing it depends on version of Cuckoo VT is using
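As an added illustration of the mismatch discussed here (example code, not from the thread or from the YARA project): the cuckoo module reads the legacy `behavior.summary.mutexes` / `files` / `keys` lists, while Cuckoo 2.x reports carry the same data under names such as `mutex`, `file_opened` and `regkey_opened`. The key names below are my assumption about both layouts; the script mirrors the module's mutex lookup on a constructed 2.x-style report and shows a hit only after the summary is rewritten into the legacy shape.

```python
import json
import re

# Legacy (pre-2.0) summary keys the YARA cuckoo module reads, mapped to the
# Cuckoo 2.x summary keys that carry the same information. Assumed layout.
LEGACY_FROM_V2 = {
    "mutexes": ["mutex"],
    "files": ["file_opened", "file_created", "file_written", "file_read",
              "file_deleted", "file_exists", "file_failed"],
    "keys": ["regkey_opened", "regkey_written", "regkey_read", "regkey_deleted"],
}


def to_legacy_summary(report: dict) -> dict:
    """Return a deep copy of the report whose behavior.summary also carries the
    legacy key names, so an unmodified YARA cuckoo rule can evaluate it."""
    out = json.loads(json.dumps(report))  # deep copy; caller's dict is untouched
    summary = out.setdefault("behavior", {}).setdefault("summary", {})
    for legacy, v2_keys in LEGACY_FROM_V2.items():
        merged = list(summary.get(legacy, []))
        for key in v2_keys:
            for value in summary.get(key, []):
                if value not in merged:
                    merged.append(value)
        summary[legacy] = merged
    return out


def mutex_hits(report: dict, pattern: str) -> list:
    """Mirror cuckoo.sync.mutex(): regex search over behavior.summary.mutexes."""
    summary = report.get("behavior", {}).get("summary", {})
    rx = re.compile(pattern)
    return [m for m in summary.get("mutexes", []) if rx.search(m)]


# Constructed Cuckoo 2.x-style report carrying the mutex name from the issue.
V2_REPORT = {
    "info": {"version": "2.0.6"},
    "behavior": {"summary": {
        "mutex": [r"Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"],
        "file_opened": [r"C:\Windows\System32\kernel32.dll"],
        "regkey_opened": [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"],
    }},
}

PATTERN = r"Global\\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7"  # same regex as the rule

if __name__ == "__main__":
    print(mutex_hits(V2_REPORT, PATTERN))                     # [] : nothing under "mutexes"
    print(mutex_hits(to_legacy_summary(V2_REPORT), PATTERN))  # one hit after conversion
```

Writing the converted dict back out with `json.dump` gives a report.json that the rule from the first post can be run against with `-x cuckoo=...` unchanged.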

wroersma commented 5 years ago

I have a PR open, if you want to grab that, which supports 2.0.6. I just haven't added backwards compatible code, so it's not merged yet.

bufu1003 commented 5 years ago

Much appreciated, definitely what’s needed. Also I see what’s on the PR thread re backwards compatibility requirements, not sure how far along you are in meeting them but I’d be up to help out if need be. Definitely extremely useful for VTI hunting

wroersma commented 5 years ago

I really haven't done much with it yet, to be honest. I wouldn't say no to help. I'm basically working on the open source version of VTI with Yara rule management and cuckoo reports with the web UI.

bufu1003 commented 5 years ago

Using the same ES dashboards from the video presentation on threat actor tracking in VTI? Definitely thinking of setting one of those up for our VTI. Re Cuckoo, I'll see if I can work with the fork so that it has backwards compatibility. The issue is, until they merge it, either the rules won't hit on 2.x+ behavioral reports, or they won't hit on any behavioral reports prior to version 2.0.6.

NguyenNgoc0411 commented 1 year ago

I had the same problem as you, fixed it.