Open WDavid404 opened 8 months ago
Integrating With Other Libraries Frameworks such as the Cuckoo Sandbox or Python's PE Module allow you to improve the technicality of your Yara rules ten-fold.
Cuckoo Sandbox is an automated malware analysis environment. This module allows you to generate Yara rules based upon the behaviours discovered from Cuckoo Sandbox. As this environment executes malware, you can create rules on specific behaviours such as runtime strings and the like.
Python's PE module allows you to create Yara rules from the various sections and elements of the Windows Portable Executable (PE) structure.
This structure is the standard formatting of all executables and DLL files on windows. Including the programming libraries that are used. Examining a PE file's contents is an essential technique in malware analysis; this is because behaviours such as cryptography or worming can be largely identified without reverse engineering or execution of the sample.
LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth. Based on the GitHub page, detection is based on 4 methods:
THOR Lite is Florian's newest multi-platform IOC AND YARA scanner. There are precompiled versions for Windows, Linux, and macOS. A nice feature with THOR Lite is its scan throttling to limit exhausting CPU resources.
This is the 3rd tool created by Neo23x0 (Florian Roth). Fenrir is a bash script; it will run on any system capable of running bash (nowadays even Windows).
YAYA was created by the EFF (Electronic Frontier Foundation) and released in September 2020. Based on their website, "YAYA is a new open-source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files."
https://github.com/Neo23x0/yarGen yarGen is a generator for YARA rules. From the README - "The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use."
To use yarGen to generate a Yara rule for file 2, you can run the following command:
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar
Valhalla is an online Yara feed created and hosted by Nextron-Systems (erm, Florian Roth). By now, you should be aware of the ridiculous amount of time and energy Florian has dedicated to creating these tools for the community. Maybe we should have just called this the Florian Roth room. (lol)
Per the website, "Valhalla boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules."
Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file. Rules are used to label these patterns.
https://zhuanlan.zhihu.com/p/361359544 YARA 是一个旨在(但不限于)帮助恶意软件研究人员识别和分类恶意软件样本的开源工具。目前使用YARA 的知名软件有赛门铁克、火眼、卡巴斯基、VirusTotal、安天等。 YARA的每一条描述、规则都由一系列字符串和一个布尔型表达式构成,并阐述其逻辑。YARA规则可以与文件或在运行的进程,以帮助研究人员识别其是否属于某个已进行规则描述的恶意软件等。 YARA 支持在Windows、Linux 和 Mac OS X 平台上运行。
项目地址: https://github.com/VirusTotal/yara 官方文档:https://yara.readthedocs.io/
简单用法:
yara silent_banker.yar testfile
silent_banker.yar
The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in this documentation.