rule command_line_args {
meta:
description = "Command line args"
Block = true
strings:
$s1 = "This string should not be anywhere except in command line args"
condition:
any of them
}
Run this command:
cmd.exe "This string should not be anywhere except in command line args"
The result is that cmd.exe is able to run and an alert is generated when cmd.exe exits.
This is presumably because at process creation time the command line arguments are located in the PEB region and are not within the address space range scanned by YARA. As soon as the process starts running one of the first things it does is gets a copy of the command line via the Win32 API CommandLineToArgvW(), which creates a copy of the args within the normal address space rage and this is what is found during memory scanning at process termination.
The cmdline plugin manually extracts the arguments by traversing the PEB which is how it logs command lines. It should be extended to scan these arguments with YARA.
The question is where should rules come from? Rules meant to match command line arguments will be relatively short and could generate a lot of false positives if applied to full files or address spaces, so they should not be included as part of the rules used to scan files or memory.
One option is to have the 'cmdline' plugin get rules from a rule file that only contains rules used for scanning the command line.
Memory scanning at process start does not include command line arguments. This is reproducible by doing the following:
procfilter.ini:
localrules\master.yara:
Run this command:
The result is that cmd.exe is able to run and an alert is generated when cmd.exe exits.
This is presumably because at process creation time the command line arguments are located in the PEB region and are not within the address space range scanned by YARA. As soon as the process starts running one of the first things it does is gets a copy of the command line via the Win32 API CommandLineToArgvW(), which creates a copy of the args within the normal address space rage and this is what is found during memory scanning at process termination.
The cmdline plugin manually extracts the arguments by traversing the PEB which is how it logs command lines. It should be extended to scan these arguments with YARA.
The question is where should rules come from? Rules meant to match command line arguments will be relatively short and could generate a lot of false positives if applied to full files or address spaces, so they should not be included as part of the rules used to scan files or memory.
One option is to have the 'cmdline' plugin get rules from a rule file that only contains rules used for scanning the command line.