google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Add ability to hunt for files via yara rules #226

Closed kudowins closed 7 years ago

kudowins commented 9 years ago

In an effort to proactively identify malware it would be beneficial to leverage the power of yara rules related to the filesystem.

grrrrrrrrr commented 8 years ago

The next client generation will have this.

kudowins commented 8 years ago

Any timeline as to when we might expect this next client release?

Thanks Andreas

On Thursday, March 3, 2016, Andreas Moser notifications@github.com wrote:

The next client generation will have this.


grrrrrrrrr commented 8 years ago

The client is mostly done so very soon. Outstanding issues we still have are that the Windows nanny doesn't start on Windows Server 2008 and similar and, for the Linux version, we need to sort out some startup script problems.

kudowins commented 8 years ago

Looks like this feature wasn't incorporated into the new release. Will it perhaps make an appearance on the next release?

exp0se commented 8 years ago

+1 for this

Yara support would be much appreciated

seanthegeek commented 8 years ago

@grrrrrrrrr +1 Any news on this?

threatcrowd commented 8 years ago

Performance-wise it might be worth doing this just for running processes / loaded DLLs + drivers

scudette commented 8 years ago

Just as an FYI this works in the upcoming release via a rekall plugin.

On 17 Jun 2016 05:53, "threatcrowd" notifications@github.com wrote:

Performance-wise it might be worth doing this just for running processes / loaded DLLs + drivers


CmdrMichael commented 8 years ago

@grrrrrrrrr - Any update for this? Any timeline? @scudette - Will the upcoming Rekall plugin with YARA support also have the ability to use the YARA rules for filesystem scanning, or only for memory forensics?

scudette commented 8 years ago

We did this in the recent DFRWS workshop - not sure if you were there... See the slide "Run a yara rule against all executables in the windows directory." for an explanation of how to do it with Rekall.

http://dfrws2016.rekall-forensic.com/DFRWS2016_Rekall_Workshop.pdf

It should work with GRR as well, providing you issue the same request in the Rekall flow (AnalyzeClientMemory) interface, although I have not tested it yet.

grrrrrrrrr commented 7 years ago

This is available now, I'll close this issue. Let us know if this doesn't work for you.