
Yet Another YARA Allocution (YAYA)

Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we’ll pull back the curtain and give you an introduction to how you can use this powerful tool.

In this short time, we'll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We will walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how to organize rules for best effect.

Published in: Technology


  1. BSidesDC 2016 © Fidelis Cybersecurity
     Yet Another YARA Allocution (YAYA)
     John Laycock, Threat Systems, Fidelis Cybersecurity
     Monty St John, ATX Forensics
  2. Introduction
     John Laycock, Threat Systems / Threat Research. Email: john.laycock@fidelissecurity.com
     ● B.S. Mechanical Engineering from Northern Illinois University
     ● Cognitech/Ocean Systems Forensic Video Analyst
     ● Government Contractor, DC3 – DCFL Forensic Examiner / DCISE / NCIJTF
     ● General Dynamics/Fidelis Commercial Forensics Team
     ● Fidelis Threat Research Team
  3. Introduction
     Monty St John, Forensics and Threat Intelligence. Email: monty@atxforensics.com, site: www.atxforensics.com
     ● 25 years of security, digital forensics, reverse engineering, threat intelligence
     ● Two decades supporting federal, state, and local LE while in uniform
     ● Last decade acting as a key member of forensic and TI teams deconstructing, analyzing and providing insights into threats and how to thwart them
  4. Disclaimer
     This is an introductory level talk for folks that do not necessarily build YARA rules on a daily basis. Many of the concepts we will be showing you are from a high level view. You can refer to some of the references in the appendix to drill down into these concepts in more detail.
     TL;DR: This is an intro to a deep topic. We're showing some basic concepts and sharing some resources that you can hopefully use to build upon.
  5. What is YARA?
     YARA is a tool aimed at (but not limited to) helping threat analysts and malware researchers identify and classify malware samples. It can:
     ● Dissect files
     ● Use patterns to link files or file fragments
     ● Perform heuristic tests
     ● Find out what's missing in files (that should be there)
  6. Basic Layout and Types – Rule Name
     Let's start with a rule name.
     ● It begins with the word "rule" and is followed by the rule name (identifier).
     ● The first character of the rule name cannot be a digit.
     ● Rule names are case sensitive and cannot exceed 128 characters.
     ● The curly bracket after the rule name is the start of the actual rule.
     rule ExampleRule {
  7. Basic Layout and Types – Keywords
     YARA keywords: all, and, any, ascii, at, condition, contains, entrypoint, FALSE, filesize, fullword, for, global, in, import, include, int8, int16, int32, int8be, int16be, int32be, matches, meta, nocase, not, or, of, private, rule, strings, them, TRUE, uint8, uint16, uint32, uint8be, uint16be, uint32be, wide
  8. Basic Layout and Types – Metadata
     Add metadata to provide additional information:
     rule ExampleRule
     {
         meta:
             description = "This is just an example"
             author = "Emil Verban"
             Nickname = "Dutch"
         condition:
             true    // the slide shows only the meta section; a condition is added so the rule compiles
     }
  9. Basic Layout and Types – Metadata
     ● Use metadata, especially as the number of YARA rules increases.
     ● Metadata can describe the content of rules.
     ● Metadata can help identify where a rule lives, saving you time digging for it.
     ● Useful for metrics, especially when using the include directive.
  10. Basic Layout and Types
     Rules consist of two sections: strings and a condition. The strings section is optional, but the condition section is always required.
     rule Example
     {
         strings:
             $my_text_string = "play ball"
             $my_hex_string = { BA 5E BA 11 }
         condition:
             $my_text_string or $my_hex_string
     }
  11. Basic Layout and Types – Strings
     ● Each string has an identifier ($) followed by a sequence of alphanumeric characters and underscores.
     ● Strings can be defined in ASCII or Unicode form. Text strings are enclosed in double quotes. Identify Unicode (UTF-16 little-endian, two bytes per character) with the "wide" keyword, like below:
       $my_text_string = "play ball"
       $my_unicode_string = "play ball" wide
  13. Basic Layout and Types – Strings
     ● If a word boundary exists before and after the word, use the keyword "fullword", like below:
       $my_fullword_string = "baseball" fullword
     For example, the string "baseball", if defined as fullword, won't match www.onebaseball.com but will match www.baseball-reference.com and www.baseball.com.
  14. Basic Layout and Types – Strings
     ● Hex strings are enclosed by curly brackets. Decimal numbers are not allowed in hex strings.
       $my_hex_string = { BA 5E BA 11 23 }
     ● Hexadecimal strings allow three special constructions that make them more flexible: wild-cards, jumps, and alternatives. Wild-cards (?) are placeholders indicating that some bytes are unknown and should match anything.
       $my_hex_string = { BA ?? BA ?? 11 23 }
  15. Basic Layout and Types – Strings
     ● You can also define strings with chunks of variable content and length. In those situations you can use jumps instead of wild-cards:
       $my_hex_string = { BA 5E BA [2-4] 11 23 }
  16. Basic Layout and Types – Strings
     ● Alternatives can also be expressed by enclosing them in parentheses and using a pipe for separation:
       $my_hex_string = { BA ( 5E BA | 5E BB ) 11 23 }
     The above would match BA 5E BA 11 23 or BA 5E BB 11 23.
     ● Regular expressions can be used and are enclosed in forward slashes.
       $re1 = /md5: [0-9a-fA-F]{32}/
     The regex above would match the literal "md5: " followed by a 32-character hexadecimal value.
  17. Basic Layout and Types – Conditions
     The condition section is where the logic of the rule resides. This section contains the logic that decides whether the rule is satisfied or not. The condition section can contain boolean operators (and, or and not), like below:
       condition:
           $my_text_string or $my_hex_string
  18. Basic Layout and Types – Conditions
     ● Relational operators (>=, <=, <, >, == and !=) and counting (#):
       condition:
           #my_text_string == 3 or ( #my_hex_string <= 7 and #re_1 >= 2 )
     ● Other rule names can be used as part of a rule's logic, employing the same logical operators:
       condition:
           Ghost_rule and $my_hex_string
     Note: any rule you reference must already have been processed (defined earlier in the file, or in a file included earlier) before you reference it.
  19. Basic Layout and Types – Conditions
     ● Sets of strings can be used in conditions:
     rule baseball
     {
         strings:
             $a = "Chicago"
             $b = "Cubs"
             $c = "Baseball"
         condition:
             2 of ($a,$b,$c)
     }
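As an added example, not taken from the deck, here is one rule that combines the string forms from slides 11–16 with the condition operators from slides 17–19; the rule name, string values and count thresholds are constructed for illustration:

```yara
rule YAYA_StringTypes_Example
{
    meta:
        description = "Constructed example exercising each string form and condition operator"
        author = "added for this write-up, not a Fidelis rule"

    strings:
        // ASCII and UTF-16LE forms of the same text; nocase also accepts "Play Ball"
        $ascii_txt = "play ball" ascii wide nocase
        // fullword: matches "baseball.com" but not "onebaseball.com"
        $full      = "baseball" fullword
        // hex with two wildcard bytes, a 2-to-4 byte jump, and two alternatives
        $hex_wild  = { BA ?? BA ?? 11 23 }
        $hex_jump  = { BA 5E BA [2-4] 11 23 }
        $hex_alt   = { BA ( 5E BA | 5E BB ) 11 23 }
        // regex: the literal "md5: " followed by 32 hex digits
        $re_md5    = /md5: [0-9a-fA-F]{32}/

    condition:
        // counting (#) with relational operators on the number of occurrences
        ( #full >= 2 and #re_md5 <= 7 )
        or
        // "of" over a set: any two of the three hex forms
        2 of ( $hex_wild, $hex_jump, $hex_alt )
        or
        // "at": the text must sit at offset 0; filesize keeps the scan cheap
        ( $ascii_txt at 0 and filesize < 1MB )
}
```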
  20. Basic Layout and Types – Include Files
     YARA provides the include directive. The following example will include the content of other.yar into the current file:
       include "other.yar"
     The base path is the directory where the YARA file resides. You can also specify relative paths and absolute paths to the included file.
  21. Any questions so far?
  22. Rule Organization
     ● Organize rules into groups.
     ● Include the groups of rules you want in your main rule file using the include directive, e.g. include "other.yar".
     ● Maintain a single, primary rule file and include groups of rules as you want and exclude those you don't.
  23. Rule Organization (image-only slide)
  24. Rule Organization
     Rule order within a single .yar file can also be leveraged: preceding rules can be referenced in the condition of rules that follow.
     This is a great place to employ private rules that contain elements of interest that you do not want to alert on without more context. They are similar to global rules but only apply to the rules that use them as a condition.
  25. Rule Organization
     This type of organization lets you perform rudimentary IF...THEN logic with your rules:
       IF Rule 1 THEN
       IF Rule 1 AND Rule 2 THEN
       IF Rule 1 AND Rule 2 AND Rule 3 THEN
  26. Rule Organization (image-only slide)
  27. Rule Organization
     Or like this:
       IF Rule 1 THEN
       IF Rule 1 AND NOT Rule 2 THEN
       IF Rule 1 AND NOT Rule 2 AND NOT Rule 3 THEN
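An added example of the ordering and private-rule pattern from slides 24–27, written for this page rather than taken from the deck; the rule names, the "play ball" marker and the "UPX!" string standing in for Rule 3 are constructed:

```yara
// Order matters: a rule may only reference rules defined above it in the file.

private rule is_pe
{
    // "MZ" at offset 0 (little-endian 0x5A4D); private, so it never alerts on its own
    condition:
        uint16(0) == 0x5A4D
}

private rule has_marker
{
    // Rule 2 builds on Rule 1: marker string inside a PE, still not reported by itself
    strings:
        $m = "play ball" ascii wide
    condition:
        is_pe and $m
}

rule Stage1_PE_with_marker
{
    // IF Rule 1 AND Rule 2 THEN alert
    meta:
        description = "PE file carrying the constructed marker string"
    condition:
        has_marker
}

rule Stage2_marker_not_packed
{
    // IF Rule 1 AND Rule 2 AND NOT Rule 3 THEN alert; Rule 3 is a packer hint
    strings:
        $upx = "UPX!" ascii
    condition:
        has_marker and not $upx
}
```

Only the two non-private rules appear in scan output; the private helpers narrow them without producing alerts of their own.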
  28. Rule Organization (image-only slide)
  29. YARA in Action (image-only slide)
  30. YARA in Action (image-only slide)
  31. Tools / Resources – yarGen
     A rule generator for YARA rules, written by Florian Roth. What does yarGen do?
     ● Creates YARA rules from strings found in files while removing strings that also appear in goodware files.
     ● Uses a naive Bayes classifier to classify strings and detect useful words instead of compression/encryption garbage.
     ● Can extract opcode elements from .text sections of PE files.
     ● Supports Binarly to let you search on arbitrary byte patterns to create better rules.
  32. Tools / Resources – YARA Exchange
     Yara-Exchange Google Group (by invitation only): http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html
  33. Tools / Resources – Fidelis YARA
     We have a publicly available page on GitHub with various indicators, YARA rules, etc. YARA-specific: https://github.com/fideliscyber/indicators
  34. References
     The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk, but we have included them for future reference.
     ● https://github.com/Yara-Rules
     ● https://github.com/Neo23x0/yarGen
     ● http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-malware/
     ● https://bruteforce.gr/yara-a-beginners-guide.html
     ● https://github.com/BayshoreNetworks/yextend
     ● https://github.com/plusvic/yara
  35. References
     ● https://github.com/kevthehermit/YaraManager
     ● https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/
     ● https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7 (Yara Guide)
     ● http://yara.readthedocs.io/en/v3.5.0/writingrules.html
     ● https://github.com/Neo23x0/yarAnalyzer
     ● https://gist.github.com/wxsBSD/019740e83faa7a7206f4
     ● https://gist.github.com/williballenthin/3abc9577bede0aeef25526b201732246
     ● http://www.binar.ly/search
  36. Questions & Thank You!
     John Laycock / john.laycock@fidelissecurity.com
     Monty St John / monty@atxforensics.com
