SlideShare a Scribd company logo

Operationalizing yara

C
cr8917

The document provides information on operationalizing YARA for analyzing malware indicators. It begins with an introduction to YARA and discusses how YARA breaks rules down into atomic substrings called "atoms" to efficiently scan for malware patterns. Examples are given of atoms in regular expressions and hexadecimal strings. The document then demonstrates how YARA can be used to detect malware indicators in network traffic and static files by writing YARA rules with relevant string patterns and associated conditions.

Technology
1 of 33
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
OPERATIONALIZING  YARA JUNE  2015 CIRCLE  CITY  CON  2015
CircleCityCon  2015  -­‐  TLP:WHITE “YARA is to files what Snort is to network traffic.” -- Victor  Manual  Alvarez,  YARA  Developer
Bio CircleCityCon  2015  -­‐  TLP:WHITE    Chad  Robertson    Threat  Researcher      Fidelis  Cybersecurity   YARA Exchange since 2012 CCE, GCIH Gold, GPEN Gold, GCFA Gold, CISA Prior incident response lead Authored research papers on HIPS, memory forensics, and malicious PDF obfuscation
Agenda CircleCityCon  2015  -­‐  TLP:WHITE YARA  Atoms Malware  indicators: Network        StaTc Memory
CircleCityCon  2015  -­‐  TLP:WHITE YARA Atoms
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Atoms are undivided substrings found in a regexps and hex strings. { 01 02 03 04 05 ?? 06 07 08 [1-2] 09 0A } /abc.*ed[0-9]+fgh/ Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms /(abc|efg)/ Sometimes a single atom is enough (like in the previous example "abc" is enough for finding /abc.*ed[0-9]+fgh/), but sometimes a single atom isn't enough like in the regexp /(abc|efg)/. In this case YARA must search for both "abc" AND "efg" and fully evaluate the regexp whenever one of those atoms is found. Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Atom Tree: /Look(at|into)this/ -AND |- "Look" | |- OR | | | |- "at" | - "into" | - "this” In the regexp /Look(at|into)this/ YARA can search for "Look", or search for "this", or search for both "at" and "into". Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms {00 00} {01 01 01 01} {01 02 03 04} Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms {00 00} Atom 00 00 has a very low quality, because it's only two bytes long and both bytes are zeroes. {01 01 01 01} Atom 01 01 01 01 is better but still not optimal, because the same byte is repeated. {01 02 03 04} Atom 01 02 03 04 is an optimal one. Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms The worse strings are those that contain no atoms at all: /d.*d/ /[A-Za-z]{50,100}w+/ Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms FASTEST - only one atom is generated $s1 = "cmd.exe" (ascii only) $s2 = "cmd.exe" ascii (ascii only, same than $s1) $s3 = "cmd.exe" wide (UTF-16 only) FAST - two atoms will be generated $s4 = "cmd.exe" ascii wide (both ascii and UTF-16) SLOW - many atoms will be generated $s5 = "cmd.exe" nocase (all different cases, e.g. "Cmd.exe", "cMd.exe", "cmD.exe" .. https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
CircleCityCon  2015  -­‐  TLP:WHITE Malware Network  Indicators  
CircleCityCon  2015  -­‐  TLP:WHITE C2  
CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE rule demo { strings: $a1 = {b11c6cb1f4102211} condition: all of them }   B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE rule  demo_adv   {   strings:   $a1  =  {b11c6cb1f4102211}   condiAon:   ($a1  in  (0..11))  and  filesize  <  32   }     $  yara  demo.yar  pcaps/   demo  pcaps//0471c3cf5192f2ff76adae77a087d3ef533e160d4686ff132569d99ec2ad6ba2   demo  pcaps//d4ee1078b9545c876662d942e32024cfa1f63df3bQ401db60404f4359e73f16   demo  pcaps//5a445083067de28f42e799594ecdc72a51ec27333e31b71dc25623aaa12e2003   demo  pcaps//5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   $  yara  demo.yar  flows/   demo  flows//010.000.002.015.01044-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01057-­‐005.254.115.009.00777   demo  flows//010.000.002.015.01056-­‐005.254.098.040.00777   demo  flows//010.000.002.015.01043-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01055-­‐005.254.115.009.00443   demo  flows//010.000.002.015.01044-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01048-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01051-­‐005.254.115.024.00443   demo  flows//010.000.002.015.01049-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01050-­‐005.254.115.009.00443   demo  flows//010.000.002.015.01055-­‐005.254.098.040.00777   demo  flows//010.000.002.015.01047-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01053-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01054-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01045-­‐209.126.109.113.00777   $  yara  demo-­‐adv.yar  pcaps/   $  yara  demo-­‐adv.yar  flows/   demo_adv  flows//010.000.002.015.01044-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01056-­‐005.254.098.040.00777   demo_adv  flows//010.000.002.015.01043-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01044-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01048-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01047-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01055-­‐005.254.098.040.00777   demo_adv  flows//010.000.002.015.01053-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01054-­‐209.239.122.212.00443   B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE Malware StaTc  Indicators  
CircleCityCon  2015  -­‐  TLP:WHITE
CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE rule     staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }     26  matches:   demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c   demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6   demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed   demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b   demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7   demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8   demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2   demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159   demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151   demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3   demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78   demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea   demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2   demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc   demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75   demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d   demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84   demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2   demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab   demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c   demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16   demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab   demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7   demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970   demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5   B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE rule     staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }     B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE Malware Memory  Indicators  
CircleCityCon  2015  -­‐  TLP:WHITE $  yara  -­‐s  demo.yar  preso.mem                                                                                                                 demo  preso.mem                                                                                                                                                                                                                     0x7e236036:$a1:  B1  1C  6C  B1  F4  10  22  11                                                                                                                             0x7e483036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e48b036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e493036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e49b036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e4bb036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7faa1200:$a1:    B1  1C  6C  B1  F4  10  22  11     rule network { strings: $a1 = {b11c6cb1f4102211} condition: all of them }   B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE $  yara  -­‐s  staAc.yar  preso.mem     demo  preso.mem   0x16a304ee:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1e141aae:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1fafab96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1fe42b96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x45aeeb96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x48d90f96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   rule  staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }   B1  1C  6C  B1  F4  10  22  11  
CircleCityCon  2015  -­‐  TLP:WHITE Summary YARA  atoms Malware  Indicators -­‐>  Network -­‐>  StaTc   -­‐>  Memory
CircleCityCon  2015  -­‐  TLP:WHITE YARA  3.3  Modules PE ELF Cuckoo Magic Hash Math
Input  a  directory  of  malware  samples  and  it  outputs  Yara   rules  that  try  to  avoid  known  goodware  strings  and   a[empts  to  use  blacklisted  strings  from  PE  Studio YarGen hYps://github.com/Neo23x0/yarGen   CircleCityCon  2015  -­‐  TLP:WHITE
CircleCityCon  2015  -­‐  TLP:WHITE References YARA Exchange: http://www.deependresearch.org/2012/08/yara-signature- exchange-google-group.html MD5s: demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c   demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6   demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed   demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b   demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7   demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8   demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2   demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159   demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151   demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3   demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78   demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea   demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2   demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc   demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75   demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d   demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84   demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2   demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab   demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c   demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16   demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab   demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7   demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970   demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5  
QUESTIONS? THANK  YOU chad.robertson@fidelissecurity.com Twi[er:  @chrooted

More Related Content

PDF
2014-10-27 - Yara Corporate Presentation 2014
Yara International
 
PDF
Crossing the Production Barrier: Development at Scale
jgoulah
 
PDF
The Chief Consumer Officer at Kongress der Deutschen Marktforschung
InSites on Stage
 
PDF
Universal Brands at Qualitative 360
InSites on Stage
 
PDF
Yara Q4 presentation 11 February 2015
Yara International
 
PPT
Final Presentation Logo Design
avyas
 
PDF
CAS_Overall_Findings
David Grant
 
PPTX
Team Building
K. M. Hasan Ripon
 
2014-10-27 - Yara Corporate Presentation 2014
Yara International
 
Crossing the Production Barrier: Development at Scale
jgoulah
 
The Chief Consumer Officer at Kongress der Deutschen Marktforschung
InSites on Stage
 
Universal Brands at Qualitative 360
InSites on Stage
 
Yara Q4 presentation 11 February 2015
Yara International
 
Final Presentation Logo Design
avyas
 
CAS_Overall_Findings
David Grant
 
Team Building
K. M. Hasan Ripon
 

Viewers also liked (12)

PDF
Minority Report in Research Communities
Tom De Ruyck
 
PPTX
Why Team work is important?
Grape5
 
PPT
Team Building: Creating Effective Teams
Dr. John Persico
 
PPTX
Data Summit Brussels | 'Small Data, Big Insights'
Tom De Ruyck
 
PPT
Team Building
rajeshtolia
 
PPT
Teamwork Presentation
Jo Woolery
 
PPT
Teamwork presentation
ct231
 
PPT
Team Building PowerPoint PPT Content Modern Sample
Andrew Schwartz
 
PPT
TEAM BUILDING POWERPOINT
Andrew Schwartz
 
PDF
Designing Teams for Emerging Challenges
Aaron Irizarry
 
PDF
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
PDF
Build Features, Not Apps
Natasha Murashev
 
Minority Report in Research Communities
Tom De Ruyck
 
Why Team work is important?
Grape5
 
Team Building: Creating Effective Teams
Dr. John Persico
 
Data Summit Brussels | 'Small Data, Big Insights'
Tom De Ruyck
 
Team Building
rajeshtolia
 
Teamwork Presentation
Jo Woolery
 
Teamwork presentation
ct231
 
Team Building PowerPoint PPT Content Modern Sample
Andrew Schwartz
 
TEAM BUILDING POWERPOINT
Andrew Schwartz
 
Designing Teams for Emerging Challenges
Aaron Irizarry
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
Drift
 
Build Features, Not Apps
Natasha Murashev
 
Ad

Similar to Operationalizing yara (14)

PDF
first_2014_-_schuster-_andreas_-_yara_basic_and_advanced_20140619.pdf
AppleRaju1
 
PPTX
Yara
Akshay Jain
 
PDF
Introduction to YARA rules
n|u - The Open Security Community
 
PDF
Automatic tool for static analysis
Chong-Kuan Chen
 
PDF
Webinar alain-2009-03-04-clamav
thc2cat
 
PDF
Yara user's manual 1.6
Vijay Kumar
 
PDF
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Kaspersky
 
PPTX
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
PPT
Malware Classification Using Structured Control Flow
Silvio Cesare
 
PPTX
Chasing the Adder. A tale from the APT world...
Stefano Maccaglia
 
PDF
Bash vs. vista_power_shell
Thomas Lee
 
PPT
Signature based virus detection and protection system
Md. Hasan Basri (Angel)
 
PPTX
Yet Another YARA Allocution (YAYA)
John Laycock
 
ODP
Bash Geekcamp
guest7f4365d
 
first_2014_-_schuster-_andreas_-_yara_basic_and_advanced_20140619.pdf
AppleRaju1
 
Yara
Akshay Jain
 
Introduction to YARA rules
n|u - The Open Security Community
 
Automatic tool for static analysis
Chong-Kuan Chen
 
Webinar alain-2009-03-04-clamav
thc2cat
 
Yara user's manual 1.6
Vijay Kumar
 
Upping the APT hunting game: learn the best YARA practices from Kaspersky
Kaspersky
 
Let's Talk Technical: Malware Evasion and Detection
James Haughom Jr
 
Malware Classification Using Structured Control Flow
Silvio Cesare
 
Chasing the Adder. A tale from the APT world...
Stefano Maccaglia
 
Bash vs. vista_power_shell
Thomas Lee
 
Signature based virus detection and protection system
Md. Hasan Basri (Angel)
 
Yet Another YARA Allocution (YAYA)
John Laycock
 
Bash Geekcamp
guest7f4365d
 
Ad

Recently uploaded (20)

PPTX
Simple and concise overview about Quantum computing..pptx
mughal641
 
PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PDF
Doc9.....................................
SofiaCollazos
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PPTX
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
PPTX
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
PPTX
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
PDF
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
PDF
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
PPTX
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Simple and concise overview about Quantum computing..pptx
mughal641
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
Doc9.....................................
SofiaCollazos
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
AI and Robotics for Human Well-being.pptx
JAYMIN SUTHAR
 
IT Runs Better with ThousandEyes AI-driven Assurance
ThousandEyes
 
Agile Chennai 18-19 July 2025 Ideathon | AI Powered Microfinance Literacy Gui...
AgileNetwork
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
Anchore
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
How Open Source Changed My Career by abdelrahman ismail
a0m0rajab1
 
AI-Cloud-Business-Management-Platforms-The-Key-to-Efficiency-Growth.pdf
Artjoker Software Development Company
 
CIFDAQ's Market Wrap : Bears Back in Control?
CIFDAQ
 
Introduction to Flutter by Ayush Desai.pptx
ayushdesai204
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 

Operationalizing yara

  • 2. CircleCityCon  2015  -­‐  TLP:WHITE “YARA is to files what Snort is to network traffic.” -- Victor  Manual  Alvarez,  YARA  Developer
  • 3. Bio CircleCityCon  2015  -­‐  TLP:WHITE    Chad  Robertson    Threat  Researcher      Fidelis  Cybersecurity   YARA Exchange since 2012 CCE, GCIH Gold, GPEN Gold, GCFA Gold, CISA Prior incident response lead Authored research papers on HIPS, memory forensics, and malicious PDF obfuscation
  • 4. Agenda CircleCityCon  2015  -­‐  TLP:WHITE YARA  Atoms Malware  indicators: Network        StaTc Memory
  • 5. CircleCityCon  2015  -­‐  TLP:WHITE YARA Atoms
  • 6. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Atoms are undivided substrings found in a regexps and hex strings. { 01 02 03 04 05 ?? 06 07 08 [1-2] 09 0A } /abc.*ed[0-9]+fgh/ Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 7. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 8. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms
  • 9. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms /(abc|efg)/ Sometimes a single atom is enough (like in the previous example "abc" is enough for finding /abc.*ed[0-9]+fgh/), but sometimes a single atom isn't enough like in the regexp /(abc|efg)/. In this case YARA must search for both "abc" AND "efg" and fully evaluate the regexp whenever one of those atoms is found. Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 10. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms Atom Tree: /Look(at|into)this/ -AND |- "Look" | |- OR | | | |- "at" | - "into" | - "this” In the regexp /Look(at|into)this/ YARA can search for "Look", or search for "this", or search for both "at" and "into". Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 11. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms {00 00} {01 01 01 01} {01 02 03 04} Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 12. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms {00 00} Atom 00 00 has a very low quality, because it's only two bytes long and both bytes are zeroes. {01 01 01 01} Atom 01 01 01 01 is better but still not optimal, because the same byte is repeated. {01 02 03 04} Atom 01 02 03 04 is an optimal one. Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 13. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms The worse strings are those that contain no atoms at all: /d.*d/ /[A-Za-z]{50,100}w+/ Source: https://code.google.com/p/yara-project/source/browse/trunk/libyara/atoms.c?r=261
  • 14. CircleCityCon  2015  -­‐  TLP:WHITE YARA  -­‐  Atoms FASTEST - only one atom is generated $s1 = "cmd.exe" (ascii only) $s2 = "cmd.exe" ascii (ascii only, same than $s1) $s3 = "cmd.exe" wide (UTF-16 only) FAST - two atoms will be generated $s4 = "cmd.exe" ascii wide (both ascii and UTF-16) SLOW - many atoms will be generated $s5 = "cmd.exe" nocase (all different cases, e.g. "Cmd.exe", "cMd.exe", "cmD.exe" .. https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
  • 15. CircleCityCon  2015  -­‐  TLP:WHITE Malware Network  Indicators  
  • 16. CircleCityCon  2015  -­‐  TLP:WHITE C2  
  • 17. CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
  • 18. CircleCityCon  2015  -­‐  TLP:WHITE rule demo { strings: $a1 = {b11c6cb1f4102211} condition: all of them }   B1  1C  6C  B1  F4  10  22  11  
  • 19. CircleCityCon  2015  -­‐  TLP:WHITE rule  demo_adv   {   strings:   $a1  =  {b11c6cb1f4102211}   condiAon:   ($a1  in  (0..11))  and  filesize  <  32   }     $  yara  demo.yar  pcaps/   demo  pcaps//0471c3cf5192f2ff76adae77a087d3ef533e160d4686ff132569d99ec2ad6ba2   demo  pcaps//d4ee1078b9545c876662d942e32024cfa1f63df3bQ401db60404f4359e73f16   demo  pcaps//5a445083067de28f42e799594ecdc72a51ec27333e31b71dc25623aaa12e2003   demo  pcaps//5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   $  yara  demo.yar  flows/   demo  flows//010.000.002.015.01044-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01057-­‐005.254.115.009.00777   demo  flows//010.000.002.015.01056-­‐005.254.098.040.00777   demo  flows//010.000.002.015.01043-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01055-­‐005.254.115.009.00443   demo  flows//010.000.002.015.01044-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01048-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01051-­‐005.254.115.024.00443   demo  flows//010.000.002.015.01049-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01050-­‐005.254.115.009.00443   demo  flows//010.000.002.015.01055-­‐005.254.098.040.00777   demo  flows//010.000.002.015.01047-­‐209.126.109.113.00443   demo  flows//010.000.002.015.01053-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01054-­‐209.239.122.212.00443   demo  flows//010.000.002.015.01045-­‐209.126.109.113.00777   $  yara  demo-­‐adv.yar  pcaps/   $  yara  demo-­‐adv.yar  flows/   demo_adv  flows//010.000.002.015.01044-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01056-­‐005.254.098.040.00777   demo_adv  flows//010.000.002.015.01043-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01044-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01048-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01047-­‐209.126.109.113.00443   demo_adv  flows//010.000.002.015.01055-­‐005.254.098.040.00777   demo_adv  flows//010.000.002.015.01053-­‐209.239.122.212.00443   demo_adv  flows//010.000.002.015.01054-­‐209.239.122.212.00443   B1  1C  6C  B1  F4  10  22  11  
  • 20. CircleCityCon  2015  -­‐  TLP:WHITE Malware StaTc  Indicators  
  • 22. CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
  • 23. CircleCityCon  2015  -­‐  TLP:WHITE B1  1C  6C  B1  F4  10  22  11  
  • 24. CircleCityCon  2015  -­‐  TLP:WHITE rule     staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }     26  matches:   demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c   demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6   demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed   demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b   demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7   demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8   demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2   demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159   demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151   demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3   demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78   demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea   demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2   demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc   demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75   demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d   demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84   demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2   demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab   demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c   demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16   demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab   demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7   demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970   demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5   B1  1C  6C  B1  F4  10  22  11  
  • 25. CircleCityCon  2015  -­‐  TLP:WHITE rule     staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }     B1  1C  6C  B1  F4  10  22  11  
  • 26. CircleCityCon  2015  -­‐  TLP:WHITE Malware Memory  Indicators  
  • 27. CircleCityCon  2015  -­‐  TLP:WHITE $  yara  -­‐s  demo.yar  preso.mem                                                                                                                 demo  preso.mem                                                                                                                                                                                                                     0x7e236036:$a1:  B1  1C  6C  B1  F4  10  22  11                                                                                                                             0x7e483036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e48b036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e493036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e49b036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7e4bb036:$a1:  B1  1C  6C  B1  F4  10  22  11       0x7faa1200:$a1:    B1  1C  6C  B1  F4  10  22  11     rule network { strings: $a1 = {b11c6cb1f4102211} condition: all of them }   B1  1C  6C  B1  F4  10  22  11  
  • 28. CircleCityCon  2015  -­‐  TLP:WHITE $  yara  -­‐s  staAc.yar  preso.mem     demo  preso.mem   0x16a304ee:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1e141aae:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1fafab96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x1fe42b96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x45aeeb96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   0x48d90f96:$a1:  B1  1C  6C  B1  C7  46  06  F4  10  22  11   rule  staAc   {     strings:     $a1  =  {  b1  1c  6c  b1  ??  ??  ??  f4  10  22  11  }     condiAon:     all  of  them     }   B1  1C  6C  B1  F4  10  22  11  
  • 29. CircleCityCon  2015  -­‐  TLP:WHITE Summary YARA  atoms Malware  Indicators -­‐>  Network -­‐>  StaTc   -­‐>  Memory
  • 30. CircleCityCon  2015  -­‐  TLP:WHITE YARA  3.3  Modules PE ELF Cuckoo Magic Hash Math
  • 31. Input  a  directory  of  malware  samples  and  it  outputs  Yara   rules  that  try  to  avoid  known  goodware  strings  and   a[empts  to  use  blacklisted  strings  from  PE  Studio YarGen hYps://github.com/Neo23x0/yarGen   CircleCityCon  2015  -­‐  TLP:WHITE
  • 32. CircleCityCon  2015  -­‐  TLP:WHITE References YARA Exchange: http://www.deependresearch.org/2012/08/yara-signature- exchange-google-group.html MD5s: demo:6bd9715444Q8e24e41147231afd6bec508cb068615a1bbaf92c0cafc6b3412c   demo:0022ee274f8faece15b65783b0119ffc04f93debde5456e8261ae8e4905550d6   demo:158b53bbc5327dac2d046b476a0ea060b651855ff26bd4e4376b94e1bc723aed   demo:45bcc20a5d87198cff82418c2cc9a8face30060454fe4b9b89607b6ef578a57b   demo:5d085b2449dee95646c8783d150dbe4d4792943f841e560410399708de3b01e7   demo:c35e22fc93691a8594db4db66c36eba5b9c860bd01cbac510868fa4d9c6e36a8   demo:005418c326f23c8db33d337c242a87297f3e7d736120b1286f48ee01de3123e2   demo:7eaW76de4b17cb9bf25324d2c35b3294bf77c6b3483eea6f193efc62f6f159   demo:0c388c0308663bd90de9bf75cb2267087c8f08fe57bb359a095e679b2cbdf151   demo:f1e18d0d3b90f141eee92ae826a0b51e964e6c11521d2f49506d8920584af8b3   demo:db324b966d63eda1a78a346b0327b9c89675aa2a668bc58e3a15ef3d4e7a4b78   demo:9ed9f814e00de3Q30a569323a2602fdbf0dee6f29cde13d6afe632461cbfaea   demo:91e7fd3bc60abf1a8521d20181356a636d552b327dade0f2aea9138844caf0b2   demo:f38798096456a264d758d686fd7c6a7a23a0fa97eca1e44cae9fdd4e41d707fc   demo:2f9294b516d7edf639ddb38d994afc218f05423c7a869edb1b0a9aa715092a75   demo:1644130e603d418493c89cad8bf6f4de4b9ad761248d3481e16304a64c58f66d   demo:1950b0a07cabc27f34c7ef3b7356460f145818f4760bbe94fd5ddeec0454Q84   demo:dfa32564b9f35225fd7f83812ef046d142af0aQ428050ced67ae628498e09f2   demo:4aeeaaec315b4856594ff823898e7603bb7d050397aaa8a7e3484b09b2f0a5ab   demo:fef057e51a7e914bf84688c4df7428770bbd22b7156b8989cb84895f4fe6b62c   demo:f81e5b770eee63b4cbf026df01209724d89a6f92fed4b63885a1020dd9003e16   demo:32d09412aa6b9d1b772b266723fd520bdea5846ac6f7b16a2b4fe1b0ae2839ab   demo:d6981c7a03505a67e020c97e345097248b455b65206efae768cce72a4b71cba7   demo:b85aa01d4818b397cc4a0c7274fda01697b4aac5d396155391b424e84eccb970   demo:5a56ad8b79d505013e964c3725fefc4fa03f565482bee3cf0c3ecbfef146d639   demo:45a1ece87537ed1ba89ba5caeff536462895a86d7eacf59ed9c48fceb3fd5cd5