Embed Size (px)
Citation preview
© Fidelis Cybersecurity
BSidesDC 2016Yet Another YARA Allocution (YAYA)John Laycock, Threat SystemsFidelis Cybersecurity
Monty St JohnATX Forensics
© Fidelis Cybersecurity
Introduction
2
John Laycock:
• B.S. Mechanical Engineering from Northern Illinois University
• Cognitech/Ocean Systems Forensic Video Analyst• Government Contractor
DC3 – DCFL Forensic Examiner/DCISE/NCIJTF• General Dynamics/Fidelis Commercial Forensics Team• Fidelis Threat Research Team
John LaycockSystems, Threat ResearchEmail: [email protected]
© Fidelis Cybersecurity
Introduction
3
Monty St JohnEmail: [email protected]: www.atxforensics.com
Monty St John:
• 25 years of security, digital forensics, reverse engineering, threat intelligence
• Two decades supporting federal, state, and local LE while in uniform
Forensics and Threat Intelligence• Last decade acting as a key member of forensic and TI
teams deconstructing, analyzing and providing insights into threats and how to thwart them
© Fidelis Cybersecurity
Disclaimer
4
This is an introductory level talk to folks that do not necessarily build Yara rules on a daily basis. Many of the concepts we will be showing you are from a high level view. You can refer to some of the references in the appendix to drill down into these concepts in more detail.
TL:DR This is an intro to a deep topic. We’re showing some basic concepts and sharing some resources that you can hopefully use to build upon.
© Fidelis Cybersecurity
What is YARA?
5
YARA is a tool aimed at (but not limited to) helping threat analysts and malware researchers to identify and classify malware samples. It can:
● Dissect files
● Use patterns to link files or file fragments
● Perform heuristic tests
● Find out what’s missing in files (that should be there)
© Fidelis Cybersecurity
Basic Layout and Types – Rule Name
6
Let’s start with a rule name.
● It begins with the word “rule” and is followed by the rule name (identifier)
● First character of the rule name can not be a digit.
● Rule names are case sensitive and cannot exceed 128 characters.
● The curly bracket after the rule name is the start of the actual rule.
rule ExampleRule {
© Fidelis Cybersecurity
Basic Layout and Types - Keywords
7
YARA keywordsall and any ascii at condition contains
entrypoint FALSE filesize fullword for global in
import include int8 int16 int32 int8be int16be
int32be matches meta nocase not or of
private rule strings them TRUE uint8 uint16
uint32 uint8be uint16be uint32be wide
© Fidelis Cybersecurity
Basic Layout and Types - Metadata
8
Add Metadata to provide additional information:
rule ExampleRule {
meta: description = "This is just an example" author = “Emil Verban”Nickname = “Dutch”
© Fidelis Cybersecurity
Basic Layout and Types - Metadata
9
● Use metadata, especially as the number of yara rules increase.
● Metadata can describe the content of rules
● Metadata can help id where a rule is to save you time digging for it
● Useful for metrics, especially when using the include directive
© Fidelis Cybersecurity
Basic Layout and Types
10
Rules consist of two sections: strings and a condition. The strings section is optional, but the condition section is always required.
rule Example { strings: $my_text_string = ”play ball" $my_hex_string = {BA 5E BA 11}
condition: $my_text_string or $my_hex_string }
© Fidelis Cybersecurity
Basic Layout and Types - Strings
11
● Each string has an identifier ($) followed by a sequence of alphanumeric
characters and underscores.
● Strings can be defined in ascii or unicode forms. Text strings are enclosed on
double quotes. Identify unicode with the “wide” keyword, like below:
$my_text_string = “play ball” $my_unicode_string = “play ball” wide
© Fidelis Cybersecurity
Basic Layout and Types - Keywords
12
YARA keywordsall and any ascii at condition contains
entrypoint FALSE filesize fullword for global in
import include int8 int16 int32 int8be int16be
int32be matches meta nocase not or of
private rule strings them TRUE uint8 uint16
uint32 uint8be uint16be uint32be wide
© Fidelis Cybersecurity
Basic Layout and Types - Strings
13
● If a word boundary exists before and after the word, use the keyword
“fullword”, like below:$my_fullword_string = “baseball” fullword
For example the string “baseball”, if defined as fullword, won’t match
www.onebaseball.com but it matches www.baseball-reference.com and
www.baseball.com.
© Fidelis Cybersecurity
Basic Layout and Types - Strings
14
● Hex strings are enclosed by curly brackets. Decimal numbers are not allowed
in hex strings. $my_hex_string = {BA 5E BA 11 23}
● Hexadecimal strings allow three special constructions that make them more
flexible: wild-cards, jumps, and alternatives. Wild-cards (?) are placeholders
to indicate some bytes are unknown and they should match anything.$my_hex_string = {BA ?? BA ?? 11 23}
© Fidelis Cybersecurity
Basic Layout and Types - Strings
15
● You can also define strings with chunks of variable content and length. In those situations you can use jumps instead of wild-cards:
$my_hex_string = {BA 5E BA [2-4] 11 23}
© Fidelis Cybersecurity
Basic Layout and Types - Strings
16
● Alternatives can also be expressed by enclosing them in a parenthesis and
use a pipe for separation:
$my_hex_string = {BA ( 5E BA | 5E BB) 11 23}
The above would return on BA 5E BA 11 23 or BA 5E BB 11 23
● Regular expressions can be used and are enclosed in forward slashes. $re1 = /md5: [0-9a-fA-F]{32}/
The regex above would return on return on a 32 character alpha numeric
value
© Fidelis Cybersecurity
Basic Layout and Types - Conditions
17
The condition section is where the logic of the rule resides. This section contains
the logic that satisfies the rule or not. The condition section can contain
boolean operators (and, or and not), like below:
condition: $my_text_string or $my_hex_string
© Fidelis Cybersecurity
Basic Layout and Types - Conditions
18
● Relational operators (>=, <=, <, >, == and !=) and counting (#):condition: #my_text_string == 3 or ( #my_hex_string <= 7 and #re_1 >=2 )
● Other rule names can be used as a part of its logic, employing the same
logical operators. condition: Ghost-rule and $my_hex_string
Note: Any rule you reference must have already been processed before you reference it.
© Fidelis Cybersecurity
Basic Layout and Types - Conditions
19
● Sets of strings can be used in conditions
rule baseball{ strings: $a = "Chicago" $b = "Cubs" $c = "Baseball"
condition: 2 of ($a,$b,$c)}
© Fidelis Cybersecurity
Basic Layout and Types –Include Files
20
YARA provides the include directive. The following example will include the content of other.yar into the current file:
include "other.yar”
The base path will be the same directory where the Yara file resides. You can also specify relative paths and absolute paths to the include file.
© Fidelis Cybersecurity
Any Questions so far?
© Fidelis Cybersecurity
Rule Organization
22
Organize rules into groups
Include groups of rules you want into your main rule file using the include directive, e.g. include “other.yar”
Maintain a single, primary rule file and include groups of rules as you want and exclude those you don’t
© Fidelis Cybersecurity
Rule Organization
23
© Fidelis Cybersecurity
Rule Organization
24
Rule order within a single yar file can also be leveraged.
Preceding rules can be referenced in the condition line of rules that follow
Great place to employ private rules that contain elements of interest but you do not want to alert on within more context.
Similar to Global rules but only apply to the rules you employ them as a condition
© Fidelis Cybersecurity
Rule Organization
25
This type of organization lets you perform rudimentary IF...THEN logic with your rules
IF Rule 1 THEN
IF Rule 1 AND Rule 2 THEN
IF Rule 1 AND Rule 2 AND Rule 3 THEN
© Fidelis Cybersecurity
Rule Organization
26
© Fidelis Cybersecurity
Rule Organization
27
Or like this:
IF Rule 1 THEN
IF Rule 1 AND NOT Rule 2 THEN
IF Rule 1 AND NOT Rule 2 AND NOT Rule 3 THEN
© Fidelis Cybersecurity
Rule Organization
28
© Fidelis Cybersecurity
Yara in Action
29
© Fidelis Cybersecurity
Yara in Action
30
© Fidelis Cybersecurity
Tools / Resources - yarGen
31
A Rule Generator for Yara Rules - written by Florian Roth
What does YarGen do?
● Create yara rules from strings found in files while removing strings that also
appear in goodware files.
● Uses naive-bayes-classifier to classify strings and detect useful words instead of
compression/encryption garbage.
● Can extract opcode elements from .text sections of PE files
● Supports Binarly to let you search on arbitrary byte patterns to create better
rules
© Fidelis Cybersecurity
Tools / Resources – Yara Exchange
32
Yara-Exchange Google Group (by invitation only)http://www.deependresearch.org/2012/08/yara-signature-exchange-google-group.html
© Fidelis Cybersecurity
Tools / Resources – Fidelis Yara
33
We have a publicly available page on github with various indicators, yara rules etc.
Yara specific
https://github.com/fideliscyber/indicators
© Fidelis Cybersecurity
References
34
The following are a series of links to references and tools we have found useful. Many are beyond the scope of a short talk but we have included them for future reference.
● https://github.com/Yara-Rules● https://github.com/Neo23x0/yarGen ● http://resources.infosecinstitute.com/yara-simple-effective-way-dissecting-
malware/
● https://bruteforce.gr/yara-a-beginners-guide.html● https://github.com/BayshoreNetworks/yextend ● https://github.com/plusvic/yara
© Fidelis Cybersecurity
References
35
● https://github.com/kevthehermit/YaraManager● https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/● https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7 (Yara Guide)● http://yara.readthedocs.io/en/v3.5.0/writingrules.html● https://github.com/Neo23x0/yarAnalyzer● https://gist.github.com/wxsBSD/019740e83faa7a7206f4● https://gist.github.com/williballenthin/3abc9577bede0aeef25526b2017322
46● http://www.binar.ly/search
© Fidelis Cybersecurity
Questions & Thank You!
John Laycock / [email protected]
Monty St John/[email protected]
