=Start=
Motivation:
https://github.com/search?o=desc&q=yara&s=stars&type=Repositories&utf8=%E2%9C%93
Body:
Reference answer:
What is YARA?
The pattern matching Swiss knife
YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or of anything else you want to describe) based on textual or binary patterns. Each description, called a rule, consists of a set of strings and a boolean expression which determines its logic.
What are YARA's strengths?
- YARA is multi-platform: it runs on Windows, Linux and Mac OS X, and it can be used through its command-line interface or from your own Python scripts via the yara-python extension.
- The community maintains and updates rule sets for you, whether for malware or for webshells.
What are YARA's applications?
Reference links:
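As an added illustration of the rule structure just described (this rule is constructed for this page and is not from the original post or the YARA project), here is a YARA rule for a simple PHP webshell pattern; the rule name and the string patterns are assumptions chosen only to show each kind of string and how the condition combines them:

```yara
rule Constructed_PHP_Webshell_Example
{
    meta:
        description = "Constructed example: PHP file that decodes and evaluates request-supplied input"
        author      = "added example, not part of the original post"
        reference   = "http://yara.readthedocs.io/en/latest/index.html"

    strings:
        // Text strings: literal byte sequences; nocase makes the match case-insensitive
        $php_tag   = "<?php" nocase
        $eval_b64  = "eval(base64_decode(" nocase
        $passthru  = "passthru(" nocase
        $shellexec = "shell_exec(" nocase
        $system    = "system($_" nocase

        // Regex string: eval( applied directly to a superglobal such as $_POST[...]
        $eval_req  = /eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[/ nocase

        // Hex string: "<?php", a jump of 1 to 16 arbitrary bytes, then "eval("
        $tag_then_eval = { 3C 3F 70 68 70 [1-16] 65 76 61 6C 28 }

    condition:
        // Cheap checks first: file begins with "<?" (little-endian uint16) and is under 1 MB
        uint16(0) == 0x3F3C and filesize < 1MB
        and $php_tag
        and ( $eval_b64 or $eval_req or $tag_then_eval
              or 2 of ($passthru, $shellexec, $system) )
}
```

Save it as a .yar file and run it recursively over a web root with `yara -r rules.yar /path/to/webroot`; matching files are printed with the rule name, and adding `-s` also prints the matched strings and offsets.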
https://github.com/VirusTotal/yara
http://yara.readthedocs.io/en/latest/index.html
https://github.com/Yara-Rules/rules
https://github.com/nbs-system/php-malware-finder
https://github.com/Neo23x0/yarGen
https://github.com/Neo23x0/yarAnalyzer
https://github.com/mitre/multiscanner
https://github.com/Xen0ph0n/YaraGenerator
https://github.com/godaddy/procfilter
https://github.com/Yara-Rules/rules/tree/master/Webshells
https://github.com/phishme/malware_analysis/tree/master/yara_rules
https://github.com/tenable/yara-rules
https://www.tenable.com/blog/hunting-for-web-shells
http://www.tenable.com/blog/hunting-linux-malware-with-yara
http://www.tenable.com/blog/threat-hunting-with-yara-and-nessus
=END=
“YARA: what&why&how” has 23 comments
A repository collecting malware/RAT source code (Malware source code database)
https://github.com/mwsrc
A YARA rule generator for finding related samples and hunting
https://github.com/AlienVault-OTX/yabin
fame: the FAME malware analysis platform
https://github.com/certsocietegenerale/fame
malwarecage – a component for automated malware collection/analysis systems, written in Python 2, with a REST API
https://github.com/CERT-Polska/malwarecage
Where do malware samples come from?
https://xianzhi.aliyun.com/forum/topic/1279
(Searching GitHub for "malware" turns up some.) A curated list of awesome malware analysis tools and resources
https://github.com/rshipp/awesome-malware-analysis
An excellent list of YARA rules, tools and resources (A curated list of awesome YARA rules, tools, and people.)
https://github.com/InQuest/awesome-yara
Writing Yara rules to detect EXE files embedded in OLE objects
https://www.nextron-systems.com/2018/01/22/write-yara-rules-detect-embedded-exe-files-ole-objects/
Writing reverse-shell shellcode in ARM assembly and the corresponding Yara detection rule (HOW TO WRITE ARM 32-BIT SHELLCODE IN SIX MINUTES)
https://azeria-labs.com/downloads/SAS-v1.0-Azeria.pdf
Kaspersky Lab released the Klara project to help researchers quickly hunt for malware with Yara rules
https://github.com/KasperskyLab/klara
YARA Rules for Finding and Analyzing in InfoSec (the finding and analysis role that YARA rules play in information security)
https://www.alienvault.com/blogs/security-essentials/yara-rules-for-finding-and-analyzing-in-infosec
The VirusTotal platform supports custom Yara rules for retrieving or discovering malware and enterprise-related threat vectors in real time
https://github.com/yt0ng/SAS/blob/master/MNeis_dont_push_the_button_SAS2017_PUBLIC.pdf
http://www.virscan.org/language/zh-cn/
https://www.virustotal.com/#/home/upload
https://x.threatbook.cn/
Malware analysis tools
http://malwareanalysis.tools/
https://github.com/lockfale/OSINT-Framework
mquery – a tool for fast malware queries based on Yara rules
https://github.com/CERT-Polska/mquery
BinSequencer – a script that generates YARA rules by matching similar code sections across different files using a byte -> opcode abstraction
http://ropgadget.com/posts/intro_binsequencer.html
https://github.com/karttoon/binsequencer
kraken – a cross-platform YARA scanner written in Go
https://github.com/botherder/kraken
A detailed introduction to YARA rules
http://blog.inquest.net/blog/2018/09/30/yara-performance/
Fnord – a tool for creating YARA rules for obfuscated code
https://github.com/Neo23x0/Fnord
An introduction to methods for optimizing Yara rules
https://www.nextron-systems.com/2019/01/02/50-shades-of-yara/
Binary file scanning based on the Yara engine
https://blog.didiyun.com/index.php/2018/12/18/yara/
Malice – an open-source tool similar to VirusTotal
https://github.com/maliceio/malice
Installing and using yara
https://paper.tuisec.win/detail/75f580b93a1a91a
https://www.giantbranch.cn/2019/05/23/yara%E7%9A%84%E5%AE%89%E8%A3%85%E4%B8%8E%E4%BD%BF%E7%94%A8/
`
1. Download
2. Test that it works with the simplest official example
3. Obtain yara rules
4. Obtain samples for testing
5. Brief summary
6. reference
`
Static scanning with Yara, part 1 – installing and using Yara
https://blog.csdn.net/m0_37552052/article/details/79012453
YARI – a tool for debugging the YARA rules you write
https://engineering.avast.io/yari-a-new-era-of-yara-debugging/
https://github.com/avast/yari
A comparison of the two threat detection approaches, signature-based and behaviour-based detection
The difference between signature-based and behavioural detections
https://s3cur3th1ssh1t.github.io/Signature_vs_Behaviour/
`
In this blog post, the main difference between signature-based and behavior-based Detections is explained. In addition, examples are shown with respective Detection bypasses.
There are multiple Detection-techniques which a Packer can bypass, and there are others which technically cannot get bypassed. Writing a blog post about this topic is, at least for me, the easiest way to answer this, as in the future I can just send one link for these kinds of questions. 😉
# Signature-based Detections
Signature-based Detections are very simple. The very first AV solutions had a signature database with File-Hashes, and they just compared the Hash of any executable on disk with the Hash of known malicious executable software. E.g. this database contained the SHA1/MD5 Hash of the release binary for Mimikatz. Changing the Hash of an executable is as simple as manipulating a single byte in it, so this Detection is not really reliable and, at least I hope, not commonly used anymore anyway in 2022.
# Behaviour-based Detections – some examples and bypasses
But which behaviours could trigger an AV/EDR action or a Memory Scan at runtime? This can basically be everything: writing stuff into Memory, loading specific libraries in a specific order and/or time-frame, creating registry entries, doing initial HTTP requests or any other action.
I’ll give a few examples here with corresponding bypass techniques for Defender.
From my personal experience, the least common action an AV/EDR takes after detecting a specific behaviour is instantly killing the Process. Why is that? Well, AV/EDR vendors don’t want to have too many false positive findings, as false positive findings with the action of killing a Process can lead to disruptions in production environments, which is really bad. So they need to be nearly 100% sure that a behaviour is definitely Malware before killing the corresponding Process. This is also the reason why many vendors combine the Detection of a behaviour with a Memory Scan afterwards to verify they found something Malicious.
# Conclusion
On the one hand, I wanted to use this article to give an overview of what a Packer can technically bypass and at what point the Operator has to take action himself. Some things should hopefully be clear:
* The Operator should know what his Payload is doing
* The Operator should know about the Indicators of Compromise (IoCs) for his Payloads
* Behaviour-based Detections can only get bypassed by the Operator himself via Payload modification
On the other hand I showed some examples on how to bypass behaviour-based Detections from Defender for
* The Fodhelper UAC Bypass
* Meterpreter
* Cobalt Strike
For Cobalt Strike detections in other mature environments – well, at some point I stopped digging deeper as it was just too much of a BlackBox for me. I’m still excited about its future development and will follow all those changes. Who knows, maybe someday I’ll pick it up again.
The post ended up with the fundamental question of whether all this stuff is even needed at all. Sometimes you will not get around it because the software/tool is closed source and known malicious. I personally think that it’s not. But this just depends on which Payload you’re using. With custom tools or obfuscation, many evasion techniques should not be needed at all. But as custom tools or heavy modification of each tool needs a lot of effort, the alternative of more and more evasion techniques has to be accepted in many cases. At one point you just have to ask yourself if additional effort for evasion is worth getting a known malicious Payload to work. I’m curious where this pushing will lead in the next years. Maybe there will be a Point at some time where people prefer more one-time effort over a constant up-to-date evasion practice.
`