From d4812383367affa29fae63440fdf88fea238eb31 Mon Sep 17 00:00:00 2001
From: Matthew Green
Date: Fri, 29 Sep 2023 12:34:32 +1000
Subject: [PATCH] Add Yara device scanning (#44) (#2978)

Add Yara device scanning and tests
---
 .../Windows/Detection/Yara/Device.yaml | 91 ++++++++++++++++++
 artifacts/testdata/files/MBR | Bin 0 -> 512 bytes
 .../server/testcases/yara_detection.in.yaml | 6 ++
 .../server/testcases/yara_detection.out.yaml | 15 +++
 4 files changed, 112 insertions(+)
 create mode 100644 artifacts/definitions/Windows/Detection/Yara/Device.yaml
 create mode 100755 artifacts/testdata/files/MBR
diff --git a/artifacts/definitions/Windows/Detection/Yara/Device.yaml b/artifacts/definitions/Windows/Detection/Yara/Device.yaml
new file mode 100644
index 00000000000..3092b862832
--- /dev/null
+++ b/artifacts/definitions/Windows/Detection/Yara/Device.yaml
@@ -0,0 +1,91 @@
+name: Windows.Detection.Yara.Device
+author: Matt Green - @mgreen27
+description: |
+ This artifact enables running Yara over a Physical device and offset
+ specific targeting.
+
+ There are 2 kinds of Yara rules that can be deployed:
+
+ 1. Url link to a yara rule.
+ 2. or a Standard Yara rule attached as a parameter.
+
+ Only one method of Yara will be applied and search order is as above. The
+ default is targeting the Master Boot Record (MBR).
+
+ Note: by default the Yara scan will stop after one hit. Multi-string rules will also only
+ show one string in returned rows.
+
+ Due to scanning raw devices and size being potentially very large I have included
+ an example on how to upload the MBR as the default yara rule.
+
+parameters:
+ - name: DevicePath
+ default: \\.\PHYSICALDRIVE0
+ description: Raw Device for main disk to target.
+ - name: StartOffest
+ type: int
+ default: 0
+ - name: ScanLength
+ type: int
+ default: 512
+ - name: YaraUrl
+ description: If configured will attempt to download Yara rules from Url
+ type: upload
+ - name: YaraRule
+ type: yara
+ default: |
+ rule MBR {
+ meta:
+ author = "Matt Green - @mgreen27"
+ description = "Checks MBR header at offset 510 and collects MBR in HitContext"
+ strings:
+ $mbr = /^.{512}$/ //first entry covering bytes we want to upload.
+ $mbrheader = { 55 AA }
+ condition:
+ $mbr and $mbrheader at 510
+ }
+ - name: NumberOfHits
+ description: THis artifact will stop by default at one hit. This setting allows additional hits
+ default: 1
+ type: int
+ - name: ContextBytes
+ description: Include this amount of bytes around hit as context.
+ default: 0
+ type: int64
+
+sources:
+ - query: |
+ -- check which Yara to use
+ LET yara_rules <= YaraUrl || YaraRule
+
+ -- target yara with raw_file pachspec
+ SELECT
+ DevicePath,
+ StartOffest,
+ ScanLength,
+ Namespace,
+ Rule,
+ Meta,
+ Tags,
+ String.Name as YaraString,
+ String.Offset AS HitOffset,
+ upload(
+ accessor='data',
+ file=String.Data,
+ name=format(format='%s_%s',
+ args=[basename(path=DevicePath),str(str=String.Offset)])
+ ) AS HitContext
+ FROM yara(files=pathspec(
+ DelegateAccessor="raw_file",
+ DelegatePath=DevicePath,
+ Path=StartOffest),
+ accessor='offset',
+ start=0,
+ end=ScanLength,
+ rules=yara_rules,
+ context=ContextBytes,
+ number=NumberOfHits )
+
+column_types:
+ - name: HitContext
+ type: upload_preview
diff --git a/artifacts/testdata/files/MBR b/artifacts/testdata/files/MBR
new file mode 100755
index 0000000000000000000000000000000000000000..9ba4ffa47c414dbf217d9d6bba390b38ea1b99dc
GIT binary patch
literal 512
zcmXp$(05@ELrvd-z8m`(YW6d*?POs3^La@?h78;3-#b|t_U>bEsAFKL;pT7UV{ASu z@aW@NiHUKM&)IJStt@ptH|QqJ!O85v5L|G5dIB{b9tFqEjJ zWiS9i+W#^RAR~jJCWDb71E|fZD~zH0%UR+1%|`_0y%yQQ$h4cG1}N55#@OY@)Ro74 zRyZxOSmvLfU?~sK0S){uT@0HVUbloAJprl$TKIZiqusw+pp|+5%NSntGL(w{+Hmn% z%8O=(4fmfVyr^N=@E^!4W%#{=VfR_7H01-O)@hBuL!1K~ON| z*4QwVaPDSj*ur;K;Pt03um5VFe3J5-L51nT4;7}vo_S@7IhiR61&Ku^nI)O|c?u
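Review bot: The new parameter is declared as `- name: StartOffest` and referenced under that misspelling in the SELECT list and in `Path=StartOffest`; because parameter names are the artifact's public interface, fixing the spelling to `StartOffset` in all three places before release avoids a later rename that would presumably break saved hunts and collections that pass the old name. The `YaraUrl` parameter is documented as "will attempt to download Yara rules from Url" and the description lists "1. Url link to a yara rule", yet it is declared `type: upload` and the query only does `LET yara_rules <= YaraUrl || YaraRule` with no fetch, so the text should describe what actually happens — I would change the parameter description to `description: Optional uploaded Yara rule file; if provided it takes precedence over YaraRule` and the list item to `1. An uploaded yara rule file.`. Smaller wording fixes in the same hunk: `-- target yara with raw_file pachspec` should read `pathspec`, and `THis artifact will stop` should read `This artifact will stop`.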