Tool release: yaml2yara

A common problem for incident responders and blue teams is quickly creating effective detection capability for malicious files. New indicators are found daily, for example malicious code signing certificates and OLE class identifiers.

Today we have released a very simple tool, yaml2yara, that aims to speed up the generation of bulk YARA rules. It decouples the input data (YAML) from the output logic (a template), meaning that all rules can be updated quickly by changing the template once. The tool generates output which should be friendly to source code management systems such as git.

A small set of sample data has also been released. This data includes a number of Office exploits and abused code signing certificates. For example, here’s the data entry for a code signing certificate which was stolen by an APT group a few years ago:

esupplychain:
  added_by: David Cannings
  description: "esupplychain.com.tw stolen certificate, used by Dark Hotel"
  ref: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf
  serial: 65:c8:08:10
  subject: www.esupplychain.com.tw
  issuer: TaiCA Secure CA

The yaml2yara tool can be run as below, generating YARA rules from this input data:

./generate.py --template authenticode --input sample_data/authenticode/stolen_certs.yaml

This generates a YARA rule like the one below, with the relevant fields populated from the YAML data:

import "pe"

rule authenticode_esupplychain {
    meta:
        author = "David Cannings"
        description = "esupplychain.com.tw stolen certificate, used by Dark Hotel"
        ref = "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf"

    condition:
        for any i in (0..pe.number_of_signatures - 1):
        (
            pe.signatures[i].serial == "65:c8:08:10"
            and pe.signatures[i].subject contains "www.esupplychain.com.tw"
            and pe.signatures[i].issuer contains "TaiCA Secure CA"
        )
}

It’s quite common that rules need to be refined and updated after release to improve detection capability or fix mistakes. Because the output logic lives in the template, this means updating the template once and running the tool again, which regenerates every rule with the fix applied.
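To make the data/template split concrete, here is an added illustration of the same idea in Python. It is not the yaml2yara code itself: the entry is the post's esupplychain record written as a Python dict (a real run would load the YAML file with a parser), and the template layout, field validation and helper names are assumptions. It shows the two things a generator like this has to get right in bulk: escaping indicator text so a stray quote in a description cannot break the rule, and emitting entries in a stable order so regenerated files give reviewable git diffs.

```python
"""Bulk YARA rule generation from structured indicator data, in the style of
yaml2yara.  Added illustration, not the project's own code: the data entry is
the post's esupplychain record as a Python dict (a real run would load the
YAML file instead), and the template, field names and helpers are assumptions."""
import re
from typing import Dict

# Constructed: the post's YAML entry, already parsed into a dict.
STOLEN_CERTS: Dict[str, Dict[str, str]] = {
    "esupplychain": {
        "added_by": "David Cannings",
        "description": "esupplychain.com.tw stolen certificate, used by Dark Hotel",
        "ref": "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf",
        "serial": "65:c8:08:10",
        "subject": "www.esupplychain.com.tw",
        "issuer": "TaiCA Secure CA",
    },
}

# All output logic lives here.  Fixing a mistake in the condition means editing
# this one template and regenerating, rather than touching every rule by hand.
AUTHENTICODE_TEMPLATE = '''rule authenticode_{name} {{
    meta:
        author = "{author}"
        description = "{description}"
        ref = "{ref}"

    condition:
        for any i in (0..pe.number_of_signatures - 1):
        (
            pe.signatures[i].serial == "{serial}"
            and pe.signatures[i].subject contains "{subject}"
            and pe.signatures[i].issuer contains "{issuer}"
        )
}}
'''

# Colon-separated lower-case hex bytes, the form the YARA pe module reports.
SERIAL_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})*$")
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def yara_escape(value: str) -> str:
    """Escape a value for a double-quoted YARA text string, so a quote or
    backslash in an indicator's description cannot break the rule syntax."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def rule_name(key: str) -> str:
    """Derive a valid YARA identifier from a YAML key such as 'esupplychain'."""
    name = re.sub(r"[^A-Za-z0-9_]", "_", key)
    if not IDENTIFIER_RE.match(name):
        raise ValueError(f"cannot build a YARA identifier from key {key!r}")
    return name


def render_authenticode(key: str, entry: Dict[str, str]) -> str:
    """Render one certificate entry, rejecting fields that would otherwise
    silently produce a rule that compiles but never matches."""
    serial = entry["serial"].lower()
    if not SERIAL_RE.match(serial):
        raise ValueError(f"{key}: serial {entry['serial']!r} is not colon-separated hex")
    for field in ("subject", "issuer"):
        if not entry.get(field, "").strip():
            raise ValueError(f"{key}: {field} is empty")
    return AUTHENTICODE_TEMPLATE.format(
        name=rule_name(key),
        author=yara_escape(entry.get("added_by", "")),
        description=yara_escape(entry.get("description", "")),
        ref=yara_escape(entry.get("ref", "")),
        serial=serial,
        subject=yara_escape(entry["subject"]),
        issuer=yara_escape(entry["issuer"]),
    )


def render_ruleset(entries: Dict[str, Dict[str, str]]) -> str:
    """Render every entry into one file.  Keys are emitted in sorted order so
    regenerating the file yields a stable, reviewable git diff."""
    rules = [render_authenticode(key, entries[key]) for key in sorted(entries)]
    return 'import "pe"\n\n' + "\n".join(rules)


if __name__ == "__main__":
    print(render_ruleset(STOLEN_CERTS))
```

Running the module prints a rule equivalent to the one shown above. Adding a second certificate means adding a second YAML entry, and correcting the condition for all certificates means editing the template and regenerating the file.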

You can find the tool and sample data on GitHub here: https://github.com/nccgroup/yaml2yara. Feedback is welcome, either directly via Twitter or through GitHub issues.

Published date:  08 May 2018

Written by:  David Cannings
