Detection
JULY 2020
TLP GREEN
Introduction
The Australian Cyber Security Centre and other cyber security organisations may produce YARA rules in order to help
customers detect malicious software present on a system. This document provides an overview of YARA rules and
guidance on how to effectively utilise YARA rules within your organisation’s IT environment.
What is YARA?
YARA is an open source project aimed at providing the means to describe and detect malicious software. The YARA project consists of:
The means to describe how malicious software may be detected through the creation of YARA rules, and
A software tool, also called YARA, used for scanning files, memory or other data for malware described in YARA rules.
For further detailed information on YARA, as well as copies of the YARA software, please see the YARA website at https://virustotal.github.io/yara/.
Considerations when utilising YARA
The following are some general considerations when utilising YARA within your organisation’s IT environment,
regardless of the source of the YARA rules.
An additional consideration for use of YARA within a network is considering the future need to run YARA rules across a
network in a repeatable, sustainable manner. Organisations could consider incorporating a YARA tool into standard
operating environments. This would remove the need to deploy YARA to hosts every time a widespread YARA scan is
performed.
Example YARA usage
When utilising the standard YARA tool on the command-line, an overview of the configuration options is available at https://yara.readthedocs.io/en/latest/commandline.html. The ACSC recommends that organisations review this documentation to understand the below examples and to allow for modifications to best suit their environments.
At the time of writing the latest YARA version was 4.0.2 and the information included below is compatible with that version.
-s: Prints the matching strings within the file. Useful for triaging and investigating hits after scan completion.
-f: Fast scan mode, stops searching for additional occurrences of a pattern string after the first match.
-p: Specify the number of threads used when scanning a directory. The ‘8’ value is included as an example and should be tailored based on the environment where the YARA tool is being run and potential performance impact considerations. A lower value should reduce the potential performance impact of a YARA scan.
It is also recommended that the output of the YARA tool be captured through an output redirection mechanism
appropriate for the target system.
A privileged account may be required to scan certain files or folders, based on applied permissions.
Get-ChildItem -File -Recurse -Path 'C:\Inetpub' | Where-Object -FilterScript { $_.Name -match '\.aspx$|\.php$' } | % { & 'C:\yara\yara.exe' -f -s C:\Users\ACSC\rules.yar $_.FullName } >> C:\Users\ACSC\yara_scan_results.txt
Enumerate all files ending in .aspx or .php within C:\Inetpub and any sub-folders.
Scan these files with the YARA tool using the rules within rules.yar.
Capture the results within yara_scan_results.txt.
Scanning specific process memory by process name on Windows
An example of utilising PowerShell to scan all instances of the process or processes identified by name (using
notepad.exe and calc.exe as examples). Note: scanning process memory will likely require an elevated PowerShell or
command prompt.
Get-Process notepad,calc -ErrorAction SilentlyContinue | % { C:\yara\yara.exe -s C:\Users\ACSC\rules.yar $_.Id } -ErrorAction SilentlyContinue >> C:\Users\ACSC\yara_scan_results.txt
Enumerate all processes named notepad.exe or calc.exe and retrieve their process IDs.
Scan these process IDs with the YARA tool using the rules within rules.yar.
Capture the results within yara_scan_results.txt.
Scanning all process memory on Windows
Performs the same steps as above, but on all running processes. Note: scanning process memory will likely require an
elevated PowerShell or command prompt.
Get-Process | % { C:\yara\yara.exe -s C:\Users\ACSC\rules.yar $_.Id } -ErrorAction SilentlyContinue >> C:\Users\ACSC\yara_scan_results.txt
Scanning specific process memory by process name on Linux
An example Bash script to scan all instances of the process or processes identified by name (using gedit and bash as
example processes). The use of sudo has been included in the example as it is a likely requirement to scan process
memory within most environments.
pids=$(ps -C gedit,bash -o pid=); for i in $pids; do sudo /usr/local/bin/yara -s "$HOME/rules.yar" "$i" &>> "$HOME/yara_scan_results.txt"; done
Enumerate all processes named gedit or bash and retrieve their process IDs.
Scan these process IDs with the YARA tool (utilising sudo for privileged access) using the rules within rules.yar.
Capture the results, and any error messages, within yara_scan_results.txt (appending, so that the output for every process ID is retained).
Scanning all process memory on Linux
Performs the same steps as above, but on all running processes. The use of sudo has been included in the example as it is a likely requirement to scan process memory within most environments.
pids=$(ps -e -o pid=); for i in $pids; do sudo /usr/local/bin/yara -s "$HOME/rules.yar" "$i" &>> "$HOME/yara_scan_results.txt"; done
Triaging and investigating YARA results
YARA rules can vary greatly in the conditions which must be met to match a rule. YARA rules can be written to be very specific, causing little to no false positives, or they may be written to match a broader set of criteria to increase the chance of detecting malicious activity at the cost of increased false positives.
After performing a YARA scan, any hits should be investigated to confirm any malicious hits and to rule out any false positives. The triage of hits should involve the following:
Review the matching YARA rule to better understand its matching criteria, its intent and any comments or meta information contained within the rule.
Review the specific data in a file or memory which matched the YARA rule, as well as the surrounding data. This can help identify potential false positives.
Identify whether the matched data can be verified as legitimate.
The process of investigating YARA hits is similar to the processes organisations should follow when investigating an alert
raised by anti-virus software or other detection capabilities.
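The second triage step above, reviewing the matched data together with its surroundings, can be scripted against the output of the YARA tool run with -s. The following is an added example (not ACSC or YARA project code) that parses that output format and pulls the bytes around each hit out of the scanned file; the sample file, rule name and output text are constructed for the demonstration.

```python
"""Triage helper for `yara -s` output (added example, not ACSC or YARA project code)."""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# With -s, the yara tool prints "<rule> <file>" for each hit, followed by one
# "0x<offset>:$<identifier>: <matched data>" line per matching string.
HIT_RE = re.compile(r"^0x([0-9a-fA-F]+):(\$\w*): (.*)$")

def parse_yara_output(text):
    """Group matched strings as {(rule, path): [(offset, identifier, data), ...]}."""
    hits = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m and current is not None:
            hits[current].append((int(m.group(1), 16), m.group(2), m.group(3)))
        elif line.strip():
            rule, _, path = line.partition(" ")  # rule names contain no spaces
            current = (rule, path)
            hits.setdefault(current, [])
    return dict(hits)

def match_context(path, offset, length, window=16):
    """Return (before, matched, after) bytes so the surrounding data can be reviewed."""
    data = Path(path).read_bytes()
    start = max(0, offset - window)
    end = offset + length
    return data[start:offset], data[offset:end], data[end:end + window]

def demo():
    """Constructed sample: a scanned file plus the -s output yara would print for it."""
    sample = Path(tempfile.mkdtemp()) / "sample.txt"
    content = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\ncmd.exe /c whoami\r\n"
    sample.write_bytes(content)
    offset = content.index(b"cmd.exe /c whoami")
    # Constructed output line pair in the -s format; the rule name is hypothetical.
    output = f"suspicious_command {sample}\n0x{offset:x}:$cmd: cmd.exe /c whoami\n"
    (rule, path), matches = next(iter(parse_yara_output(output).items()))
    off, ident, data = matches[0]
    # The printed data is used for the match length; this holds for printable text strings.
    return rule, ident, match_context(path, off, len(data))

if __name__ == "__main__":
    rule, ident, (before, hit, after) = demo()
    print(rule, ident, before, hit, after)
```

In practice the output text comes from the yara_scan_results.txt file produced by the commands earlier in this document, and the context bytes are what an analyst inspects to decide whether the hit is legitimate.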
If you are unable to confirm whether a file or process is legitimate after it was identified using an ACSC-provided YARA
rule and your organisation believes it may be related to malicious activity, contact the ACSC by
emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).
Frequently Asked Questions
Do I have to use the standard YARA tool distributed through https://virustotal.github.io/yara/?
No. Any tool which supports the use of YARA rules can be used. Certain tools may not support the same configuration options available in the standard YARA tool.
Does the ACSC have any recommendations for a commercial tool which supports YARA rules?
No, organisations should select a tool which meets the organisation's identified requirements.
I’m experiencing issues running a YARA tool. Can the ACSC help?
Errors experienced while running a YARA tool are likely one of three types:
A problem with the YARA tool or the environment,
A syntax error in the YARA rules, or
Warning messages produced by the YARA tool.
Errors with the YARA Tool or the Environment
If organisations experience errors similar to the following (but not limited to these specific errors):
yara: error while loading shared libraries: libyara.so.4
error scanning /path/to/file: could not open file
The program can’t start because VCRUNTIME140.dll is missing from your computer.
These errors are indicative of a problem with the YARA tool being used or the environment in which it is running. The
ACSC cannot assist in this troubleshooting and organisations are recommended to consult product documentation.
Some errors may prevent the YARA tool from running at all. Other errors, such as permission or access-related errors,
may only affect the successful scanning of those specific files.
YARA Rule Syntax Errors
If organisations receive a syntax error, such as:
rules.yar(10): error: syntax error, unexpected '}'
this is indicative of a syntax error within the YARA rule itself. To confirm that it is a syntax error, as opposed to an error with the YARA tool or the environment, the following test rule produced by the YARA project can be used:
rule dummy
{
condition:
false
}
If there is no problem with the YARA tool or the environment, scanning a file with the above rule should result in the YARA tool running and exiting successfully with no output.
YARA Warning Messages
The standard YARA tool may produce warning messages about certain rules or components of rules. For example:
rules.yar(5): warning in rule "warning_example": $regex contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N
rules.yar(5): warning in rule "warning_example": $regex is slowing down scanning
These warnings will not prevent the standard YARA tool from scanning correctly and can be ignored.
If your organisation experiences problems when utilising ACSC-provided YARA rules, please report any rule-related errors or issues to asd.assist@defence.gov.au. Please note that the ACSC cannot help troubleshoot issues with installing or running YARA software in general, or issues with rules not provided by the ACSC.
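The three message types described in this FAQ entry have distinct shapes, so captured output from the YARA tool can be sorted automatically before deciding whether to consult product documentation, report a rule problem, or ignore the line. The following is an added example (not ACSC or YARA project code) using the message formats quoted above; treating every unrecognised line as an environment problem is an assumption of this example, and the sample output is constructed.

```python
"""Sort yara tool messages into the three categories described in this FAQ
(added example, not ACSC or YARA project code)."""
import re

# Rule syntax error, e.g. "rules.yar(10): error: syntax error, unexpected '}'"
# (a space before the parenthesis, as in the quoted sample, is tolerated).
SYNTAX_RE = re.compile(r"^(?P<file>.+?)\s*\((?P<line>\d+)\): error: (?P<msg>.+)$")
# Rule warning, e.g. 'rules.yar(5): warning in rule "warning_example": $regex is slowing down scanning'
WARNING_RE = re.compile(
    r'^(?P<file>.+?)\((?P<line>\d+)\): warning in rule "(?P<rule>\w+)"\s*: (?P<msg>.+)$')

def classify_message(line):
    """Return (category, details) for one line of yara tool output."""
    m = WARNING_RE.match(line)
    if m:
        return "warning", {**m.groupdict(), "line": int(m["line"]), "action": "ignore"}
    m = SYNTAX_RE.match(line)
    if m:
        return "rule_syntax", {**m.groupdict(), "line": int(m["line"]),
                               "action": "report to the rule provider"}
    # Assumption: anything else (missing libraries, unreadable files) is an
    # environment problem to take to the product documentation.
    return "environment", {"msg": line.strip(), "action": "consult product documentation"}

def triage_messages(text):
    """Bucket every non-empty line of captured yara output by category."""
    buckets = {"environment": [], "rule_syntax": [], "warning": []}
    for line in text.splitlines():
        if line.strip():
            category, details = classify_message(line)
            buckets[category].append(details)
    return buckets

# Constructed sample output mixing the three message types quoted in this document.
SAMPLE = """\
rules.yar(5): warning in rule "warning_example": $regex is slowing down scanning
rules.yar(10): error: syntax error, unexpected '}'
error scanning /path/to/file: could not open file
yara: error while loading shared libraries: libyara.so.4
"""

if __name__ == "__main__":
    for category, items in triage_messages(SAMPLE).items():
        print(category, items)
```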
Are there common sources of false positives when performing a YARA scan?
The potential for false positives is highly dependent on the rules themselves; however, there are some more common causes of false positives amongst all rules, particularly if the rules utilise plaintext strings for matches. These can include:
Detection of the YARA rules themselves, either as they exist as a file on disk or in process memory, such as stored in Terminal Services clipboard data (e.g. rdpclip.exe).
Detection of anti-virus definition files, or of those same anti-virus definitions in memory.
Anti-virus software has identified the YARA rules file as malicious. What should I do?
Due to the way that detection conditions are written, YARA rules may contain some segments of the same data which malicious files contain, particularly strings. Anti-virus definitions may be written to detect this same content, leading to YARA rule files being flagged as malicious. If a YARA rule file is being flagged as malicious by anti-virus software, organisations can explicitly allow this file within the organisation's anti-virus software.
Contact details
Organisations or individuals with questions regarding this advice can email asd.assist@defence.gov.au.
Incident Reporting
If you have indications that your environment has been compromised, contact the ACSC by
emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).