Showing results for tags 'yara'.
MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams and binary data, and incorporates a YARA scanner.

On macro-enabled Office documents we can quickly use oletools mraptor to determine whether a document is malicious. If we want to dissect it further, we could bring in oletools olevba or oledump. To dissect malicious MSI files, so far we had only one, but reliable and trustworthy, tool: lessmsi. However, lessmsi doesn't implement the features I was looking for:
- quick triage
- binary data extraction
- YARA scanning

Hence this is where msidump comes into play. Here we can see that the input MSI is injected with a suspicious VBScript and contains numerous executables. Now we want to take a closer look at this VBScript by extracting only that record.
FindYara

Use this IDA Python plugin to scan your binary with Yara rules. All the Yara rule matches will be listed with their offset so you can quickly hop to them!

Using FindYara

The plugin can be launched from the menu using Edit->Plugins->FindYara or using the hot-key combination Ctrl-Alt-Y. When launched, FindYara will open a file selection dialogue that allows you to select your Yara rules file. Once the rule file has been selected, FindYara will scan the loaded binary for rule matches. All rule matches are displayed in a selection box that allows you to double-click a match and jump to its location in the binary.
Hyara is an IDA plugin that provides convenience when writing Yara rules. You can designate the start and end addresses to automatically create rules. It was created based on a GUI, and adding features and improvements is currently underway.

Features

Hyara start screen and 2 options. When you run Hyara, it aligns to the right like the picture below and the output window is aligned to the left. The Select/Exit button uses the IDAViewWrapper API to get the clicked address in IDA View. After you are done, you have to press it again to finish. After specifying the address, press the "Make" button to show the specified hexadecimal or strings as a result. When you click "Save", those results will be saved in the table below. Press "Export Yara Rule" to finally create the Yara rule using the variables stored in the previous step. The comment option on the upper right side annotates the assemblies nicely. The wildcard option works but further development is still ongoing.
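The Make/Export workflow above, together with the match-offset listing that FindYara produces, as an added example in plain Python. This is not Hyara's or FindYara's own code: it assumes a constructed sample buffer in place of the IDA database, and does the hex-string matching itself instead of going through IDA or yara-python.

```python
import re

# Constructed sample "binary": two copies of an x86 function prologue whose
# stack-frame size byte differs (0x10 vs 0x20), padded with zero bytes.
PROLOGUE_A = bytes.fromhex("558BEC83EC10")   # push ebp; mov ebp,esp; sub esp,0x10
PROLOGUE_B = bytes.fromhex("558BEC83EC20")   # same, but sub esp,0x20
SAMPLE = b"\x00" * 0x40 + PROLOGUE_A + b"\x00" * 0x3A + PROLOGUE_B + b"\x00" * 0x10


def make_hex_string(data: bytes, start: int, end: int, wildcards=()) -> str:
    """YARA hex-string body for data[start:end] (the 'Make' step).
    Bytes at the absolute offsets in `wildcards` become '??', which is what
    a wildcard option needs for operands that vary between samples."""
    if not 0 <= start < end <= len(data):
        raise ValueError("range out of bounds")
    return "{ " + " ".join("??" if o in wildcards else f"{data[o]:02X}"
                           for o in range(start, end)) + " }"


def export_rule(name: str, hex_body: str) -> str:
    """Wrap one hex string in a minimal YARA rule (the 'Export Yara Rule' step)."""
    return (f"rule {name}\n{{\n    strings:\n        $a = {hex_body}\n"
            f"    condition:\n        $a\n}}\n")


def scan(data: bytes, hex_body: str) -> list:
    """Offsets at which the hex string matches, the way FindYara lists them.
    '??' tokens become a single-byte wildcard; everything else is literal."""
    tokens = hex_body.strip("{} ").split()
    pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                       for t in tokens)
    return [m.start() for m in re.finditer(pattern, data, re.DOTALL)]


if __name__ == "__main__":
    # Rule built from the first prologue with its frame-size byte wildcarded:
    # it should hit both copies in SAMPLE, an exact rule only the first.
    body = make_hex_string(SAMPLE, 0x40, 0x46, wildcards={0x45})
    print(export_rule("hyara_example", body))
    print("matches at", [hex(o) for o in scan(SAMPLE, body)])
```

Running the module prints the generated rule followed by `matches at ['0x40', '0x80']`; dropping the wildcard narrows the result to the first offset only.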
Kraken is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD and Linux. It is primarily intended for incident response, research and ad-hoc detections (not for endpoint protection). The core features are:
- Scan running executables and the memory of running processes with the provided Yara rules (leveraging go-yara).
- Scan executables installed for autorun (leveraging go-autoruns).
- Scan the filesystem with the provided Yara rules.
- Report any detection to a remote server, provided with a Django-based web interface.
- Run continuously, periodically checking for new autoruns and scanning any newly-executed processes.

Kraken will store events in a local SQLite3 database and will keep copies of autorun and detected executables. Some features are still under work or almost completed:
- Installer and launcher to automatically start Kraken at startup.
- Download updated Yara rules from the server.