YARA and CyberChef

Published: 2021-03-08. Last Updated: 2021-03-08 17:38:57 UTC
by Didier Stevens (Version: 1)

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as "The pattern matching swiss knife".

CyberChef is a web app for all kinds of (file) analysis techniques, known as "The Cyber Swiss Army Knife".

And what do you get when you combine two Swiss Knives? One really big Swiss Knife :-)

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: ole files (the first four bytes are D0 CF 11 E0) that contain the start of a compressed, default VBA source code header (the string "Attribut\x00e", the beginning of the "Attribute VB_Name" line as it is stored in compressed form).

YARA rules that match the input (a Word document, .doc, with VBA code in this example) are listed in the output.

Since CyberChef also has an unzip function, you can apply YARA rules to the files contained in a ZIP file (something the YARA tool itself cannot do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)
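As an added illustration (not part of this diary or of CyberChef), here is the rule from the recipes decoded from its URL encoding, next to a pure-Python equivalent that applies it to every member of a ZIP archive, which is what the Unzip + YARA recipe does. The sample archive is constructed inline; the function names and the test data are mine.

```python
import io
import struct
import zipfile

# The rule from the CyberChef recipe, URL-decoded (first argument of the YARA_Rules operation):
OLE_VBA_RULE = r'''
rule ole_vba {
    strings:
        $a = "Attribut\x00e"
    condition:
        $a and uint32be(0) == 0xd0cf11e0
}
'''

OLE_MAGIC_BE = 0xD0CF11E0               # first 4 bytes of an ole (Compound File) file, big-endian
VBA_HEADER_FRAGMENT = b"Attribut\x00e"  # start of the compressed "Attribute VB_Name" header;
                                        # the 0x00 is an MS-OVBA flag byte before the next 8 literals

def matches_ole_vba(data: bytes) -> bool:
    """Pure-Python equivalent of the ole_vba rule: both conditions must hold."""
    if len(data) < 4:
        return False                    # uint32be(0) cannot be read -> rule does not match
    magic = struct.unpack(">I", data[:4])[0]
    return magic == OLE_MAGIC_BE and VBA_HEADER_FRAGMENT in data

def scan_zip(zip_bytes: bytes) -> dict:
    """Apply the rule to every file inside a ZIP, as the Unzip + YARA recipe does."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results[info.filename] = matches_ole_vba(zf.read(info))
    return results

def build_sample_zip() -> bytes:
    """Constructed archive: ole with VBA header, ole without, text with the string but no ole magic."""
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
    with_vba = ole_header + b"\x00Attribut\x00e VB_Name = \"ThisDocument\"\r\n"
    without_vba = ole_header + b"no macros here"
    not_ole = b"Attribut\x00e VB_Name = \"Module1\"\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("macro.doc", with_vba)
        zf.writestr("clean.doc", without_vba)
        zf.writestr("notes.txt", not_ole)
    return buf.getvalue()

if __name__ == "__main__":
    for name, hit in scan_zip(build_sample_zip()).items():
        print(f"{name}: {'ole_vba' if hit else '-'}")
```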

And now I need to close my tabs and let the browser update itself :-) .


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
