Developing YARA Rules: a Practical Example - SANS Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Handler on Duty: Didier Stevens

Threat Level: green

Developing YARA Rules: a Practical Example
Xavier mentioned a YARA rule for the detection of DDE code injection in CSV files. A simple YARA rule to achieve this would look like this: rule csv_dde { strings: $a = "=cmd\|" condition: $a } This rule triggers on any file that contains the ASCII string "=cmd\|". This rule is case-sensitive. It will only match lowercase string cmd, and not CMD for example. Although =CMD\| can also be used for DDE command injection. A revised rule to handle this case uses the nocase string modifier: rule csv_dde { strings: $a = "=cmd\|" nocase condition: $a } Whitespace characters are allowed between = and cmd. A revised rule to handle this case uses a regular expression: rule csv_dde { strings: $a = /=\scmd\\|/ nocase condition: $a } \s is the escape sequence for a whitespace character, and is a quantifier that specifies how many whitespace characters are allowed: from none (0) to unlimited. Since the pipe character \| has special meaning in regular expressions (alternation), it needs to be escaped: \\|. This YARA rule will match any file that contains this sequence, but this sequence will not lead to DDE command injection in all cases: it has to appear at the beginning of the file, the beginning of a line (after a newline), or the beginning of a cell (after a comma separator). Thus the revised rule becomes: rule csv_dde { strings: $a = /(^\|\n\|,)=\s*cmd\\|/ nocase condition: $a } Unfortunately, CSV files have no magic header, we can not specify a condition like "MZ" at 0 like we do for PE files. Thus we still risk to match many files that are actually not CSV files. That is the problem with a file format like CSV: because of the lack of a header, it can be difficult to write a program/rule to match CSV files. We can add some additional conditions, like looking for a small file size (condition: "$a and filesize < 10000" for example) and/or a low entropy (condition: "$a and math.entropy(0, filesize) < 5.0" for example). Remark that I did not let performance considerations guide the development of this YARA rule. If you have ideas how to further improve this rule, please post a comment. Didier Stevens Senior handler Microsoft MVP blog.DidierStevens.com DidierStevensLabs.com	DidierStevens 677 Posts ISC Handler Oct 2nd 2018
Thread locked Subscribe	Oct 2nd 2018 3 years ago