YARA and CyberChef

If you prefer a graphical user interface to match YARA rules, you can try CyberChef.

YARA is a pattern matching tool, known as "The pattern matching swiss knife".

CyberChef is a web app for all kinds of (file) analysis techniques, known as "The Cyber Swiss Army Knife".

And what do you get when you combine two Swiss Knives? One really big Swiss Knife :-)

CyberChef supports YARA rules.

Here I added one YARA rule to detect Office files with VBA macros. More precisely: OLE files that contain the beginning of the compressed default VBA source code header.

YARA rules that match the input (a Word document, .doc, with VBA code in this example) are listed in the output.

Since CyberChef also has an Unzip function, you can apply YARA rules to the files contained in a ZIP file (something the YARA tool itself cannot do):

If you want to copy the recipes, they are below.

Just YARA:

https://gchq.github.io/CyberChef/#recipe=YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)

UNZIP + YARA:

https://gchq.github.io/CyberChef/#recipe=Unzip('',false)YARA_Rules('rule%20ole_vba%20%7B%5Cn%20%20%20%20strings:%5Cn%20%20%20%20%20%20%20%20$a%20%3D%20%22Attribut%5C%5Cx00e%22%5Cn%20%20%20%20condition:%5Cn%20%20%20%20%20%20%20%20$a%20and%20uint32be(0)%20%3D%3D%200xd0cf11e0%5Cn%7D',false,false,false,false)
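The Unzip + YARA recipe above, as an added example in plain Python (not code from the diary or from CyberChef): it reproduces the condition of the ole_vba rule (OLE magic at offset 0 plus the "Attribut\x00e" marker) and applies it to every member of a ZIP, the way CyberChef's Unzip step feeds the YARA Rules step. The ZIP and its members are constructed in-memory stand-ins, not real Office documents.

```python
import io
import zipfile

# The diary's rule, decoded from the CyberChef recipe URL:
#   rule ole_vba {
#       strings:
#           $a = "Attribut\x00e"
#       condition:
#           $a and uint32be(0) == 0xd0cf11e0
#   }
OLE_MAGIC_BE = 0xD0CF11E0
# Start of the MS-OVBA-compressed "Attribute VB_Name" line: a 0x00 flag byte
# (eight literal tokens follow) lands between "Attribut" and "e".
VBA_MARKER = b"Attribut\x00e"


def ole_vba(data: bytes) -> bool:
    """Python equivalent of the ole_vba rule's condition."""
    if len(data) < 4:
        return False
    magic = int.from_bytes(data[:4], "big")  # YARA's uint32be(0)
    return magic == OLE_MAGIC_BE and VBA_MARKER in data


def scan_zip(zip_bytes: bytes) -> list:
    """Mimic Unzip + YARA_Rules: return the names of ZIP members matching ole_vba."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if ole_vba(zf.read(info)):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed input: fake OLE-like blobs, not real documents."""
    ole_header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    fake_macro_doc = ole_header + b"\x00" * 504 + b"\x00Attribut\x00e VB_Nam\x00e = \"Modu"
    fake_clean_doc = ole_header + b"\x00" * 512
    text_file = b"Attribut\x00e present, but not an OLE file"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("macro.doc", fake_macro_doc)
        zf.writestr("clean.doc", fake_clean_doc)
        zf.writestr("notes.txt", text_file)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample_zip()))  # → ['macro.doc']
```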

And now I need to close my tabs and let the browser update itself :-).


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

ISC Handler, Mar 8th 2021
