Monday, October 19, 2015

Autopsy Python YARA Scan Module



YARA is a great tool for identifying malware by matching files against pattern rules; it can be found at https://plusvic.github.io/yara/.  You can write your own rules, or start from the very nice prebuilt rule repository at http://yararules.com.  I needed a fast way to search through some disk images, so I decided it was time to build a quick Autopsy Python YARA Scan Module, available for download at https://github.com/jblukach/AutopsyModules.

Setup required dropping the YARA executable into the Autopsy Python Module folder.  I also created a centralized YARA rule file that pulls in each rule file from the list with an include statement, for example include "rules-master\antidebug.yar".



If you want to use a different storage location for the executable and the rule file, change the two lines of code that set those paths.


What is the objective of your YARA scan?  The file search is a SQLite LIKE query, so the percent sign (%) is a wildcard that matches any run of characters: in this example the name pattern %.doc matches any Word document, and a parent-path pattern of just % means there is no path restriction at all.


If you wanted to find executable files located in any folder whose path contains "temp", the line of code could be changed to the following.  Any file that Hash Analysis has marked as KNOWN is excluded from the YARA scan, so those files are never exported or scanned.

files = fileManager.findFiles(dataSource, "%.exe", "%temp%")


These two lines can be commented out with the pound sign (#) to do a dry run that only reports the quantity and listing of the files that would be processed.  The first line exports the file to the Temporary folder inside the case directory structure, and the second line runs the YARA scan against the exported file.  Windows Defender on my investigation machine also examines the files during extraction, which may identify some very low-hanging fruit too.  Keep in mind that real-time antivirus can also quarantine or delete an exported file before YARA gets to read it, so an exclusion for the case directory may be needed if scans report files as missing.



The module overwrites the YARA.txt report every time it is run, so copy it aside (or change the report name in the module) before running a different search if you want to keep earlier results.  The file is located in the Reports folder inside the case directory structure.



Once the YARA Scan module completes, Autopsy will fire an alert showing the number of files scanned.


Under Reports, the generated text file is linked so that you can double-click it and review the results.  For each hit, the top line is the YARA result and the bottom line shows where the file is located in the Autopsy interface.
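To make the search, export, scan and report loop concrete, here is a stand-alone Python 3 model of it.  This is an added example, not the module's own code, and it is plain CPython rather than Jython, so it runs outside Autopsy: findFiles() is emulated with a SQLite-style LIKE matcher over a constructed list of file records, file contents come from a callback instead of ContentUtils, and the yara command line is called through a swappable runner so the logic can be exercised without yara installed.  The paths in YARA_EXE and YARA_RULES, the file records in SAMPLE_FILES and the rule name "silent_banker" are all hypothetical.

```python
"""Stand-alone model of the Autopsy YARA scan loop (added example, not the
module's own code; plain CPython 3, not Jython, so it runs outside Autopsy)."""
import os
import re
import subprocess
import tempfile

# Hypothetical locations; the real module sets these in two lines you edit.
YARA_EXE = r"C:\Autopsy\python_modules\yara64.exe"
YARA_RULES = r"C:\Autopsy\python_modules\rules.yar"

# Constructed file records shaped like what FileManager.findFiles() returns:
# object id, file name, parent path and the Hash Analysis known state.
SAMPLE_FILES = [
    {"id": 1, "name": "report.doc", "parent": "/Users/bob/Documents/", "known": "UNKNOWN"},
    {"id": 2, "name": "dropper.exe", "parent": "/Users/bob/AppData/Local/Temp/", "known": "UNKNOWN"},
    {"id": 3, "name": "notepad.exe", "parent": "/Windows/System32/", "known": "KNOWN"},
    {"id": 4, "name": "updater.EXE", "parent": "/Windows/Temp/", "known": "UNKNOWN"},
]


def like_match(pattern, text):
    """Emulate SQLite LIKE: '%' matches any run of characters, '_' exactly
    one character, and ASCII letters compare case-insensitively."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def find_files(files, name_pattern, parent_pattern="%"):
    """Stand-in for fileManager.findFiles(dataSource, name, parentPath),
    plus the module's rule that KNOWN files are left out of the scan."""
    return [f for f in files
            if like_match(name_pattern, f["name"])
            and like_match(parent_pattern, f["parent"])
            and f["known"] != "KNOWN"]


def run_yara(rule_file, target, yara_exe=YARA_EXE):
    """Default runner: call the yara command line on one exported file and
    return its stdout, which is one '<rule> <path>' line per match."""
    proc = subprocess.run([yara_exe, rule_file, target],
                          capture_output=True, text=True)
    return proc.stdout


def parse_matches(output):
    """Split yara's default output into (rule, path) pairs.  The path may
    contain spaces, so only the first space separates rule from path."""
    pairs = []
    for line in output.splitlines():
        line = line.strip()
        if line:
            rule, _, path = line.partition(" ")
            pairs.append((rule, path))
    return pairs


def scan(files, content_of, rule_file, runner=run_yara, export_dir=None):
    """Export each file, scan it, and build report lines in the post's
    layout: the YARA result line, then the file's location in Autopsy.
    content_of(record) returns the file bytes (Autopsy would use
    ContentUtils.writeToFile); runner is swappable for testing."""
    export_dir = export_dir or tempfile.mkdtemp(prefix="yara_")
    lines = []
    for f in files:
        exported = os.path.join(export_dir, "%d_%s" % (f["id"], f["name"]))
        with open(exported, "wb") as fh:
            fh.write(content_of(f))
        for rule, path in parse_matches(runner(rule_file, exported)):
            lines.append("%s %s" % (rule, path))
            lines.append(f["parent"] + f["name"])
    return lines


def write_report(lines, report_path):
    """Overwrite the report on every run, as the module does with YARA.txt;
    returns the number of matches written (two lines per match)."""
    with open(report_path, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    return len(lines) // 2


def demo(export_dir=None):
    """Run the whole loop on SAMPLE_FILES with a fake runner that flags
    'dropper.exe', so it works without yara installed.  Returns the report
    lines, the report path and the number of files scanned."""
    export_dir = export_dir or tempfile.mkdtemp(prefix="yara_")

    def fake_yara(rule_file, target):
        return "silent_banker %s\n" % target if "dropper" in target else ""

    selected = find_files(SAMPLE_FILES, "%.exe", "%temp%")
    lines = scan(selected, lambda f: b"MZ" + f["name"].encode(), YARA_RULES,
                 runner=fake_yara, export_dir=export_dir)
    report = os.path.join(export_dir, "YARA.txt")
    write_report(lines, report)
    return lines, report, len(selected)
```

Running demo() selects dropper.exe and updater.EXE (notepad.exe is skipped as KNOWN, and the LIKE match is case-insensitive, so the upper-case extension still matches %.exe), exports both, and writes a two-line entry for the one hit.  Swapping fake_yara for the default run_yara turns the same loop into a real scan against the yara executable and rule file configured at the top.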


Hopefully this helps your hunting too!

John
