YARA: Detect The Unexpected ...
A friend and colleague of mine, @DhaeyerWolf, asked me for a bit of help with the design of a YARA rule.
It’s to detect OneNote files with embedded files, that are not images.
He has strings to detect any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
Take this YARA string:
$FileDataStoreObjectGUID = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
If we want to count the number of occurrences of string $FileDataStoreObjectGUID inside a file, we use this expression: #FileDataStoreObjectGUID (# is the operator to count occurrences of a string).
A condition might then be:
condition: #FileDataStoreObjectGUID > 2
A rule with this condition will trigger if there are more than 2 occurrences of string $FileDataStoreObjectGUID inside a file (and by extension, more than 2 embedded files inside that file).
This string detects embedded PNG files:
$FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }
To write a rule that detects OneNote files with embedded files that are not PNG files, we can do the following:
rule onenote_suspicious {
    strings:
        $FileDataStoreObjectGUID = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC }
        $FileDataStoreObjectGUIDPNG = { E7 16 E3 BD 65 26 11 45 A4 C4 8D 4D 0B 7A 9E AC ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 00 00 00 00 00 00 00 00 00 89 50 4E 47 0D 0A 1A 0A }
    condition:
        #FileDataStoreObjectGUID > #FileDataStoreObjectGUIDPNG
}
This rule triggers if we have more embedded files overall than embedded files that are PNG files. If that’s the case, then we have embedded files that are not PNG files. And these are suspicious to us.
Of course, other image types might be present, and these have been accounted for by my colleague in his blog post.
This method works because all embedded files are prefixed by a data structure (FileDataStoreObject) that starts with a unique GUID. Thus we just have to make strings to count all embedded files and strings for all embedded file types we consider to be benign. If there is a difference between these 2 counts, then we trigger an alert.
Best case: the rule triggers on malicious embedded files.
Worst case: the rule triggers on benign embedded files of a type we did not know about or did not expect.
This generic method works as long as it is easy to count generic objects (e.g., any embedded file) and specific objects (e.g., embedded images): then you just have to compare counters.
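To make the count-and-compare logic concrete, here is an added Python example (not from the diary or the colleague's rule) that walks FileDataStoreObject headers in a constructed byte blob and evaluates the same condition as the YARA rule. The header layout is taken from the page's PNG string (16-byte GUID, 8 wildcard bytes, 12 zero bytes, then file data), and the JPEG and GIF magics are my additions standing in for the "other image types" mentioned above.

```python
# FileDataStoreObject header GUID, as used in the page's $FileDataStoreObjectGUID
FILE_DATA_STORE_OBJECT_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# File-type magics counted as benign (constructed list; the page's rule only
# includes PNG, the other two stand in for the "other image types" mentioned)
BENIGN_MAGICS = {
    "PNG": b"\x89PNG\r\n\x1a\n",
    "JPEG": b"\xff\xd8\xff",
    "GIF": b"GIF8",
}

def count_embedded(data: bytes) -> dict:
    """Count FileDataStoreObject headers (what YARA's #FileDataStoreObjectGUID
    does) and the subset whose file data starts with a benign magic (what
    #FileDataStoreObjectGUIDPNG does for PNG)."""
    counts = {"total": 0, "benign": 0, "unknown_types": []}
    pos = data.find(FILE_DATA_STORE_OBJECT_GUID)
    while pos != -1:
        counts["total"] += 1
        # Layout taken from the page's PNG string: after the 16-byte GUID come
        # 8 wildcard bytes (the length field) and 12 zero bytes, then the data.
        cb_length = int.from_bytes(data[pos + 16:pos + 24], "little")
        payload = data[pos + 36:pos + 36 + cb_length]
        kind = next((k for k, m in BENIGN_MAGICS.items() if payload.startswith(m)), None)
        if kind is None:
            counts["unknown_types"].append(payload[:4].hex())
        else:
            counts["benign"] += 1
        pos = data.find(FILE_DATA_STORE_OBJECT_GUID, pos + 16)
    return counts

def onenote_suspicious(data: bytes) -> bool:
    """The rule's condition, #FileDataStoreObjectGUID > #FileDataStoreObjectGUIDPNG,
    generalised to every magic in BENIGN_MAGICS."""
    c = count_embedded(data)
    return c["total"] > c["benign"]

def make_object(payload: bytes) -> bytes:
    """Build one constructed FileDataStoreObject record for the samples below."""
    return (FILE_DATA_STORE_OBJECT_GUID + len(payload).to_bytes(8, "little")
            + b"\x00" * 12 + payload)

# Constructed samples: two images only, then the same plus an embedded executable
SAMPLE_BENIGN = (b"\x00" * 32 + make_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 10)
                 + make_object(b"GIF89a" + b"\x00" * 5))
SAMPLE_SUSPICIOUS = SAMPLE_BENIGN + make_object(b"MZ\x90\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, count_embedded(blob), "rule fires:", onenote_suspicious(blob))
```

The `unknown_types` list shows which magics caused the counters to diverge, which is the first thing to look at when triaging a hit (it also exposes the "worst case" above, a benign type the rule did not know about).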
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com