How to run Yara Rules during Incident Response
A core part of intelligence-driven incident response is searching for relevant indicators across a compromised network. Yara is a popular choice for scanning the contents of files, as opposed to something like OpenIOC, which is typically used to match quickly against metadata rather than file content.
But there are a number of ways to run Yara rules during incident response, beyond just the default Yara build.
We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
Vanilla Yara
You can download Yara compiled for Windows here (later releases are listed on this page; search for “windows binaries” in your browser to find the latest download link). If you get a complaint about a missing DLL, you’ll need to install the Microsoft Visual C++ 2010 Redistributable Package.
On Debian based systems such as Ubuntu, you can install Yara with:
apt-get install yara
On a Mac, you can run:
brew install yara
You can run Yara rules easily, e.g. to scan every file under a mounted image recursively (-r):
yara -r yara.rules /mnt/mounted
You can download a large set of Yara rules here, and there is an excellent guide on how to write your own Yara rules here.
You may want to compile the rules with yarac (yarac yara.rules yara.yarc, then yara -C yara.yarc -r /mnt/mounted), partly for speed, and partly so that plaintext rules are not left behind on a compromised host. Note, however, that compiled rules can still be dumped from memory, and a compiled file only loads in the Yara version that produced it.
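The steps above (write a rule, compile it with yarac, scan a directory tree with yara -C -r) as one scripted procedure. This is example code added for this article, not code from the Yara project or the original post; it assumes yara and yarac are on PATH, and the indicators, rule name and sample evidence files are all constructed for illustration.

```python
"""Turn a list of indicators into a Yara rule, compile it with yarac, and scan a
directory with the yara CLI.  Example code for this article, not part of Yara.
All indicators and sample files below are constructed, not real IOCs."""
from __future__ import annotations

import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample indicators (hypothetical C2 host, a defence-evasion command,
# and a placeholder SHA-256).  Replace with the indicators from your case.
SAMPLE_STRINGS = ["evil-c2.example.invalid", "Set-MpPreference -DisableRealtimeMonitoring"]
SAMPLE_SHA256 = ["0" * 64]


def _yara_escape(s: str) -> str:
    """Escape a text string for use inside a Yara "..." string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, strings: list[str], sha256s: list[str]) -> str:
    """Render one Yara rule that fires on any of the strings (ASCII or UTF-16,
    case-insensitive) or on any of the SHA-256 file hashes."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid rule name: {name!r}")
    for h in sha256s:
        if not re.fullmatch(r"[0-9a-f]{64}", h):
            raise ValueError(f"not a lowercase hex SHA-256: {h!r}")
    lines: list[str] = []
    conditions: list[str] = []
    if sha256s:
        lines.append('import "hash"\n')  # hash module is needed for hash.sha256()
    lines += [f"rule {name}", "{", "    meta:", f'        description = "IOCs for {name}"']
    if strings:
        lines.append("    strings:")
        for i, s in enumerate(strings):
            lines.append(f'        $s{i} = "{_yara_escape(s)}" ascii wide nocase')
        conditions.append("any of ($s*)")
    # hash.sha256(0, filesize) reads every file in full; it is the slow part.
    conditions += [f'hash.sha256(0, filesize) == "{h}"' for h in sha256s]
    if not conditions:
        raise ValueError("need at least one string or hash")
    lines += ["    condition:", "        " + " or ".join(conditions), "}"]
    return "\n".join(lines) + "\n"


def compile_rules(rule_path: str | Path, compiled_path: str | Path) -> None:
    """yarac parses the rule text once and writes a binary rule set that yara
    loads with -C.  The compiled file is tied to the Yara version that wrote it."""
    subprocess.run(["yarac", str(rule_path), str(compiled_path)], check=True)


def parse_yara_output(output: str) -> dict[str, list[str]]:
    """Map each matched file to the rules that fired.  Default yara output is one
    line per match, '<rule> <path>'; the path may contain spaces, so split once."""
    hits: dict[str, list[str]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        rule, _, path = line.partition(" ")
        hits.setdefault(path, []).append(rule)
    return hits


def scan(compiled_path: str | Path, target: str | Path) -> dict[str, list[str]]:
    """Scan target recursively with compiled rules.  yara's exit status reports
    errors, not matches, so the result has to come from stdout."""
    if shutil.which("yara") is None:
        raise FileNotFoundError("yara is not installed or not on PATH")
    proc = subprocess.run(
        ["yara", "-C", "-r", "-w", str(compiled_path), str(target)],
        capture_output=True, text=True, check=True,
    )
    return parse_yara_output(proc.stdout)


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    rule_path = work / "ir.yar"
    rule_path.write_text(build_rule("ir_sample_iocs", SAMPLE_STRINGS, SAMPLE_SHA256))
    evidence = work / "evidence"           # constructed stand-in for a mounted image
    evidence.mkdir()
    (evidence / "bad.ps1").write_text("Set-MpPreference -DisableRealtimeMonitoring $true\n")
    (evidence / "ok.txt").write_text("nothing to see here\n")
    compile_rules(rule_path, work / "ir.yarc")
    for path, rules in scan(work / "ir.yarc", evidence).items():
        print(path, ", ".join(rules))
```

The rule file is written outside the scanned tree on purpose: a rule that contains its own indicator strings will match itself if it is left inside the evidence directory.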
ClamAV
ClamAV (0.99 and later) can load most Yara rules alongside its own signature formats. Rules that import Yara modules are not supported, so check clamscan’s output for load errors before relying on a rule set.
ClamAV can be installed on Debian based systems with:
apt-get install clamav
Or on Redhat:
yum install clamav
Or downloaded directly for Windows.
You can then run Yara rules with:
clamscan -d yara.yar -r /mnt
to scan all files under /mnt. ClamAV identifies a Yara rule file by its .yar or .yara extension, and -d replaces the default signature database rather than adding to it, so pass -d a second time if you also want ClamAV’s own signatures.
ClamAV supports a number of command-line parameters that can be useful when scanning during incident response. For example, --max-filesize= restricts the size of the files that will be scanned; anything larger is skipped, which keeps a scan of a mounted disk image from stalling on large archives or virtual disks.
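Running the same Yara rules through clamscan with the options discussed above, and interpreting ClamAV’s output and exit status. This is example code added for this article, not ClamAV’s or the original author’s; it assumes clamscan is on PATH, and the sample output lines in the test are constructed.

```python
"""Run Yara rules through clamscan and interpret its output and exit status.
Example code for this article, not part of ClamAV."""
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path


def clamscan_command(rule_file: str | Path, target: str | Path,
                     max_filesize: str = "50M") -> list[str]:
    """Build the clamscan command line.  ClamAV recognises Yara rule files by
    their .yar/.yara extension, so the file name matters.  --database replaces
    the default database; repeat it to add ClamAV's own signatures."""
    rule_file = Path(rule_file)
    if rule_file.suffix.lower() not in (".yar", ".yara"):
        raise ValueError(f"ClamAV loads Yara rules only from .yar/.yara files, got {rule_file.name}")
    return [
        "clamscan",
        f"--database={rule_file}",
        "--recursive",
        "--infected",                       # print only files that matched
        "--no-summary",                     # drop the trailing statistics block
        f"--max-filesize={max_filesize}",   # skip files larger than this
        str(target),
    ]


def parse_clamscan_output(output: str) -> dict[str, str]:
    """Map matched file -> signature name.  Match lines look like
    '/path/to/file: YARA.rule_name.UNOFFICIAL FOUND'; other lines are ignored."""
    hits: dict[str, str] = {}
    for line in output.splitlines():
        if not line.endswith(" FOUND"):
            continue
        path, _, sig = line[: -len(" FOUND")].rpartition(": ")
        hits[path] = sig
    return hits


def yara_rule_name(signature: str) -> str:
    """Recover the Yara rule name: ClamAV prefixes loaded Yara rules with
    'YARA.' and marks every non-official signature with '.UNOFFICIAL'."""
    name = signature
    if name.startswith("YARA."):
        name = name[len("YARA."):]
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    return name


def scan(rule_file: str | Path, target: str | Path, max_filesize: str = "50M") -> dict[str, str]:
    """clamscan exits 0 when nothing matched, 1 when something matched and 2 on
    error, so unlike yara the exit status alone tells you whether to look closer."""
    if shutil.which("clamscan") is None:
        raise FileNotFoundError("clamscan is not installed or not on PATH")
    proc = subprocess.run(clamscan_command(rule_file, target, max_filesize),
                          capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"clamscan failed ({proc.returncode}): {proc.stderr.strip()}")
    return {path: yara_rule_name(sig) for path, sig in parse_clamscan_output(proc.stdout).items()}


if __name__ == "__main__":
    import sys
    # Usage: python clamyara.py rules.yar /mnt   (paths are yours, not constants)
    for path, rule in scan(sys.argv[1], sys.argv[2]).items():
        print(f"{path}\t{rule}")
```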
Other Tools
There are a number of host-agent style tools that now allow you to scan systems with Yara. osquery and Yara-Endpoint are two good open-source options, and there are many commercial solutions too.
C and Python Bindings
Yara also ships as a C library (libyara) and has official Python bindings (yara-python), so you can write your own tools to scan systems. The Python bindings compile rules with yara.compile() and scan files, byte buffers or a running process (by PID) with rules.match().
Scanning Memory with Yara
You can scan the memory of live systems with Yara using CrowdResponse or Google Rapid Response (GRR). The yara command-line tool can also scan a single running process if you give it a PID in place of a file or directory path.
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.