A core part of intelligence-driven incident response is searching for relevant indicators across a compromised network. Yara is a popular choice for scanning the contents of files (as opposed to something like OpenIOC, which is better suited to quickly searching metadata alone).
But there are a number of ways to run Yara rules during incident response, beyond just the default Yara build.
We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
You can download Yara compiled for Windows here (later releases are listed on this page; search for “windows binaries” in your browser to find the latest download link). If Yara complains about a missing library when you run it, you’ll need to install the Microsoft Visual C++ 2010 Redistributable Package.
On Debian based systems such as Ubuntu, you can install Yara with:
apt-get install yara
On a Mac, you can run:
brew install yara
You can run Yara rules easily, e.g. to recursively scan everything under a mounted image:
yara yara.rules -r /mnt/mounted
You may want to compile the Yara rules, partly for speed but also to protect them from being stolen. Note, however, that even compiled rules can still be dumped from memory.
ClamAV now has the ability to run (most) Yara signatures, in addition to its own signature format.
ClamAV can be installed on Debian based systems with:
apt-get install clamav
Or on Redhat:
yum install clamav
Or downloaded directly for Windows.
You can then run Yara rules with:
clamscan -d yara.yar -r /mnt
to scan all files under /mnt. ClamAV recognises Yara rule files by their .yar or .yara extension, so name the rules file accordingly.
ClamAV supports a number of command line parameters that can be useful when scanning during incident response.
--max-filesize= (e.g. --max-filesize=20M) restricts the maximum size of file that will be scanned, which keeps a sweep from stalling on large archives or disk images.
C and Python Bindings
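The compile-then-scan flow described above, with a size ceiling like clamscan’s --max-filesize, done through the yara-python bindings. This is an added example, not code from the original post; it assumes yara-python is installed (pip install yara-python), and the rule, its marker string and the file names are constructed for illustration.

```python
import os, stat, tempfile

# Constructed sample rule: the string is a made-up marker, not a real indicator.
RULE_SOURCE = r'''
rule example_marker
{
    strings:
        $s = "EXAMPLE-IOC-STRING"
    condition:
        $s
}
'''

def compile_rules(rule_text, compiled_path):
    """Compile rule source to a binary rules file: faster to load, and the plaintext rules stay off the scanned host."""
    import yara  # yara-python; imported here so scan_targets() works without it
    yara.compile(source=rule_text).save(compiled_path)
    return compiled_path

def scan_targets(root, max_filesize):
    """Yield regular files under root of at most max_filesize bytes (same effect as clamscan --max-filesize)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)  # do not follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_size <= max_filesize:
                yield path

def scan_tree(compiled_path, root, max_filesize=25 * 1024 * 1024):
    """Load the compiled rules once and return {path: [matched rule names]}."""
    import yara
    rules = yara.load(compiled_path)
    hits = {}
    for path in scan_targets(root, max_filesize):
        matches = rules.match(filepath=path)
        if matches:
            hits[path] = sorted(m.rule for m in matches)
    return hits

if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    with open(os.path.join(demo, "hit.txt"), "w") as f:
        f.write("noise EXAMPLE-IOC-STRING noise")  # constructed file that matches
    # Keep the compiled file outside the scanned tree: it embeds the rule strings and would flag itself.
    compiled = compile_rules(RULE_SOURCE, os.path.join(tempfile.mkdtemp(), "rules.yarc"))
    for path, names in scan_tree(compiled, demo).items():
        print(",".join(names), path)  # same "rule path" shape as the yara CLI output
```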
Scanning Memory with Yara
We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.