How to use YarGen tool during IR and Threat Hunting
Writing YARA rules by hand takes time, and during an incident response time is the one thing you do not have. You want a rule as soon as the evidence has been collected. For example, you find a webshell in one of your web directories, and many other projects live on the same web server. Now you need to know whether the same shell is present in any of the other directories.
This is where the yarGen tool helps. It was written by Florian Roth. You hand it the artifacts you collected and it generates YARA rules from them, using a database of strings seen in known-good software so that the rule does not match on strings that legitimate files also contain. How cool is that?
Then you can use your rule to scan your systems.
Commands:
git clone https://github.com/Neo23x0/yarGen.git
cd yarGen
pip3 install -r requirements.txt
python3 yarGen.py --update
The --update run downloads the goodware string and opcode databases that yarGen needs before it can generate rules; run it once after installation. Running python3 yarGen.py with no arguments prints the banner with the version number, which is a quick way to confirm the install worked.
Now let’s see how to use this awesome tool.
python3 yarGen.py -m ./evidences
or
python3 yarGen.py -m ./evidences -o pdf_rule.yar
-m : Path to scan for malware or malicious files (the directory holding your samples).
-o : Output file for the generated rules. If omitted, yarGen writes to its default file name, yargen_rules.yar.
evidences is the folder holding the malicious files, for example all the different webshells you collected from the compromised server.
Now let's scan the file with this rule using yara.
Without yara's -s parameter we only see the rule name (_evidences_Update) and the file the rule matched (evidences/Update.pdf).
With the -s parameter yara also prints which strings from the rule matched inside Update.pdf, and at which offsets, which is what you want when you are deciding whether a hit is real or a false positive.
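To make concrete what happens between "put the shells in evidences" and "read the yara -s output", here is an added example, not yarGen's own code and not from the original post: a deliberately minimal Python generator that extracts printable strings from the suspect files, drops every string that also appears in known-good files (the job yarGen's goodware database does), ranks what remains by how many samples share it, and emits a YARA rule. A small matcher then reports which rule strings hit in each file, the information yara -s prints. The two PHP webshells and the benign index.php are constructed fixtures, and the rule condition is a simplification of what yarGen really writes.

```python
"""Minimal yarGen-style rule generator (added example, not yarGen's own code).

Extract printable strings from suspect files, drop those also seen in known-good
files, rank what remains, and emit a YARA rule. A tiny matcher then shows which
rule strings hit inside a file, the information 'yara -s' prints.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed fixtures: two related PHP webshells from the evidence folder and
# one benign file from the same web root. Not real malware.
SUSPECT_FILES: Dict[str, bytes] = {
    "evidences/shell1.php": b"\n".join([
        b"<?php", b"// c99 lite",
        b'if (isset($_REQUEST["cmd"])) {',
        b'echo "<pre>";', b'system($_REQUEST["cmd"]);', b'echo "</pre>";', b"}",
        b'$auth_pass = "deadbeefdeadbeefdeadbeefdeadbeef";', b"?>",
    ]),
    "evidences/shell2.php": b"\n".join([
        b"<?php", b'$auth_pass = "deadbeefdeadbeefdeadbeefdeadbeef";',
        b'if (isset($_REQUEST["cmd"])) {', b'passthru($_REQUEST["cmd"]);', b"}", b"?>",
    ]),
}
GOODWARE_FILES: Dict[str, bytes] = {
    "www/index.php": b"\n".join([
        b"<?php", b'require_once "config.php";', b'echo "<pre>";',
        b"print_r($_GET);", b'echo "</pre>";', b"?>",
    ]),
}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII and UTF-16LE runs of at least min_len characters,
    the same notion of 'string' that strings(1) and yarGen use."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def select_strings(suspects: Dict[str, bytes], goodware: Dict[str, bytes],
                   min_len: int = 6, max_strings: int = 20) -> List[str]:
    """Strings from the suspect files that never occur in goodware, ranked by
    how many samples share them and then by length (longer is more specific)."""
    good = {s for data in goodware.values() for s in extract_strings(data, min_len)}
    counts: Counter = Counter()
    for data in suspects.values():
        for s in set(extract_strings(data, min_len)):  # count each sample once
            if s not in good:
                counts[s] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], -len(kv[0]), kv[0]))
    return [s for s, _ in ranked[:max_strings]]


def yara_escape(s: str) -> str:
    """Escape backslashes and double quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name: str, strings: List[str], min_match: int = 3) -> str:
    """Render a YARA rule; the condition is a simplified form of what yarGen emits."""
    n = min(min_match, len(strings))
    count = "all" if n == len(strings) else str(n)
    lines = [f"rule {name} {{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii wide')
    lines += ["    condition:", f"        filesize < 500KB and {count} of them", "}"]
    return "\n".join(lines)


def match_strings(strings: List[str], data: bytes) -> List[Tuple[str, int, str]]:
    """Which rule strings occur in data and where, like the lines yara -s prints.
    Honours the 'ascii wide' modifiers by searching both encodings."""
    hits = []
    for i, s in enumerate(strings):
        for enc in ("ascii", "utf-16-le"):
            off = data.find(s.encode(enc))
            if off != -1:
                hits.append((f"$s{i}", off, s))
                break
    return hits


if __name__ == "__main__":
    selected = select_strings(SUSPECT_FILES, GOODWARE_FILES)
    print(build_rule("webshell_evidences", selected))
    for path, data in {**SUSPECT_FILES, **GOODWARE_FILES}.items():
        hits = match_strings(selected, data)
        print(f"{path}: {len(hits)} of {len(selected)} strings matched")
        for sid, off, s in hits:
            print(f"  {off:#x}:{sid}: {s}")
```

Running it prints a rule whose first two strings are the ones both shells share (the hard-coded password line and the $_REQUEST["cmd"] check), while the echo "<pre>" lines that index.php also contains are filtered out; index.php matches nothing. The real yarGen goes further (string scoring heuristics, opcode databases, file-magic checks such as uint16(0) == 0x5a4d in the condition), which is why you should still read its generated rules before deploying them across a fleet.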
Thanks. I hope this blog post helps you be better equipped during an incident. Please subscribe below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/