Applies To: WatchGuard Advanced EPDR
YARA (Yet Another Recursive Acronym) is a rule-based language used to create descriptions of malware families with text or binary patterns. These rules include a set of strings and Boolean expressions to define their logic and are used in Indicators of Compromise (IOC) searches on files.
In the IOC Gallery, when you add an IOC, it automatically becomes available for the IOC search task. The IOC properties can include a single YARA rule. When the search task runs, the YARA rule identifies files with content that match the pattern described in the rule.
For information on how to create an IOC, go to Manage IOCs.
If a rule does not comply with YARA syntax, an error message appears and you cannot save the IOC. This topic includes two example YARA rules to illustrate correct syntax.
These examples require YARA version 3.0 or higher. To check your installed version, run the command yara -v.
Malware Rule
You can create a YARA rule to identify well-known malware. In this example, if the YARA rule identifies the advanced persistent threat called Clandestine Wolf during the IOC search task, Endpoint Security generates an IOC detection.
/*
This YARA ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/ gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule OpClandestineWolf
{meta:
alert_severity = "HIGH"
log = "false"
author = "NDF"
weight = 10
alert = true
source = " https://www.fireeye.com/blog/threat-research/2015/06/operation- clandestine-wolf-adobe-flashzero-day.html"
version = 1
date = "2015-06-23"
description = "Operation Clandestine Wolf signature based on OSINT from 06.23.15"
hash0 = "1a4b710621ef2e69b1f7790ae9b7a288"
hash1 = "917c92e8662faf96fffb8ffe7b7c80fb"
hash2 = "975b458cb80395fa32c9dda759cb3f7b"
hash3 = "3ed34de8609cd274e49bbd795f21acc4"
hash4 = "b1a55ec420dd6d24ff9e762c7b753868"
hash5 = "afd753a42036000ad476dcd81b56b754"
hash6 = "fad20abf8aa4eda0802504d806280dd7"
hash7 = "ab621059de2d1c92c3e7514e4b51751a"
hash8 = "510b77a4b075f09202209f989582dbea"
hash9 = "d1b1abfcc2d547e1ea1a4bb82294b9a3"
hash10 = "4692337bf7584f6bda464b9a76d268c1"
hash11 = "7cae5757f3ba9fef0a22ca0d56188439"
hash12 = "1a7ba923c6aa39cc9cb289a17599fce0"
hash13 = "f86db1905b3f4447eb5728859f9057b5"
hash14 = "37c6d1d3054e554e13d40ea42458ebed"
hash15 = "3e7430a09a44c0d1000f76c3adc6f4fa"
hash16 = "98eb249e4ddc4897b8be6fe838051af7"
hash17 = "1b57a7fad852b1d686c72e96f7837b44"
hash18 = "ffb84b8561e49a8db60e0001f630831f"
hash19 = "98eb249e4ddc4897b8be6fe838051af7"
hash20 = "dfb4025352a80c2d81b84b37ef00bcd0"
hash21 = "4457e89f4aec692d8507378694e0a3ba"
hash22 = "48de562acb62b469480b8e29821f33b8"
hash23 = "7a7eed9f2d1807f55a9308e21d81cccd"
hash24 = "6817b29e9832d8fd85dcbe4af176efb6"
strings:
$s0 = "flash.Media.Sound()"
$s1 = "call Kernel32!VirtualAlloc(0x1f140000hash$=0x10000hash$=0x1000hash$=0x40)"
$s2 = "{4D36E972-E325-11CE-BFC1-08002BE10318}"$s3 = "NetStream"
condition:
all of them
}
CVE Rule
You can create a YARA rule to identify specific Common Vulnerabilities and Exposures (CVEs). In this example, if the YARA rule identifies "333C7BC4-460F-11D0-BC04-0080C7055A83" (case insensitive and the full string is not part of a longer string) or the three specified strings during the IOC search task, Endpoint Security generates an IOC detection.
/*
This YARA ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/ gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule MSIETabularActivex
{meta:
ref = "CVE-2010-0805"
impact = 7
hide = true
author = "@d3t0n4t0r"
strings:
$cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
$cve20100805_2 = "DataURL" nocase fullword
$cve20100805_3 = "true"
condition:
($cve20100805_1 and $cve20100805_3) or (all of them)
}