26 Jun 2020

Blogs

How to use the YARA rules for the "Copy-paste compromises" advisory

Regarding today’s “copy-paste compromises” advisory from the ACSC, we’ve had a lot of enquiries on how to download and consume the indicators of compromise (IoCs) provided.

This is a how-to guide for YARA rules you may have received. Here is our full commentary on the alert.

Downloading the files

Feel free to download them from the original source; however, we’ve had some enquiries asking for assistance with this, so have re-published the public files in CloudStor, as well as imported them directly into our member MISP instances for members of the CAUDIT-ISAC and AusMISP agreements.

Original ACSC source on cyber.gov.au
AUSCERT CAUDIT-ISAC MISP on CAUDIT MISP
AUSCERT AusMISP on AusMISP

The files comprise a list of IoCs in CSV (comma-separated values) format, plus source code for a web shell in .txt (text) format, as well as PDF and Word versions of the advisory. You may also have received a list of YARA rules under the green level of the Traffic Light Protocol, in which case here’s how to use them. The green level does not permit us to redistribute them.

Indicators of compromise in CSV

We’re not aware of a single simple way to consume these. You can massage them into a suitable format or formats to search for them, but YARA rules are the standard automated way to do this, and are the focus of this guide.

YARA rules

YARA rules are a widely-used way to format IoCs in a way which can be used by scanning engines. Some more info, and the official source, and the official documentation.

How to use Yara rules on your entire fleet (if you’re prepared and lucky)

Many Endpoint Detection and Response (EDR) solutions provide Yara support. If you have one deployed, you can import the Yara rules and run it, which will be relatively quick and easy.

If not, you could try using your existing fleet management system to deploy Yara and run a scan. E.g. for Windows, perhaps push out an installation via SCCM or Group Policy and then some kind of group policy background script to run the scan and deliver results. If you try this, we’d love to hear how it goes, and we’d also love any info or scripts you can provide that might help other members.

Consider whether this is worth doing for your fleet. Otherwise, keep reading.

How to use Yara rules on Windows

Official binaries are available so you’re in good shape. Head to their Releases page and grab the latest binary for your architecture (at time of writing, yara-v4.0.1-1323-win32.zip or yara-v4.0.1-1323-win64.zip).

Once in, you can scan individual directories or drives, ideally in an admin shell:

yara64.exe -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" C:

(the yarac.exe binary is for compiling rules, which you probably don’t need to do.)

How to use Yara rules on Linux

Your distribution’s package manager will likely have a version available. Give that a try first. However, the YARA project notes that the version available in some distros’ repositories is out of date and may contain security vulnerabilities, so check the version – the latest release at time of writing is v4.0.1, updated mid-May 2020.

yum install yara

apt install yara

To scan your entire system:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

You may wish to run this as a privileged user to ensure maximum access, but balance this with the security risk of older versions.

If your distribution’s version is unacceptable, the Yara project has some information on compiling from source. Compiling from source is an often time-consuming and fiddly process.

How to use Yara rules on macOS

Homebrew (an unofficial but very widely-used package manager) seems to be the best way other than compiling from source. It has the very latest release, v4.0.1, without the known security issues of older versions.

brew install yara

To scan your entire system:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /

If the error messages for file permissions are giving you more noise than signal, you can mute them:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" / 2>/dev/null

 Or only scan specific parts:

yara -r "2020-008_ACSC_Advisory_YARA_Rules_TLP_GREEN.txt" /path/to/likely/folders/or/mounts

What to do if you find something

Firstly, any rule matches starting with “heuristic” are just that – heuristics. You may wish to investigate them in closer detail, but there will be plenty of false positives, so don’t panic when you see them, and don’t start by investigating them.

Consider advising the ACSC that you need assistance. Copying their advice here for convenience:

If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

If you are an AUSCERT member, you can call the 24/7 Member Hotline (login required) for advice.

It’s also worth noting that the ACSC’s advisory states that this has been a ramping up of events over time, and our interpretation of that is that most organisations will not need to spend all weekend frantically digging – just make it a priority on Monday.