This Assemblyline service repo contains two services:
- YARA
- Tagcheck
NOTE: Both services do not require you to buy any licence and are preinstalled and working after a default installation
This Assemblyline service runs the YARA application against all file types.
Currently AL runs YARA 4.3.0, and therefore supports the following external modules:
- Dotnet
- ELF
- Hash
- Magic
- Math
- PE
AL YARA rules follow the CCCS standard. Detailed information on writing YARA rules, as well as the MALWARE standard, can be found at the following locations:
Rule creation:
CCCS Standard:
Yara uses signature sources to sync it's signature set at a given interval:
The default configured source is the following:
sources:
- name: yr_git
pattern: .*_index.yar$
uri: https://github.com/Yara-Rules/rules.git
It will run every 24 hours, fetch all rules found in the git repo at the specified URL and make sure they are in sync in the system.
This is a post-processing service that compares all TAGs generated by other services to a signature set using the YARA signatures. It uses the exact same code as the YARA service except that it populates the YARA externals features with all the Tags that were previously generate by other services.
By default, the tagcheck service runs a small set of signatures located at https://assemblyline-support.s3.amazonaws.com/tagcheck.rules. Those rules are mainly geared toward dynamic analysis results analysis.
Tagcheck also uses the CCCS signature format but with the added external this allows signature writters to reference AL tags inside their signature. Here is an exemple:
rule UPX_Packer_PE_Section {
meta:
version = "1.0"
description = "Identifies UPX packer by PE section names"
source = "CCCS"
author = "assemblyline_devs@CCCS"
status = "RELEASED"
sharing = "TLP:WHITE"
category = "TECHNIQUE"
technique = "packer:UPX"
mitre_att = "T1045"
condition:
al_file_pe_sections_name matches /UPX[0-9]/
}
In this rule we are checking if the file.pe.sections.name tags include a value of UPX0 to UPX9. In this service, any previously generated Assemblyline tag can be inspected by using the following format:
al_(tag_name) where '.' in the tag_name are replaced by '_'
# i.e. if you want to match on network.ip tags you would use al_network_ip
The way that externals are implemented in YARA, we cannot give a list of values for a tag type field. Therefor, if there are multiple values for one tag type, they will be concatenated using pipes.
For exemple, if a result has the following network.static.ip tags: 127.0.0.1, 127.0.0.11. This will be represented in Yara externals as: "127.0.0.1 | 127.0.1.1". This means that you cannot use exact matches inside your signature and you cannot use startswith and endswith regexes (^$) because you don't know how many tags of a different type have been generated.
That said you could use word delimiter boundaries to find an exact match. So if you wanted to match to localhost IP in the previous exemple you could use the following:
al_network_static_ip matches /\b127\.0\.0\.1\b/
For any PRs or issues, be sure to tag: @cccs-rs