Configuring custom YARA rules in Symantec SEP
0x00 Background
SEP is the Symantec Endpoint Protection product. Symantec Endpoint Protection features
YARA rules were published by the developers of VirusTotal and are used for bulk searching and detection of malicious samples.
For viruses or malicious backdoors that SEP cannot detect, the custom signatures obtained from manual analysis are written as YARA rules and pushed down to the endpoints through SEP's Host Integrity check feature.
0x01 Installing YARA
Taking a CentOS environment as an example:
yum install autoconf automake libtool gcc make openssl-devel   # openssl-devel: the pe module only exposes signature fields when built against OpenSSL
curl -k -v -L https://github.com/VirusTotal/yara/archive/refs/tags/v4.2.1.zip -o v4.2.1.zip
unzip v4.2.1.zip && cd yara-4.2.1
./bootstrap.sh
./configure
make
make install
printenv shows the current environment variables
unset KEY removes an environment variable
To add a path to the environment temporarily when invoking the binary:
export PATH=/usr/local/bin:$PATH
yara -v
4.2.0
Possibly the developers forgot to bump the minor version number
grep AC_INIT configure.ac
AC_INIT([yara], [4.2.0], [vmalvarez@virustotal.com])
0x02 Compiling a custom YARA rule
Create a.yar
The goal is to match EXEs without a signature, or EXEs that are signed but whose signature has expired
import "pe"

rule check_exe_without_signature
{
    meta:
        description = "Detect executables (EXE) that carry no digital signature"
        author = "leeezp"
        version = "1.0"

    strings:
        // Example: fragment of the issuer name of an expired certificate (replace with the real value)
        $expired_issuer = "DigiCert Assured ID Code Signing CA-1" wide ascii
        // Example: serial number of the expired certificate (hexadecimal)
        $expired_serial = { 08 93 8e 06 3f 2c 05 9f fc f5 54 22 39 a4 83 65 }

    condition:
        // Condition 1: the file is a PE executable
        uint16(0) == 0x5A4D and                    // the file starts with "MZ" (DOS header)
        uint32(uint32(0x3C)) == 0x00004550 and     // the PE header offset points at "PE\0\0"
        // Condition 2: no digital signature (signature count is 0), or a signature
        // whose issuer and serial match the expired certificate above.
        // Parentheses make the intended grouping explicit: "and" binds tighter than "or".
        (
            pe.number_of_signatures == 0
            or (pe.number_of_signatures > 0 and $expired_issuer in (0..filesize) and $expired_serial in (0..filesize))
        )
}
$ yara -s a.yar eval.exe
check_exe_without_signature eval.exe   # this output line means the rule matched
Compile the .yar into a .yarac file:
yarac a.yar test.yarac
Test whether the compiled test.yarac still matches the malicious file:
yara -C test.yarac eval.exe
check_exe_without_signature eval.exe
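As an added illustration (not from the original post and not YARA's own code), the Python below re-implements the two conditions of the rule above on raw bytes: the MZ / "PE\0\0" header checks, and the thing pe.number_of_signatures is derived from, namely the Security data directory (index 4) that points at the Authenticode WIN_CERTIFICATE blob. It approximates number_of_signatures as "is a signature blob present at all" instead of parsing the PKCS#7 contents, and it builds its own constructed minimal PE32+ images so it runs offline.

```python
import struct

# Offsets inside the optional header of NumberOfRvaAndSizes and of the data-directory
# table, keyed by the optional-header magic: PE32 (0x10B) and PE32+ (0x20B).
_OPT_LAYOUT = {0x10B: (92, 96), 0x20B: (108, 112)}
_SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: where the Authenticode blob lives

def classify_pe(data: bytes) -> str:
    """Return 'not-pe', 'unsigned' or 'signed', mirroring the rule's two conditions."""
    # Rule condition 1a: uint16(0) == 0x5A4D, i.e. the file starts with "MZ".
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return "not-pe"
    # Rule condition 1b: uint32(uint32(0x3C)) == 0x00004550, e_lfanew points at "PE\0\0".
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or struct.unpack_from("<I", data, pe_off)[0] != 0x00004550:
        return "not-pe"
    opt_off = pe_off + 24  # 4-byte signature + 20-byte COFF file header
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    if opt_size < 2 or opt_off + opt_size > len(data):
        return "not-pe"
    layout = _OPT_LAYOUT.get(struct.unpack_from("<H", data, opt_off)[0])
    if layout is None or opt_size < layout[0] + 4:
        return "not-pe"
    nrva_off, dirs_off = layout
    # Rule condition 2: pe.number_of_signatures is derived from the Security data directory.
    n_dirs = struct.unpack_from("<I", data, opt_off + nrva_off)[0]
    entry = opt_off + dirs_off + _SECURITY_DIR * 8
    if n_dirs <= _SECURITY_DIR or entry + 8 > opt_off + opt_size:
        return "unsigned"
    sec_off, sec_size = struct.unpack_from("<II", data, entry)
    # This entry is a raw file offset (not an RVA); an empty or dangling one means no signature.
    if sec_off == 0 or sec_size < 8 or sec_off + sec_size > len(data):
        return "unsigned"
    return "signed"

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, not runnable) for exercising classify_pe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                            # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                           # Magic
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    body_len = len(dos) + len(coff) + len(opt)
    cert = b""
    if signed:
        # Placeholder WIN_CERTIFICATE header (dwLength, wRevision=0x200, wCertificateType=2)
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 112 + _SECURITY_DIR * 8, body_len, len(cert))
    return dos + coff + bytes(opt) + cert
```

A real signed binary would additionally need the PKCS#7 inside the blob verified before trusting the "signed" verdict; the rule's string matches on issuer and serial are likewise only a hint, not a certificate validity check.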
0x03 Pushing YARA rules to endpoints with SEP
SEP 14.3 RU4 and newer versions support YARA rules; please refer to the link below for the step-by-step instructions:
Scanning the SEP client computer using custom YARA rules
YARA has proven to be extremely popular within the infosec community, the reason being that there are a number of use cases for implementing YARA:
• Identify and classify malware
• Find new samples based on family-specific patterns
• Incident Responders can deploy YARA rules to identify samples and compromised devices
• Proactive deployment of custom YARA rules can increase an organization’s defenses
• https://www.varonis.com/blog/yara-rules
winitor.com
Tool | Syntax highlighting | Rule testing | Integrated debugging | Suitable for
VS Code + extension | ✅ | ✅ | ✅ | Day-to-day development, team collaboration
Yaralyzer | ✅ | ✅ | ✅ | Reverse engineering, in-depth analysis
Online editors | ✅ | ✅ | ❌ | Quick validation, testing public samples
YARA Rules Manager | ✅ | ✅ | ❌ | Automatic rule generation
14.3 RU4 and 14.3 RU5 require YARA compiler 4.2.1.
The YARA compiler is a third-party application, therefore it must be updated manually and cannot be downloaded via LiveUpdate or LiveUpdate Administrator.
Prerequisites for enabling YARA detection in SEP
1. In LiveUpdate, tick "third-party extensions"
2. Host Integrity Policy - Requirements - Select requirements - tick "Custom requirement"
The descriptions of the requirement types are as follows:
1. Antivirus Requirement:
Create a Host Integrity rule to check that an antivirus application is installed and running on client computers.
If not, options are provided to download antivirus software, start the software, and check the signature file age to remediate the system.
2. Antispyware Requirement:
Create a Host Integrity rule to check that antispyware is installed and running on client computers. If not, options are provided to download, install, and start the antispyware to remediate the system.
3. Firewall Requirement:
Create a Host Integrity rule to check that a firewall is installed and running on client computers. If not, options are provided to download, install, and start the firewall to remediate the system.
4. Patch Requirement:
Create a Host Integrity rule to check that a specific security patch (such as a Windows HotFix) is installed on client computers. If not, options are provided to download and install the patch to remediate the system.
5. Service Pack Requirement:
Create a Host Integrity rule to check that a particular operating system service pack is installed on client computers. If not, options are provided to download and install the service pack to remediate the system.
6. Custom Requirement:
Create a custom Host Integrity rule to check a client computer for software, processes, services, registry values, or files (including age, data, size, version, or fingerprint). You can specify a sequence of conditions and actions for the custom requirement.
7. Use Existing Templates:
Create a Host Integrity rule using an existing template.
Templates
1) Altiris Management
2) Patch Management
3) Secure Workstation
4) Backup Solutions Management
5) Symantec Endpoint Encryption
6) BigFix Support
7) HI Sample Toolkits
8) Standalone WSS Agent Migration Management
Try creating a new custom Host Integrity check:
IF...THEN: there are 29 selectable conditions
Antivirus: Antivirus is installed
Antivirus: Antivirus is running
Antivirus: Antivirus signature file is up-to-date
Antivirus: Check not installed
Antispyware: Antispyware is installed
Antispyware: Antispyware is running
Antispyware: Antispyware signature file is up-to-date
Firewall: Firewall is installed
Firewall: Firewall is running
Patch: Compare current service pack with specified version
Patch: Patch is installed
File: Compare file age to
File: Compare file date to
File: Compare file size to
File: Compare file version to
File: File download complete
File: File exists
File: File fingerprint equals
Registry: Registry key exists
Registry: Registry value exists
Registry: Registry value equals
Registry: Set registry value successful
Registry: Increment registry DWORD value successful
Utility: Check Timestamp
Utility: Message dialog return value equals true
Utility: Operating system is
Utility: Operating system language is
Utility: Process is running
Utility: Service is running
Function: there are 9 selectable actions
File: Download File
Registry: Set registry value
Registry: Increment registry DWORD value
Utility: Log message (currently only viewable in the client's local SEP log: View Logs - Client Management - Security Log)
Utility: Run a program
Utility: Run a script
Utility: Set Timestamp
Utility: Show message dialog, pops up a message box on the client (use with caution; handy for debugging on a test machine)
Utility: Wait (sleep)
Configure the Host Integrity check (once the test demo has been pushed and executed there is a 1-second pop-up that closes automatically):
File: Download a file
File URL : http://10.111.1.100:8000/test.yarac
Target folder: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\inbox
Utility: Run a program
C:\tmp\lva_setup_new.exe /q /s
The rule is pushed to the following directory:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\AdvMLDefs
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\AdvMLDefs\*.yarac
SEP automatically renames the pushed yarac file to custom.yarac
Searching the SEP logs:
In Monitors, filter on Log type = Risk
Click View Log
You can find the alerts raised when the YARA rule you wrote detected the test sample.
0x04 Postscript
A side note
On a server without internet access, download through a proxy with curl:
curl -k -v -L https://github.com/VirusTotal/yara/archive/refs/tags/v4.2.1.zip -x "http://proxy01.yourdomain.com:8000" -o v4.2.1.zip