The Next Step: Integrating Yara with RegRipper, pt II

Okay, so we’ve integrated Yara into the RegRipper workflow, and created “YARR”…now what? The capability is great…at least, I think so. The next step (in the vein of the series) is really leveraging it by creating rules that allow analysts to realize this capability to its full potential. To take advantage of this, we need to consider the types of data that might be present in Registry values, and leverage what may already be available, applying it to the use case at hand (data written to Registry values).

Use Available Rules
A great place to start is by using what is already available, and applying those rules to our use case; however, not everything will apply. For example, using a Yara rule for something that has never been seen written to a Registry value likely won’t make a great deal of sense, at least not at first. That doesn’t mean that something about the rule won’t be useful; I’m simply saying that it might make better sense to start by looking at what’s being written to Registry values first, and build from there.

It certainly makes sense to use what’s already available as a basis for building out your rule set to run against Registry values. Some of the things I’ve been looking for, in what’s already out there and available, are rules that find indications of PE files within Registry values using different techniques and not relying solely on the data beginning with “MZ”; encoded data; strings that include “http://” or “https://”; etc. From these more general cases, we can start to build a corpus of what we’re seeing, and begin excluding those things that we determine to be “normal”, and highlighting those things we find to be “suspicious” or “bad”.
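As an added example (not code from the post, RegRipper or YARR), the script below implements the three checks described above against raw Registry value data: a PE image detected by walking every “MZ” occurrence to its e_lfanew and checking for the “PE\0\0” signature (rather than only testing offset 0), a base64- or hex-encoded DOS header, and http/https strings. The sample values, the key names and the Yara rule text in YARA_EQUIVALENT are all constructed for illustration. One caveat it bakes in: REG_SZ data read from a hive is UTF-16LE, so ASCII-only patterns miss it unless the Yara string carries the `wide` modifier, and the Python checks look at both views of the bytes.

```python
"""Triage checks for data pulled from Registry values (added example).

Sample values below are constructed for this example and do not come from any
real hive; the Yara text mirrors the Python checks so the two can be compared.
"""
from __future__ import annotations

import base64
import re

# Yara-side equivalents (assumed rule text, not from the post). "wide" is what
# makes the string rules fire on UTF-16LE REG_SZ data.
YARA_EQUIVALENT = r'''
rule RegValue_PE_Image
{
    strings:
        $mz = "MZ"
    condition:
        for any i in (1..#mz) :
            ( uint32(@mz[i] + uint32(@mz[i] + 0x3c)) == 0x00004550 )
}
rule RegValue_Encoded_Or_Url
{
    strings:
        $b64 = "TVqQAAMAAAAEAAAA" ascii wide
        $hex = "4d5a9000" ascii wide nocase
        $url = /https?:\/\/[^\s"'<>]+/ ascii wide
    condition:
        any of them
}
'''

# Base64 of the first 12 bytes of a typical DOS header: MZ, e_cblp=0x90, e_cp=3, e_cparhdr=4
B64_MZ = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00").decode()
HEX_MZ = re.compile(r"4d5a9000", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def pe_offsets(data: bytes) -> list[int]:
    """Offsets of DOS headers whose e_lfanew points at a 'PE\\0\\0' signature.
    Every 'MZ' is tried, so an image stored after other bytes is still found."""
    hits, start = [], 0
    while (pos := data.find(b"MZ", start)) != -1:
        lfanew_at = pos + 0x3C
        if lfanew_at + 4 <= len(data):
            e_lfanew = int.from_bytes(data[lfanew_at:lfanew_at + 4], "little")
            sig_at = pos + e_lfanew
            if e_lfanew >= 0x40 and data[sig_at:sig_at + 4] == b"PE\0\0":
                hits.append(pos)
        start = pos + 1
    return hits


def text_views(data: bytes) -> list[str]:
    """The same bytes read as 8-bit text and as UTF-16LE (how REG_SZ is stored)."""
    return [data.decode("latin-1"), data.decode("utf-16le", errors="ignore")]


def encoded_pe(data: bytes) -> bool:
    """Base64 or hex rendering of a DOS header in either text view."""
    return any(B64_MZ in t or HEX_MZ.search(t) for t in text_views(data))


def urls(data: bytes) -> list[str]:
    return [u for t in text_views(data) for u in URL_RE.findall(t)]


def triage(values: dict[str, bytes]) -> dict[str, list[str]]:
    """Tag each value with the checks it trips; an empty list means nothing flagged."""
    report = {}
    for name, data in values.items():
        tags = []
        if pe_offsets(data):
            tags.append("pe_image")
        if encoded_pe(data):
            tags.append("encoded_pe")
        if urls(data):
            tags.append("url")
        report[name] = tags
    return report


def fake_pe(prefix: bytes = b"") -> bytes:
    """Constructed minimal PE-like blob: DOS header with e_lfanew = 0x80, then 'PE\\0\\0'."""
    hdr = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00" + b"\x00" * (0x3C - 10))
    hdr += (0x80).to_bytes(4, "little")
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\0\0" + b"\x00" * 20
    return prefix + bytes(hdr)


SAMPLE_VALUES = {  # constructed key/value names and data, not from a real hive
    "Run\\updater": fake_pe(),
    "Software\\Blob": fake_pe(b"\x00" * 16),            # image not at offset 0
    "Software\\Stage1": b"powershell -e TVqQAAMAAAAEAAAA//8AALgAAAA=",
    "Software\\Stage2": b"4D5A90000300000004000000FFFF0000",
    "Internet Settings\\ProxyServer": "https://example.test/gate".encode("utf-16le"),
    "Shell Folders\\Desktop": "C:\\Users\\user\\Desktop".encode("utf-16le"),
}

if __name__ == "__main__":
    for name, tags in triage(SAMPLE_VALUES).items():
        print(f"{name:35} {', '.join(tags) or '-'}")
```

Running it flags the two PE blobs, the two encoded headers and the UTF-16LE URL, and leaves the Desktop path untouched; those “normal” values are exactly the ones you would start excluding as the corpus grows.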

Writing Rules
Next, we can write our own rules, or modify existing ones, based on what we’re seeing in our own case work. After all, this was the intention behind RegRipper in the first place: that analysts would see the value in such a tool, not just as something to run but as something to grow and evolve, to add to and develop.

For writing your own rule

[…]

This article has been indexed from Windows Incident Response
