Searches for a specific malicious file or set of files by a Yara rule.
name: Windows.Search.Yara
description: |
Searches for a specific malicious file or set of files by a Yara rule.
parameters:
- name: nameRegex
description: Only file names that match this regular expression will be scanned.
default: "(exe|txt|dll|php)$"
type: regex
- name: AlsoUpload
type: bool
description: Also upload matching files.
- name: yaraRule
type: yara
description: The Yara Rule to search for.
default: |
rule Hit {
strings:
$a = "Keyword" nocase wide ascii
condition:
any of them
}
- name: NTFS_CACHE_TIME
type: int
description: How often to flush the NTFS cache. (Default is never).
default: "1000000"
precondition:
SELECT * FROM info() WHERE OS =~ "windows"
sources:
- query: |
LET Root = pathspec(parse="C:", path_type="ntfs")
-- Progress logging for newer clients
LET fileList = SELECT * FROM if(condition=version(function="log") > 1,
then={
SELECT Root + OSPath AS OSPath
FROM parse_mft(accessor="ntfs",filename=Root+"$MFT")
WHERE InUse
AND log(message="Processing entry %v", args=EntryNumber, dedup=5)
AND FileName =~ nameRegex
AND NOT OSPath =~ "WinSXS"
AND log(message="Scanning file %v", args=OSPath, dedup=5)
}, else={
SELECT Root + OSPath AS OSPath
FROM parse_mft(accessor="ntfs",filename=Root+"$MFT")
WHERE InUse
AND FileName =~ nameRegex
AND NOT OSPath =~ "WinSXS"
})
-- These files are typically short - only report a single hit.
LET search = SELECT Rule, String.Offset AS HitOffset,
str(str=String.Data) AS HitContext,
FileName,
File.Size AS Size,
File.ModTime AS ModTime
FROM yara(
rules=yaraRule, key="A",
files= OSPath)
LIMIT 1
SELECT *, if(condition=AlsoUpload, then=upload(file=FileName)) AS Upload
FROM foreach(row=fileList, query=search)