-
Notifications
You must be signed in to change notification settings - Fork 0
/
Custom.Client.FindByMagics.yaml
91 lines (75 loc) · 2.83 KB
/
Custom.Client.FindByMagics.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: Custom.Client.FindByMagics
description: |
Identifies files via file magics using Yara.
reference:
- https://en.wikipedia.org/wiki/Magic_number_(programming)#In_files
parameters:
- name: search_root
description: |
The filesystem path to recusively search from.
This can be any path as displayed in the VFS browser.
default: C:\Users\
- name: search_depth
description: |
How many subdirectory levels to search (0 means the current level only)
type: int
default: 10
- name: file_accessor
type: hidden
description: |
The file accessor to use. Using 'file' on an NTFS drive is faster and
will fall back to the raw 'ntfs' accessor if the file cannot be accessed.
default: file
- name: target_includes
description: The list of regex patterns to include in the search.
type: csv
default: |
regexes
.
- name: target_excludes
description: The list of regex patterns to exclude from the search.
type: csv
default: |
regexes
WinSXS
Servicing
- name: yara_rules
type: hidden
default: |
rule winevtx {
strings:
$a = "ElfFile\x00"
condition:
$a at 0
}
rule pe_32 {
condition:
uint16(0) == 0x5A4D and
uint32(uint32(0x3C)) == 0x00004550
}
resources:
timeout: 3600
sources:
- query:
-- Create a single regex pattern for the path includes
LET regex_includes <= join(array=target_includes.regexes, sep="|")
-- Create a single regex pattern for the path excludes
LET regex_excludes <= join(array=target_excludes.regexes, sep="|")
-- Remove possible trailing slash from search_root
LET search_root <= regex_replace(source=search_root, re='''[/\\]$''', replace="")
-- Switch to the ntfs accessor if the search_root is a VSS path
LET file_accessor <= if(condition=search_root=~"HarddiskVolumeShadowCopy",
then="ntfs", else=file_accessor)
-- Get a list of potential target files
LET targets = SELECT _FullPath AS target, Mode AS _Mode
FROM Artifact.System.VFS.ListDirectory(Path=search_root, Depth=search_depth, Accessor=file_accessor)
-- Mode.IsRegular doesn't seem to be available from the raw ntfs accessor, so we have to regex it to be safe
WHERE NOT Mode =~ "^d"
AND _FullPath =~ regex_includes
AND NOT _FullPath =~ regex_excludes
-- Check each target file for a file magic using Yara
SELECT * FROM foreach(
row=targets,
query={ SELECT Rule AS magic_id, FileName AS target_fullpath, file_accessor
FROM yara(rules=yara_rules, files=target, key="A", end=8, number=1, accessor=file_accessor)
LIMIT 1 }, async=true)