Kali Linux

Factual-Rules-Generator : An Open Source Project Which Aims To Generate YARA Rules

Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a running operating system.

The goal of the software is to be able to use a set of rules against collected or acquired digital forensic evidences and find installed software in a timely fashion.

The software can be used to baseline known software from Windows system and create a set of rules for finding similar installation on other systems.

Dependencies

  • pefile
  • psutil
  • ndjson
  • python-tlsh
  • PyInstaller (to change client.py to client.exe)
  • ssdeep
    • On Ubuntu:
      • sudo apt-get install build-essential libffi-dev python3 python3-dev python3-pip libfuzzy-dev
      • pip install ssdeep

Tools requirement

Some tools are required on the host operating system some are Unix standard tools and some additional ones:

  • xxd
  • curl

For the Windows virtual machine, the following software is required to be installed:

  • SDelete
  • AsA (AttackSurfaceAnalyzer)

Install

  • Install all Python dependencies defined requirements.txt
  • Create a shared folder to communicate with VM
  • Install a Windows VM
    • Install chocolatey on Windows VM
    • Complete bin/OnWindows/Varclient.py
    • Change bin/OnWindows/client.py in an executable file with PyInstaller and put in startup folder
  • Update etc/allVariables.py to match your desired configuraiton

In test/ some examples of software to install is given, the following specific format is required:

  • First, select the name of the packages to install using chocolatey before :, or the name of the file in case of msi or exe file.
  • Second, after : there’s the name of the exe to extract and run it (without extension).
  • The second part after , follow the same system with the word installer first and after : the type of installer :
    • choco
    • msiexec
    • exe
  • Finally, the third part, uninstaller follow by : and the uninstaller like choco, msiexec or exe

Run and generate the rules

  • bin/Generator.py is the only script to run, don’t forget to update etc/allVariables.py (critical step).

Public YARA rules repository

  • factual-rules – Sample rules generated from some very common software.

Overview of factual rules generator

R K

Recent Posts

Install Opera Web Browser on Ubuntu 18.04: Complete Setup Guide

Opera is one of the most popular cross-platform web browsers in the world, available on Windows,…

5 hours ago

Install Gogs on Ubuntu 18.04: Self-Hosted Git Server Setup Guide

Gogs is a free, self-hosted Git service written in Go. It gives you a private GitHub-like…

5 hours ago

Install Elasticsearch on Ubuntu 18.04: Setup and Config Guide

Elasticsearch is an open-source distributed search and analytics engine built on Apache Lucene. It supports RESTful…

5 hours ago

Install Flask on Ubuntu 18.04: venv Setup and Hello World App

Flask is a free, open-source micro web framework for Python. It is built on Werkzeug and…

5 hours ago

Install Memcached on Ubuntu 18.04: Setup, Config, and Client Guide

Memcached is a free, open-source, high-performance in-memory caching system. It stores data as key-value pairs in…

5 hours ago

Install TensorFlow on Ubuntu 18.04: Python venv Setup and Usage

TensorFlow is a free, open-source machine learning platform developed by Google. It is used by major…

1 day ago