Kali Linux

Factual-Rules-Generator : An Open Source Project Which Aims To Generate YARA Rules

Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a running operating system.

The goal of the software is to be able to use a set of rules against collected or acquired digital forensic evidences and find installed software in a timely fashion.

The software can be used to baseline known software from Windows system and create a set of rules for finding similar installation on other systems.

Dependencies

  • pefile
  • psutil
  • ndjson
  • python-tlsh
  • PyInstaller (to change client.py to client.exe)
  • ssdeep
    • On Ubuntu:
      • sudo apt-get install build-essential libffi-dev python3 python3-dev python3-pip libfuzzy-dev
      • pip install ssdeep

Tools requirement

Some tools are required on the host operating system some are Unix standard tools and some additional ones:

  • xxd
  • curl

For the Windows virtual machine, the following software is required to be installed:

  • SDelete
  • AsA (AttackSurfaceAnalyzer)

Install

  • Install all Python dependencies defined requirements.txt
  • Create a shared folder to communicate with VM
  • Install a Windows VM
    • Install chocolatey on Windows VM
    • Complete bin/OnWindows/Varclient.py
    • Change bin/OnWindows/client.py in an executable file with PyInstaller and put in startup folder
  • Update etc/allVariables.py to match your desired configuraiton

In test/ some examples of software to install is given, the following specific format is required:

  • First, select the name of the packages to install using chocolatey before :, or the name of the file in case of msi or exe file.
  • Second, after : there’s the name of the exe to extract and run it (without extension).
  • The second part after , follow the same system with the word installer first and after : the type of installer :
    • choco
    • msiexec
    • exe
  • Finally, the third part, uninstaller follow by : and the uninstaller like choco, msiexec or exe

Run and generate the rules

  • bin/Generator.py is the only script to run, don’t forget to update etc/allVariables.py (critical step).

Public YARA rules repository

  • factual-rules – Sample rules generated from some very common software.

Overview of factual rules generator

R K

Recent Posts

Install Pip on Ubuntu 18.04: Python 3 and Python 2 Setup Guide

Pip is the official package manager for Python and the standard way to install libraries from…

2 days ago

Install R on Ubuntu 18.04 from CRAN: Statistical Computing Setup

R is an open-source programming language and environment built for statistical computing and data visualization. It…

2 days ago

Install Jenkins on Ubuntu 18.04: CI/CD Server Setup Guide

Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…

2 days ago

Install Android Studio on Ubuntu 18.04 with Snap and OpenJDK 8

Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…

2 days ago

Install and Configure GitLab on Ubuntu 18.04 with Omnibus

GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…

2 days ago

Install Anaconda on Ubuntu 18.04: Python Data Science Setup Guide

Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…

3 days ago