
How to post-process YARA rules generated by yarGen

2 min read · Oct 23, 2017

Long ago I abandoned the objective of creating perfect YARA rules in a fully automatic process.

Therefore, the main purpose of yarGen is to create the best possible rules for manual post-processing. I can understand that this step of manual post-processing seems to be a tedious task. But believe me, the combination of clever automatic preselection and a critical human analyst beats both the fully manual and fully automatic generation process.

I’d like to show you how to create two great YARA rules for recently published Sofacy / APT28 / Tsar Team / Group 74 / Sednit / Fancy Bear / Pawn Storm samples. The video shows you how to process two YARA rules created by yarGen for the two Sofacy samples in about 5:30 minutes.
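The post does not spell out the individual review steps (they are in the video), so here is an added example of what the manual pass typically looks like in code. It is not yarGen's code and not the author's rule: the input rule is constructed with placeholder strings and a zero hash, and the review heuristics (drop duplicates, drop very short strings, drop a small list of generic Windows API and runtime strings, promote a PDB path to a high-confidence `$x` string) are my own assumptions about what an analyst checks, not anything yarGen itself does.

```python
import re
from collections import OrderedDict

# Constructed example of the kind of rule yarGen emits (placeholder strings
# and a zero hash; not IoCs from any real sample). It is the review input.
GENERATED_RULE = r'''rule Example_Generated_Sample {
   meta:
      description = "Auto-generated rule (constructed example)"
      author = "yarGen Rule Generator"
      hash1 = "0000000000000000000000000000000000000000000000000000000000000000"
   strings:
      $s1 = "C:\\Users\\dev\\Projects\\agent\\Release\\agent.pdb" fullword ascii
      $s2 = "GetProcAddress" fullword ascii
      $s3 = "cmd.exe /c %s > %s 2>&1" fullword ascii
      $s4 = "abc" fullword ascii
      $s5 = "Microsoft Visual C++ Runtime Library" fullword ascii
      $s6 = "kernel32.dll" fullword ascii
      $s7 = "cmd.exe /c %s > %s 2>&1" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and 4 of them
}
'''

# Strings a reviewer drops on sight: generic library, API and runtime text
# found in countless benign binaries. Illustrative list (assumption); a real
# review relies on the analyst's judgement and a goodware corpus.
GENERIC_STRINGS = {
    "GetProcAddress", "LoadLibraryA", "kernel32.dll", "user32.dll",
    "Microsoft Visual C++ Runtime Library",
}
MIN_LEN = 8  # below this a plain ASCII string is rarely specific enough

# Matches one YARA string definition: $name = "value" modifiers
STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*?)\s*$')


def parse_strings(rule_text):
    """Return [(name, value, modifiers)] for every string definition."""
    return [m.groups() for line in rule_text.splitlines()
            if (m := STRING_RE.match(line))]


def meta_lines(rule_text):
    """Copy the meta section verbatim so provenance (hash1, reference) survives."""
    lines = rule_text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.strip() == "meta:") + 1
    end = next(i for i, l in enumerate(lines) if l.strip() == "strings:")
    return lines[start:end]


def review_strings(defs):
    """Apply the reviewer heuristics. Returns (kept, dropped) where kept maps
    value -> (prefix, modifiers) in original order and dropped is [(name, reason)]."""
    kept, dropped = OrderedDict(), []
    for name, value, mods in defs:
        if value in kept:
            dropped.append((name, "duplicate"))
            continue
        if value in GENERIC_STRINGS:
            dropped.append((name, "generic"))
            continue
        if len(value) < MIN_LEN:
            dropped.append((name, "too short"))
            continue
        # A PDB path is the kind of high-confidence artefact a reviewer
        # promotes to an $x string so that one hit is enough on its own.
        prefix = "x" if value.lower().endswith(".pdb") else "s"
        kept[value] = (prefix, mods)
    return kept, dropped


def rebuild_rule(name, kept, meta):
    """Emit the reviewed rule with renumbered $x/$s strings and a condition
    that fires on the high-confidence string or on all remaining $s strings."""
    counters = {"x": 0, "s": 0}
    lines = [f"rule {name} {{", "   meta:"] + meta + ["   strings:"]
    for value, (prefix, mods) in kept.items():
        counters[prefix] += 1
        lines.append(f'      ${prefix}{counters[prefix]} = "{value}" {mods}'.rstrip())
    parts = []
    if counters["x"]:
        parts.append("1 of ($x*)")
    if counters["s"]:
        parts.append("all of ($s*)")
    cond = "uint16(0) == 0x5a4d and filesize < 200KB and (" + " or ".join(parts) + ")"
    lines += ["   condition:", "      " + cond, "}"]
    return "\n".join(lines)


def post_process(rule_text, new_name):
    """Full pass: parse, review, rebuild. Returns (rule_text, dropped)."""
    kept, dropped = review_strings(parse_strings(rule_text))
    return rebuild_rule(new_name, kept, meta_lines(rule_text)), dropped


if __name__ == "__main__":
    rule, dropped = post_process(GENERATED_RULE, "Example_Reviewed_Sample")
    for name, why in dropped:
        print(f"dropped ${name}: {why}")
    print(rule)
```

Run as a script, it reports the five dropped strings ($s2, $s5 and $s6 as generic, $s4 as too short, $s7 as a duplicate) and prints a rule with one `$x1` (the PDB path) and one `$s1` (the command-line template). The original `4 of them` condition would no longer make sense with two strings left, which is why the condition is rebuilt rather than copied; in practice the analyst then runs the result against a goodware set, as the Munin test run below does, before committing it.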

The results of the test run look very good. We’ve detected more related samples and don’t see a single false positive.

Image: Munin results for the first test run of the Sofacy rules

Samples on which the YARA rules matched:

142f524121fe16e1c67031f12015be4adec42bb7
90d814baef9ed32ad1db5994abbd3eefa41204fb
cbeac781bd254bbc79f4eef5f0357e083491647d
476fc1d31722ac26b46154cbf0c631d60268b28a
142f524121fe16e1c67031f12015be4adec42bb7
8a68f26d01372114f660e32ac4c9117e5d0577f1

I committed the final rule to my signature-base repository:

Links

You can find the report on Group 74 activity by Cisco Talos threat intel team member Paul Rascagnères here:
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

yarGen Github repository:
