Welcome back to another entry in our Triage Thursday update blog series. We’ve got a bit of a special one today, as we’re pleased to be able to announce a major new feature for Triage. In this post we’ll take a look at the new feature, and demonstrate how to use it.
So what is this new feature? Well you’ve probably already seen the title but you can now use your own custom Yara rules in Triage analyses! Add your rules through our new in-browser editor, and they will be run against analysis files just like our own built-in rules.
This feature is available to all private cloud users, and to Researcher accounts only on the public Triage server.
Details
Triage supports most features of Yara but there are a few things you should be aware of to get the most out of the new system.
Like the built-in rules, custom Yara is run against not only the submitted sample, but also dropped files and memory dumps created by Triage during behavioural analysis. This allows you to - for example - target the binary after it has been unpacked during execution, or match particular DLLs or secondary payloads downloaded by the initial sample.
It should also be noted that currently rules can only be run against new submissions, and cannot be used in Search queries. Support for hunting in existing analyses will be made available in future updates.
As mentioned above, the custom Yara feature is now available to all Private Cloud users. It is also available free of charge to those with Researcher accounts on the public tria.ge server.
You can find the Yara editor in the top menu on Triage, replacing the old Profiles option - it will look slightly different depending on whether you are using the private or public cloud.
In this section you will find all available options related to your account and/or Organisation - analysis profiles, user management, and of course Yara.
Creating Custom Rules
Under the Organization tab (private cloud) or Researcher tab (public cloud), select Yara from the submenu and select New Yara Rule. Enter a name for the file and use the editor box to write your rule.
In general Triage's Yara support follows the same format as any Yara rule. You can also include any metadata you want, but there are certain values recommended to ensure that the signature is fully displayed in the Triage interface and reports:
- description: This field is used as the 'title' of the signature, which appears in the main UI.
- triage_description: Optional. This field is used to provide a more detailed description of the signature. In the UI, it is visible in the dropdown section of the signature.
- triage_score: Optional - defaults to 1 if not defined. The score value that should be assigned to the signature. As a rough guideline:
  - 1-4 = Benign/informational
  - 5-7 = Possibly malicious
  - 8-9 = Likely malicious
  - 10 = Known bad
- triage_tags: Optional. Used to define tags which are applied to the analysis as a whole. These are generally intended to define the class of malware - e.g. dropper, trojan, ransomware etc. These can be used in Search to find samples with these tags applied using the tag: query. Note that these tags are also visible to anyone else who has access to your analyses.
- triage_family: Optional. This is used to mark a sample as belonging to a particular malware family. The value defined here appears as a tag in the UI and can be used in Search with the family: query. Note that if this tag is defined then a sample will automatically receive a score of 10 regardless of the value set in triage_score.
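As an added example (not a rule from the original post or from the Triage team), here are two rules written to show how the metadata fields above sit inside an ordinary Yara rule. The rule names, strings, URL, tag and family values are constructed placeholders rather than real indicators, the scores follow the guideline above, and the post does not show the exact value format Triage expects for triage_tags and triage_family, so plain strings are assumed here.

```yara
// Added example rules for the Triage custom Yara editor. Rule names,
// strings, tag and family values are constructed placeholders.

rule Example_Placeholder_Dropper
{
    meta:
        // Shown as the signature title in the main Triage UI
        description = "Example placeholder dropper"
        // Longer text shown in the signature's dropdown section
        triage_description = "Matches a constructed marker string plus a placeholder download URL or download/execute imports in a PE file; written only to show the metadata fields."
        // 5-7 = possibly malicious, per the guideline above
        triage_score = 6
        // Class-of-malware tag, searchable with tag:; assumed plain string
        triage_tags = "dropper"

    strings:
        $marker = "EXAMPLE-DROPPER-MARKER" ascii wide
        $url    = /https?:\/\/example\.invalid\/stage2\/[a-z0-9]{8}\.bin/ ascii
        $api1   = "URLDownloadToFileA" ascii
        $api2   = "WinExec" ascii

    condition:
        // MZ header at offset 0: the submitted sample or a dropped PE file
        uint16(0) == 0x5A4D and $marker and ($url or all of ($api*))
}

rule Example_Placeholder_Family_Unpacked
{
    meta:
        description = "Example placeholder family (unpacked)"
        triage_description = "Looks for a constructed configuration marker and mutex name that are only expected to appear in memory after the sample unpacks."
        // Deliberately low: because triage_family is set, Triage assigns 10 anyway
        triage_score = 3
        // Family tag, searchable with family:; assumed plain string
        triage_family = "exampleplaceholderfamily"
        triage_tags = "trojan"

    strings:
        $cfg   = "EXAMPLE-FAMILY-CONFIG-v1" ascii wide
        $mutex = "Global\\ExamplePlaceholderMutex" ascii wide

    condition:
        // No header check, so this can also fire on memory dumps and
        // non-PE dropped files created during behavioural analysis
        any of them
}
```

Each rule would be pasted into the editor as its own file and saved; the editor's error and warning output is the place to catch syntax problems before the rule is applied to new submissions. The second rule omits the MZ check on purpose: since custom Yara runs over memory dumps as well as the submitted file, a rule aimed at an unpacked stage should not assume a well-formed PE header.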
When finished, select Save in the bottom right of the screen. The editor will notify you of any errors or warnings which might affect your rule - you can make any required modification and click Update to save.
And that’s it! Once it’s saved it will be run against any new analyses you create, with the output visible in the Triage UI and usable in Search.
We hope that this feature will be useful to many of you using Triage, and help you to get more out of the platform. We’ll be continuing to expand on this in the future, with support for searching existing analyses with custom Yara already planned.
If you have any feedback or suggestions about this or other improvements, please do get in touch. You can reach us through the contact form on our website, on Twitter, or by using the Feedback button within the Triage UI.
If you would like access to this new feature but currently are not registered as a Researcher, you can apply to have your account upgraded free of charge in the account settings page - we will review your application as quickly as possible. We just ask that you provide some additional information through the registration form to help us understand your usage.
Not signed up yet? Register for your free account here.