YARA is a pattern matching swiss army knife often used by malware researchers. The strength of YARA is that it quickly and easily identifies files based on rules, which are mostly aimed at matching byte patterns. This aids malware researchers, threat intelligence analysts and forensic investigators in identifying malware samples.
We can of course use the same approach to identify files containing juicy information, which as always will hopefully aid us in pwning some network somewhere. Most of the files we use, like ntds.dit or registry hives, reside at fixed locations, or at the bare minimum at configurable ones. This usually means we write pretty awesome scripts to retrieve and process these files to get the juicy info. YARA can be a nice tool to account for the unexpected: system administrators placing these and many other files in unexpected locations.
To start with the end result, let's see the results of searching for files with passwords (loosely used to also cover hashes) inside a directory:
sudo yara -r -t hashed_passwords juicy_files.txt /etc
shadow_file /etc/shadow
shadow_file /etc/shadow-
and if we do this inside a directory which contains some test files:
yara -r -t hashed_passwords juicy_files.txt files
shadow_file files/shadow
hive_file files/mysecurity
hive_file files/mysam
hive_file files/system
ntds_file files/ntds.dit
hive_file files/mysystem
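One way the three rules behind that output could be written, as an added example that is not the rule file from the author's repository. The `regf`/`hbin` hive markers and the ESE database signature at offset 4 are the documented on-disk formats; the `datatable`/`link_table` names are the AD tables inside ntds.dit, and the shadow regex is an assumption about a typical `user:$id$salt$hash:` line layout.

```yara
// Assumed file name: juicy_files.txt (matches the command lines above).
// All three rules carry the hashed_passwords tag so "-t hashed_passwords"
// prints only them, even if the file grows other rules later.

rule shadow_file : hashed_passwords
{
    meta:
        description = "Copy of a Unix /etc/shadow (or shadow-) carrying crypt(3) hashes"
    strings:
        // shadow files start with the root entry on most systems
        $root_entry = "root:"
        // second field of a shadow line when a hash is set: $id$salt$hash
        // (assumed layout; covers $1$, $5$, $6$, $y$, $2b$ style identifiers)
        $crypt_hash = /[a-z_][a-z0-9_-]*:\$[0-9a-zA-Z]{1,3}\$[^:]+:/
    condition:
        filesize < 2MB and $root_entry at 0 and $crypt_hash
}

rule hive_file : hashed_passwords
{
    meta:
        description = "Windows registry hive (SAM, SYSTEM, SECURITY, NTUSER.DAT): regf base block"
    condition:
        // "regf" as a little-endian uint32 at offset 0, and the first hive bin
        // ("hbin") right after the 4096-byte base block
        uint32(0) == 0x66676572 and uint32(0x1000) == 0x6E696268
}

rule ntds_file : hashed_passwords
{
    meta:
        description = "Active Directory database (ntds.dit): ESE header plus the AD table names"
    strings:
        $datatable  = "datatable" wide ascii
        $link_table = "link_table" wide ascii
    condition:
        // ESE (JET Blue) database signature 0x89ABCDEF stored little-endian at offset 4;
        // the table names separate ntds.dit from other ESE databases on the box
        uint32(4) == 0x89ABCDEF and $datatable and $link_table
}
```

The same rule file is just as useful on the defensive side: run it over file shares and backup folders to find stray copies of credential stores that should not be sitting there.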
As you can imagine, you can use this approach to search entire filesystems at once, as well as network shares. Since the rules are very powerful and easy to write, I think it's much easier to maintain a repository of rules than custom scripts for each juicy file we encounter during our pwnage. You can find the repository over here, feel free to commit more rules :)