This program uses yara64.exe with multithreading to perform YARA process scanning on Windows.
- Multithreading: spawns one yara64 instance per process to scan
- Logs in text and results in JSON format (especially useful for an EDR remote terminal)
Even with multithreading, a full scan still takes a long time: roughly 30 minutes, depending on the machine's specs.
- YARA (yara64.exe): https://github.com/VirusTotal/yara
- Scans all running processes
- Suggested core ruleset: https://github.com/YARAHQ/yara-forge/releases
- C2/RAT-filtered ruleset: https://github.com/PoundofAntonio/yara-forge-c2-rat-process
- Windows only
- VC++ runtime for yara64.exe: https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#visual-studio-2015-2017-2019-and-2022
- .NET Framework 4.7.2 runtime: https://dotnet.microsoft.com/en-us/download/dotnet-framework/net47
- yara64.exe
- YARA rules file
```
yara-ps.exe <exePath> <yaraPath> <stdoutFilePath> <stderrFilePath> <jsonFilePath>

Usage: yara-ps.exe [options]
Options:
  <exePath>         Path to the executable file. Default is 'yara64.exe'.
  <yaraPath>        Path to the YARA rule file. Default is 'yara-rules-core-C2-RAT.yar'.
  <stdoutFilePath>  Path to the standard output file. Default is 'yara64-stdout.txt'.
  <stderrFilePath>  Path to the standard error file. Default is 'yara64-stderr.txt'.
  <jsonFilePath>    Path to the JSON file. Default is 'detected-process.json'.
  -h, --help        Show this help message and exit.
```
- exePath: required
- yaraPath: required
- stdoutFilePath: optional
- stderrFilePath: optional
- jsonFilePath: optional
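The scan loop the program implements (spawn yara64.exe per PID from a thread pool, collect the hits into a JSON file), as an added Python example that is not the yara-ps project's own code; it assumes yara64.exe's `rule_name pid` stdout format for process scans and reuses the README's default file names:

```python
"""Added example (not yara-ps's own code): scan every running process with
yara64.exe from a thread pool and collect hits as JSON. Windows only."""
import csv
import json
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Assumed defaults, mirroring the README's documented argument defaults.
YARA_EXE = "yara64.exe"
RULES = "yara-rules-core-C2-RAT.yar"

def parse_yara_stdout(text, pid, name=None):
    """yara64 prints one 'rule_name target' line per match, where target is
    the PID string given on the command line. Returns a list of hit dicts."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1] == str(pid):
            hits.append({"pid": pid, "process": name, "rule": parts[0]})
    return hits

def scan_pid(pid, name, exe=YARA_EXE, rules=RULES, timeout=120):
    """Scan one process; a hung scan must not stall the run, hence the timeout."""
    try:
        cp = subprocess.run([exe, rules, str(pid)], capture_output=True,
                            text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return [], f"{pid} {name}: scan timed out after {timeout}s"
    return parse_yara_stdout(cp.stdout, pid, name), cp.stderr.strip()

def list_processes():
    """Enumerate (pid, image name) pairs with tasklist (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    rows = csv.reader(out.splitlines())
    return [(int(r[1]), r[0]) for r in rows if len(r) > 1 and r[1].isdigit()]

def scan_all(procs, max_workers=4, **kw):
    """Run per-PID scans on a thread pool; returns (detected, errors)."""
    detected, errors = [], []
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        for hits, err in pool.map(lambda p: scan_pid(p[0], p[1], **kw), procs):
            detected.extend(hits)
            if err:
                errors.append(err)
    return detected, errors

if __name__ == "__main__":
    found, errs = scan_all(list_processes())
    with open("detected-process.json", "w") as f:
        json.dump({"detected": found, "errors": errs}, f, indent=2)
```

Errors from yara64 (for example a protected process it cannot attach to) land in the `errors` list instead of aborting the run, so one failed PID does not cost the whole scan.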
Because the EDR remote terminal session times out when idle, running the scan as a scheduled task (schtasks) is recommended instead.
- Define the maximum thread count via a command-line argument
- Test the MDE sample PowerShell scripts and improve the debug messages