Using Yara with query

[rmccurdyDOTcom rmccurdyDOTcom]

Any syntax guru people here ? 

//WORKING ! 

select * from file_yara( paths: (select path.filename from glob("c:\windows\*.exe")).filename,yara_expression: "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}") 

 // what i want to work select * from yarascan()   or however I can use query to run yara scan on mem dump and filter out known FP

//error I get when I run the above 

 CRITICAL:rekall.1:You must specify a yara rule file or string to match. 

 //working yarascan yarascan yara_file="C:\DELETE\BlueTeamPortable\yara_rules\CAPE\LuxNet.yar"

just not sure how to pass the yara_file param to the select * from yarascan()

  https://rekall.readthedocs.io/en/latest/plugins.html reference

[Michael Cohen]

Rekall is not maintained any more. If you want to do Yara scans across the filesystem or memory using a query you should check out velociraptor at https://www.velocidex.com/

--
You received this message because you are subscribed to the Google Groups "rekall-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rekall-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rekall-discuss/f341c626-d949-4287-b61e-e7a80560877dn%40googlegroups.com.

[rmccurdyDOTcom rmccurdyDOTcom]

So I figured it out:
select * from yarascan(yara_file: "Yara_Rules_Powershell.yara", hits: 5 ) where proc.name != "rekal.exe"

the script:
@echo off

echo [+] Info Pulling bunch of yara rules ...

del .\Yara_Rules_Powershell.yara

rd /q/s yara_rules
mkdir yara_rules
cd yara_rules


FOR /F "tokens=* delims=" %%A in ('type ..\_SUPPORT\yara_svn_urls.txt ') do ( ..\TortoiseSVN\svn.exe --force export "%%A" >> ..\output\_Pull_Yara_Rules.log 2>&1 )

echo [+] Info Pulling all rules with Powershell in them because we can't run all the yara scripts at once...
powershell "Get-ChildItem  -Path .\  -Recurse | Select-String -Pattern 'powershell'  | Select Path -Unique  | Get-Content | Out-File .\Yara_Rules_Powershell.yara"    >> ..\output\_Pull_Yara_Rules.log 2>&1



echo [+] Info Running rekal in live memory mode
REM "c:\Program Files\rekall\rekal.exe" --live Memory     <       ..\_SUPPORT\_Yara_Input.txt   >> _Rekall.log 2>&1
"c:\Program Files\rekall\rekal.exe" --live Memory < ..\_SUPPORT\_Yara_Input.txt >> ..\output\_Rekall.log 2>&1

explorer "..\output\_Rekall.log"

also here the git paths that are used with svn to pull just a folder

https://github.com/ctxis/CAPE/trunk/data/yara/CAPE
https://github.com/deadbits/yara-rules/trunk/rules
https://github.com/stvemillertime/ConventionEngine/trunk/
https://github.com/deadbits/yara-rules/trunk/rules
https://github.com/Neo23x0/signature-base/trunk/yara
https://github.com/intezer/yara-rules/trunk/
https://github.com/InQuest/yara-rules/trunk/
https://github.com/jeFF0Falltrades/YARA-Signatures/trunk
https://github.com/reversinglabs/reversinglabs-yara-rules/trunk/yara
https://github.com/Yara-Rules/rules/trunk/exploit_kits
https://github.com/Yara-Rules/rules/trunk/maldocs
https://github.com/Yara-Rules/rules/trunk/malware
https://github.com/Yara-Rules/rules/trunk/webshells
https://github.com/Yara-Rules/rules/trunk/packers