phish-kit-yara
is a yara module (imported as phishkit
) and pre-built docker container designed to aid in fingerprinting phishing kits. Archives and their contents are expanded in memory allowing for functions to; find specific strings, regexes, hashes, file and directory paths. This project contains an environment to allow you to quickly spin up a container with the compiled phish-kit-yara
module and run rules within ./rules/
against any archives within ./files/
.
The module provides several additional functions to aid in fingerprinting malicious indicators or specific phishing kits. Some functions support additional flags represented as f
and cf
. An overview of values for these flags are defined at the bottom of this section.
-
phishkit.has_file("file.php", f)
Return a match if the file is present within the archive.
Iff
is0
the file path must be an exact match. Iff
is1
any matching filenames will return a match regardless of which directory it is in. -
phishkit.has_string("string", cf)
Return a match if the provided string is present within any file in the archive.
cf
should be0
for case-sensitive matching or1
for case-insensitive. -
phishkit.file_has_string("file.php", "string", f, cf)
Return a match if the specified file within the archive contains the provided string.
Iff
is0
the path must be exact. Iff
is1
the function will run on any matching filenames regardless of parent directory.cf
should be0
for case-sensitive matching or1
for case-insensitive. -
phishkit.has_regex(/regex/)
Return a match if there are any matches for the provided regular expression within the archive. -
phishkit.file_has_regex("file.php", /regex/, f)
Return a match if the specified file contains a matching regex within the archive.
Iff
is0
the path must be exact. Iff
is1
the function will run on any matching filenames regardless of parent directory. -
phishkit.has_dir("root/subdir/", f)
Return a match if the specified directory exists within the archive.
Iff
is0
the path must be exact. Iff
is1
the path can be partial. -
phishkit.has_sha1("sha1hash")
Return a match if the specified SHA1 hash exists within the archive. -
phishkit.file_has_sha1("file.php", "sha1hash", f)
Return a match if the specified file has the provided SHA1 hash. Iff
is0
the path must be exact. Iff
is1
the path can be partial.
Flag | Value | Description | Example | Supported Functions |
---|---|---|---|---|
f |
0 |
Match on exact path | func("root/subdir/file.php", 0) |
has_file , file_has_string , file_has_regex , has_dir , file_has_sha1 |
f |
1 |
Match on file name | func("file.php", 1) |
has_file , file_has_string , file_has_regex , has_dir , file_has_sha1 |
cf |
0 |
Case sensitive match | func("string", 0) |
has_string , file_has_string |
cf |
1 |
Case insensitive match | func("StRiNg", 1) |
has_string , file_has_string |
import "phishkit"
rule example_rule
{
meta:
description = "Example rule"
author = "@sysgoblin"
condition:
phishkit.has_file("page1.php", 0) or // Match if page1.php exists
phishkit.has_string("echo", 0) or // Match if string "echo" (case-sensitive) exists anywhere
phishkit.file_has_string("page2.php", "This is a phish!", 0, 0) or // Match if string (case-sensitive) exists in file page2.php
phishkit.has_regex(/\sphish\!/) or // Match if regex exists anywhere
phishkit.file_has_regex("page2.php", /\sphish\!/, 0) or // Match if regex exists in page2.php
phishkit.has_dir("subdir/", 0) // Match if directory exists
}
Feature requests and rules wanted. Submit a PR with your rules to be merged in to main
branch.
- Download
docker
anddocker compose
git clone https://github.com/zerofox-oss/phish-kit-yara.git
cd ./phish-kit-yara/
docker compose build
and either
docker compose up -d
./get_shell.sh phishkityara
(Drop yourself in a shell in the docker container)
or
docker-compose run --rm phishkityara yara rules/example.yar files/example_phish.zip
(This will auto remove the container once execution has finished)
If you wish to install the module and its dependencies locally you need to compile yara with the modules from source. (Only tested with Yara v.4.0.0)
wget https://github.com/VirusTotal/yara/archive/v4.0.0.tar.gz -O yara.tar.gz
tar -xzvf yara.tar.gz
cp ./libyara/miniz.c yara-4.0.0/libyara/miniz.c
cp ./libyara/include/yara/miniz.h yara-4.0.0/libyara/include/yara/miniz.h
cp ./libyara/modules/phishkit.c yara-4.0.0/libyara/modules/phishkit.c
cp ./libyara/modules/module_list yara-4.0.0/libyara/modules/module_list
cp ./libyara/Makefile.am yara-4.0.0/libyara/Makefile.am
cd yara-4.0.0
./bootstrap.sh
./configure --enable-cuckoo
make
make install
More information can be found here: https://yara.readthedocs.io/en/v4.0.0/gettingstarted.html
Shout out to VT for maintining the Yara project, richgel999 for the data compression library miniz, and to stoerchl whose zip module served as the inspiration/foundation for this project.