
YARA Analysis Scripts for Enterprise EDR Binary Toolkit

Example YARA scripts in a pre-built Docker container that query your VMware Carbon Black Cloud Enterprise EDR data for matching binaries and submit them for analysis.

Published by Craig Strubhart


Disclaimer: This app was created and submitted by a member of the developer community. All sample content and code in the Community Showcase is licensed to you by the sample’s author. VMware does not guarantee the samples; they are provided “AS IS”.

Problem:

The VMware Carbon Black Developer Relations team provides SDKs, toolkits and example scripts for all of the VMware Carbon Black products. One of the many examples is the Binary Toolkit. The Binary Toolkit lets you integrate between Carbon Black Cloud Enterprise EDR and a binary analysis engine, like YARA.

When the toolkit receives hashes of binaries encountered in your organization, it fetches metadata about those binaries from the Unified Binary Store (UBS) and then sends the binaries through the analysis engine. The engine's results and the metadata are consolidated and sent back to Carbon Black Cloud, where you can subscribe to them and monitor your environment through Watchlists.

This works well for a single binary that you want to send through the analysis engine, but what if you want to continuously sweep your environment and submit every matching binary? This project provides a couple of rudimentary example scripts in a pre-built Docker container that query your VMware Carbon Black Cloud Enterprise EDR data for matching binaries and submit them every 15 minutes. The Binary Toolkit keeps a database of already-analyzed binaries, so a binary that reappears in a later search is not sent through the analysis engine again; this prevents duplicate submissions.

What can it do?

The Binary Toolkit provides the conduit for pulling a binary and running it through an analysis engine. These scripts build on it in a way that could be used in a production-like environment. The current implementation runs a query every 15 minutes for any process matching the criteria set in the scripts; for each match it uses the Binary Toolkit to pull the binary from VMware Carbon Black Cloud's Unified Binary Store and send it to the YARA engine built into the Binary Toolkit.

Optionally, if a binary matches your YARA rules, the scripts create IOCs/reports in a watchlist, so VMware Carbon Black Cloud alerts you when other instances of that binary appear in the environment. This pre-built Docker container is meant as an example of how you could automate this across your environment.
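The poll, deduplicate, analyze, report loop described above, as an added example (not the showcase's own scripts or the Binary Toolkit's code). Everything external is stubbed so it runs offline: the process search results and the file bytes the Unified Binary Store would return are constructed sample data, the `process_sha256` field name is an assumption about the search schema, the "rules" are plain byte patterns standing in for YARA, and the report dictionary follows the Watchlist API's `iocs_v2` layout as I understand it and should be checked against the current docs. The SQLite table plays the role of the toolkit's database of already-analyzed binaries.

```python
"""Skeleton of the 15-minute poll -> dedupe -> analyze -> report loop.

Added example. All names below are hypothetical stand-ins for the Carbon Black
Cloud SDK, the Unified Binary Store and the Binary Toolkit's YARA engine.
"""
import re
import sqlite3
import time

INTERVAL_SECONDS = 15 * 60  # the showcase scripts poll every 15 minutes
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample input standing in for Enterprise EDR process search results
# (the `process_sha256` field name is an assumption about the search schema).
SAMPLE_PROCESSES = [
    {"process_name": "powershell.exe", "process_sha256": "aa" * 32},
    {"process_name": "powershell.exe", "process_sha256": "aa" * 32},  # same binary, second hit
    {"process_name": "rundll32.exe", "process_sha256": "bb" * 32},
    {"process_name": "svchost.exe", "process_sha256": "NOT-A-HASH"},  # malformed, must be skipped
]

# Constructed stand-in for the Unified Binary Store: sha256 -> file bytes.
SAMPLE_BINARIES = {
    "aa" * 32: b"MZ\x90\x00" + b"Invoke-Mimikatz" + b"\x00" * 16,
    "bb" * 32: b"MZ\x90\x00" + b"\x00" * 32,
}

# Stand-in "rules": name -> byte pattern. The real scripts hand the file to the
# toolkit's YARA engine; byte patterns keep this runnable without yara-python.
RULES = {"Suspicious_Mimikatz_String": b"Invoke-Mimikatz"}


class SeenStore:
    """SQLite table of already-analyzed hashes, mirroring the toolkit's DB so a
    binary is sent to the engine only once even if every poll returns it."""

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS analyzed ("
            "sha256 TEXT PRIMARY KEY, analyzed_at REAL, matches TEXT)"
        )

    def is_seen(self, sha256):
        row = self.conn.execute(
            "SELECT 1 FROM analyzed WHERE sha256 = ?", (sha256,)).fetchone()
        return row is not None

    def mark(self, sha256, matches):
        self.conn.execute(
            "INSERT OR IGNORE INTO analyzed VALUES (?, ?, ?)",
            (sha256, time.time(), ",".join(matches)))
        self.conn.commit()


def analyze_binary(data, rules=RULES):
    """Return the names of rules whose pattern occurs in the file bytes."""
    return [name for name, pattern in rules.items() if pattern in data]


def build_report(sha256, matches):
    """Watchlist report carrying a SHA-256 IOC. Shape assumed from the Watchlist
    API's iocs_v2 layout; verify against the current API documentation."""
    return {
        "title": "YARA match: " + ", ".join(matches),
        "description": "Binary matched YARA rule(s) via the Binary Toolkit",
        "severity": 7,
        "timestamp": int(time.time()),
        "iocs_v2": [{"id": sha256[:16], "match_type": "equality",
                     "field": "process_sha256", "values": [sha256]}],
    }


def run_once(store, processes, binaries, rules=RULES):
    """One poll: collect unique, well-formed hashes, skip the ones already in
    the store, analyze the rest and build a report for each match."""
    result = {"submitted": [], "skipped": [], "reports": []}
    for sha256 in sorted({p.get("process_sha256", "") for p in processes}):
        if not SHA256_RE.match(sha256) or store.is_seen(sha256):
            result["skipped"].append(sha256)
            continue
        data = binaries.get(sha256)
        if data is None:  # UBS has no copy yet; leave unmarked so the next poll retries
            continue
        matches = analyze_binary(data, rules)
        store.mark(sha256, matches)
        result["submitted"].append(sha256)
        if matches:
            result["reports"].append(build_report(sha256, matches))
    return result


def poll_forever(store, search, fetch_all, interval=INTERVAL_SECONDS):
    """Production shape of the loop: query, process, sleep, repeat."""
    while True:
        run_once(store, search(), fetch_all())
        time.sleep(interval)


if __name__ == "__main__":
    s = SeenStore()
    first = run_once(s, SAMPLE_PROCESSES, SAMPLE_BINARIES)
    print("first poll submitted:", first["submitted"])
    print("reports:", [r["title"] for r in first["reports"]])
    second = run_once(s, SAMPLE_PROCESSES, SAMPLE_BINARIES)
    print("second poll submitted:", second["submitted"])  # nothing new
```

Two details matter in practice: a hash that fails the format check is skipped rather than submitted, so a malformed or empty field in a search result cannot poison the store, and a hash whose file is not yet in the UBS is left unmarked so it is retried on the next poll instead of being recorded as analyzed.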

Previously, a user had to submit hashes to the Binary Toolkit manually or write their own scripts or tooling to tie together the Binary Toolkit, the Unified Binary Store, and watchlists. The capability of these scripts closely mirrors that of the YARA connector for Carbon Black EDR (formerly CB Response).


Getting Started

Head to the Docker Hub repository and follow the setup instructions: https://hub.docker.com/r/strubie/yara.


Last modified on February 10, 2021