Did you know that you can use Copilot for Security to convert rules from other sources to KQL that Microsoft products can use? Here’s an example.
The following YARA rule comes from https://github.com/Yara-Rules/rules/blob/master/cve_rules/CVE-2016-5195.yar
The prompt simply asks Copilot for Security to convert a rule acquired from a GitHub repository. This YARA rule matches indicators of the Linux Dirty COW exploit for CVE-2012-0056 and CVE-2016-5195.
Convert the following yara rule to a Microsoft Sentinel analytics rule:
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule Linux_DirtyCow_Exploit {
    meta:
        description = "Detects Linux Dirty Cow Exploit - CVE-2012-0056 and CVE-2016-5195"
        author = "Florian Roth"
        reference = "http://dirtycow.ninja/"
        date = "2016-10-21"
    strings:
        $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
        $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
        $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
        $source1 = "madvise(map,100,MADV_DONTNEED);"
        $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
        $source3 = ",map,SEEK_SET);"
        $source_printf1 = "mmap %x"
        $source_printf2 = "procselfmem %d"
        $source_printf3 = "madvise %d"
        $source_printf4 = "[-] failed to patch payload"
        $source_printf5 = "[-] failed to win race condition..."
        $source_printf6 = "[*] waiting for reverse connect shell..."
        $s1 = "/proc/self/mem"
        $s2 = "/proc/%d/mem"
        $s3 = "/proc/self/map"
        $s4 = "/proc/%d/map"
        $p1 = "pthread_create" fullword ascii
        $p2 = "pthread_join" fullword ascii
    condition:
        ( uint16(0) == 0x457f and $a1 ) or
        all of ($b*) or
        3 of ($source*) or
        ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
}
Plugging the prompt into Copilot for Security:
The result turns out to be pretty good.
DeviceProcessEvents
| where TimeGenerated > ago(5d)
| where ProcessCommandLine contains "/proc/self/mem" or ProcessCommandLine contains "/proc/%d/mem" or ProcessCommandLine contains "pthread_create" or ProcessCommandLine contains "pthread_join" or ProcessCommandLine contains "[-] failed to patch payload" or ProcessCommandLine contains "[-] failed to win race condition..."
| project TimeGenerated, DeviceName, ProcessCommandLine
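Before deploying a converted query it is worth checking what the conversion lost. YARA scans file contents, while DeviceProcessEvents only carries command lines, so the hex byte patterns ($a1, $b1, $b2), the ELF header check (uint16(0) == 0x457f) and the filesize limit have no counterpart in the table at all. The generated query also flattens the rule's "3 of ($source*)" and "all of ($p*)" logic into one big OR and picks only six of the fifteen text strings. The script below is an added example, not the blog's code and not output from Copilot for Security: it parses the rule's text strings, keeps the count and all-of logic in KQL, maps YARA fullword strings to a term match (has) and the rest to a substring match (contains), and lists the clauses it had to drop. The table and column names (DeviceProcessEvents, TimeGenerated, DeviceName, ProcessCommandLine) and the 5-day lookback are those from the query above; the function names are this example's own.

```python
"""Added example: translate the text-string part of a YARA rule into Sentinel KQL.

Not the blog's or Copilot for Security's code. YARA's ($x*) wildcard is a
name-prefix match, so it is reproduced as such here (note that ($s*) therefore
also covers every $source* string, exactly as YARA would evaluate it).
"""
import re

# The rule from the page, embedded so the example runs offline
# (license comment and meta block omitted; the parser skips them anyway).
YARA_RULE = r'''
rule Linux_DirtyCow_Exploit {
    strings:
        $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }
        $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
        $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }
        $source1 = "madvise(map,100,MADV_DONTNEED);"
        $source2 = "=open(\"/proc/self/mem\",O_RDWR);"
        $source3 = ",map,SEEK_SET);"
        $source_printf1 = "mmap %x"
        $source_printf2 = "procselfmem %d"
        $source_printf3 = "madvise %d"
        $source_printf4 = "[-] failed to patch payload"
        $source_printf5 = "[-] failed to win race condition..."
        $source_printf6 = "[*] waiting for reverse connect shell..."
        $s1 = "/proc/self/mem"
        $s2 = "/proc/%d/mem"
        $s3 = "/proc/self/map"
        $s4 = "/proc/%d/map"
        $p1 = "pthread_create" fullword ascii
        $p2 = "pthread_join" fullword ascii
    condition:
        ( uint16(0) == 0x457f and $a1 ) or
        all of ($b*) or
        3 of ($source*) or
        ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )
}
'''

TEXT_STRING = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*?)\s*$')
HEX_STRING = re.compile(r'^\s*\$(\w+)\s*=\s*\{[^}]*\}')


def yara_unescape(raw):
    """Resolve YARA text-string escapes (quote, backslash, t, n, r, xNN)."""
    def repl(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return {"t": "\t", "n": "\n", "r": "\r"}.get(esc, esc)
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, raw)


def parse_strings(rule):
    """Return ({name: (value, is_fullword)}, [hex pattern names]) from the strings: section."""
    text, hexes, in_strings = {}, [], False
    for line in rule.splitlines():
        stripped = line.strip()
        if stripped.startswith("strings:"):
            in_strings = True
            continue
        if stripped.startswith("condition:"):
            break
        if not in_strings:
            continue
        m = TEXT_STRING.match(line)
        if m:
            name, raw, modifiers = m.groups()
            text[name] = (yara_unescape(raw), "fullword" in modifiers.split())
        elif HEX_STRING.match(line):
            hexes.append(HEX_STRING.match(line).group(1))
    return text, hexes


def kql_literal(value):
    """Quote a string for KQL; backslash and double quote are the escapes that matter."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def predicate(text, name, column):
    """fullword -> whole-term match (has); otherwise substring match (contains)."""
    value, fullword = text[name]
    return f'{column} {"has" if fullword else "contains"} {kql_literal(value)}'


def build_kql(rule, table="DeviceProcessEvents", column="ProcessCommandLine", lookback="5d"):
    """Translate the string-only clauses of the condition; return (query, dropped clauses)."""
    text, hexes = parse_strings(rule)

    def group(prefix):  # YARA ($prefix*) wildcard semantics
        return [n for n in text if n.startswith(prefix)]

    source_hits = " + ".join(f"iff({predicate(text, n, column)}, 1, 0)" for n in group("source"))
    any_s = " or ".join(predicate(text, n, column) for n in group("s"))
    all_p = " and ".join(predicate(text, n, column) for n in group("p"))
    query = "\n".join([
        table,
        f"| where TimeGenerated > ago({lookback})",
        f"| extend source_hits = {source_hits}",
        "| where source_hits >= 3",  # 3 of ($source*)
        f"    or (({any_s}) and {all_p})",  # 1 of ($s*) and all of ($p*)
        f"| project TimeGenerated, DeviceName, {column}, source_hits",
    ])
    dropped = [f"${n} (hex pattern; {table} has no file content)" for n in hexes]
    dropped += ["uint16(0) == 0x457f (ELF header check)", "filesize < 20KB"]
    return query, dropped


if __name__ == "__main__":
    kql, dropped = build_kql(YARA_RULE)
    print(kql)
    print("\nNot translatable against a process-event table:\n  " + "\n  ".join(dropped))
```

Run it and paste the printed query into a Sentinel analytics rule; the dropped list is the part to hand to a file-scanning control (Defender's file-level detection, or YARA itself on an endpoint), since no command-line query will ever see those bytes.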
Give it a try and let me know your results.