I was looking for a tool that would scan multiple hosts at the same time using YARA. Every tool that I could find was either utilizing WMIC or over the network communication with a server listening to a specific port.
This script allows you to scan multiple remote nodes using PsExec and native OS commands. CrowdResponse is used instead of simple YARA due to its reporting capabilities and the ability to scale as it has many features that can be turned on on-demand (just make sure that you edit the script).
It goes without saying that you have to have rights and be able to run PsExec on remote hosts for this to work. The script will be copying the necessary file, run the command and checking every X minutes (5 minutes by default) to see if the command has finished running. When the command finishes, it copies the files XML files under the folder "results" inside the CrowdResponse directory (read steps below). As a final task, it runs CRConvert.exe to convert the XML files to HTML.
Installation
You will need to follow the below instructions to avoid any errors:
- Download CrowdResponse (https://www.crowdstrike.com/wp-content/community-tools/CrowdResponse.zip).
- Extract CrowdResponse under "C:\" or anywhere else you like (Just make sure that you modify the variable at the start of the script).
- Create a folder named results under the CrowdResponse directory from step 2.
- Copy the PsExec.exe to be in the same directory as the yara_scanner.py.
Arguments
- -f, --file, [*] Specify the file that contains the target hosts/IPs.
- -m, --pull, [*] Specify the pulling frequency(in minutes. Default = 5 mins).
- -d, --directory, [*] Specify the directory to scan on the remote host(full path).
- -y, --yara_files, [*] Specify the directory of the YARA rules (on local host) to use against the remote machines(full path).