Yara Write-up
Description
Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting! This is a room on TryHackMe.
What is Yara?
- Can identify binary and textual patterns inside a file
Questions
- What is the name of the base-16 numbering system that Yara can detect? hex
- Would the text “Enter your Name” be a string in an application? (Yay/Nay) Yay
Install Yara
Ubuntu:
- Repo:
sudo apt install yara
- Source:
sudo apt install automake libtool make gcc flex bison libssl-dev libjansson-dev libmagic-dev pkg-config
, then Download yara source from GitHub
Introduction to Yara Rules
- Every rule has a name and condition
- Standard extension:
.yar
Basic structure
rule examplerule {
condition: true
}
Execute Rule
yara rule.yar somefile
Expanding on Yara Rules
Meta
- Descriptive information by the author
Strings
- Strings are used to search for specific text or hexadecimal in files or programs
strings:
$hello = "Hello World!"
Conditions
any of them
true
- Operators:
<=
,>=
,!=
- Combining keywords:
and
,not
,or
Yara Modules
- Cuckoo-Module: Create rules based on behaviours discovered from Cuckoo Sandbox
- Python PE Module: Create yara rules based on various sections and elements of the Windows PE structure
Other tools and Yara
- List of YARA rules
- Loki: IOC scanner
- THOR: IOC and YARA scanner
- Fenrir: Bash script without dependencies
- YAYA: Tool to manage multiple YARA rule repositories
Using LOKI and its Yara rule set
- Rules are created based on threat intelligence research
Commands:
-h
: Help Menu--update
: Update rules-p <path>
: Path to scan
Scanning file1 directory with following command:
python loki.py -p ~/suspicious-files/file1/
Scanning file2 directory with following command:
python loki.py -p ~/suspicious-files/file2/
The actual Yara file:
Finding the web shell name and version inside file 2:
Create Yara rules with yarGen
- Typically done in case of an incident
- yarGen: Generator for Yara rules; removes strings that can be found in Goodware, extracts strings in malware
Commands:
--update
: Update database-m <path>
: Path to file for what rules should be created for--excludegood
: force to exclude all goodware strings-o <path>
: Location and name where rule should be outputted- yarAnalyzer: Another tool to create rules
Further reading:
- https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/
- https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/
- https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/
Questions
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
yara files2.yar file2/1ndex.php
Did Yara rule flag file 2? (Yay/Nay)
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
Inspect the Yara rule, how many strings were generated?
Valhalla
- Online Yara feed
Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group?
After that search on Valhalla for that hash.
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Besides .PHP, what other extension is recorded for this file?
Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)
What JavaScript library is used by file 2?
Search for the library inside the file: