We covered an introduction to YARA rules and how to create them to detect malware using patterns that match common indicators of compromise. YARA rules are created and stored inside rule files that have the .yar extension, and rules are written in YAML language. We also used the LOKI Python script as a tool to scan for malicious files using Yara rules. We also covered how to generate Yara rules using the yarGen tool. Finally, we explained how to research and download Yara rules using the VALHALLA feed. This was part of the TryHackMe Yara room, which is under the SOC Level 1 Pathway.

Video Highlights

“The pattern matching swiss knife for malware researchers (and everyone else)” (VirusTotal, 2020)

With such a fitting quote, Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.
Rules are used to label these patterns. For example, Yara rules are frequently written to determine if a file is malicious or not, based upon the features – or patterns – it presents. Strings are a fundamental component of programming languages. Applications use strings to store data such as text.
Using a Yara rule is simple. Every yara command requires two arguments to be valid:
1) The rule file we create
2) The name of the file, directory, or process ID to run the rule against.

Every rule must have a name and a condition. For example, if we wanted to use “myrule.yar” on the directory “somedirectory”, we would run the following command:
yara myrule.yar somedirectory
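The rule file passed as the first argument looks like the following. This is an added, constructed example and not a rule from the room or the post: it shows the three parts every rule carries (a name, the named string variables, and the condition), mixes text strings with a hex string, and uses the filesize condition the room asks about. The strings and the rule name are assumptions chosen for illustration, not signatures from LOKI's signature set.

```yara
// Constructed example (not from the original post): one rule with a name,
// optional meta, named string variables, and a condition over them.
rule Example_PHP_Webshell_Indicators
{
    meta:
        description = "Illustrative rule: generic PHP web shell indicators"
        author      = "added example, not from the original post"
        reference   = "hypothetical"

    strings:
        // Text strings are matched literally; 'ascii' matches the single-byte
        // encoding and 'nocase' makes the match case-insensitive.
        $php_open   = "<?php" ascii
        $eval_post  = "eval($_POST" ascii nocase
        $eval_req   = "eval($_REQUEST" ascii nocase
        $b64_eval   = "eval(base64_decode(" ascii nocase
        $passthru   = "passthru(" ascii nocase
        $shell_exec = "shell_exec(" ascii nocase

        // Hex string: raw bytes in base 16. [2-4] allows a gap of 2 to 4
        // arbitrary bytes. Here: "<?" then a short gap then "eval" (constructed).
        $hex_eval   = { 3C 3F [2-4] 65 76 61 6C }

    condition:
        // Web shells are small, carry a PHP tag near the start of the file,
        // and use at least two of the dangerous call patterns above.
        filesize < 200KB
        and $php_open in (0..512)
        and 2 of ($eval_post, $eval_req, $b64_eval, $passthru, $shell_exec, $hex_eval)
}
```

Running it as `yara -s rule.yar somedirectory` prints, for each hit, the string variable names (such as `$eval_post`) and offsets that matched, which is how you answer which string a rule fired on.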

LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.

Based on the GitHub page, detection is based on 4 methods:

  1. File Name IOC Check
  2. Yara Rule Check (we are here)
  3. Hash Check
  4. C2 Back Connect Check

There are additional checks that LOKI can be used for. For a full rundown, please reference the GitHub readme.

LOKI can be used on both Windows and Linux systems and can be downloaded here.

As a security analyst, you may need to research various threat intelligence reports, blog postings, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically in these readings, IOCs (hashes, IP addresses, domain names, etc.) will be shared, along with Yara rules, so rules can be created to detect these threats in your environment. On the flip side, you might find yourself in a situation where you’ve encountered something unknown that your security stack of tools can’t/didn’t detect. Using tools such as Loki, you will need to add your own rules based on your threat intelligence gathering or findings from an incident response engagement (forensics).

Room Answers

What is the name of the base-16 numbering system that Yara can detect?

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

What Yara rule did it match on?

What does Loki classify this file as?

Based on the output, what string within the Yara rule did it match on?

What is the name and version of this hack tool?

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Inspect file 2. What is the name and version of this web shell?

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

Did Yara rule flag file 2? (Yay/Nay)

Copy the Yara rule you created into the Loki signatures directory.

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

What is the name of the variable for the string that it matched on?

Inspect the Yara rule, how many strings were generated?

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Besides .PHP, what other extension is recorded for this file?

What JavaScript library is used by file 2?

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)

Video Walkthrough

About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in Healthcare and Finance Industries. Penetration tester and compliance auditor.