Introduction
The video is a tutorial on using YARA for threat detection within a cybersecurity context, specifically as part of TryHackMe’s YARA room. YARA is explained as a tool for file pattern matching based on rules, commonly used to label files as potentially malicious based on patterns in file data.
Challenge Description
This room will expect you to understand basic Linux familiarity, such as installing software and commands for general navigation of the system. More so, this room isn’t designed to test your knowledge or for point-scoring. It is here to encourage you to follow along and to experiment with what you have learned here.
As always, I hope you take a few things away from this room, namely, the wonder that Yara (Yet Another Ridiculous Acronym) is and its importance in infosec today. Yara was developed by Victor M. Alvarez (@plusvic) and @VirusTotal. Check the GitHub repo here.
YARA Explained
- Definition: YARA matches file patterns using rules based on binary, hexadecimal, or string-based data, useful for detecting malware by analyzing file contents for known signatures.
- Components of a YARA Rule:
  - Rule Name: Identifies the rule.
  - Meta Section: Describes the rule’s purpose (description, author, references).
  - Strings Section: Defines the variables or patterns to match, such as specific strings, IPs, or other indicators of compromise.
  - Condition: Specifies when the rule triggers, often whether any or all of the defined strings appear in the file, optionally combined with constraints such as file size.
Practical Usage of YARA:
- Creating a YARA Rule: The tutorial provides an example where a rule checks for the string “hello world” in several case variants (uppercase, lowercase, mixed). By adjusting the condition, users specify which of those strings must be present for a match, allowing the rule to be tailored to the threat scenario.
- Running YARA: The syntax for YARA scans is demonstrated: the yara command takes a rule file and a target file and prints the name of each rule that matches, if the file meets the defined conditions.
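The rule file below is an added example illustrating the components described above; it is not the room’s own rule, and the rule names, string variable names, and the 1MB size bound are chosen for illustration.

```yara
// hello_world.yar (constructed example)
// Run with:  yara -s -m hello_world.yar <target file>
//   -s prints each matched string with its variable name ($lower, $upper, ...)
//   -m prints the meta section of the matching rule

rule HelloWorld_AnyCase
{
    meta:
        description = "Matches 'hello world' in any of the listed case variants"
        author      = "example author (placeholder)"

    strings:
        $lower = "hello world"
        $upper = "HELLO WORLD"
        $mixed = "Hello World"
        // Same bytes as $lower, written as a hex string to show binary matching
        $hex   = { 68 65 6c 6c 6f 20 77 6f 72 6c 64 }

    condition:
        // Trigger if at least one of the defined strings is present
        any of them
}

rule HelloWorld_Strict
{
    meta:
        description = "Requires every case variant and bounds the file size"

    strings:
        // nocase collapses the case variants into one definition
        $anycase = "hello world" nocase
        $lower   = "hello world"
        $upper   = "HELLO WORLD"

    condition:
        // All listed strings must appear, and the file must be under 1MB
        filesize < 1MB and all of them
}
```

A file containing only “HELLO WORLD” matches the first rule (via $upper and $anycase-style logic) but not the second, which demonstrates how any vs all changes the rule’s sensitivity.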
Alternative Tools:
- Loki: A tool incorporating pre-configured YARA rules to detect indicators of compromise, simplifying malware detection. Users can scan files and directories for suspicious activity without needing to manually create YARA rules.
- yarGen: A YARA rule generator that builds new rules from malware samples by extracting strings that are not found in a goodware set.
- Valhalla: A search engine and tool for finding YARA rules, useful for expanding rule libraries or accessing public rules for common threats.
Practical Example with Loki:
- The tutorial walks through using Loki to scan files in a suspicious directory. Loki scans and matches a web shell YARA rule with a file, indicating potential malicious behavior. The video also covers how to examine Loki’s YARA rules to understand the logic and patterns for different malware types.
Examples of Rule Matching:
- Rule Matching Explanation: The example walks through rules for known threats, such as detecting specific strings used by a piece of malware. Each rule pairs a meta section describing the threat with a condition that triggers only when the defined strings (and any other constraints) are satisfied.
TryHackMe Yara | Room Answers
Answers
Would the text “Enter your Name” be a string in an application? (Yay/Nay)
What Yara rule did it match on?
What does Loki classify this file as?
Based on the output, what string within the Yara rule did it match on?
What is the name and version of this hack tool?
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
Inspect file 2. What is the name and version of this web shell?
Did Yara rule flag file 2? (Yay/Nay)
Copy the Yara rule you created into the Loki signatures directory.
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
What is the name of the variable for the string that it matched on?
Inspect the Yara rule, how many strings were generated?
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Besides .PHP, what other extension is recorded for this file?
Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)
Video Walkthrough