We covered an introduction to YARA rules and how to create them to detect malwares using patterns that match common indicators of compromise. YARA rules are created and stored inside rule files that have .yar extension and rules are written in YAML language. We also used LOKI python script as a tool to scan for malicious files using Yara rules. We also covered how to generate Yara rules using yaraGen tool. Finally we explained how to research and download Yara rules using VALHALLA feed. This was part of TryHackMe Yara which is under SOC Level 1 Pathway.
yara command requires two arguments to be valid, these are:
1) The rule file we create
2) Name of file, directory, or process ID to use the rule for.Every rule must have a name and condition.For example, if we wanted to use “myrule.yar” on directory “some directory”, we would use the following command:
yara myrule.yar somedirectory
LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.
Based on the GitHub page, detection is based on 4 methods:
There are additional checks that LOKI can be used for. For a full rundown, please reference the GitHub readme.
As a security analyst, you may need to research various threat intelligence reports, blog postings, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically in these readings, IOCs (hashes, IP addresses, domain names, etc.) will be shared so rules can be created to detect these threats in your environment, along with Yara rules. On the flip side, you might find yourself in a situation where you’ve encountered something unknown, that your security stack of tools can’t/didn’t detect. Using tools such as Loki, you will need to add your own rules based on your threat intelligence gathers or findings from an incident response engagement (forensics).
Would the text “Enter your Name” be a string in an application? (Yay/Nay)
What Yara rule did it match on?
What does Loki classify this file as?
Based on the output, what string within the Yara rule did it match on?
What is the name and version of this hack tool?
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
Inspect file 2. What is the name and version of this web shell?
Did Yara rule flag file 2? (Yay/Nay)
Copy the Yara rule you created into the Loki signatures directory.
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
What is the name of the variable for the string that it matched on?
Inspect the Yara rule, how many strings were generated?
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Besides .PHP, what other extension is recorded for this file?