Hunting for Malicious Executables on Disk with YARA
As we saw in the previous section, YARA is a potent weapon in the arsenal of cybersecurity professionals for detecting and hunting malicious executables on a disk. With custom YARA rules or established ones at our disposal, we can pinpoint suspicious or potentially malicious files based on distinct patterns, traits, or behaviors.
We'll first examine the malware sample inside a hex editor (HxD, located at C:\Program Files\HxD) to identify the previously discovered string C:\crysis\Release\PDB\payload.pdb.
If we scroll almost to the bottom, we will notice yet another seemingly unique sssssbsss string.
Going forward, we will craft a rule grounded in these patterns and then utilize the YARA utility to scour the filesystem for similar executables.
Note: On a Linux machine, the hexdump utility could have been used to identify the same hex bytes, as follows.
As we can see, the pdf_reader.exe, microsoft.com, check_updates.exe, and KB5027505.exe files are detected by this rule (in addition to dharma_sample.exe of course).
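To make the disk hunt concrete, here is an added Python example (it is not the module's own rule or command) that mirrors the rule described above: a file counts as a hit only when both markers observed in dharma_sample.exe, the PDB path and the sssssbsss string, are present, which is YARA's "all of them" condition. The rule name Ransomware_Dharma, the chunked file-scanning helper and the sample files it writes to a temporary directory are my own constructions; the text-to-hex helper is included because rules frequently need a string expressed as hex bytes.

```python
"""
Added example, not part of the original module: a small Python stand-in for
the YARA rule described above. The YARA equivalent it mirrors (the rule name
is my own):

    rule Ransomware_Dharma {
        strings:
            $pdb = "C:\\crysis\\Release\\PDB\\payload.pdb"
            $s1  = "sssssbsss"
        condition:
            all of them
    }
"""
import os
import tempfile
from pathlib import Path

# Markers taken from the text above. YARA needs the backslashes doubled;
# a Python raw bytes literal keeps them as-is.
PATTERNS = {
    "$pdb": rb"C:\crysis\Release\PDB\payload.pdb",
    "$s1": b"sssssbsss",
}

def text_to_hex(s: str) -> str:
    """Hex-string form of an ASCII string as YARA writes it, e.g. 'abc' -> '61 62 63'."""
    return " ".join(f"{b:02X}" for b in s.encode("ascii"))

def scan_file(path: Path, patterns=PATTERNS, chunk=1 << 20) -> dict:
    """Return {pattern_id: first_offset} for every pattern found in the file.
    The file is read in chunks with an overlap of (longest pattern - 1) bytes,
    so a pattern straddling a chunk boundary is still found."""
    overlap = max(len(p) for p in patterns.values()) - 1
    found = {}
    with open(path, "rb") as fh:
        base, prev = 0, b""          # base = file offset where `data` starts
        while True:
            data = fh.read(chunk)
            if not data:
                break
            window = prev + data     # window starts at offset base - len(prev)
            for pid, pat in patterns.items():
                if pid in found:
                    continue
                idx = window.find(pat)
                if idx != -1:
                    found[pid] = base - len(prev) + idx
            prev = window[-overlap:] if overlap > 0 else b""
            base += len(data)
    return found

def hunt(root: Path, patterns=PATTERNS) -> list:
    """Walk `root` and return the sorted names of files satisfying 'all of them'."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if len(scan_file(Path(dirpath) / name, patterns)) == len(patterns):
                hits.append(name)
    return sorted(hits)

def build_sample_dir() -> Path:
    """Constructed test data: two files carry both markers, one carries only
    the sssssbsss string and must NOT match under 'all of them'."""
    d = Path(tempfile.mkdtemp(prefix="yara_hunt_"))
    both = b"MZ" + b"\x00" * 64 + PATTERNS["$pdb"] + b"\x00" * 32 + PATTERNS["$s1"]
    (d / "dharma_sample.exe").write_bytes(both)
    (d / "check_updates.exe").write_bytes(b"MZ" + b"\x90" * 100 + both)
    (d / "benign.exe").write_bytes(b"MZ" + b"\x00" * 64 + PATTERNS["$s1"])
    return d

if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for hit in hunt(sample_dir):
        print("Ransomware_Dharma", sample_dir / hit)
```

Running it prints the two files that carry both markers; benign.exe has only one and is skipped, which is exactly what "all of them" buys over "any of them". With the real tool the same sweep is yara64.exe followed by the rule file and the directory, with -r to recurse into subdirectories.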
Hunting for Evil Within Running Processes with YARA
To ascertain whether malware lurks in running processes, we'll point the YARA scanner at the system's active processes. Let's demonstrate with a YARA rule that targets Metasploit's meterpreter shellcode, which we believe is lurking in a running process.
htb_sample_shell.exe injects Metasploit's meterpreter shellcode into the cmdkey.exe process. Let's activate it, ensuring successful injection.
With the injection executed, let's scan every active system process as follows, through another PowerShell terminal (Run as administrator).
PS C:\Windows\system32> Get-Process | ForEach-Object { "Scanning with Yara for meterpreter shellcode on PID "+$_.id; & "yara64.exe" "C:\Rules\yara\meterpreter_shellcode.yar" $_.id }
Scanning with Yara for meterpreter shellcode on PID 9000
Scanning with Yara for meterpreter shellcode on PID 9016
Scanning with Yara for meterpreter shellcode on PID 4940
Scanning with Yara for meterpreter shellcode on PID 5716
Scanning with Yara for meterpreter shellcode on PID 9084
meterpreter_reverse_tcp_shellcode 9084
Scanning with Yara for meterpreter shellcode on PID 7112
Scanning with Yara for meterpreter shellcode on PID 8400
Scanning with Yara for meterpreter shellcode on PID 9180
Scanning with Yara for meterpreter shellcode on PID 416
error scanning 416: can not attach to process (try running as root)
Scanning with Yara for meterpreter shellcode on PID 492
error scanning 492: can not attach to process (try running as root)
Scanning with Yara for meterpreter shellcode on PID 1824
error scanning 1824: can not attach to process (try running as root)
Scanning with Yara for meterpreter shellcode on PID 8268
Scanning with Yara for meterpreter shellcode on PID 3940
Scanning with Yara for meterpreter shellcode on PID 7960
Scanning with Yara for meterpreter shellcode on PID 988
Scanning with Yara for meterpreter shellcode on PID 6276
Scanning with Yara for meterpreter shellcode on PID 4228
Scanning with Yara for meterpreter shellcode on PID 772
Scanning with Yara for meterpreter shellcode on PID 780
Scanning with Yara for meterpreter shellcode on PID 1192
Scanning with Yara for meterpreter shellcode on PID 7972
meterpreter_reverse_tcp_shellcode 7972
Scanning with Yara for meterpreter shellcode on PID 0
error scanning 0: could not open file
Scanning with Yara for meterpreter shellcode on PID 6788
Scanning with Yara for meterpreter shellcode on PID 924
Scanning with Yara for meterpreter shellcode on PID 636
Scanning with Yara for meterpreter shellcode on PID 1780
error scanning 1780: can not attach to process (try running as root)
We're leveraging a concise PowerShell one-liner. Get-Process fetches the running processes and, through the pipe symbol (|), hands them to the script block ({...}). ForEach-Object runs that block once per process, printing the PID and then invoking yara64.exe with our rule file and the process ID ($_.id), so the rule is applied to that process's memory.
From the results, the meterpreter shellcode seems to have infiltrated a process with PID 9084. We can also point the YARA scanner at a specific PID as follows.
Before moving on to ETW data, a quick recap. According to Microsoft, Event Tracing for Windows (ETW) is a general-purpose, high-speed tracing facility provided by the operating system. Using a buffering and logging mechanism implemented in the kernel, ETW provides a tracing mechanism for events raised by both user-mode applications and kernel-mode device drivers.
Controllers: Controllers start and stop trace sessions and enable or disable providers within a given trace.
Providers: Providers generate the events and deliver them to the designated ETW sessions.
Consumers: Consumers subscribe to specific events and receive them for further processing or analysis.
Useful Providers
Microsoft-Windows-Kernel-Process
Microsoft-Windows-Kernel-File
Microsoft-Windows-Kernel-Network
Microsoft-Windows-SMBClient/SMBServer
Microsoft-Windows-DotNETRuntime
OpenSSH
Microsoft-Windows-VPN-Client
Microsoft-Windows-PowerShell
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-CodeIntegrity
Microsoft-Antimalware-Service
WinRM
YARA Rule Scanning on ETW (Using SilkETW)
SilkETW is an open-source tool for working with Event Tracing for Windows (ETW) data. It provides enhanced visibility into, and analysis of, Windows events for security monitoring, threat hunting, and incident response. Its most useful feature for our purposes is built-in YARA support: rules can be loaded to filter or tag event data as it is collected.
Example 1: YARA Rule Scanning on Microsoft-Windows-PowerShell ETW Data
The command below executes the SilkETW tool with specific options to perform event tracing and analysis on PowerShell-related events in Windows.
-t user: Specifies the event tracing mode. In this case, it is set to "user," indicating that the tool will trace user-mode events (events generated by user applications).
-pn Microsoft-Windows-PowerShell: Specifies the name of the provider or event log that you want to trace.
-ot file: Specifies the output format for the collected event data. In this case, it is set to "file," meaning that the tool will save the event data to a file.
-p ./etw_ps_logs.json: Specifies the output file path and filename. The tool will save the collected event data in JSON format to a file named "etw_ps_logs.json" in the current directory.
-l verbose: Sets the logging level to "verbose." This option enables more detailed logging information during the event tracing and analysis process.
-y C:\Rules\yara: Enables YARA scanning and specifies a path containing YARA rules. This option indicates that the tool will perform YARA scanning on the collected event data.
-yo Matches: Specifies the YARA output option. In this case, it is set to "Matches," meaning that the tool will display YARA matches found during the scanning process.
Inside the C:\Rules\yara directory of this section's target there is a YARA rules file named etw_powershell_hello.yar that looks for certain strings in PowerShell script blocks.
Let's now execute the following PowerShell command through another PowerShell terminal and see if it will get detected by SilkETW (where the abovementioned YARA rule has been loaded).
Invoke-Command -ScriptBlock {Write-Host "Hello from PowerShell"}
We have a match!
Example 2: YARA Rule Scanning on Microsoft-Windows-DNS-Client ETW Data
The command below executes the SilkETW tool with specific options to perform event tracing and analysis on DNS-related events in Windows.
Inside the C:\Rules\yara directory of this section's target there is a YARA rules file named etw_dns_wannacry.yar that looks, within DNS events, for a hardcoded domain found in WannaCry ransomware samples.
Let's now execute the following command through another PowerShell terminal and see if it will get detected by SilkETW (where the abovementioned YARA rule has been loaded).
PS C:\Users\htb-student> ping iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Reply from 104.17.244.81: bytes=32 time=14ms TTL=56
Reply from 104.17.244.81: bytes=32 time=14ms TTL=56
Reply from 104.17.244.81: bytes=32 time=14ms TTL=56
Reply from 104.17.244.81: bytes=32 time=14ms TTL=56
Ping statistics for 104.17.244.81:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 14ms, Average = 14ms
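Both examples above (the PowerShell script block and the WannaCry DNS query) rely on the same mechanism: SilkETW serialises each ETW event and runs the loaded YARA rules against it, and with -yo Matches only the events that hit are written out. The Python below is an added model of that behaviour, not SilkETW's code: it assumes the rules run over the JSON text of the event (an assumption about SilkETW, stated here rather than verified), the record layout is a simplified stand-in for SilkETW's JSON with field names that are my own, and the four events are constructed, one matching and one non-matching for each example. The two rules are written as data and correspond to the single-string rules the text describes for etw_powershell_hello.yar and etw_dns_wannacry.yar.

```python
"""
Added example, not SilkETW's code: emulate '-y <rules dir> -yo Matches'
on a handful of constructed ETW events.
"""
import json

# YARA-style rules as data: name -> (strings, condition). Equivalent to
#   rule etw_powershell_hello { strings: $s = "Hello from PowerShell" condition: $s }
#   rule etw_dns_wannacry { strings: $d = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" condition: $d }
RULES = {
    "etw_powershell_hello": (["Hello from PowerShell"], "any"),
    "etw_dns_wannacry": (["iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"], "any"),
}

def as_json_pattern(s: str) -> str:
    """Because matching runs over the JSON text, a pattern containing quotes or
    backslashes must be written the way JSON serialises it (C:\\Temp appears as
    C:\\\\Temp in the blob). Use this when putting such strings into a rule."""
    return json.dumps(s)[1:-1]

def yara_match(event: dict, rules=RULES) -> list:
    """Names of the rules whose strings occur in the serialised event. Scanning
    the JSON text rather than one field is what lets a script-block rule and a
    DNS rule share a single scanner."""
    blob = json.dumps(event, ensure_ascii=False)
    hits = []
    for name, (strings, cond) in rules.items():
        present = [s in blob for s in strings]
        if (cond == "any" and any(present)) or (cond == "all" and all(present)):
            hits.append(name)
    return hits

def filter_matches(events, rules=RULES) -> list:
    """Emulates '-yo Matches': keep only events with a hit, and record the
    matching rule names in a YaraMatch field (field name assumed)."""
    out = []
    for ev in events:
        hits = yara_match(ev, rules)
        if hits:
            out.append({**ev, "YaraMatch": hits})
    return out

# Constructed events. 4104 is PowerShell's script-block logging event and
# 3006 the DNS-Client query event; the field names are assumptions.
CONSTRUCTED_EVENTS = [
    {"ProviderName": "Microsoft-Windows-PowerShell", "EventId": 4104, "ProcessID": 5120,
     "XmlEventData": {"ScriptBlockText": 'Invoke-Command -ScriptBlock {Write-Host "Hello from PowerShell"}'}},
    {"ProviderName": "Microsoft-Windows-PowerShell", "EventId": 4104, "ProcessID": 5120,
     "XmlEventData": {"ScriptBlockText": "Get-Date"}},
    {"ProviderName": "Microsoft-Windows-DNS-Client", "EventId": 3006, "ProcessID": 6640,
     "XmlEventData": {"QueryName": "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", "QueryType": "1"}},
    {"ProviderName": "Microsoft-Windows-DNS-Client", "EventId": 3006, "ProcessID": 6640,
     "XmlEventData": {"QueryName": "www.microsoft.com", "QueryType": "1"}},
]

if __name__ == "__main__":
    for ev in filter_matches(CONSTRUCTED_EVENTS):
        print(json.dumps(ev))
```

Only the Write-Host event and the WannaCry lookup survive the filter, mirroring the "We have a match!" results above. The as_json_pattern helper exists for the caveat that follows from scanning serialised events: a rule string such as a file path with backslashes must be written in its JSON-escaped form or it will never match.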
Now let's start working on the lab.
1) Study the "C:\Rules\yara\shell_detector.yar" YARA rule that aims to detect "C:\Samples\MalwareAnalysis\shell.exe" inside process memory. Then, specify the appropriate hex values inside the "$sandbox" variable to ensure that the "Sandbox detected" message will also be detected. Enter the correct hex values as your answer. Answer format: Remove any spaces