Hunting Evil with YARA (Windows Edition)
Hunting for Malicious Executables on Disk with YARA
As we saw in the previous section, YARA is a potent weapon in the arsenal of cybersecurity professionals for detecting and hunting malicious executables on a disk. With custom YARA rules or established ones at our disposal, we can pinpoint suspicious or potentially malicious files based on distinct patterns, traits, or behaviors.
We'll first examine the malware sample inside a hex editor (HxD, located at C:\Program Files\HxD) to identify the previously discovered string C:\crysis\Release\PDB\payload.pdb.
If we scroll almost to the bottom, we will notice yet another seemingly unique string, sssssbsss.
Going forward, we will craft a rule grounded in these patterns and then utilize the YARA utility to scour the filesystem for similar executables.
Note: On a Linux machine, the hexdump utility could have been used to identify the aforementioned hex bytes as follows.
Let's incorporate all identified hex bytes into a rule, enhancing our ability to detect this string across any disk-based executable.
Initiating the YARA executable with this rule, let's observe if it highlights other analogous samples on the disk.
As we can see, the pdf_reader.exe, microsoft.com, check_updates.exe, and KB5027505.exe files are detected by this rule (in addition to dharma_sample.exe, of course).
Hunting for Evil Within Running Processes with YARA
To ascertain if malware lurks in ongoing processes, we'll unleash the YARA scanner on the system's active processes. Let's demonstrate using a YARA rule that targets Metasploit's meterpreter shellcode, believed to be lurking in a running process.
YARA Rule Source: https://github.com/cuckoosandbox/community/blob/master/data/yara/shellcode/metasploit.yar
htb_sample_shell.exe injects Metasploit's meterpreter shellcode into the cmdkey.exe process. Let's activate it, ensuring successful injection.
With the injection executed, let's scan every active system process as follows, through another PowerShell terminal (Run as administrator).
We're leveraging a concise PowerShell script. The Get-Process command fetches running processes, and with the help of the pipe symbol (|), this data funnels into the script block ({...}). Here, ForEach-Object dissects each process, prompting yara64.exe to apply our YARA rule to each process's memory.
From the results, the meterpreter shellcode seems to have infiltrated a process with PID 9084. We can also guide the YARA scanner with a specific PID as follows.
Hunting for Evil Within ETW Data with YARA
A quick recap first. According to Microsoft, Event Tracing for Windows (ETW) is a general-purpose, high-speed tracing facility provided by the operating system. Using a buffering and logging mechanism implemented in the kernel, ETW provides a tracing mechanism for events raised by both user-mode applications and kernel-mode device drivers.
Controllers: Controllers possess functionalities that encompass initiating and terminating trace sessions. They also have the capability to enable or disable providers within a specific trace.
Providers: Providers are crucial, as they generate events and channel them to the designated ETW sessions.
Consumers: Consumers are the subscribers to specific events. They tap into these events and then receive them for in-depth processing or analysis.
Useful Providers
Microsoft-Windows-Kernel-Process
Microsoft-Windows-Kernel-File
Microsoft-Windows-Kernel-Network
Microsoft-Windows-SMBClient/SMBServer
Microsoft-Windows-DotNETRuntime
OpenSSH
Microsoft-Windows-VPN-Client
Microsoft-Windows-PowerShell
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-CodeIntegrity
Microsoft-Antimalware-Service
WinRM
YARA Rule Scanning on ETW (Using SilkETW)
SilkETW is an open-source tool to work with Event Tracing for Windows (ETW) data. SilkETW provides enhanced visibility and analysis of Windows events for security monitoring, threat hunting, and incident response purposes. The best part of SilkETW is that it also has an option to integrate YARA rules. It includes YARA functionality to filter or tag event data.
Example 1: YARA Rule Scanning on Microsoft-Windows-PowerShell ETW Data
The command below executes the SilkETW tool with specific options to perform event tracing and analysis on PowerShell-related events in Windows.
Command Breakdown:
-t user: Specifies the event tracing mode. In this case, it is set to "user," indicating that the tool will trace user-mode events (events generated by user applications).
-pn Microsoft-Windows-PowerShell: Specifies the name of the provider or event log that you want to trace.
-ot file: Specifies the output format for the collected event data. In this case, it is set to "file," meaning that the tool will save the event data to a file.
-p ./etw_ps_logs.json: Specifies the output file path and filename. The tool will save the collected event data in JSON format to a file named "etw_ps_logs.json" in the current directory.
-l verbose: Sets the logging level to "verbose." This option enables more detailed logging information during the event tracing and analysis process.
-y C:\Rules\yara: Enables YARA scanning and specifies a path containing YARA rules. This option indicates that the tool will perform YARA scanning on the collected event data.
-yo Matches: Specifies the YARA output option. In this case, it is set to "Matches," meaning that the tool will display YARA matches found during the scanning process.
Inside the C:\Rules\yara directory of this section's target there is a YARA rules file named etw_powershell_hello.yar that looks for certain strings in PowerShell script blocks.
Let's now execute the following PowerShell command through another PowerShell terminal and see if it will get detected by SilkETW (where the above-mentioned YARA rule has been loaded).
We have a match!
Example 2: YARA Rule Scanning on Microsoft-Windows-DNS-Client ETW Data
The command below executes the SilkETW tool with specific options to perform event tracing and analysis on DNS-related events in Windows.
Inside the C:\Rules\yara directory of this section's target there is a YARA rules file named etw_dns_wannacry.yar that looks, in DNS events, for a hardcoded domain that exists in WannaCry ransomware samples.
Let's now execute the following command through another PowerShell terminal and see if it will get detected by SilkETW (where the above-mentioned YARA rule has been loaded).
Now let's start working on the lab.
1) Study the "C:\Rules\yara\shell_detector.yar" YARA rule that aims to detect "C:\Samples\MalwareAnalysis\shell.exe" inside process memory. Then, specify the appropriate hex values inside the "$sandbox" variable to ensure that the "Sandbox detected" message will also be detected. Enter the correct hex values as your answer. Answer format: Remove any spaces
This is a hex pattern representing the string iugqerfsodp9ifjaposdfjhgosurijfaewrrwergwea.com.
To ensure that the "Sandbox detected" message will also be detected, we can use Python to retrieve the hexadecimal value.
So here is the rule.
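The rule itself was not captured on this page. As an added example (not the lab's shell_detector.yar and not code from the walkthrough), the following Python does the two things this page describes: it turns the strings found in the hex editor (the PDB path and sssssbsss from the Dharma sample, and the "Sandbox detected" message from shell.exe) into the hex-byte form YARA expects, renders them into a rule, and checks such a pattern against a constructed byte buffer the way a plain hex string matches. Rule names and the fake buffer are my own choices.

```python
# Added example, not from the original walkthrough: build YARA hex patterns
# and a rule skeleton from strings observed in a hex editor.

def to_yara_hex(text: str) -> str:
    """Return TEXT as the space-separated uppercase hex bytes YARA expects
    inside { ... }, e.g. "abc" -> "61 62 63"."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))


def hex_to_bytes(pattern: str) -> bytes:
    """Inverse of to_yara_hex; also accepts the no-space lab answer form."""
    return bytes.fromhex(pattern.replace(" ", ""))


def build_rule(name: str, strings: dict, condition: str) -> str:
    """Render a minimal YARA rule whose strings are all hex patterns."""
    body = "\n".join(f"        {var} = {{ {pat} }}" for var, pat in strings.items())
    return (
        f"rule {name}\n{{\n    strings:\n{body}\n"
        f"    condition:\n        {condition}\n}}\n"
    )


def pattern_matches(pattern: str, data: bytes) -> bool:
    """A wildcard-free YARA hex string is a plain byte-substring search; this
    mirrors that so a pattern can be sanity-checked before scanning a disk."""
    return hex_to_bytes(pattern) in data


# Strings seen in HxD for the Dharma sample (first section of this page).
DHARMA_STRINGS = {
    "$pdb": to_yara_hex(r"C:\crysis\Release\PDB\payload.pdb"),
    "$s1": to_yara_hex("sssssbsss"),
}
# The message from the lab task; the answer format asks for no spaces.
SANDBOX_HEX = to_yara_hex("Sandbox detected")
SANDBOX_ANSWER = SANDBOX_HEX.replace(" ", "")

if __name__ == "__main__":
    print(build_rule("dharma_pdb_hunt", DHARMA_STRINGS, "any of them"))
    print(build_rule("shell_detector", {"$sandbox": SANDBOX_HEX}, "$sandbox"))
    # Constructed stand-in for a file or process buffer, not a real sample.
    fake_image = b"MZ\x90\x00" + b"\x00" * 64 + b"Sandbox detected\x00"
    print(pattern_matches(SANDBOX_HEX, fake_image))
```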