My notes on THM room.
Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.
Introduction to Yara Rules:
Using a Yara rule is simple. Every yara command requires two arguments to be valid, these are:
1) The rule file we create
2) Name of file, directory, or process ID to use the rule for.
Every rule must have a name and condition.
For example, if we wanted to use “myrule.yar” on directory “some directory” we would use the following command:
yara myrule.yar somedirectoryExapanding on Yara Rules
Yara has a bunch of conditions, below are some of the most common ones:
- Keyword: Moreover, you can use keywords such as: and, not, or to combine multiple conditions
- Meta: reserved for descriptive information by the author of the rule. For example, you can use `desc`, short for description, to summarise what your rule checks for. Anything within this section does not influence the rule itself. Similar to commenting code, it is useful to summarise your rule
- Strings: You can use strings to search for specific text or hexadecimal in files or programs
- Conditions: Much like regular programming, you can use operators such as: (<= less than or equal to), (>= more than or equal to), (!= not equal to) as well as True and Any of them to deal with case matching/lower/uppercase variations.
Other Tools and Yara
LOKI is a free open source IOC scanner created/written by Florian Roth.
Based on the GitHub page, detection is based on 4 methods:
- File Name IOC Check
- Yara Rule Check (we are here)
- Hash Check
- C2 Back Connect Check
THOR
THOR Lite is Florian’s newest multi-platform IOC AND YARA scanner
FENRIR
YAYA
YAYA is a new open-source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files
Using LOKI and its Yara rules
As a security analyst, you may need to research various threat intelligence reports, blog postings, etc. and gather information on the latest tactics and techniques used in the wild, past or present. Typically in these readings, IOCs (hashes, IP addresses, domain names, etc.) will be shared so rules can be created to detect these threats in your environment, along with Yara rules. On the flip side, you might find yourself in a situation where you’ve encountered something unknown, that your security stack of tools can’t/didn’t detect. Using tools such as Loki, you will need to add your own rules based on your threat intelligence gathers or findings from an incident response engagement (forensics).
As mentioned before, Loki already has a set of Yara rules that we can benefit from and start scanning for evil on the endpoint straightaway.
Run python loki.py -h to see what options are available.
If you are running Loki on your own system, the first command you should run is --update. This will add the signature-base directory, which Loki uses to scan for known evil. This command was already executed within the attached VM.
Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.
FILE: /home/cmnatic/suspicious-files/file1/ind3x.php SCORE: 70 TYPE: PHP SIZE: 80992
FIRST_BYTES: 3c3f7068700a2f2a0a09623337346b20322e320a / <?php/*b374k 2.2
MD5: 1606bdac2cb613bf0b8a22690364fbc5
SHA1: 9383ed4ee7df17193f7a034c3190ecabc9000f9f
SHA256: 5479f8cd1375364770df36e5a18262480a8f9d311e8eedb2c2390ecb233852ad CREATED: Mon Nov 9 15:15:32 2020 MODIFIED: Mon Nov 9 13:06:56 2020 ACCESSED: Mon Sep 20 16:43:00 2021
REASON_1: Yara Rule MATCH: webshell_metaslsoft SUBSCORE: 70
DESCRIPTION: Web Shell - file metaslsoft.php REF: -
MATCHES: Str1: $buff .= "<tr><td><a href=\\"?d=".$pwd."\\">[ $folder ]</a></td><td>LINK</t
[NOTICE] Results: 0 alerts, 1 warnings, 7 notices
[RESULT] Suspicious objects detected!
[RESULT] Loki recommends a deeper analysis of the suspicious objects.Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
Yes, Loki identifies this file as suspicious/malicious.
What Yara rule did it match on?
webshell_metaslsoft
What does Loki classify this file as?
Web Shell
Based on the output, what string within the Yara rule did it match on?
Str1
What is the name and version of this hack tool?
b374k 2.2
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
One, only the string that caused the Yara file to return true
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
Benign
Inspect file 2. What is the name and version of this web shell?
We inspect the file but since its contents are greater than that can be displayed, we use the command to view the first 20 lines
head -n 20 1ndex.phpWe find the name and version to be
b374k shell 3.2.3
Creating Yara rules with yarGen
From the previous section, we realized that we have a file that Loki didn’t flag on. At this point, we are unable to run Loki on other web servers because if file 2 exists in any of the webs servers, it will go undetected.
We need to create a Yara rule to detect this specific web shell in our environment. Typically this is what is done in the case of an incident, which is an event that affects/impacts the organization in a negative fashion.
We can manually open the file and attempt to sift through lines upon lines of code to find possible strings that can be used in our newly created Yara rule.
That would be a long and tedious process, instead we can use yarGen. What is yarGen? yarGen is a generator for YARA rules.
From the README — “The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.”
Navigate to the yarGen directory, which is within tools. If you are running yarGen on your own system, you need to update it first by running the following command: python3 yarGen.py --update.
To use yarGen to generate a Yara rule for file 2, you can run the following command:
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yarA brief explanation of the parameters above:
-mis the path to the files you want to generate rules for--excludegoodforce to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)-olocation & name you want to output the Yara rule
Generally, you would examine the Yara rule and remove any strings that you feel might generate false positives. For this exercise, we will leave the generated Yara rule as is and test to see if Yara will flag file 2 or no.
Note: Another tool created to assist with this is called yarAnalyzer . We will not examine that tool in this room, but you should read up on it, especially if you decide to start creating your own Yara rules.
Questions
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
cmnatic@thm-yara:~/suspicious-files$ yara file2.yar file2/1ndex.php
_home_cmnatic_suspicious_files_file2_1ndex file2/1ndex.phpDid Yara rule flag file 2? (Yay/Nay)
Yay
Copy the Yara rule you created into the Loki signatures directory.
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
Yay
FILE: /home/cmnatic/suspicious-files/file2/1ndex.php SCORE: 70 TYPE: PHP SIZE: 223978
FIRST_BYTES: 3c3f7068700a2f2a0a09623337346b207368656c / <?php/*b374k shel
MD5: c6a7ebafdbe239d65248e2b69b670157
SHA1: 3926ab64dcf04e87024011cf39902beac32711da
SHA256: 53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf CREATED: Mon Nov 9 15:16:03 2020 MODIFIED: Mon Nov 9 13:09:18 2020 ACCESSED: Mon Sep 20 16:52:23 2021
REASON_1: Yara Rule MATCH: _home_cmnatic_suspicious_files_file2_1ndex SUBSCORE: 70
DESCRIPTION: file2 - file 1ndex.php REF: https://github.com/Neo23x0/yarGen
MATCHES: Str1: var Zepto=function(){function G(a){return a==null?String(a):z[A.call(a)]||"object"}function H(a){return G(a)=="function"}fun Str2: re ... (truncated)
[NOTICE] Results: 0 alerts, 1 warnings, 7 notices
[RESULT] Suspicious objects detected!
[RESULT] Loki recommends a deeper analysis of the suspicious objects.
[INFO] Please report false positives via https://github.com/Neo23x0/signature-base
[NOTICE] Finished LOKI Scan SYSTEM: thm-yara TIME: 20210920T17:27:46ZWhat is the name of the variable for the string that it matched on?
Zepto
Inspect the Yara rule, how many strings were generated?
20 strings
cmnatic@thm-yara:~/tools/Loki$ cat ~/suspicious-files/file2.yar
/*
YARA Rule Set
Author: yarGen Rule Generator
Date: 2021-09-20
Identifier: file2
Reference: https://github.com/Neo23x0/yarGen
*//* Rule Set ----------------------------------------------------------------- */rule _home_cmnatic_suspicious_files_file2_1ndex {
meta:
description = "file2 - file 1ndex.php"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-09-20"
hash1 = "53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf"
strings:
$x1 = "var Zepto=function(){function G(a){return a==null?String(a):z[A.call(a)]||\"object\"}function H(a){return G(a)==\"function\"}fun" ascii
$s2 = "return (res = new RegExp('(?:^|; )' + encodeURIComponent(key) + '=([^;]*)').exec(document.cookie)) ? (res[1]) : null;" fullword ascii
$s3 = "$cmd = trim(execute(\"ps -p \".$pid));" fullword ascii
$s4 = "$cmd = execute(\"taskkill /F /PID \".$pid);" fullword ascii
$s5 = "$buff = execute(\"wget \".$url.\" -O \".$saveas);" fullword ascii
$s6 = "$buff = execute(\"curl \".$url.\" -o \".$saveas);" fullword ascii
$s7 = "(d=\"0\"+d);dt2=y+m+d;return dt1==dt2?0:dt1<dt2?-1:1},r:function(a,b){for(var c=0,e=a.length-1,g=h;g;){for(var g=j,f=c;f<e;++f)0" ascii
$s8 = "$cmd = execute(\"kill -9 \".$pid);" fullword ascii
$s9 = "$cmd = execute(\"tasklist /FI \\\"PID eq \".$pid.\"\\\"\");" fullword ascii
$s10 = "$body = preg_replace(\"/<a href=\\\"http:\\/\\/www.zend.com\\/(.*?)<\\/a>/\", \"\", $body);" fullword ascii
$s11 = "execute(\"tar xzf \\\"\".basename($archive).\"\\\" -C \\\"\".$target.\"\\\"\");" fullword ascii
$s12 = "ngs.mimeType||xhr.getResponseHeader(\"content-type\")),result=xhr.responseText;try{dataType==\"script\"?(1,eval)(result):dataTyp" ascii
$s13 = "execute(\"tar xf \\\"\".basename($archive).\"\\\" -C \\\"\".$target.\"\\\"\");" fullword ascii
$s14 = "$check = strtolower(execute(\"ruby -h\"));" fullword ascii
$s15 = "$check = strtolower(execute(\"javac -help\"));" fullword ascii
$s16 = "$check = strtolower(execute(\"node -h\"));" fullword ascii
$s17 = "src:url(data:application/x-font-woff;charset=utf-8;base64,d09GRgABAAAAAGkYAA8AAAAAp+gAAQABAAAAAAAAAAAAAAAAAAAAAAAAAABGRlRNAAABWA" ascii
$s18 = "$buff = execute(\"lynx -source \".$url.\" > \".$saveas);" fullword ascii
$s19 = "$check = strtolower(execute(\"python -h\"));" fullword ascii
$s20 = "$check = strtolower(execute(\"nodejs -h\"));" fullword ascii
condition:
uint16(0) == 0x3f3c and filesize < 700KB and
1 of ($x*) and 4 of them
}
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
700KB
Vahalla
Valhalla is an online Yara feed created and hosted by Nextron-Systems . Per the website, “VALHALLA boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules.”
Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)
Yay
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Webshell_b374k_rule1
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
THOR APT Scanner
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Nay
Besides .PHP, what other extension is recorded for this file?
.exe
Back to Valhalla, inspect the Info for this rule. Under Statistics what was the highest rule match per month in the last 2 years? (YYYY/M)
2021/3
What JavaScript library is used by file 2?
Zepto
Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)
Nay, it was not detected in our initial scan and when examining thor-webshell.yar it was not found.
