Yara – TryHackMe Write-up

Task 1: Introduction https://tryhackme.com/room/yara

This room expects basic Linux familiarity, such as installing software and using the commands for general navigation of the system. More so, this room isn’t designed to test your knowledge or for point-scoring. It is here to encourage you to follow along and experiment with what you have learned here.

As always, I hope you take a few things away from this room, namely, the wonder that Yara (Yet Another Ridiculous Acronym) is and its importance in infosec today. Yara was developed by Victor M. Alvarez (@plusvic) and @VirusTotal. Check the GitHub repo here.

Task 2: What is Yara?

Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.

Rules are used to label these patterns. For example, Yara rules are frequently written to determine if a file is malicious or not, based upon the features – or patterns – it presents. Strings are a fundamental component of programming languages. Applications use strings to store data such as text.

For example, the code snippet below prints “Hello World” in Python. The text “Hello World” would be stored as a string.

print("Hello World!")

We could write a Yara rule to search for “hello world” in every program on our operating system if we would like. 

Why does Malware use Strings?

Malware, just like our “Hello World” application, uses strings to store textual data. Here are a few examples of the data that various malware types store within strings:

Type        | Data                               | Description
Ransomware  | 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw | Bitcoin wallet for ransom payments
Botnet      | 12.34.56.7                         | The IP address of the Command and Control (C&C) server

Caveat: Malware Analysis
Explaining the functionality of malware is vastly out of scope for this room due to the sheer size of the topic. I have covered strings in much more detail in “Task 12 – Strings” of my MAL: Introductory room. In fact, I am creating a whole Learning Path for it. If you’d like to get a taster whilst learning the fundamentals, I’d recommend my room.

Questions:

  • What is the name of the base-16 numbering system that Yara can detect?

The answer is hexadecimal

This is found here “Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file.”

  • Would the text “Enter your Name” be a string in an application? (Yay/Nay)

The answer is Yay

Task 3:

Simply either start the In-Browser Machine, or connect over the VPN and SSH in using the provided credentials.

Questions:

  • I’ve connected to my instance!

No answer needed

Task 4:

Your First Yara Rule

The proprietary language that Yara uses for rules is fairly trivial to pick up, but hard to master. This is because your rule is only as effective as your understanding of the patterns you want to search for.

Using a Yara rule is simple. Every yara command requires two arguments to be valid, these are:

  1. The rule file we create
  2. The name of the file, directory, or process ID to run the rule against

Every rule must have a name and condition. For example, if we wanted to use “myrule.yar” on directory “some directory”, we would use the following command:
yara myrule.yar somedirectory

Note that .yar is the standard file extension for all Yara rules. We’ll make one of the most basic rules you can make below.

  1. Make a file named “somefile” via touch somefile
  2. Create a new file and name it “myfirstrule.yar” in the same way

  3. Open “myfirstrule.yar” using a text editor such as nano, input the snippet below and save the file:

rule examplerule {
        condition: true
}

When in nano, Ctrl + X exits the editor and prompts you to save the file.

The name of the rule in this snippet is examplerule, and it has one condition – in this case, condition: true.

As previously discussed, every rule requires both a name and a condition to be valid. This rule has satisfied those two requirements.

Simply put, the rule we have made checks whether the file/directory/PID that we specify exists, via condition: true. If the file does exist, we are given the output examplerule.

Let’s give this a try on the file “somefile” that we made in step one:
yara myfirstrule.yar somefile

If “somefile” exists, Yara prints examplerule followed by the file name, because the condition has been met.

Congrats! You’ve made your first rule.

Questions:

No answer needed

Task 5: Expanding on Yara Rules

Anatomy of a Yara Rule

a picture showing a Yara rule cheatsheet developed by fr0gger_

Information security researcher “fr0gger_” has recently created a handy cheatsheet that breaks down and visualizes the elements of a YARA rule (shown above, all image credits go to him). It’s a great reference point for getting started!
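The rule from Task 4 only ever evaluates to true. The rule below is an added example, not code from the room or from this write-up, that uses the three sections the cheatsheet describes (meta, strings, condition) to search for the “Hello World” text from Task 2 as a plain string, as a hexadecimal byte pattern and as a regular expression. The rule name, meta values and the 1MB size bound are constructed for illustration.

```yara
/*
   Added example (not from the room or the write-up): a rule that goes one
   step beyond "condition: true" and uses all three rule sections.
   Rule name, meta values and the size bound are constructed.
*/
rule hello_world_sample
{
    meta:
        description = "Flags files that carry the Hello World text in text, hex or source form"
        author      = "constructed example"
        reference   = "hypothetical"

    strings:
        // Text string. nocase makes "hello world", "Hello World" and "HELLO WORLD"
        // all match; ascii wide also catches the UTF-16 form used by Windows binaries.
        $text = "hello world" nocase ascii wide

        // The same text, written as a hexadecimal byte pattern. Hex strings are
        // case-sensitive, so this one only fires on "Hello World" exactly.
        $hex  = { 48 65 6C 6C 6F 20 57 6F 72 6C 64 }

        // Regular expression: the Python print call from Task 2, with or without the "!".
        $re   = /print\("Hello World!?"\)/

    condition:
        // Only look at files under 1MB, and match if any one of the strings is present.
        filesize < 1MB and any of them
}
```

Run it the same way as the first rule, yara hello_world_sample.yar somedirectory; adding -s (print matching strings) shows which of $text, $hex or $re fired and at what offset, which is the same information Loki reports in Task 8 when it names the matched string.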

Questions:

No answer needed

Task 6: Yara Modules

Integrating With Other Libraries

Frameworks such as the Cuckoo Sandbox or Python’s PE Module allow you to improve the technicality of your Yara rules ten-fold.

Cuckoo

Cuckoo Sandbox is an automated malware analysis environment. This module allows you to generate Yara rules based upon the behaviors discovered from Cuckoo Sandbox. As this environment executes malware, you can create rules on specific behaviors such as runtime strings and the like.

Python PE

Python’s PE module allows you to create Yara rules from the various sections and elements of the Windows Portable Executable (PE) structure.

Explaining this structure is out of scope, as it is covered in my malware introductory room. However, this structure is the standard format of all executables and DLL files on Windows, including the programming libraries that are used.

Examining a PE file’s contents is an essential technique in malware analysis; this is because behaviours such as cryptography or worming can be largely identified without reverse engineering or execution of the sample.
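As an added example (not code from the room, the write-up, or either project), the two rules below show what the Cuckoo and PE modules described above look like in practice. The first matches on static PE features (the import table) without running the sample; the second matches on behaviour recorded in a Cuckoo Sandbox report. Rule names, the API names chosen, the host pattern and the mutex pattern are constructed for illustration.

```yara
import "pe"
import "cuckoo"

// Constructed example: the pe module parses the PE structure, so the rule can
// ask which Windows API functions the sample imports without executing it.
rule pe_imports_crypto_api
{
    meta:
        description = "PE that imports Windows CryptoAPI routines, a static hint of cryptographic behaviour"
        author      = "constructed example"

    condition:
        // "MZ" at offset 0 (little-endian 0x5A4D) and a structure the module could parse.
        uint16(0) == 0x5A4D and pe.is_pe and
        // Import-table lookups: pe.imports(dll_name, function_name).
        (
            pe.imports("advapi32.dll", "CryptEncrypt") or
            pe.imports("advapi32.dll", "CryptGenKey")
        ) and
        pe.number_of_sections >= 1
}

// Constructed example: the cuckoo module matches against the behaviour report
// Cuckoo Sandbox produced when the sample ran. The report is handed to Yara
// as module data (report.json is a hypothetical file name):
//   yara -x cuckoo=report.json behaviour.yar sample.exe
rule cuckoo_beacon_and_mutex
{
    meta:
        description = "Sample that contacted a C2-style host and created a mutex during sandbox execution"
        author      = "constructed example"

    condition:
        // Runtime behaviour taken from the report, not bytes in the file itself.
        cuckoo.network.http_request(/example-c2\.invalid/) and
        cuckoo.sync.mutex(/ConstructedMutexName/)
}
```

Two caveats: the pe module is built into standard Yara releases, but the cuckoo module has to be enabled when Yara is compiled (the --enable-cuckoo configure option), and a rule that imports cuckoo only produces results when a report is supplied with -x, otherwise its conditions simply never match.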

Questions:

No answer needed

Task 7: Other tools and Yara

No answer needed

Task 8: Using LOKI and its Yara rule set

Navigate to the Loki directory. Run python loki.py -h to see what options are available. 

To run Loki, you can use the following command (note that I am calling Loki from within the file 1 directory)

cd /suspicious-files/file1/

This is where the file in question is located.

python ../../tools/Loki/loki.py -p .

Awesome! It worked and we are now seeing the Loki scan of the contents of file1.

Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.

Questions:

  1. Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

A quick scroll through the scan output shows the following.

The Answer is suspicious

2. What Yara rule did it match on?

The answer is webshell_metaslsoft

3. What does Loki classify this file as?

The answer is Web Shell

4. Based on the output, what string within the Yara rule did it match on?

The answer is str1

5. What is the name and version of this hack tool?

The Answer is b374k 2.2

6. Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

The answer is 1

7. Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

We need to travel to the file2 folder and scan

The answer is benign

8. Inspect file 2. What is the name and version of this web shell?

For this answer we need to check this file out further, to do that I opened it with nano and found the answer at the top.

The answer is b374k 3.2.3

Task 9: Creating Yara rules with yarGen

Before we get to the questions, part of the room asks us to create a new Yara rule for file 2 above, which did not show up in the scan. Let’s do that now!

To use yarGen to generate a Yara rule for file 2, navigate to the yarGen directory, which is within tools. Once there you can run the following command:

python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar 

A brief explanation of the parameters above:

  • -m is the path to the files you want to generate rules for
  • --excludegood force to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)
  • -o location & name you want to output the Yara rule

If all is well, you should see the following output.

Using yarGen to generate a rule for file2

Questions:

  1. From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

The answer is yara file2.yar file2/1ndex.php

2. Did Yara rule flag file 2? (Yay/Nay)

The answer is Yay

3. Copy the Yara rule you created into the Loki signatures directory.

For this step we need to move the file2.yar for the current folder we are in to the Loki/signature-base folder. I used the command mv file2.yar /home/cmnatic/tools/Loki/signature-base/yara

No answer needed

4. Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

Navigate to the file2 folder and use the command python ../../tools/Loki/loki.py -p . to start the scan again.

Looks like it worked!

The answer is Yay

5. What is the name of the variable for the string that it matched on?

The answer is zepto

6. Inspect the Yara rule, how many strings were generated?

Next we moved into the /signature-base/yara folder and opened file2.yar with nano.

We count the strings.

The answer is 20

7. One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

The answer is 700kb
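To make the answers to questions 5 to 7 concrete, here is an added, hand-written rule in the same shape that yarGen emits (meta block, numbered strings, a magic-bytes check, a filesize bound and an N-of-them count). It is not the rule yarGen generated for file 2 in the room: the rule name, every string, the hash placeholder and the 3-of-5 threshold are constructed for a hypothetical PHP web shell.

```yara
/*
   Added example: a rule in the shape yarGen produces, for a hypothetical
   PHP web shell. All strings, the hash and the name are constructed;
   this is not the rule generated for file 2.
*/
rule constructed_php_webshell
{
    meta:
        description = "Hypothetical PHP web shell, yarGen-style rule"
        author      = "constructed example"
        reference   = "https://github.com/Neo23x0/yarGen"
        hash1       = "<sha256 of the sample - placeholder>"

    strings:
        // yarGen names strings $s1, $s2, ... so Loki reports the variable name when one hits.
        // fullword keeps a short word such as "zepto" from firing inside a longer word.
        $s1 = "zepto.min.js" fullword ascii
        $s2 = "eval(base64_decode(" ascii
        $s3 = "move_uploaded_file(" fullword ascii
        $s4 = "shell_exec(" fullword ascii
        $s5 = "enctype=\"multipart/form-data\"" ascii

    condition:
        // 0x3f3c is "<?" read little-endian: the file starts with a PHP open tag.
        uint16(0) == 0x3f3c
        // Size bound, the same kind of limit the room's rule carries (700KB there).
        and filesize < 700KB
        // Count threshold: any three of the five strings are enough.
        and 3 of ($s*)
}
```

Counting the $s entries is exactly how question 6 is answered for the real rule, and the filesize clause is the one question 7 asks about; running yara -s constructed_php_webshell.yar file2/1ndex.php prints the name of each string that matched, which is what question 5 asks for.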

Task 10: Valhalla

Valhalla is an online Yara feed created and hosted by Nextron-Systems

Per the website, “Valhalla boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules.”

Questions:

  1. Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Enter in the SHA256 hash from file1: 5479f8cd1375364770df36e5a18262480a8f9d311e8eedb2c2390ecb233852ad

In column 3 it mentions APT

The answer is Yay

2. Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Enter in the SHA256 hash from file2 53fe44b4753874f079a936325d1fdc9b1691956a29c3aaf8643cdbd49f5984bf

The question says to name the first rule, which is Webshell_b374k_rule1.

Answer: Webshell_b374k_rule1

3. Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Now click the Virus Total Icon next to our rule1

Clicking the icon takes us to Virus total and shows us more information about the yara result

The answer is THOR APT Scanner

4. Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

In Virus Total input the hash from file 2 again. We can see that 36 of 62 vendors flagged this as malicious.

The answer is Nay

5. Besides .PHP, what other extension is recorded for this file?

Clicking on the Details tab I found under the “names” section other extensions.

The answer is EXE

6. What JavaScript library is used by file 2?
Time to head back to Valhalla! Click the Ref button to head on over to Github.

Within a quick glance we can see the answer for our question:

The answer is zepto

7. Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)

The answer is Nay

If you recall we have to make a new rule for us to even start this journey!

Task 11: Conclusion

In this room, we explored Yara, how to use Yara, and manually created basic Yara rules. We also explored various open-source tools, to hit the ground running, that utilize Yara rules to detect evil on endpoints.

By going through the room scenario, you should understand the need (as a blue teamer) to know how to create Yara rules effectively if we rely on such tools. Commercial products, even though not perfect, will have a much richer Yara ruleset than an open-source product. Both commercial and open-source will allow you to add Yara rules to expand its capabilities further to detect threats. 

If it is not clear, the reason why file 2 was not detected is that the Yara rule was not in the Yara file used by Loki to detect the hack tool (web shell), even though the hack tool has been around for years and has even been attributed to at least 1 nation-state. The Yara rule is present in the commercial variant of Loki, which is Thor.

There is more that can be done with Yara and Yara rules. We encourage you to explore this tool further at your own leisure.