Creating Detection Rules
YARA
YARA (Yet Another Recursive Acronym) is a widely used open-source pattern-matching tool for identifying and classifying malware. A rule lists the strings to look for and a condition that states which of them must match for the rule to fire.
To draft a YARA rule:
rule Shell_Sandbox_Detection {
    strings:
        $sandbox_string = "Sandbox detected"
    condition:
        $sandbox_string
}
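The following Python script is an added example, not code from this page or from the YARA project. It implements a small YARA-style matcher (text strings, hex strings with `??` byte wildcards, and conditions built from string identifiers, `N of them`, `and`, `or`, `not` and parentheses) and runs the Shell_Sandbox_Detection rule above, plus a constructed second rule, over two constructed buffers, the way `yara rules.yar file1 file2` would. The buffers, the second rule and all function names are assumptions; real scans use the `yara` binary or the `yara-python` module.

```python
import re

# Constructed sample buffers (not real malware): the first carries the
# "Sandbox detected" marker used by the rule on the page, the second is a
# benign stand-in with the same PE header bytes.
SAMPLES = {
    "shell.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 8 + b"Sandbox detected\x00VirtualBox\x00",
    "notepad.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 8 + b"hello world\x00",
}

# A rule is (name, strings, condition); each string is (pattern, is_hex).
# Hex patterns accept '??' as a one-byte wildcard, as YARA does.
RULES = [
    ("Shell_Sandbox_Detection",                  # the rule from the page
     {"$sandbox_string": ("Sandbox detected", False)},
     "$sandbox_string"),
    ("Sandbox_Evasion_PE",                       # constructed second rule
     {"$mz": ("4D 5A ?? 00", True),
      "$s1": ("Sandbox detected", False),
      "$s2": ("VirtualBox", False),
      "$s3": ("VMware", False)},
     "$mz and 2 of them"),
]


def find_string(data: bytes, pattern: str, is_hex: bool) -> list:
    """Offsets at which one YARA-style string occurs in data."""
    if is_hex:
        parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                 for tok in pattern.split()]
        regex = re.compile(b"".join(parts), re.DOTALL)
    else:
        regex = re.compile(re.escape(pattern.encode()))   # text strings are case-sensitive
    return [m.start() for m in regex.finditer(data)]


def eval_condition(condition: str, hits: dict) -> bool:
    """Recursive-descent evaluation of a condition over per-string match flags."""
    tokens = re.findall(r"\$\w+|\(|\)|\w+", condition)
    pos = 0
    matched = sum(hits.values())            # how many strings matched at all

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if tok in ("any", "all") or tok.isdigit():      # "<quantifier> of them"
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            need = 1 if tok == "any" else len(hits) if tok == "all" else int(tok)
            return matched >= need
        if tok in hits:
            return hits[tok]
        raise ValueError(f"unknown token {tok!r}")

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(rule, data: bytes):
    """Run one rule over a buffer; returns (matched, {string_id: [offsets]})."""
    _name, strings, condition = rule
    offsets = {sid: find_string(data, pat, is_hex) for sid, (pat, is_hex) in strings.items()}
    hits = {sid: bool(offs) for sid, offs in offsets.items()}
    return eval_condition(condition, hits), offsets


def scan(rules, samples: dict) -> dict:
    """Equivalent of `yara rules.yar file1 file2`: names of rules that fired, per file."""
    return {fname: [rule[0] for rule in rules if evaluate(rule, data)[0]]
            for fname, data in samples.items()}


if __name__ == "__main__":
    for fname, fired in scan(RULES, SAMPLES).items():
        print(fname, fired)
```

Note that `2 of them` counts every string in the rule, including `$mz`, which is why the benign buffer (header only, no sandbox strings) does not trigger the second rule.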
YarGen
yarGen can generate a YARA rule file automatically from a directory of samples: it extracts strings from each file and discards those that also appear in its goodware string database, as the output below shows.
$ sudo python3 yarGen.py -m /home/htb-student/Samples/MalwareAnalysis/Test/
------------------------------------------------------------------------
_____
__ _____ _____/ ___/__ ___
/ // / _ `/ __/ (_ / -_) _ \
\_, /\_,_/_/ \___/\__/_//_/
/___/ Yara Rule Generator
Florian Roth, July 2020, Version 0.23.3
Note: Rules have to be post-processed
See this post for details: https://medium.com/@cyb3rops/121d29322282
------------------------------------------------------------------------
[+] Using identifier 'Test'
[+] Using reference 'https://github.com/Neo23x0/yarGen'
[+] Using prefix 'Test'
[+] Processing PEStudio strings ...
[+] Reading goodware strings from database 'good-strings.db' ...
(This could take some time and uses several Gigabytes of RAM depending on your db size)
[+] Loading ./dbs/good-imphashes-part3.db ...
[+] Total: 4029 / Added 4029 entries
[+] Loading ./dbs/good-strings-part9.db ...
[+] Total: 788 / Added 788 entries
[+] Loading ./dbs/good-strings-part8.db ...
[+] Total: 332082 / Added 331294 entries
[+] Loading ./dbs/good-imphashes-part4.db ...
[+] Total: 6426 / Added 2397 entries
[+] Loading ./dbs/good-strings-part2.db ...
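As an added illustration of what yarGen does under the hood (example code written here, not yarGen's own implementation; its scoring, database and output format are constructed stand-ins), the script below extracts printable strings from each sample, drops those found in a goodware-string set, ranks the remainder and emits one combined rule whose condition couples the MZ header check, a filesize bound and `N of them`. The sample buffers, the `GOOD_STRINGS` set and the rule name `Test_combined` are assumptions.

```python
import re
from collections import Counter

MIN_LEN = 6
REFERENCE = "https://github.com/Neo23x0/yarGen"

# Constructed stand-ins for a sample directory and for yarGen's good-strings
# database; the buffers are not real malware and the set is not the real db.
SAMPLES = {
    "shell.exe": (b"MZ\x90\x00This program cannot be run in DOS mode\x00"
                  b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
                  b"Sandbox detected\x00C:\\dev\\proj\\Release\\proj.pdb\x00"
                  b"Mozilla/5.0 (compatible; updater/1.0)\x00"),
    "shell.dll": (b"MZ\x90\x00This program cannot be run in DOS mode\x00"
                  b"kernel32.dll\x00VirtualProtect\x00Sandbox detected\x00"
                  b"Mozilla/5.0 (compatible; updater/1.0)\x00"),
}
GOOD_STRINGS = {
    "This program cannot be run in DOS mode", "kernel32.dll",
    "GetProcAddress", "LoadLibraryA", "VirtualProtect",
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> set:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def score(string: str, occurrences: int) -> int:
    """Crude stand-in for yarGen's scoring: long, path-like and shared strings rank higher."""
    points = len(string) // 4
    if string.lower().endswith(".pdb") or "\\" in string:
        points += 8                      # build paths are strong, specific indicators
    if " " in string:
        points += 1                      # sentence-like strings (user agents, messages)
    points += 3 * (occurrences - 1)      # found in more than one sample of the set
    return points


def yara_escape(s: str) -> str:
    """Escape a text string for use inside a quoted YARA string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(samples: dict, good_strings: set, prefix: str = "Test", max_strings: int = 10):
    """Build one combined rule from the strings left after goodware filtering.
    Returns (rule_text, ranked_strings)."""
    counts = Counter()
    for data in samples.values():
        for s in extract_strings(data) - good_strings:   # drop strings seen in goodware
            counts[s] += 1
    ranked = sorted(counts, key=lambda s: (-score(s, counts[s]), s))[:max_strings]
    needed = min(3, len(ranked))
    quantifier = "all" if needed == len(ranked) else str(needed)
    size_kb = max(len(d) for d in samples.values()) // 1024 + 1
    lines = [f"rule {prefix}_combined {{",
             "   meta:",
             f'      description = "Auto-generated rule - from files {", ".join(samples)}"',
             f'      reference = "{REFERENCE}"',
             "   strings:"]
    for i, s in enumerate(ranked, 1):
        lines.append(f'      $s{i} = "{yara_escape(s)}" fullword ascii')
    lines += ["   condition:",
              f"      uint16(0) == 0x5a4d and filesize < {size_kb}KB and {quantifier} of them",
              "}"]
    return "\n".join(lines), ranked


if __name__ == "__main__":
    text, _ranked = generate_rule(SAMPLES, GOOD_STRINGS)
    print(text)
```

The generated rule is only as good as the goodware database and the scoring: a string such as the user-agent may be shared with legitimate software the database does not cover, which is the post-processing step the yarGen banner refers to.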
Detect Malware using YARA
To scan for matches, run the yara command with the rule file followed by one or more directories or files:
$ yara yargen_rules.yar ./MalwareAnalysis/shell ./MalwareAnalysis/shell.exe
SIGMA
Sigma is a standard, vendor-neutral rule format for log-based detections, used by security analysts and Security Information and Event Management (SIEM) systems.
An example Sigma rule:
title: Suspicious File Drop in Users Temp Location
status: experimental
description: Detects suspicious activity where a file is dropped in the temp location
logsource:
    category: file_event   # TargetFilename is a file-creation field, not a process_creation field
detection:
    selection:
        TargetFilename:
            - '*\\AppData\\Local\\Temp\\svchost.exe'
    condition: selection
level: high
falsepositives:
    - Legitimate exe file drops in temp location
In this instance, the rule fires when a file named svchost.exe is dropped in a user's AppData\Local\Temp directory (the legitimate svchost.exe resides in the Windows System32 folder, so a copy in Temp is suspicious).
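To show how the selection and wildcard semantics of this rule are evaluated, here is an added Python example (not part of the page, and not the Sigma project's or pySigma's code): it translates Sigma string values into case-insensitive regular expressions (`*` any run, `?` one character, `\\` a literal backslash, `\*` and `\?` literal wildcards), evaluates the condition, and applies the rule above, with logsource `file_event` since TargetFilename is a file-creation field, to three constructed Sysmon-style events. The events, the `product: windows` entry and the function names are assumptions.

```python
import json
import re

# Constructed Sysmon-style file-creation events (Event ID 11), not real
# telemetry; field names follow the Sigma file_event taxonomy.
EVENTS = [
    json.dumps({"EventID": 11, "Image": r"C:\Users\bob\Downloads\installer.exe",
                "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"}),
    json.dumps({"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
                "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\report.tmp"}),
    json.dumps({"EventID": 11, "Image": r"C:\Windows\explorer.exe",
                "TargetFilename": r"C:\Users\BOB\appdata\local\temp\SVCHOST.EXE"}),
]

# The page's rule as a dict (PyYAML is not in the standard library);
# product: windows is an assumption added here.
RULE = {
    "title": "Suspicious File Drop in Users Temp Location",
    "logsource": {"category": "file_event", "product": "windows"},
    "detection": {
        "selection": {"TargetFilename": [r"*\\AppData\\Local\\Temp\\svchost.exe"]},
        "condition": "selection",
    },
    "level": "high",
}


def sigma_to_regex(value: str):
    r"""Translate one Sigma string value into a compiled, case-insensitive regex:
    '*' matches any run, '?' one character, a doubled backslash is one literal
    backslash, and a backslash before '*' or '?' makes that wildcard literal."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            out.append(re.escape(value[i + 1]))   # escaped backslash or wildcard
            i += 2
        elif ch == "*":
            out.append(".*")
            i += 1
        elif ch == "?":
            out.append(".")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """All fields must match; a field matches if any listed value matches the whole string."""
    for field, values in selection.items():
        if not isinstance(values, list):
            values = [values]
        actual = str(event.get(field, ""))
        if not any(sigma_to_regex(v).fullmatch(actual) for v in values):
            return False
    return True


def eval_condition(condition: str, results: dict) -> bool:
    """Left-to-right evaluation of e.g. 'selection and not filter' over the
    per-selection results (no parentheses; enough for simple rules)."""
    value, op, negate = None, None, False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            current = results[tok] != negate      # apply a pending 'not'
            negate = False
            if value is None:
                value = current
            else:
                value = (value and current) if op == "and" else (value or current)
    return bool(value)


def match_rule(rule: dict, event: dict) -> bool:
    """Evaluate every named selection of the rule, then its condition."""
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run(rule: dict, events: list) -> list:
    """Return the events (as dicts) that the rule fires on."""
    return [ev for ev in map(json.loads, events) if match_rule(rule, ev)]


if __name__ == "__main__":
    for hit in run(RULE, EVENTS):
        print(RULE["title"], "->", hit["TargetFilename"])
```

The second event is worth noting: there the real svchost.exe is the writing process (`Image`), not the file being created, so the rule correctly stays quiet; matching on the wrong field would turn every legitimate service write into an alert.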