YARA Rules For Detection Flashcards
YARA For Detection
YARA rules are a way of identifying specific files by looking at the characteristics of a large number of files to see if any of them match the profile, somewhat similar to how antivirus solutions work with virus signatures. YARA was developed by Victor Alvarez who works at VirusTotal and is widely used for security monitoring and detection.
In this lesson, we’re going to cover how to install YARA on Linux systems (your Kali VM!), how to write rules, how to automatically generate rules from files such as malware, and finally end with a threat-hunting style activity!
Installing YARA on Linux
To install YARA on Linux we’re going to download the .tar.gz file from the YARA github at the following link: https://github.com/virustotal/yara/releases/tag/v4.0.2. Make sure you download this file while on your Kali Linux virtual machine.
Next, there are some dependencies we need to install, other tools and functions that allow YARA to run properly. We can use the command: sudo apt-get install automake libtool make gcc pkg-config.
Then we want to open a terminal in the same location as the YARA .tar.gz file, and run the following commands to extract and install yara to our Linux system.
tar -zxf yara-4.0.2.tar.gz
cd yara-4.0.2/
./bootstrap.sh
Then we need to compile and install YARA with the following three commands:
./configure
make
sudo make install
Once these have completed, we need to check if everything has installed correctly using the command: make check. Everything should pass, as shown in the screenshot below.
Great, we have YARA installed on our Kali virtual machine! If you run into any issues, read the following resources:
https: //askubuntu.com/questions/265471/autoreconf-not-found-error-during-making-qemu-1-4-0
https: //stackoverflow.com/questions/18978252/error-libtool-library-used-but-libtool-is-undefined
https: //yara.readthedocs.io/en/stable/gettingstarted.html
Writing YARA Rules
When writing rules, there are three core components that we need to include. The rule name, identification values, and conditions. Below is a screenshot of an extremely simple Yara rule we have made, and we will talk through the components.
We need to define the name of the rule.
We need to define the characteristics the rule is looking for in files.
We need to define the conditions under which a file will be flagged.
Let’s explain what this rule is trying to achieve.
On the first line we have defined the rule name as “HelloString” and a short-hand name of “Hello”.
On Line 3 we declare a file property, in this case, a text string that should be present inside the file. We use the variable $a to hold the value of “Hello”.
On Line 6 we declare the condition that needs to be met for a file to be flagged. Because we’ve used $a, this means if any scanned files contain the string “Hello” they will be flagged to us.
Let’s show you what we mean with an example. We have a directory (YARA Demo) on our desktop that includes a text file with the word Hello in it (Line 5). We can use this simple YARA rule to look for any files that contain the word Hello.
So let’s run our YARA rule against the YARA Demo directory and see if we can detect the fact that this file contains the string Hello!
It worked! To develop your understanding of YARA rules, let’s continue to build on this one. Next, let’s add a human-readable description and our own “threat level” value to the output of our scan results. To do this we can edit the rule file, and add these values under a new heading named “meta”. Here’s our updated rule:
Now let’s run the command again and see what the output looks like now. We need to make one small change, which is including the “-m” flag, telling YARA to print meta information from the alerting rule.
This can be a good place to store basic information, such as who wrote the YARA rule, what version it is, and a description of what it’s doing. None of this information is considered during file analysis and is purely for human consumption. Let’s build on our rule again by adding in some additional properties and conditions. Instead of just looking for the string, let’s also look for the strings “chocolate” and “cookies”. We can add these as new variables to our rule.
Because we haven’t changed the condition, this rule will continue to only alert on $a, which is “Hello”. We have two options here:
Use OR statements to allow the rule to flag any files that contain any of the strings.
Use AND statements to allow the rule to flag any files that contain at least two of the strings.
For example, if we set the condition to $a or $b or $c, YARA would alert us to any files that contained one or more of the text strings. If we set the condition to $a and $b and $c, YARA would alert on files that contain all three of these strings. Let’s set the condition to use the OR operator.
Let’s also change the meta description value to “File detected containing a defined string”. If we run this rule without any additional flags, it will simply highlight files to us that match the condition, but this doesn’t tell us which of the strings has been detected. To show this, we can use the flag -s to print matched strings. Let’s try it out!
From this output we can see the alerting rule, the meta information, the file paths and file names, and the strings that have been matched from our YARA rule. Before we finish with this section, let’s quickly cover some important YARA flags:
- m // Prints the associated meta information to the terminal after a YARA scan.
- s // Prints the matching strings to the terminal after a YARA scan.
- r // Recursively scan all subfolders within the target location to ensure everything is scanned.
Creating Rules with yarGen
YarGen is a python tool that allows us to automatically generate rules for malicious files, and can save us a lot of time, and prevent human errors when writing rules. We’re going to walk you through installing YarGen, and how to use it. You’ll be doing this in the next threat hunting activity, so make sure you have it installed on your Kali Linux virtual machine!
If you run into any issues with yargen or its dependencies, try using the python3 and pip3 commands instead of python and pip.
First, we need to open the following webpage in our Kali machine, go to the releases page, and scroll to the bottom so we can download the .tar.gz file – https://github.com/Neo23x0/yarGen/releases
Then we need to open a terminal in the location of the downloaded .tar.gz file, and the run the following command to extract YarGen: tar -zxf yarGen-0.18.0.tar.gz. Next we need to use pip to download and install some additional dependencies. Try running the command pip in a terminal. If it states that the command is not found then you need to install python-pip using the command sudo apt-get install python-pip. Now execute the following two commands:
sudo pip install pefile cd
sudo pip install scandir lxml naiveBayesClassifier
Now use cd to move into the extracted YarGen directory, and run the following command to ensure everything is updated: python yarGen.py –update. Great, everything is ready. We can now type the command python yarGen.py –help to see the available options for generating rules with this tool.
The flags we’re interested in are -m which allows us to define the path to the file or files we want to generate rules from, and -o which allows us to define the name and path of the rules generated by YarGen. Let’s test it out on a malicious .exe file. The command we want to execute is: python yarGen.py -m /root/Desktop/Malware -o ./TestRule.yara
python yarGen.py – Runs the yarGen python script (we need to be in the same directory as this file, or provide the file path to yarGen.py)
- m /root/Desktop/Malware – Create rules for files inside the Malware folder on the Desktop of our current user, root
- o ./TestRule.yara – Output the generated rule to the current folder of the terminal (./) in our case, the yarGen folder, and name the file TestRule.yara
It took about 3 minutes for the rule to be generated in our lab. Once we saw the “All rules written” message we used CTRL + C to exit, then used the following command to read the rule from the terminal: cat TestRule.yara. Let’s take a look at what was generated!
The above rule has selected a number of strings from the binary (wallpaperHD.exe) and the condition also includes the file size and the file hash. Due to how the condition is written, the rule is able to look for a combination of all the indicators of compromise (IOCs) we have pulled from the file, and we could now import this YARA rule into our endpoint detection and response platform (EDR) to use this for detection on a large scale.
Now that you understand how YARA works, and how to use YarGen, it’s time for a threat hunting activity!
