This is a follow-up to the previous post about YARA, the versatile pattern-matching tool.
As a recap, here are some of the things you can accomplish with YARA:
matching on a specific type of malware
scanning emails/ internal files
building on new detections internally
The basic syntax of a rule: you give it a name, an optional meta section (description, author, and so on), the strings to match, and a condition. The name and the condition are mandatory; meta and strings are optional, so a rule can consist of nothing more than a name and a condition.
Here’s an example rule that uses string counts as its condition.
It counts how many times each string occurs in the scanned file (more than 20 occurrences of $s1, more than 15 of $s2, and so forth). If the condition holds, the rule fires.
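Here is an added example of such a count-based rule, written for this post rather than taken from it; the strings, the NOP sled and the thresholds are illustrative assumptions, not indicators from any specific sample:

```yara
rule repeated_injection_api_strings
{
    meta:
        description = "Added example: API names and a NOP sled recurring more often than a clean file would show"
        note        = "illustrative strings and thresholds; tune against your own sample set"

    strings:
        // ascii wide: match both the 8-bit and the UTF-16LE spelling of the name
        $s1 = "CreateRemoteThread" ascii wide
        $s2 = "VirtualAllocEx" ascii wide
        // hex string: an 8-byte NOP sled
        $s3 = { 90 90 90 90 90 90 90 90 }

    condition:
        // '#' is YARA's count operator: the number of occurrences of the string in the whole file.
        // Every count must be exceeded for the rule to fire.
        #s1 > 20 and #s2 > 15 and #s3 > 5
}
```

`#s1` counts occurrences across the entire file, not per section; if you need positional logic, `@s1[1]` gives the offset of the first occurrence. To see which strings matched and where, scan with `yara -s rule.yar sample.bin`.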
Rules like this are one-off detections.
Now, let’s take a look at some enterprise-level use cases.
Use Cases at Scale
An example use case for internal detection is scanning files before they are uploaded to production. This can be done through a custom sandbox. Cuckoo Sandbox is the usual choice because it is open source and ships with a YARA processing module, but other sandboxes work too (the original Cuckoo project is no longer actively maintained; CAPE is a maintained fork that descends from it).
Another enterprise-level use case is integrating with osquery. osquery exposes YARA through two tables: yara, for on-demand scans of a given path against a rule file or a signature group, and yara_events, which scans files as they are created or modified under monitored paths. Rule files and signature groups are declared in a yara section of the osquery configuration.
This makes both on-demand and fleet-wide file scanning possible at scale. Facebook started osquery, which has since picked up many additions and is now maintained under the Linux Foundation.
Check out the documentation here:
https://osquery.readthedocs.io/en/stable/deployment/yara/
Scanning is resource intensive, since every file under the monitored paths is read and run through the rules on the endpoint, but the payoff is large: you can take a rule for a specific piece of malware and find every instance of it across the fleet. It makes for a great hunting tool.
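As an added illustration of the osquery integration (this is not from the post; the rule file paths, the signature group name, the watched directories and the query interval are assumptions), here are the relevant pieces of an osquery configuration: a yara section that names the rule files and maps them to path categories, a file_paths section that defines those categories, and a scheduled query that reads the yara_events table. yara_events depends on file event monitoring, which is why the enable_file_events flag is set.

```json
{
  "options": {
    "enable_file_events": "true"
  },
  "yara": {
    "signatures": {
      "hunt_rules": [
        "/etc/osquery/yara/repeated_injection_api_strings.yar",
        "/etc/osquery/yara/ransomware_notes.yar"
      ]
    },
    "file_paths": {
      "tmp_dirs": ["hunt_rules"],
      "user_downloads": ["hunt_rules"]
    }
  },
  "file_paths": {
    "tmp_dirs": ["/tmp/%", "/var/tmp/%"],
    "user_downloads": ["/home/%/Downloads/%%"]
  },
  "schedule": {
    "yara_event_matches": {
      "query": "SELECT time, target_path, matches, count, strings, tags FROM yara_events WHERE count > 0;",
      "interval": 300
    }
  }
}
```

In the file_paths patterns, a single `%` matches one directory level and `%%` matches recursively. The category names under yara.file_paths must match the ones under the top-level file_paths, which is how a signature group gets attached to a set of directories. For an ad-hoc hunt against a single file you can query the yara table directly, for example `SELECT path, matches, count FROM yara WHERE path = '/tmp/sample.bin' AND sig_group = 'hunt_rules';`, which runs the same signature group without waiting for a file event.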
The same idea applies at the S3 level, where every object uploaded to a bucket is run through your YARA rules. Airbnb does this with BinaryAlert, its open-source serverless YARA scanner for S3.
Check out their blog post and repo here.
This is by no means an exhaustive list of use cases, just a few highlighted ones at scale to get the wheels turning.
YARA Resources
In the previous post in this YARA series, I shared a lab that serves as an intro to the subject matter.
If you’re looking for more on this, here’s a course by Network Defense. It covers the basics of writing rules and has 20 hours of video content to build on those skills.
Link to the course here:
https://www.networkdefense.co/courses/yara/
The course is pitched as a foundation for detection engineering through YARA.
It covers the following:
Testing your rules
Bulk creation
General malware masquerading
Detecting obfuscated strings
I might write a future post reviewing the course.
Testing Rules
To test your rules, you can pull malware samples into your lab environment from these sources:
VirusTotal, Malwr, or AnyRun.
If you’re looking for a larger sample set, vx-underground.
Test with clean samples:
Microsoft or Ubuntu ISOs.
The idea is to test against both known malware and known goodware: a true positive on the malicious samples and a true negative on the clean ones. A rule that does both is effective; a rule that only does the first is just a signature for one file. One clean ISO is a starting point, not a goodware corpus, so scan as much clean software as you can get hold of.
As with most tools, false positives are always possible, but the approach above gives you the best chance at good detection rules.
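As an added example (not from the post or the course), here is the kind of change that usually separates a rule that passes the goodware test from one that does not: the same count-based logic as a plain string-count rule, restricted to small PE files so that installers, archives and ISOs, which carry these API names inside embedded binaries, do not count as matches. The strings, thresholds and size cap are assumptions to tune against your own sample sets.

```yara
rule repeated_injection_api_strings_pe
{
    meta:
        description = "Added example: count-based rule restricted to small PE files to reduce false positives"
        note        = "magic check and size cap are tuning assumptions, not values from a real sample"

    strings:
        $s1 = "CreateRemoteThread" ascii wide
        $s2 = "VirtualAllocEx" ascii wide

    condition:
        // Guard 1: only consider PE files ('MZ' at offset 0, read as a little-endian uint16)
        uint16(0) == 0x5A4D and
        // Guard 2: skip large files; installers, archives and ISOs embed binaries that
        // legitimately contain these API names and would otherwise trip the counts
        filesize < 5MB and
        // The detection logic itself: repeated occurrences of injection-related API names
        #s1 > 20 and #s2 > 15
}
```

Run this over your malware set and your clean set: it should fire on the samples you built it from (true positive) and stay silent on the ISOs, which fail both guards (true negative). The guards narrow the rule on purpose, so be aware of what you give up: a script-based dropper or a non-PE loader that repeats the same strings will never match this rule and needs one of its own.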
For ideas on rules spanning several different threats, see the Nextron Systems rules (the signature-base repository).
And for the ultimate compilation of all things YARA, check out this GitHub repo:
https://github.com/InQuest/awesome-yara
Conclusion
These are some of the top use cases for YARA, with examples of how they are implemented:
matching on a specific type of malware
scanning emails/internal files
building on new detections internally
We also took a look at a few enterprise use cases (sandbox scanning, osquery, and S3) and the scale at which they operate.
See you in the next one.