Hunting Patterns — YARA Rules — A Beginner Friendly Journey

Kamran Saifullah
5 min read · Nov 13, 2021
https://github.com/umair9747/yara-rules/blob/master/README.md

In this universe we were brought into (Earth), everything has a pattern. Even our daily lives follow a particular pattern, and if we stop following it we get depressed, stressed, sleep deprived and much more. Going back to nature, scientists have done great research bringing these realities into the limelight.

As an aside, the article below describes the patterns in our natural lives.

https://www.nature.com/articles/news000601-3

The same phenomenon applies to the digital world, i.e. the Cyber World, a.k.a. the Internet. Everything that happens over the internet follows a pattern. Yes, there are abnormalities happening over the internet, but similar abnormalities happen in our daily lives as well.

Things are changing, the world is changing, and so are the cyber criminals. They keep updating themselves with the latest tools of the trade just so they can get into the most secure environments. Main motive? Well, yes! MONEY, trade secrets, and national secrets which can be used against countries, to bring enemies to their knees, and whatsoever.

DFIR guys, SOC guys, Blue Team guys and malware analysts are always looking for these patterns, trying to figure out whether something bad has happened. If yes, they have to reconstruct the complete pattern (the complete attack journey) to uncover the hidden details: how the attack happened, what was done, what was bypassed, when it was done, why it was done, etc.

The same knowledge has been brought forward in the form of YARA (Yet Another/Ridiculous Acronym). YARA is purely written in the Python language, with the aim of classifying malware, malicious samples and abnormalities in an easy way. You may still be asking why we are reading this. What is the purpose of YARA and YARA rules?

Suppose you are working in the financial sector and, unfortunately, you got hit by some spyware or keyloggers because one of your employees clicked a link he received in a disguised IT Support email. The issue is brought to you and you have to investigate it further. After extracting the malicious samples, you are going to do the following:

  1. Calculate the hash.
  2. Check the hash on VirusTotal and other platforms to see whether it is indeed malicious.
  3. Perform static analysis (IP addresses, API calls, URLs, etc.).
  4. Perform dynamic analysis (to understand the behaviour in general).

During all this you have spent plenty of your time on these malicious samples, including finding them on the user's system. You cannot waste your time repeating the whole process again for every other machine. So YARA comes into play: you write a simple YARA rule and run it on all of your organization's systems. If a match is found, that system is compromised and action needs to be taken.

Our 1st YARA Rule

Like other rulesets, a YARA rule has a defined structure.

  • It begins with the name of your rule.
  • The meta section allows you to add a description of your rule.
  • Strings are the actual patterns you are looking for.
  • The condition is a boolean expression over those strings which evaluates to either TRUE or FALSE.

Now, let's say you know a password, "HelloKitty", and you want to check which files it appears in. For that we can write a simple YARA rule.

Once the rule is written, we run it with the command below, and we can see that ./password.txt has been flagged: the same file in which the password is written.

Now, let’s change the password in our YARA Rule.

Now we can clearly see that YARA no longer flags password.txt, because the password written in password.txt is not the same as the one written in our YARA rule.
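The rule from the two experiments above, written out as an added example (the original rule and command were shown as screenshots, so this is not the post's own rule). It assumes the rule is saved as hellokitty.yar and the file being checked is password.txt, and it goes slightly beyond the text by also matching the UTF-16 and raw-hex forms of the same string, so the rule still fires on binaries that store the password that way.

```yara
// Added example, not the article's own rule.
// Assumed file names: hellokitty.yar for this rule, password.txt for the target file.
rule HelloKitty_Password_Present
{
    meta:
        // The meta section: free-form key/value pairs describing the rule
        description = "Flags any file that contains the known password 'HelloKitty'"
        author      = "example rule written for this article"
        severity    = "informational"

    strings:
        // The strings section: every pattern we want to look for
        $pw_ascii = "HelloKitty" ascii                    // plain text, exact case
        $pw_wide  = "HelloKitty" wide                     // UTF-16LE, common in Windows binaries
        $pw_hex   = { 48 65 6C 6C 6F 4B 69 74 74 79 }     // the same bytes as a hex pattern

    condition:
        // The condition: skip huge files, then fire if any variant of the password appears.
        // Changing the strings to a different password (the second experiment above)
        // makes password.txt stop matching.
        filesize < 10MB and any of ($pw_*)
}
```

Run it with `yara -r hellokitty.yar .`: a hit prints the rule name followed by the matching path (`HelloKitty_Password_Present ./password.txt`), and adding `-s` also prints the offset and the matched string, which shows which variant fired.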

Where Confusion Happens

You may be wondering whether getting your hands on YARA rules requires a lot of manual work, from dissecting the malware to writing rules to hunting it down.

Well, that is not the case: there are different tools on the market which automate a lot of that work for you.

  1. YARGEN — https://github.com/Neo23x0/yarGen
  2. YAYA — https://github.com/EFForg/yaya

yarGen can be used to automatically generate a YARA rule. You will, however, have to remove the information that is not required to ensure the generated rule works as intended.

YAYA is an automation tool written in Go. It pulls loads of YARA rules from different repositories and allows you to scan your samples against them. If a rule matches a sample, it will give you a hit.

Anatomy of a Yara Rule

https://medium.com/malware-buddy/security-infographics-9c4d3bd891ef#18dd


Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI