Introduction

First off, YARA has one of the best tool names around. It stands for “Yet Another Ridiculous Acronym.” Respect.

There’s a good explanation of YARA here: https://docs.virustotal.com/docs/what-is-yara

Essentially, YARA is an open-source tool designed to help malware researchers identify and classify malware. Think of it as a supercharged search engine for finding malicious software. It works by using rules that define patterns to look for in files. These patterns can be specific strings of text, hexadecimal values, or even regular expressions. When YARA scans a file, it checks if any of these patterns match, helping to detect and describe different types of malware. It’s like having a detective that knows exactly what clues to look for in a sea of data.

Scenario

The scenario here is real, and so are the links. Don’t be dumb - don’t open any of the links outside of the THM environment. You’ve been warned.

In this scenario, you’re part of Belgium’s national CSIRT, working closely with cyber threat intelligence and incident response teams. Your mission is to analyze threat intelligence related to a targeted cyber attack on a German political party. The threat intelligence team has provided detailed information using the diamond model, which includes the adversary (APT29), the victim (German political party), TTPs (Tactics, Techniques, and Procedures), and IOCs (Indicators of Compromise). Your task is to use this information to hunt for the described threats using YARA rules.

Threat Hunting

Based on the threat intelligence provided, there are several opportunities to mount a threat hunt:

  1. Structured Hunting: This style uses Indicators of Attack and TTPs (Tactics, Techniques, and Procedures) to detect possible attacks early in the Kill Chain. The intelligence provided includes specific TTPs attributed to APT29, enabling a structured hunting approach.

  2. Unstructured Hunting: This style uses Indicators of Compromise (IOCs) to search for threats within the environment. The provided threat intelligence includes IOCs and YARA rules, which can be used for unstructured hunting.

  3. Situational/Entity-Driven Hunting: This combines elements of both structured and unstructured hunting, driven by changes in the threat landscape. The intelligence provided allows for a situational approach, combining TTPs and IOCs to hunt for threats.

In this scenario, the focus will be on using the provided IOCs and YARA rules to hunt for the WINELOADER malware, demonstrating the practical application of unstructured hunting.

Threat Hunting Process

[Figure: Threat Hunting Phases - credit: TryHackMe]

Threat hunting consists of 3 phases:

  1. Trigger: This is what initiates the threat hunt. This can be an IOC, a set of TTPs, a hypothesis, a system that behaves abnormally, articles on external blogs, reports by third parties, etc.

  2. Investigation: A specific trigger is selected and used as a starting point for hunting activities. The threat hunter can use various tools to support the hunt for anomalies, such as YARA rules, Volatility, malware scanners, packet analyzers like Wireshark, and many more.

  3. Resolution: If the threat hunter finds evidence of a breach, the incident response team is notified, and the incident response procedure is started. Depending on the procedure, the threat hunter can support the IR team by scoping and digging deeper into the evidence found.

Based on the threat intel given about APT29, the rest of the room focuses on YARA rules to hunt further.

YARA

A YARA rule describes a malware family based on a pattern using a set of strings and Boolean logic.

Structure of a YARA Rule

A YARA rule uses a descriptive language to define a pattern: a set of strings, plus a Boolean condition at the end of the rule that states how those strings must match for the rule to fire.

The main parts of a YARA rule are the rule name, meta, strings, and condition. Below, we will discuss each part.

Rule Name

The rule declaration starts with the keyword rule, followed by a descriptive name for the rule. Best practice is to choose a name that makes clear what the rule detects.

Meta

This part holds extra information such as description, author, and more. Custom identifier/value pairs can be freely created. The information defined in meta cannot be referenced in the condition part. Including this part is entirely up to you; the rule works fine without it. It is, however, recommended to include a meta part with some basic information, at least the author and a description of what the rule is meant to detect.

Strings

In this part of the rule, the strings to match are defined. Multiple types of strings can be defined (plain text, hexadecimal byte sequences, and regular expressions), which is essential for creating functional rules.

Condition

In this part of the rule, a matching condition is defined using the identifiers defined in the strings part.

YARA Example

rule ExampleRule {
    meta:
        author = "Your Name"
        description = "Detects example malware"
    strings:
        $a = "example string"
        $b = { E2 34 B6 C8 A3 FB }
    condition:
        all of them
}

Only two parts are required for a rule to function: the rule name and the condition. All the other parts are optional. However, adding strings to a rule is recommended if you want to create complex, functional YARA rules.
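To make the rule structure above and the trigger/investigation/resolution loop concrete, here is an added illustration that is not part of the room and not YARA itself: a small Python re-implementation of the subset of rule syntax shown (meta, text/hex/regex strings, and the "all of them", "any of them" and "N of them" condition forms) that walks a directory of constructed sample files and reports which files the rule matches, the way a hunter would run `yara -r rule.yar <dir>` over collected artifacts. The rule name, the indicator values and the sample files are all made up for the example; a real hunt uses the yara CLI or yara-python with the rules supplied by the threat intelligence team.

```python
"""Minimal YARA-style matcher, added as an illustration (not YARA, not the room's code).
It parses the subset of rule syntax shown above and scans a directory, which is the
unstructured-hunt loop: IOCs in a rule (trigger), scan (investigation), report (resolution)."""
import os
import re
import tempfile

# Constructed rule in YARA syntax. Every indicator value below is made up for this example.
RULE_TEXT = r'''
rule Example_Hunt_Rule {
    meta:
        author = "example"
        description = "Illustrative rule with text, hex and regex strings"
    strings:
        $txt = "example string"
        $hex = { E2 34 ?? C8 A3 FB }
        $re  = /user-agent: [a-z]+\/[0-9]\.[0-9]/
    condition:
        2 of them
}
'''

HEX_BYTE = re.compile(r'[0-9A-Fa-f]{2}|\?\?')   # one hex byte, or the ?? wildcard


def parse_rule(text):
    """Return (rule name, {identifier: compiled byte regex}, condition text).
    Supported: text strings, hex strings with ?? wildcards, and regex strings;
    meta lines carry no $-prefixed identifier and are therefore ignored here."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings = {}
    for ident, value in re.findall(r'^\s*(\$\w+)\s*=\s*(.+?)\s*$', text, re.M):
        if value.startswith('"'):                     # text string -> literal bytes
            pat = re.escape(value[1:-1].encode())
        elif value.startswith('{'):                   # hex string -> byte regex, ?? = any byte
            toks = HEX_BYTE.findall(value)
            pat = b''.join(b'.' if t == '??' else re.escape(bytes.fromhex(t)) for t in toks)
        elif value.startswith('/'):                   # regex string, body between the slashes
            pat = value[1:value.rindex('/')].encode()
        else:
            raise ValueError(f'unsupported string syntax for {ident}: {value}')
        strings[ident] = re.compile(pat, re.S)        # re.S so '.' also matches newline bytes
    cond = re.search(r'condition:\s*(.+?)\s*}', text, re.S).group(1)
    return name, strings, cond


def evaluate(cond, strings, data):
    """Evaluate an 'all/any/N of them' condition; return (matched, sorted hit identifiers)."""
    hits = sorted(ident for ident, rx in strings.items() if rx.search(data))
    m = re.fullmatch(r'(all|any|\d+)\s+of\s+them', cond.strip())
    if not m:
        raise ValueError(f'unsupported condition: {cond}')
    q = m.group(1)
    need = len(strings) if q == 'all' else 1 if q == 'any' else int(q)
    return len(hits) >= need, hits


def scan_directory(rule_text, root):
    """Walk `root` and return (rule name, {relative path: hit identifiers}) for files
    that satisfy the condition; non-matching files are left out of the report."""
    name, strings, cond = parse_rule(rule_text)
    matches = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, 'rb') as fh:
                data = fh.read()
            matched, hits = evaluate(cond, strings, data)
            if matched:
                matches[os.path.relpath(path, root).replace(os.sep, '/')] = hits
    return name, matches


# Constructed sample files: only those hitting at least 2 of the 3 strings should match.
SAMPLES = {
    'clean/readme.txt': b'nothing to see here, example string only',          # $txt only -> no
    'staging/dropper.bin': b'\x00\x01example string\xe2\x34\x99\xc8\xa3\xfb',  # $txt + $hex -> yes
    'staging/beacon.log': b'user-agent: mozilla/5.0\r\nexample string\r\n',     # $re + $txt -> yes
}


def demo():
    """Write the constructed samples to a temp directory and hunt over it with the rule."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'wb') as fh:
                fh.write(content)
        return scan_directory(RULE_TEXT, root)


if __name__ == '__main__':
    rule_name, found = demo()
    for path, hits in sorted(found.items()):        # same shape as yara's "<rule> <file>" lines
        print(f'{rule_name} {path}  strings: {", ".join(hits)}')
```

Note how the threshold in the condition decides the outcome: readme.txt contains the text string but nothing else, so "2 of them" keeps it out of the report, while the other two files each satisfy two different string types. Real YARA supports far more (string modifiers, offsets, file-size and module conditions), which is exactly why the room recommends building rules with several string types rather than one literal.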

Practice

I highly recommend accessing this room on tryhackme.com and interacting with the provided environment.

Conclusion

I intentionally left quite a bit out of this post. Head over to https://tryhackme.com/r/room/threathuntingwithyara and check this room out for a great introduction to a fantastic tool for Threat Hunting.

Additionally, check out this GitHub repo: https://github.com/InQuest/awesome-yara