Creating Detection Rules
Detecting malware involves defining rules to identify indicators in files, processes, or logs. Two essential tools for this task are YARA (for file-based detection) and Sigma (for log-based detection in SIEMs). Below is a structured guide to creating detection rules for a malware sample.
YARA Rules
YARA, a rule-based pattern-matching tool, helps create custom rules for detecting specific characteristics within files. Our example uses shell.exe, which exhibited sandbox evasion messages like "Sandbox detected."
Basic YARA Rule Example
A simple rule to detect the "Sandbox detected" message:
    rule Shell_Sandbox_Detection {
        strings:
            $sandbox_string = "Sandbox detected"
        condition:
            $sandbox_string
    }

Enhanced YARA Rule Creation with yarGen
To generate a more robust rule, we use yarGen, a tool that automates YARA rule creation by extracting unique strings and patterns.
Set Up Test Directory:

    mkdir /home/htb-student/Samples/MalwareAnalysis/Test
    cp /home/htb-student/Samples/MalwareAnalysis/shell.exe /home/htb-student/Samples/MalwareAnalysis/Test/

Run yarGen:

    cd /home/htb-student/yarGen-0.23.4
    sudo python3 yarGen.py -m /home/htb-student/Samples/MalwareAnalysis/Test/

Generated Rule Example: A file named yargen_rules.yar is generated, containing unique patterns for shell.exe:

    rule _home_htb_student_Samples_MalwareAnalysis_Test_shell {
        meta:
            description = "Test - file shell.exe"
            author = "yarGen Rule Generator"
            date = "2023-08-02"
            hash1 = "bd841e796feed0088ae670284ab991f212cf709f2391310a85443b2ed1312bda"
        strings:
            $x1 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
            $s2 = "http://ms-windows-update.com/svchost.exe" fullword ascii
            $s3 = "45.33.32.156" fullword ascii
            $s4 = "[-] Error code is : %lu" fullword ascii
            $s5 = "Connection sent to C2" fullword ascii
            $s6 = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" fullword ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 60KB and 3 of ($s*)
    }

Use the Rule for Detection:

    yara /home/htb-student/yarGen-0.23.4/yargen_rules.yar /home/htb-student/Samples/MalwareAnalysis/

Output should confirm detection if shell.exe is present in the specified directory.
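To make the yarGen rule's condition concrete, the following added example (written for this page; it is not the page's own code, not yarGen output, and does not use the yara binary) re-implements the three terms of `uint16(0) == 0x5a4d and filesize < 60KB and 3 of ($s*)` in plain Python, including an emulation of the `fullword ascii` modifier, and evaluates them over constructed byte blobs. The `evaluate_rule` and `fullword_ascii` helpers and the sample blobs are assumptions made for illustration; the `$s*` strings are the ones from the generated rule.

```python
import re

# Added example (not from the page or yarGen): a hypothetical mini-evaluator that
# re-implements the condition of the yarGen-generated rule
#   uint16(0) == 0x5a4d and filesize < 60KB and 3 of ($s*)
# so each term can be inspected without running yara itself.

# The $s* strings exactly as they appear in the generated rule.
S_STRINGS = {
    "$s2": b"http://ms-windows-update.com/svchost.exe",
    "$s3": b"45.33.32.156",
    "$s4": b"[-] Error code is : %lu",
    "$s5": b"Connection sent to C2",
    "$s6": b"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate YARA's `fullword ascii`: the string must occur and must not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate each term of the condition and the overall verdict."""
    # uint16(0) reads the first two bytes little-endian; 0x5a4d is "MZ".
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    # YARA's KB suffix means 1024 bytes.
    size_ok = len(data) < 60 * 1024
    s_hits = sorted(name for name, s in S_STRINGS.items() if fullword_ascii(data, s))
    return {
        "mz": is_mz,
        "size_ok": size_ok,
        "s_hits": s_hits,
        "match": is_mz and size_ok and len(s_hits) >= 3,
    }


# Constructed inputs (not real samples): an "MZ" header followed by three of the
# strings, the same layout with only two strings, and a plain text file that
# carries the strings but lacks the MZ header.
SAMPLE_PE = (
    b"MZ" + b"\x90" * 62
    + b"\x00Connection sent to C2\x00"
    + b"\x0045.33.32.156\x00"
    + b"\x00[-] Error code is : %lu\x00"
)
SAMPLE_PE_TWO_STRINGS = (
    b"MZ" + b"\x90" * 62
    + b"\x00Connection sent to C2\x00"
    + b"\x0045.33.32.156\x00"
)
SAMPLE_TEXT = b"Connection sent to C2 45.33.32.156 [-] Error code is : %lu\n"

if __name__ == "__main__":
    for label, blob in (("PE, 3 strings", SAMPLE_PE),
                        ("PE, 2 strings", SAMPLE_PE_TWO_STRINGS),
                        ("text, 3 strings", SAMPLE_TEXT)):
        print(f"{label:16} -> {evaluate_rule(blob)}")
```

The text blob shows why the `uint16(0) == 0x5a4d` guard matters: it carries three of the strings, so `3 of ($s*)` is satisfied, yet the rule stays silent because the file is not a PE image. Conversely, the two-string PE blob shows the threshold doing its job.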
YARA Resources
Documentation: YARA Documentation
Community Rules: InQuest’s Awesome YARA
Sigma Rules
Sigma is a rule format for detecting security threats in SIEM systems. Sigma rules standardize detection across platforms, helping detect malicious patterns or events based on log analysis.
Basic Sigma Rule Example
Below is an example Sigma rule to detect a file named svchost.exe dropped in the Temp folder:
    title: Suspicious File Drop in Users Temp Location
    status: experimental
    description: Detects suspicious activity where a file is dropped in the temp location
    logsource:
        category: file_event   # Sysmon Event ID 11; TargetFilename is a file event field, not a process_creation field
        product: windows
    detection:
        selection:
            TargetFilename:
                - '*\\AppData\\Local\\Temp\\svchost.exe'
        condition: selection
    level: high
    falsepositives:
        - Legitimate exe file drops in temp location

Example Detection Rule with Sysmon Logs
Sysmon provides detailed event logging on processes, files, and network connections, which can be used to create more complex Sigma rules. Example rule for process creation in response to shell.exe behavior:
Sysmon Process Creation Log Rule:

    title: Suspicious Process Creation for Registry Modification
    description: Detects process creation with command line arguments related to sleep or delay commands
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            Image: 'C:\\Windows\\System32\\cmd.exe'
            CommandLine: '*ping 127.0.0.1 -n 5*'
        condition: selection
    level: high

Sysmon Network Connection Log Rule:

    title: Suspicious Network Connection to C2 IP
    description: Detects network connections to a known C2 server IP
    logsource:
        category: network_connection
        product: windows
    detection:
        selection:
            DestinationIp: '45.33.32.156'
            DestinationPort: 31337
        condition: selection
    level: high
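The following added example (written for this page; it is not the page's own code and not a SigmaHQ tool) shows how the selections of the three Sigma rules above, the Temp-folder drop rule and the two Sysmon rules, evaluate against constructed Sysmon-style events. It hand-transcribes each selection into a Python dict and implements the core Sigma semantics a SIEM backend applies: fields in a selection map are ANDed, a list of values is ORed, string values compare case-insensitively with `*`/`?` wildcards, and a rule is only considered for events of its logsource category. It assumes the Temp-drop rule is applied to file-creation events (Sysmon Event ID 11, Sigma category file_event), which is where TargetFilename is populated; `run_rules`, `selection_matches`, `field_matches` and the sample events are assumptions made for illustration.

```python
import fnmatch

# Added example (not from the page or SigmaHQ): the three Sigma selections from
# the page, hand-transcribed into dicts and run over constructed events.
# Assumption: the Temp-folder drop rule targets file-creation events
# (Sysmon Event ID 11, Sigma category file_event).
RULES = [
    {
        "title": "Suspicious File Drop in Users Temp Location",
        "category": "file_event",
        "selection": {"TargetFilename": ["*\\AppData\\Local\\Temp\\svchost.exe"]},
    },
    {
        "title": "Suspicious Process Creation for Registry Modification",
        "category": "process_creation",
        "selection": {
            "Image": "C:\\Windows\\System32\\cmd.exe",
            "CommandLine": "*ping 127.0.0.1 -n 5*",
        },
    },
    {
        "title": "Suspicious Network Connection to C2 IP",
        "category": "network_connection",
        "selection": {"DestinationIp": "45.33.32.156", "DestinationPort": 31337},
    },
]


def field_matches(pattern, value) -> bool:
    """One field condition. A list of patterns is OR; string values use Sigma's
    * and ? wildcards and compare case-insensitively; numbers compare as text."""
    if isinstance(pattern, list):
        return any(field_matches(p, value) for p in pattern)
    return fnmatch.fnmatchcase(str(value).lower(), str(pattern).lower())


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (AND); a field absent from the
    event never matches, so a process_creation event cannot satisfy TargetFilename."""
    return all(
        name in event and field_matches(pat, event[name])
        for name, pat in selection.items()
    )


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires on an event,
    considering only rules whose logsource category matches the event's."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in rules:
            if rule["category"] != ev["category"]:
                continue
            if selection_matches(rule["selection"], ev):
                hits.append((idx, rule["title"]))
    return hits


# Constructed events (not real telemetry), carrying the Sysmon fields the rules use.
EVENTS = [
    {"EventID": 11, "category": "file_event",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": 1, "category": "process_creation",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ping 127.0.0.1 -n 5 > nul"},
    {"EventID": 3, "category": "network_connection",
     "DestinationIp": "45.33.32.156", "DestinationPort": 31337},
    # Same IP on another port: the selection requires both fields, so no hit.
    {"EventID": 3, "category": "network_connection",
     "DestinationIp": "45.33.32.156", "DestinationPort": 443},
    # svchost.exe in its legitimate location: the wildcard path does not match.
    {"EventID": 11, "category": "file_event",
     "TargetFilename": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for idx, title in run_rules(EVENTS):
        print(f"event {idx} (EventID {EVENTS[idx]['EventID']}): {title}")
```

The two negative events are the ones worth keeping in mind when tuning: the network rule keys on the IP and port together, so a connection to the same address on a different port is deliberately outside its scope, and the Temp-drop rule only fires for the user-profile path, not for the genuine svchost.exe under System32.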
Sigma Resources
Documentation: Sigma Specification
Community Rules: SigmaHQ Rules
References and Additional Resources
Yara Documentation: YARA Rules
Sigma Documentation: Sigma Rules
DFIR Report: YARA and Sigma Rules by DFIR