Creating Detection Rules
Detecting malware involves defining rules to identify indicators in files, processes, or logs. Two essential tools for this task are YARA (for file-based detection) and Sigma (for log-based detection in SIEMs). Below is a structured guide to creating detection rules for a malware sample.
YARA Rules
YARA, a rule-based pattern-matching tool, helps create custom rules for detecting specific characteristics within files. Our example uses shell.exe, which exhibited sandbox evasion messages like "Sandbox detected."
Basic YARA Rule Example
A simple rule to detect the "Sandbox detected" message:
    rule Shell_Sandbox_Detection {
        strings:
            $sandbox_string = "Sandbox detected"
        condition:
            $sandbox_string
    }
Enhanced YARA Rule Creation with yarGen
A single plain string is a weak detector: it fires on any file that contains the phrase, including analyst notes and reports, and carries no file-type or size check. To generate a more robust rule, we use yarGen, a tool that automates YARA rule creation by extracting strings from the sample and discarding those that also appear in its goodware string database.
Set Up Test Directory:
    mkdir /home/htb-student/Samples/MalwareAnalysis/Test
    cp /home/htb-student/Samples/MalwareAnalysis/shell.exe /home/htb-student/Samples/MalwareAnalysis/Test/
Run yarGen:
    cd /home/htb-student/yarGen-0.23.4
    sudo python3 yarGen.py -m /home/htb-student/Samples/MalwareAnalysis/Test/
Generated Rule Example: A file named yargen_rules.yar is generated, containing unique patterns for shell.exe:
    rule _home_htb_student_Samples_MalwareAnalysis_Test_shell {
        meta:
            description = "Test - file shell.exe"
            author = "yarGen Rule Generator"
            date = "2023-08-02"
            hash1 = "bd841e796feed0088ae670284ab991f212cf709f2391310a85443b2ed1312bda"
        strings:
            $x1 = "C:\\Windows\\System32\\cmd.exe" fullword ascii
            $s2 = "http://ms-windows-update.com/svchost.exe" fullword ascii
            $s3 = "45.33.32.156" fullword ascii
            $s4 = "[-] Error code is : %lu" fullword ascii
            $s5 = "Connection sent to C2" fullword ascii
            $s6 = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" fullword ascii
        condition:
            uint16(0) == 0x5a4d and filesize < 60KB and 3 of ($s*)
    }
Use the Rule for Detection:
    yara /home/htb-student/yarGen-0.23.4/yargen_rules.yar /home/htb-student/Samples/MalwareAnalysis/
Output should confirm detection if shell.exe is present in the specified directory: yara prints the rule name followed by the path of each matching file (it scans only the files directly in that directory; add -r to recurse into subdirectories). Before deploying a generated rule, review it: the condition "3 of ($s*)" fires on any three of the $s strings and does not count $x1 at all, the MZ check at offset 0 restricts it to PE files, and the rule name yarGen derives from the sample path should be renamed to something meaningful.
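To see exactly what the generated condition accepts and rejects, the following added example (not code from the original page or from yarGen) re-implements the condition of the yarGen rule above in plain Python and runs it against constructed byte buffers: a fake PE with three of the $s strings, one with $x1 plus only two $s strings, one with an ELF header, one padded past 60KB, and one where the IP string is glued to a digit so that fullword does not match. The buffers, the filler bytes and the build_sample helper are constructed for this illustration; only the string values and the condition come from the rule itself.

```python
# Added example (not from the original page): a pure-Python emulation of the
# condition in the yarGen rule above, so each clause can be exercised against
# constructed byte buffers without a yara binary. It mirrors only the operators
# that rule uses (fullword ascii strings, uint16(0), filesize, "N of ($s*)").

# String definitions copied from the generated rule; the "x" vs "s" prefixes
# matter because "3 of ($s*)" counts only the $s identifiers.
STRINGS = {
    "x1": b"C:\\Windows\\System32\\cmd.exe",
    "s2": b"http://ms-windows-update.com/svchost.exe",
    "s3": b"45.33.32.156",
    "s4": b"[-] Error code is : %lu",
    "s5": b"Connection sent to C2",
    "s6": b"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

MAX_SIZE = 60 * 1024  # "filesize < 60KB"; YARA's KB suffix means 1024 bytes


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate a `fullword ascii` string: some occurrence of needle must not be
    immediately preceded or followed by an alphanumeric byte."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = i + 1


def evaluate(data: bytes) -> dict:
    """Return the per-clause results of the rule's condition for one buffer."""
    hits = {name: fullword_ascii(data, s) for name, s in STRINGS.items()}
    return {
        # uint16(0) == 0x5a4d: little-endian "MZ" at offset 0
        "is_mz": len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D,
        "small": len(data) < MAX_SIZE,
        "s_hits": sorted(n for n, hit in hits.items() if hit and n.startswith("s")),
        "x_hits": sorted(n for n, hit in hits.items() if hit and n.startswith("x")),
    }


def matches(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and filesize < 60KB and 3 of ($s*)"""
    r = evaluate(data)
    return r["is_mz"] and r["small"] and len(r["s_hits"]) >= 3


def build_sample(*strings: bytes, header: bytes = b"MZ", pad: int = 0) -> bytes:
    """Constructed stand-in for a scanned file: a magic header, filler bytes,
    then each string NUL-terminated (as a compiler emits it), then padding."""
    body = b"".join(s + b"\x00" for s in strings)
    return header + b"\x90" * 64 + body + b"\x00" * pad


if __name__ == "__main__":
    cases = {
        "three $s strings, MZ header": build_sample(STRINGS["s2"], STRINGS["s3"], STRINGS["s5"]),
        "$x1 plus only two $s strings": build_sample(STRINGS["x1"], STRINGS["s2"], STRINGS["s3"]),
        "same strings, ELF header": build_sample(STRINGS["s2"], STRINGS["s3"], STRINGS["s5"], header=b"\x7fELF"),
        "same strings, padded past 60KB": build_sample(STRINGS["s2"], STRINGS["s3"], STRINGS["s5"], pad=70 * 1024),
        "IP glued to a digit (fullword fails)": build_sample(b"45.33.32.1567", STRINGS["s2"], STRINGS["s5"]),
    }
    for label, blob in cases.items():
        print(f"{label:40s} -> {matches(blob)}  {evaluate(blob)}")
```

Only the first case matches. The second shows the point that trips people up most often with yarGen output: $x1 is present, but "3 of ($s*)" never looks at it, so a sample with $x1 and two $s strings is missed; if $x1 should count, the condition has to say so (for example "1 of ($x*) or 3 of ($s*)").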
YARA Resources
Documentation: YARA Documentation
Community Rules: InQuest’s Awesome YARA
Sigma Rules
Sigma is a vendor-neutral, YAML-based rule format for log-based detection. A Sigma rule describes the log source and the field values to match, and is converted into the query language of the target SIEM, so one rule standardizes detection across platforms and lets analysts share detections for malicious patterns or events independently of any one product.
Basic Sigma Rule Example
Below is an example Sigma rule to detect a file named svchost.exe dropped in the Temp folder:
Example Detection Rule with Sysmon Logs
Sysmon provides detailed event logging on processes, files, and network connections (Event ID 1 for process creation, 3 for network connections, 11 for file creation), which Sigma exposes as the log-source categories process_creation, network_connection and file_event; these richer fields (Image, ParentImage, CommandLine, DestinationIp, TargetFilename) support more specific Sigma rules. Example rule for process creation in response to shell.exe behavior:
Sysmon Process Creation Log Rule:
Sysmon Network Connection Log Rule:
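The three detections described in this section (svchost.exe dropped in a Temp folder, the process-creation rule, and the network-connection rule) are shown below as an added example that is not part of the original page. The rules are written as Python dicts carrying the same keys a Sigma YAML file has (title, logsource, detection with named selections and a condition), and a minimal matcher applies Sigma's |contains and |endswith modifiers to a handful of constructed Sysmon events. The indicator values (cmd.exe, 45.33.32.156 and the two domains) are taken from the yarGen rule above; the Sysmon fields chosen, the shell.exe spawning cmd.exe parent/child pairing, the rule titles and every event are assumptions made for this illustration.

```python
# Added example (not from the original page): three Sigma-style rules for the
# shell.exe behaviours above, as Python dicts with the keys a Sigma YAML file
# carries, plus a minimal matcher for the |contains / |endswith modifiers.
# Indicator values come from the yarGen rule above; the Sysmon fields used and
# the shell.exe -> cmd.exe parent/child pairing are assumptions for this example.

# Sysmon Event IDs behind the Sigma log-source categories used below.
CATEGORY_EVENT_ID = {"process_creation": 1, "network_connection": 3, "file_event": 11}

RULES = [
    {"title": "svchost.exe dropped in a Temp folder",
     "logsource": {"product": "windows", "category": "file_event"},
     "detection": {"selection": {"TargetFilename|contains": "\\Temp\\",
                                 "TargetFilename|endswith": "\\svchost.exe"},
                   "condition": "selection"}},
    {"title": "shell.exe spawning cmd.exe",  # assumed parent/child relationship
     "logsource": {"product": "windows", "category": "process_creation"},
     "detection": {"selection": {"ParentImage|endswith": "\\shell.exe",
                                 "Image|endswith": "\\cmd.exe"},
                   "condition": "selection"}},
    {"title": "Connection to shell.exe C2 infrastructure",
     "logsource": {"product": "windows", "category": "network_connection"},
     "detection": {"selection_ip": {"DestinationIp": "45.33.32.156"},
                   "selection_domain": {"DestinationHostname|endswith": [
                       "ms-windows-update.com",
                       "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"]},
                   "condition": "selection_ip or selection_domain"}},
]

# Constructed Sysmon events (not real telemetry); odd indexes are benign look-alikes.
EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\victim\\shell.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\report.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\victim\\shell.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": "C:\\Users\\victim\\shell.exe",
     "DestinationIp": "45.33.32.156", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "example.com", "DestinationPort": 443},
]


def _field_matches(value, modifier, pattern) -> bool:
    """One field against one pattern; Sigma string comparison is case-insensitive."""
    if value is None:
        return False  # field absent from the event never matches
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection: dict, event: dict) -> bool:
    """Keys inside one selection are ANDed; a list of values for one key is ORed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_field_matches(event.get(field), modifier or None, p) for p in patterns):
            return False
    return True


def _condition_holds(condition: str, results: dict) -> bool:
    """Tiny condition grammar: 'and' binds tighter than 'or'; an atom may carry 'not'."""
    def atom(tok: str) -> bool:
        tok = tok.strip()
        return not results[tok[4:]] if tok.startswith("not ") else results[tok]
    return any(all(atom(t) for t in clause.split(" and ")) for clause in condition.split(" or "))


def rule_matches(rule: dict, event: dict) -> bool:
    if event.get("EventID") != CATEGORY_EVENT_ID[rule["logsource"]["category"]]:
        return False  # event comes from a different log source than the rule targets
    det = rule["detection"]
    results = {name: _selection_matches(sel, event) for name, sel in det.items() if name != "condition"}
    return _condition_holds(det["condition"], results)


def run_rules(rules=RULES, events=EVENTS) -> list:
    """Return (rule title, event index) for every rule/event pair that fires."""
    return [(r["title"], i) for i, e in enumerate(events) for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for title, idx in run_rules():
        print(f"[{title}] fired on event {idx}: {EVENTS[idx]}")
```

Events 0, 2 and 4 fire, one per rule; the benign look-alikes (a text file in Temp, cmd.exe started by explorer.exe, a browser connection) do not. In a real deployment the same three rules would be saved as YAML files with exactly these keys and converted to the SIEM's query language with the Sigma CLI. Note the matching caveats the matcher makes visible: comparisons are case-insensitive, an absent field never matches, and a bare |endswith on a domain also matches any longer name ending in that string, so anchor with a leading dot or an exact value when that matters.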
Sigma Resources
Documentation: Sigma Specification
Community Rules: SigmaHQ Rules
References and Additional Resources
Yara Documentation: YARA Rules
Sigma Documentation: Sigma Rules
DFIR Report: YARA and Sigma Rules by DFIR