Hunting Evil with YARA (Windows Edition)

Overview

Using YARA on Windows systems is effective for identifying threats on disk and in memory.

Connect to Target System:
- Launch the target system.
- Use RDP to connect with provided credentials.

Hunting for Malicious Executables on Disk

Sample File: dharma_sample.exe located in C:\Samples\YARASigma.
Hex Analysis: Using HxD to inspect strings like C:\crysis\Release\PDB\payload.pdb and sssssbsss.
YARA Rule Example: Detecting patterns in malicious executables.

rule ransomware_dharma {
    meta:
        author = "Madhukar Raina"
        version = "1.0"
        description = "Detect strings from Dharma ransomware"
        reference = "https://www.virustotal.com"

    strings:
        $string_pdb = { 433A5C6372797369735C52656C656173655C5044425C7061796C6F61642E706462 }
        $string_ssss = { 73 73 73 73 73 62 73 73 73 }

    condition: all of them
}

Command to Execute YARA Scan on Files

yara64.exe -s C:\Rules\yara\dharma_ransomware.yar C:\Samples\YARASigma\ -r 2>null

Detected Files: pdf_reader.exe, microsoft.com, check_updates.exe, KB5027505.exe.

Hunting for Malware in Running Processes

Target Process: Example with meterpreter shellcode injection.
YARA Rule for Metasploit Meterpreter:

rule meterpreter_reverse_tcp_shellcode {
    meta:
        author = "FDD @ Cuckoo sandbox"
        description = "Metasploit meterpreter reverse tcp shellcode"

    strings:
        $s1 = { fce8 8?00 0000 60 }
        $s2 = { 648b ??30 }
        $s3 = { 4c77 2607 }
        $s4 = "ws2_"
        $s5 = { 2980 6b00 }
        $s6 = { ea0f dfe0 }
        $s7 = { 99a5 7461 }

    condition: 5 of them
}

Scanning Active Processes

Get-Process | ForEach-Object { "Scanning with Yara for meterpreter shellcode on PID "+$_.id; & "yara64.exe" "C:\Rules\yara\meterpreter_shellcode.yar" $_.id }

Result: Detects shellcode in process PID 9084.

Hunting for Evil Within ETW Data with YARA

Key ETW Providers

Microsoft-Windows-Kernel-Process: Tracks process activities.
Microsoft-Windows-Kernel-File: Monitors file operations.
Microsoft-Windows-DNS-Client: Logs DNS activity (useful for C2 detection).

YARA and SilkETW Integration Example

PowerShell ETW Provider:

.\SilkETW.exe -t user -pn Microsoft-Windows-PowerShell -ot file -p ./etw_ps_logs.json -l verbose -y C:\Rules\yara -yo Matches

YARA Rule for PowerShell Strings:

rule powershell_hello_world_yara {
    strings:
        $s0 = "Write-Host" ascii wide nocase
        $s1 = "Hello" ascii wide nocase
        $s2 = "from" ascii wide nocase
        $s3 = "PowerShell" ascii wide nocase
    condition: 3 of ($s*)
}

DNS Client Provider:

.\SilkETW.exe -t user -pn Microsoft-Windows-DNS-Client -ot file -p ./etw_dns_logs.json -l verbose -y C:\Rules\yara -yo Matches

YARA Rule for Wannacry Domain:

rule dns_wannacry_domain {
    strings:
        $s1 = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii wide nocase
    condition: $s1
}

PreviousDeveloping YARA Rules NextHunting Evil with YARA (Linux Edition)

Last updated 1 month ago

hashtagOverview

hashtagHunting for Malicious Executables on Disk

hashtagCommand to Execute YARA Scan on Files

hashtagHunting for Malware in Running Processes

hashtagScanning Active Processes

hashtagHunting for Evil Within ETW Data with YARA

hashtagKey ETW Providers

hashtagYARA and SilkETW Integration Example

Overview

Hunting for Malicious Executables on Disk

Command to Execute YARA Scan on Files

Hunting for Malware in Running Processes

Scanning Active Processes

Hunting for Evil Within ETW Data with YARA

Key ETW Providers

YARA and SilkETW Integration Example