First and foremost, I would like to thank Gerald Auger from Simply Cyber for creating an incredibly informative YouTube video featuring SOC expert Eric Capuano. It was through Auger’s video that I discovered Eric’s remarkable blog post titled “So You Want to Be a SOC Analyst?” I am truly grateful for their valuable insights and guidance, as they played a significant role in helping me build this lab. Here’s the link if you’d rather follow along: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro
Automated YARA Scanning
The goal of this post is to take advantage of the advanced capabilities of our EDR by incorporating YARA scanning, automating the scanning of files and processes against YARA signatures to detect malware.
What is YARA?
YARA is a tool used to identify and classify malware based on binary and textual patterns. It allows security researchers to craft rules that describe unique strings or behaviors of specific malware families. These rules can be applied to files, processes, or even network traffic to detect potential threats. When inspecting a compromised system, YARA helps sift through large amounts of data to find malicious content by matching it against a set of predefined rules.
YARA was created by malware researcher Victor M. Alvarez while working for his previous employer, which was associated with the VirusTotal service. Due to its effectiveness and utility, YARA was released as an open-source tool and quickly became a popular malware research tool within the cybersecurity industry. Over the years it became the standard for malware research, threat hunting, and incident response, thanks to the active community that grew around it.
There are a ton of open-source YARA scanners and rulesets. Read more about YARA from VirusTotal or explore one of the many open-source YARA rulesets. A solid premium ruleset is the one maintained by Nextron Systems.
Let’s put it into action!
We are going to use our LimaCharlie instance to watch file system and process events and have those events trigger YARA scans.
Add a YARA Signature for our C2 Payload
Since we are going to be using our Sliver C2 payload, we can create a signature that looks specifically for it. Luckily, the good folks at the UK National Cyber Security Centre published some fantastic intel on Sliver, including YARA signatures and other useful detections. The only downside is that it’s all crammed into this PDF, making it difficult to extract manually; luckily this guide makes it simple!
- NOTE: If you encounter a permission error on this page, no worries, it’s an easy fix.
- On the left side menu, click “Access Management” > “Users & Roles”
- Click your username (likely your email address)
- Toggle “ON” the “Select All” at the top right of the permissions list to give yourself all permissions
- Scroll down and click “Update Permissions & Close”
- Proceed back to “Automation” > “YARA Rules” and continue to the next step.
Within LimaCharlie, browse to “Automation” > “YARA Rules”
Click “Add Yara Rule” on the right
Name the rule “Sliver“
Copy and paste the contents of this gist into the Rule block; it should look like the screenshot below:
Scroll down and click “Save Rule”
- Now create one more YARA rule that we’ll use later on for a more specific purpose; I’ll explain why later in the post.
- Name the rule “sliver-process”
- Copy and paste the contents of this gist into the Rule block.
- Scroll down and click “Save Rule”
Now, before we use these YARA rules, we want to set up a few generic D&R rules that will generate alerts whenever a YARA detection occurs.
- Browse to “Automation” > “D&R Rules”
- Create a new rule
- In the Detect block, paste the following:
event: YARA_DETECTION
op: and
rules:
  - not: true
    op: exists
    path: event/PROCESS/*
  - op: exists
    path: event/RULE_NAME
Notice that we’re detecting YARA detections that do not involve a PROCESS object; those will get their own rule shortly.
In the Respond block, paste the following:
- action: report
  name: YARA Detection {{ .event.RULE_NAME }}
- action: add tag
  tag: yara_detection
  ttl: 80000
Save the rule and title it “YARA Detection”
Create another rule
In the Detect block, paste the following:
event: YARA_DETECTION
op: and
rules:
  - op: exists
    path: event/RULE_NAME
  - op: exists
    path: event/PROCESS/*
Notice that this detection is looking for YARA detections that specifically involve a PROCESS object.
In the Respond block, paste the following:
- action: report
  name: YARA Detection in Memory {{ .event.RULE_NAME }}
- action: add tag
  tag: yara_detection_memory
  ttl: 80000
Save the rule and name it “YARA Detection in Memory“
Let’s test our new YARA signature
Since we already have a Sliver implant sitting in the Downloads folder on our Windows VM, we can test our signature by starting a manual YARA scan using the EDR sensor. This gives us a proper check that we have been following along correctly up to this point.
In LimaCharlie, browse to the “Sensors List” and click on our Windows VM sensor
Access the EDR Sensor Console which allows us to run sensor commands against this endpoint
Run the following command to kick off a manual YARA scan of our Sliver payload. You will need to know the name of your Sliver executable created in Part 2 – Step 3.
Replace [payload_name] with your actual payload name
yara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exe
Hit the enter key twice to execute this command
It should look like mine below, indicating a positive hit on one of the signatures contained within the Sliver YARA rule.
Now let’s confirm that we have a new detection by clicking the “Detections” tab on the left-hand side
If you’ve been able to get to this point, we’re ready to automate this process!
Automatically YARA scan downloaded EXE files
- Browse to “Automation” > “D&R Rules”
- Create a new rule
- In the Detect block, paste the following:
event: NEW_DOCUMENT
op: and
rules:
  - op: starts with
    path: event/FILE_PATH
    value: C:\Users\
  - op: contains
    path: event/FILE_PATH
    value: \Downloads\
  - op: ends with
    path: event/FILE_PATH
    value: .exe
Notice that this detection is simply looking for new .exe files appearing in any user’s Downloads directory.
In the Respond block, paste the following:
- action: report
  name: EXE dropped in Downloads directory
- action: task
  command: yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}"
  investigation: Yara Scan Exe
  suppression:
    is_global: false
    keys:
      - '{{ .event.FILE_PATH }}'
      - Yara Scan Exe
    max_count: 1
    period: 1m
This response action generates an alert for the EXE creation, but more importantly, kicks off a YARA scan using the Sliver signature against the newly created EXE.
Save this rule and title it “YARA Scan Downloaded EXE“
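To see exactly which events the three detect blocks above would fire on, here is an added example (not code from the original post, and not LimaCharlie’s engine) that re-implements just the operators those rules use: and, exists, not, starts with, contains and ends with. The event envelopes, paths and process IDs are constructed samples in the shape the rule paths expect (routing/event_type for the event type, event/… for the fields).

```python
"""
Offline model of the LimaCharlie D&R detect logic used by the three rules
above (YARA Detection, YARA Detection in Memory, YARA Scan Downloaded EXE).
This is an added educational re-implementation of only the operators those
rules use, not LimaCharlie's engine. All events below are constructed.
"""


def _resolve(obj, parts):
    """Yield every value reachable by following an 'a/b/c' path; '*' matches any child."""
    if not parts:
        yield obj
        return
    head, rest = parts[0], parts[1:]
    if not isinstance(obj, dict):
        return
    children = list(obj.values()) if head == "*" else ([obj[head]] if head in obj else [])
    for child in children:
        yield from _resolve(child, rest)


def evaluate(rule, envelope):
    """Return True if a detect block (or nested sub-rule) matches the event envelope."""
    op = rule["op"]
    if op == "and":
        result = all(evaluate(sub, envelope) for sub in rule["rules"])
    elif op == "or":
        result = any(evaluate(sub, envelope) for sub in rule["rules"])
    else:
        values = list(_resolve(envelope, rule["path"].split("/")))
        if op == "exists":
            result = bool(values)
        else:
            # String operators are case-sensitive here, as they are by default in LimaCharlie.
            text = rule["value"]
            strings = [v for v in values if isinstance(v, str)]
            if op == "starts with":
                result = any(s.startswith(text) for s in strings)
            elif op == "contains":
                result = any(text in s for s in strings)
            elif op == "ends with":
                result = any(s.endswith(text) for s in strings)
            else:
                raise ValueError(f"unsupported op: {op}")
    # 'not: true' inverts the operator it sits on
    return not result if rule.get("not") else result


# The three detect blocks from this post, as Python dicts
RULES = {
    "YARA Detection": {
        "event": "YARA_DETECTION", "op": "and", "rules": [
            {"not": True, "op": "exists", "path": "event/PROCESS/*"},
            {"op": "exists", "path": "event/RULE_NAME"},
        ]},
    "YARA Detection in Memory": {
        "event": "YARA_DETECTION", "op": "and", "rules": [
            {"op": "exists", "path": "event/RULE_NAME"},
            {"op": "exists", "path": "event/PROCESS/*"},
        ]},
    "YARA Scan Downloaded EXE": {
        "event": "NEW_DOCUMENT", "op": "and", "rules": [
            {"op": "starts with", "path": "event/FILE_PATH", "value": "C:\\Users\\"},
            {"op": "contains", "path": "event/FILE_PATH", "value": "\\Downloads\\"},
            {"op": "ends with", "path": "event/FILE_PATH", "value": ".exe"},
        ]},
}


def matching_rules(envelope):
    """Names of the rules whose event type and detect block both match."""
    event_type = envelope["routing"]["event_type"]
    return [name for name, rule in RULES.items()
            if rule["event"] == event_type and evaluate(rule, envelope)]


def make_event(event_type, **fields):
    """Build a constructed event envelope in the shape the rule paths expect."""
    return {"routing": {"event_type": event_type}, "event": dict(fields)}


# Constructed sample events (not real telemetry)
SAMPLES = {
    "file_hit": make_event("YARA_DETECTION", RULE_NAME="sliver",
                           FILE_PATH=r"C:\Users\User\Downloads\payload.exe"),
    "memory_hit": make_event("YARA_DETECTION", RULE_NAME="sliver-process",
                             PROCESS={"PROCESS_ID": 4242,
                                      "FILE_PATH": r"C:\Users\User\Downloads\payload.exe"}),
    "exe_in_downloads": make_event("NEW_DOCUMENT",
                                   FILE_PATH=r"C:\Users\User\Downloads\payload.exe"),
    "exe_in_documents": make_event("NEW_DOCUMENT",
                                   FILE_PATH=r"C:\Users\User\Documents\payload.exe"),
    "uppercase_extension": make_event("NEW_DOCUMENT",
                                      FILE_PATH=r"C:\Users\User\Downloads\PAYLOAD.EXE"),
}

if __name__ == "__main__":
    for label, envelope in SAMPLES.items():
        print(f"{label:22} -> {matching_rules(envelope)}")
```

Two things worth noticing from the output: the two YARA_DETECTION rules are mutually exclusive, because the only difference between them is `not: true` on the PROCESS/* check, so a single detection can never raise both alerts; and the Downloads rule is case-sensitive, so a file named PAYLOAD.EXE slips past the `.exe` check. LimaCharlie’s string operators accept a `case sensitive: false` parameter if you want to close that gap.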
Automatically YARA scan processes launched from Downloads directory
- Browse to “Automation” > “D&R Rules”
- Create a new rule
- In the Detect block, paste the following:
event: NEW_PROCESS
op: and
rules:
  - op: starts with
    path: event/FILE_PATH
    value: C:\Users\
  - op: contains
    path: event/FILE_PATH
    value: \Downloads\
This rule matches any process that is launched from a user’s Downloads directory.
In the Respond block, paste the following:
- action: report
  name: Execution from Downloads directory
- action: task
  command: yara_scan hive://yara/sliver-process --pid "{{ .event.PROCESS_ID }}"
  investigation: Yara Scan Process
  suppression:
    is_global: false
    keys:
      - '{{ .event.PROCESS_ID }}'
      - Yara Scan Process
    max_count: 1
    period: 1m
Notice that in this rule we’re no longer scanning the FILE_PATH but the actual running process, by specifying its PROCESS_ID. We are also now using the other YARA rule we created, sliver-process.
Save the rule and title it: YARA Scan Process Launched from Downloads
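Both task actions above carry a `suppression` block, and it matters more than it looks: a single file write or process start can produce more than one event, and without suppression each one would queue another yara_scan on the sensor. The following added example (not code from the original post or from LimaCharlie) models that block as a sliding-window counter keyed by the rendered `keys`, scoped per sensor because `is_global` is false. The sensor IDs, paths and timestamps are constructed.

```python
"""
Offline model of the `suppression` block attached to the yara_scan task
actions above: at most `max_count` tasks per `period` for the same rendered
keys, scoped per sensor when is_global is false. Added illustration, not
LimaCharlie code; the event stream below is constructed.
"""
from collections import deque

# The suppression spec and command from the "YARA Scan Downloaded EXE" rule
SUPPRESSION = {"is_global": False,
               "keys": ["{{ .event.FILE_PATH }}", "Yara Scan Exe"],
               "max_count": 1, "period": "1m"}
COMMAND = 'yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}"'


def period_seconds(period):
    """Convert a D&R period string such as '1m' or '30s' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600}
    return int(period[:-1]) * units[period[-1]]


def render(template, event):
    """Substitute {{ .event.FIELD }} placeholders with values from the event."""
    out = template
    for field, value in event.items():
        out = out.replace("{{ .event.%s }}" % field, str(value))
    return out


class Suppressor:
    """Sliding-window counter keyed by (scope, rendered keys)."""

    def __init__(self, spec):
        self.is_global = spec["is_global"]
        self.max_count = spec["max_count"]
        self.period = period_seconds(spec["period"])
        self.key_templates = spec["keys"]
        self.history = {}  # (scope, keys) -> deque of timestamps in the window

    def allow(self, sensor_id, event, now):
        """True if a task for this event may be issued; records it if so."""
        scope = "global" if self.is_global else sensor_id
        keys = tuple(render(k, event) for k in self.key_templates)
        window = self.history.setdefault((scope, keys), deque())
        while window and now - window[0] >= self.period:
            window.popleft()  # drop hits older than the period
        if len(window) >= self.max_count:
            return False
        window.append(now)
        return True


def issue_tasks(stream, spec=SUPPRESSION, command=COMMAND):
    """Replay (time, sensor_id, event) tuples; return the tasks that survive suppression."""
    sup = Suppressor(spec)
    issued = []
    for now, sensor_id, event in stream:
        if sup.allow(sensor_id, event, now):
            issued.append((now, sensor_id, render(command, event)))
    return issued


# Constructed NEW_DOCUMENT stream (seconds, sensor, event fields)
PATH_A = r"C:\Users\User\Downloads\payload.exe"
PATH_B = r"C:\Users\User\Downloads\other.exe"
STREAM = [
    (0, "sensor-A", {"FILE_PATH": PATH_A}),    # first write: scan
    (2, "sensor-A", {"FILE_PATH": PATH_A}),    # duplicate event: suppressed
    (3, "sensor-B", {"FILE_PATH": PATH_A}),    # other sensor: its own budget
    (30, "sensor-A", {"FILE_PATH": PATH_B}),   # different path: its own key
    (65, "sensor-A", {"FILE_PATH": PATH_A}),   # period elapsed: scan again
]

if __name__ == "__main__":
    for t, sensor, cmd in issue_tasks(STREAM):
        print(f"t={t:>3}s {sensor}: {cmd}")
```

Running it issues four tasks out of five events: the duplicate write at t=2s is the only one dropped. Because the path is part of the key, a second, different EXE landing in Downloads still gets its own scan, and once the one-minute window passes the same path is scanned again, which is the behaviour you want if the file is overwritten later.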
Let’s trigger our new rules!
Scanning New EXEs in Downloads
We will simulate this situation by simply moving the Sliver payload to another location and then putting it back into C:\Users\User\Downloads
Run the following PowerShell command to move your Sliver payload from Downloads to Documents
- Replace [payload_name] with your actual payload name
Move-Item -Path C:\Users\User\Downloads\[payload_name].exe -Destination C:\Users\User\Documents\[payload_name].exe
Now, put it back to generate the NEW_DOCUMENT event for an EXE being dropped into the Downloads folder
Replace [payload_name] with your actual payload name
Move-Item -Path C:\Users\User\Documents\[payload_name].exe -Destination C:\Users\User\Downloads\[payload_name].exe
Head over to your Detections tab and see what happened!
- It may take a moment or so, maybe a refresh, to see the new detections
- We should see an initial alert for “EXE dropped in Downloads directory”, followed shortly by a YARA detection once the scan kicked off and found Sliver inside the EXE
- If you do not see these detections, pop into the Timeline of your system, search for the payload name and make sure you have NEW_DOCUMENT events showing the move from Documents → Downloads
Scanning processes launched from Downloads
Now let’s test our NEW_PROCESS rule to scan running processes launched from Downloads
Launch an Administrative PowerShell prompt
- First, let’s kill any existing instances of our Sliver C2 from previous labs
- Replace [payload_name] with your actual payload name WITHOUT .exe; for instance, if your payload name is STRIKING_PASSION.exe, just use STRIKING_PASSION in this command
Get-Process [payload_name] | Stop-Process
If you get an error, either you didn’t have one running (which is fine), or you messed up the [payload_name] part.
Execute your Sliver payload to create the NEW_PROCESS event we need to trigger the scanning of a process launched from the Downloads directory
C:\Users\User\Downloads\[payload_name].exe
Head over to Detections again and see what happened!
We should see an initial alert for “Execution from Downloads directory”, followed shortly by a “YARA Detection in Memory” once the scan kicked off and found Sliver inside the EXE
If you got this far! You’ve crushed it! 🙂
Keep Learning! Don’t stop here!
- Scan new files in web server wwwroot directories for webshells
- Scan suspicious rundll32 processes for CobaltStrike
- Automatically terminate processes or delete files matching a YARA detection🔥
These are some ideas to start with, but there’s no limit to what you can do; it’s just a matter of researching and figuring it out on your own. As a SOC analyst you’re going to do a lot of troubleshooting, malware research and reverse engineering.
Now go find evil. Remember be Legendary!