Malware News
The latest NEWS about malwares, DFIR, hacking, security issues, thoughts and ...
Using yara rules in a large scale enterprise
I've always wondered how yara rules could be used in a large scale enterprise to detect malware.

I understand the premise of yara rules and how they work, and understand how individual files can be scanned using a number of yara rules each designed to detect a specific piece of malware, or how an individual yara rule can be run against a large number of files - but I do not understand how this can be used at scale in a large, segmented network.

I've read that sigma rules can be integrated into azure sentinel and threat hunts performed where logs are aggregated there but does anyone know if similar functionality exists for yara rules? Or whether there are other industry best practices that should be used?
🗣JoeBeOneKenobi

Velociraptor can do yara scans on the hosts in mass. Other tools that let you interrogate endpoints may have this capability as well.

Kansa might, or you could probably build a module that will allow you to do it.
👤jumpinjelly789

I've seen YARA pitched as a detection capability (implying enterprise-wide) but rarely see orgs using it that way. Here are a couple notes/resources I've been compiling around this.

If your org uses an internal sandbox, you could run the YARA rules there for malware classification and maybe provide leads for further hunting.

One way to "use" YARA without actually deploying rules at scale is to take advantage of feeds of IOCs derived from large-scale YARA scanning (e.g. over VT) and use those IOCs for further correlation/detection/blocking in your own org. See for example the long list of hashes here, and this is just for one of many rules: https://valhalla.nextron-systems.com/info/rule/SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22

Then there are a bunch of apparent ways to scale up YARA deployment, but I can't say I've really seen orgs using many/any of these with success (besides maybe the first couple that rely on commercial capabilities). I'm always reminded of pieces like this that highlight the performance issues of YARA deployment at scale.

I recall seeing a few EDR that can apparently run their own or in some cases user-submitted YARA at scale (Tanium, CB, Cybereason), even SOAR (XSOAR). Sorry I don't have links handy.
Executing yara with powershell on domain computers
[Loki](https://www.nextron-systems.com/loki/) - Python-based open sourced IOC scanner from the publisher of a large library of yara rules
"YARA as Endpoint" using Go
[YARA-based scanning with osquery](https://osquery.readthedocs.io/en/stable/deployment/yara/)
How to integrate YARA with Wazuh
[Using YARA rules in ClamAV](https://www.clamav.net/documents/using-yara-rules-in-clamav)
A large repository of other tools
👤Trop_Chaud

Stream files extracted from Zeek to something that will process them through YARA, and then put the results in a SIEM
👤toop4
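The pipeline described in the last two replies (files carved by Zeek, scanned with YARA, results pushed to a SIEM) needs a small glue step that nobody above spells out: turning YARA's one-match-per-line output into structured events. This is an added example, not code from any of the posters or from the tools they list. It assumes `yara -g -r` output (rule name, optional `[tags]`, path) and Zeek's default extracted-file naming `extract-<last_active>-<source>-<fuid>`, so that the Zeek file ID can be recovered and joined against `files.log` in the SIEM; the sample output lines are constructed.

```python
"""Convert `yara -g -r rules.yar <extract_dir>` output into SIEM-ready JSON events."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One yara match per line: "<rule> [<tag>,<tag>] <path>"; the [tags] part only appears with -g.
YARA_LINE = re.compile(r"^(?P<rule>\S+)(?: \[(?P<tags>[^\]]*)\])? (?P<path>.+)$")
# Zeek's default extract-all-files naming (assumed): extract-<last_active>-<source>-<fuid>
ZEEK_NAME = re.compile(r"extract-(?P<ts>\d+(?:\.\d+)?)-(?P<source>[^-]+)-(?P<fuid>[^/]+)$")


def parse_yara_line(line: str) -> Optional[Dict]:
    """Parse one yara output line into an event dict; None for blank or unrecognised lines."""
    m = YARA_LINE.match(line.strip())
    if not m:
        return None
    event = {
        "rule": m.group("rule"),
        "tags": [t for t in (m.group("tags") or "").split(",") if t],
        "path": m.group("path"),
        "fuid": None,            # Zeek file ID, filled in when the path is a Zeek extract
        "source": None,          # Zeek protocol analyzer that saw the file (HTTP, SMTP, ...)
        "file_last_active": None,
    }
    z = ZEEK_NAME.search(event["path"])
    if z:
        event["fuid"] = z.group("fuid")
        event["source"] = z.group("source")
        ts = datetime.fromtimestamp(float(z.group("ts")), tz=timezone.utc)
        event["file_last_active"] = ts.isoformat()
    return event


def to_siem_events(yara_output: str) -> List[Dict]:
    """All parsable matches from a full yara run, in order."""
    return [ev for ev in map(parse_yara_line, yara_output.splitlines()) if ev]


def to_ndjson(events: List[Dict]) -> str:
    """Newline-delimited JSON, the ingest format most SIEM collectors accept."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Constructed sample: two Zeek-extracted files plus one file from another source (no fuid).
SAMPLE_YARA_OUTPUT = """\
SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22 [rar,office] /data/extract_files/extract-1656000000.123456-HTTP-FmZ6aK1nPq3Yx9Jv6
Generic_Dropper [dropper] /data/extract_files/extract-1656000010.0-SMTP-F1AbCd2EfGh3
Generic_Dropper /opt/sandbox/sample with space.exe
"""

if __name__ == "__main__":
    print(to_ndjson(to_siem_events(SAMPLE_YARA_OUTPUT)))
```

Pipe the output into whatever shipper feeds your SIEM; the `fuid` field is what lets an analyst pivot from the YARA hit back to the connection and HTTP/SMTP transaction Zeek logged for that file.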


🎖@malwr
Encase- Index search issue
Hello,

I have created a .L01 image of a .PST file and need to perform searches. I ran the processor option 'index text and metadata'; the job completed successfully according to Processor Manager. However, when I attempt to search using the index, I get zero hits.

I know for a fact these words appear in the data since I also ran a keyword search through the processor which provided matches. Any ideas what the issue might be?

Thanks!
🗣forvestic

Check the cache folder with the corresponding GUID for your .L01 file and see if it contains a folder called LucenIndex; under that should be a folder called Standard with a bunch of files in it. Check to make sure the files have some kind of size; not all of them will. There are also some .csv files in the main cache folder for that GUID that should basically recreate the data in the performance monitor tabs for the Evidence processor that you could go through to check if the Indexing actually completed. Lastly I would do several raw keyword searches on your data and see if you get hits that way. If you're still having issues, I'd create a tech support case.

I've had issues recently with Encase's evidence processor hanging with one or two items to complete. I would also suggest re-running the process and monitoring it off and on to see if this might be your issue. If it is, definitely create a support case.
👤mkel2010
