Sigma and YARA Rules
- 1. YARA & SIGMA Rules Lionel Faleiro 1
- 2. #WHOAMI • Lionel Faleiro • Practice Lead – Forensics • 10 years experience in IT and Cybersecurity • Key Domains – Malware Analysis, Log Analysis, IR and Security Analytics, Training • Gamer, Photographer • @sandmaxprime
- 3. 3
- 4. Yara 4
- 5. What is YARA? • A detection rule system for files • Based upon defined patterns or characteristics • Developed by Victor Alvarez of Virustotal • Open-Source System which is primarily used for Malware Hunting • Has extension of .YAR • Filtration • Hunting
- 6. Uses of YARA? • Triaging • Memory Analysis • Email Analysis • Back Hunting • Forward Hunting
- 7. Who Uses YARA? • Cuckoo Sandbox • ESET • FireEye • Joe Security
- 8. Who Uses YARA? • Kaspersky Lab • PhishMe • Tenable • LOKI 8
- 9. Writing YARA Rules • Pros: • Easy to Understand • Easily sharable • Cons: • Runs slowly on large number of files • Issues running against files that are packed or having obfuscation • Need to be written manually
- 10. Writing YARA Rules 10 • Each rule consists: • Set of strings • Boolean expressions - Determine the logic for detection
- 11. Writing YARA Rules • Text strings • Hex strings are placed inside parenthesis • Regular expressions are enclosed in backslashes • Yara keywords: • all, and, any, ascii, at, condition, contains, entrypoint, false, filesize, fullword, for, global, in, import, include, int8, int16, int32, matches, meta. nocase, not, or, of, private, rule, strings, them, true, uint8, uint16, uint32, wide. 11
- 12. Writing YARA Rules • condition: • all of ($foo*) • condition: • $foo1 and $foo2 and $foo3 and $foo4 and $foo5 • condition: • $foo1 or $foo2 12
- 14. Hafnium Privileged & Confidential | ©2021, Network Intelligence. All Rights Reserved. 14
- 18. Other Tools
- 19. SIGMA Rules 19
- 20. Log File To Detection Log Files SIEM Search Correlation Manual Analysis
- 21. Sample Events Account Process Windows Application
- 22. Problems • Lots of data available online but in an unstructured format • Manual creation of queries due to different formats in SIEM systems • Mixed Environments
- 23. Unleash SIGMA
- 24. What is SIGMA? • Open-source rule system to be used by SIEM’s • Rule format is a very structured format • Mapped to Log Events • Rules are written in YAML • Open repository present for ules 24
- 25. Use Cases of SIGMA? • Describe the detection methods and make it available. • Invest in generating rules for Sigma and use on many different (e.g. SIEM) systems. • Use Sigma to share the signature with other threat intel communities. 25
- 28. SIGMA Rule Structure • Metadata (id, tags, author, title, references, level) • Scope - Log source • Search Parameters – values, ID • Condition 28
- 30. SIGMAUI
- 31. SIGMAUI
- 32. Hafnium SIGMA 32
- 33. Hafnium SIGMA 33
- 34. Hafnium SIGMA 34
- 35. References • SIGMA Rule Wiki - https://github.com/SigmaHQ/sigma/wiki/Sp ecification • SIGMA Repo - https://github.com/SigmaHQ/sigma • Yara Rules Repo - https://github.com/Yara- Rules/rules • YarGen - https://github.com/Neo23x0/yarGen • Yara Wiki - https://yara.readthedocs.io/en/v3.4.0/writin grules.html