# Part 6 - Automated YARA Scanning ## Automated YARA Scanning ### What is YARA? YARA helps detect malware by using custom rules to find suspicious patterns in files, processes, and network traffic. It's widely used for threat hunting and incident response. ### Implementing YARA Scanning with LimaCharlie #### Setting Up YARA Rules We will prepare our LimaCharlie instance to detect file system and process activities to trigger YARA scans. **Adding a YARA Signature for the Sliver C2 Payload** 1. Navigate to **Automation** > **YARA Rules** in LimaCharlie.

2. Create a new YARA rule: * **Name**: `sliver` * **Rules Block**: Copy and Paste the YARA signature below ⇒
### **Rules** ```yara rule sliver_github_file_paths_function_names { meta: author = "NCSC UK" description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary" strings: $p1 = "/sliver/" $p2 = "sliverpb." $fn1 = "RevToSelfReq" $fn2 = "ScreenshotReq" $fn3 = "IfconfigReq" $fn4 = "SideloadReq" $fn5 = "InvokeMigrateReq" $fn6 = "KillSessionReq" $fn7 = "ImpersonateReq" $fn8 = "NamedPipesReq" condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = "NCSC UK" description = "Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur" strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = "NCSC UK" description = "Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur" strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } ```
* Click **Create** to save the **Rule**.

3. Create another YARA rule: * **Name**: `sliver-process` * **Rule Block**: Copy and Paste the second YARA signature here ⇒ \ \ **Rules** ``` rule sliver_strings { meta: author = "Eric Capuano, inspired by NCSC UK" description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)" strings: $p1 = "/sliver/" $p2 = "sliverpb" condition: all of ($p*) } ``` ###
* Click **Create** to save the **Rule**.

### Setting Up Detection and Response (D\&R) Rules We will configure LimaCharlie to generate alerts when a YARA detection occurs. **Rule 1: YARA Detection** 1. Navigate to **Automation** > **D\&R Rules**. 2. Create a new rule: * **Detect Block**: ```yaml event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAME ``` * **Respond Block**: ```yaml - action: report name: YARA Detection {{ .event.RULE_NAME }} - action: add tag tag: yara_detection ttl: 80000 ``` * Save the rule as **YARA Detection**. **Rule 2: YARA Detection in Memory** 1. Create another rule: * **Detect Block**: ```yaml event: YARA_DETECTION op: and rules: - op: exists path: event/RULE_NAME - op: exists path: event/PROCESS/* ``` * **Respond Block**: ```yaml - action: report name: YARA Detection in Memory {{ .event.RULE_NAME }} - action: add tag tag: yara_detection_memory ttl: 80000 ``` * Save the rule as **YARA Detection in Memory**. ### Testing YARA Scanning Since we know a Sliver implant is in the Downloads folder of our Windows VM, we can verify our YARA signature by running a manual scan with the EDR sensor. This ensures everything is working correctly. ### Manual YARA Scan 1. In LimaCharlie, go to **Sensors List** and **s**elect your Windows VM sensor.

2. Open the **EDR Sensor Console**.

3. Run the following command, replacing `[payload_name]` with your actual payload name from [part-2-detecting-c2-activity](https://osamaa.gitbook.io/osama_homepage/cybersecurity-soc-analyst-labs/home-lab-c2-detection-ransomware-defense-and-yara-automation/part-2-detecting-c2-activity "mention") ```shell yara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exe ``` 4. Press **Enter twice** to run the command.\

5. ### Verify Detection * If successful, you should see output indicating a **positive hit** on one of the Sliver YARA signatures. * Check the **Detections screen** for a new detection event.

**Now we’re ready to automate this process 💪.** ### Automating YARA Scans #### Scanning Downloaded EXEs 1. Create a new D\&R rule:\ \ This rule **detects and scans any process that runs from the Downloads folder**. Since malware is often executed from Downloads, this helps catch potential threats in real time. * **Detect Block**: ```yaml event: NEW_DOCUMENT op: and rules: - op: starts with path: event/FILE_PATH value: C:\Users\ - op: contains path: event/FILE_PATH value: \Downloads\ - op: ends with path: event/FILE_PATH value: .exe ``` * **Respond Block**: ```yaml - action: report name: EXE dropped in Downloads directory - action: task command: >- yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}" investigation: Yara Scan Exe suppression: is_global: false keys: - '{{ .event.FILE_PATH }}' - Yara Scan Exe max_count: 1 period: 1m ``` * Save as **YARA Scan Downloaded EXE**. #### Scanning Processes Launched from Downloads 1. Create a new D\&R rule: * **Detect Block**: ```yaml event: NEW_PROCESS op: and rules: - op: starts with path: event/FILE_PATH value: C:\Users\ - op: contains path: event/FILE_PATH value: \Downloads\ ``` * **Respond Block**: ```yaml - action: report name: Execution from Downloads directory - action: task command: yara_scan hive://yara/sliver-process --pid "{{ .event.PROCESS_ID }}" investigation: Yara Scan Process suppression: is_global: false keys: - '{{ .event.PROCESS_ID }}' - Yara Scan Process max_count: 1 period: 1m ``` * Notice Here : 1. **Previously, we scanned files** (using their file path) when they were downloaded. 2. **Now, we scan running processes** (using their process ID) instead.\ \

#### Why switch to process scanning? * The original YARA rules (from NCSC) **failed to detect Sliver when it was running**. * This is because those rules were designed to match specific file-based patterns, not live processes. * To fix this, the new rule (`sliver-process`) was created, which looks for specific strings inside a running Sliver process. #### How was this verified? * Using LimaCharlie (LC), the analyst extracted strings from a running Sliver process. * Those strings were then used to refine the new YARA rule. * The screenshots confirm that the new rule detects Sliver in memory. #### Final Outcome: This rule ensures that even if Sliver bypasses file-based detection, it **still gets caught when executed**. ### Triggering the Rules #### Simulating EXE Download Since we already have the Sliver payload in Downloads, instead of re-downloading it, we **move it to another folder (Documents)** and then **move it back** to Downloads.\ This simulates a "newly downloaded" EXE.
Move the Sliver payload between directories: ```powershell Move-Item -Path C:\Users\User\Downloads\[payload_name].exe -Destination C:\Users\User\Documents\[payload_name].exe Move-Item -Path C:\Users\User\Documents\[payload_name].exe -Destination C:\Users\User\Downloads\[payload_name].exe ``` Verify detections in the **Detections** tab.\

#### Testing Process Scanning Now this process ensures that any executable file (EXE) launched from the Downloads folder is detected and scanned using YARA.
1. **Open an Admin PowerShell Prompt:** * This is required to run the necessary commands with proper privileges. 2. **Kill Any Existing Sliver C2 Processes:** ```powershell Get-Process [payload_name] | Stop-Process ``` * Execute the Sliver payload: ```shell C:\Users\User\Downloads\[payload_name].exe ```

* Check the **Detections** tab for alerts.

### Conclusion This automated YARA scanning setup allows: * Scanning of newly downloaded EXEs. * Scanning of processes launched from the Downloads directory. * Customizable rules for other threat scenarios.
\ \ **Ready to build your very own SOC Home Lab?** * Follow Eric Capuano’s step-by-step guide here:[ https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro?sd=pf](https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro?sd=pf)