Part 6 - Automated YARA Scanning
Learn how to automate YARA scanning with LimaCharlie for real-time malware detection. This guide covers setting up YARA rules, configuring automated scans, and detecting Sliver C2 implants in files an
Automated YARA Scanning
What is YARA?
YARA helps detect malware by using custom rules to find suspicious patterns in files, processes, and network traffic. It's widely used for threat hunting and incident response.
Implementing YARA Scanning with LimaCharlie
Setting Up YARA Rules
We will prepare our LimaCharlie instance to detect file system and process activities to trigger YARA scans.
Adding a YARA Signature for the Sliver C2 Payload
Navigate to Automation > YARA Rules in LimaCharlie.
Create a new YARA rule:
Name:
sliverRules Block: Copy and Paste the YARA signature below ⇒
Rulesrule sliver_github_file_paths_function_names { meta: author = "NCSC UK" description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary" strings: $p1 = "/sliver/" $p2 = "sliverpb." $fn1 = "RevToSelfReq" $fn2 = "ScreenshotReq" $fn3 = "IfconfigReq" $fn4 = "SideloadReq" $fn5 = "InvokeMigrateReq" $fn6 = "KillSessionReq" $fn7 = "ImpersonateReq" $fn8 = "NamedPipesReq" condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = "NCSC UK" description = "Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur" strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = "NCSC UK" description = "Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur" strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them }
Click Create to save the Rule.
Create another YARA rule:
Name:
sliver-processRule Block: Copy and Paste the second YARA signature here ⇒ Rules
rule sliver_strings { meta: author = "Eric Capuano, inspired by NCSC UK" description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)" strings: $p1 = "/sliver/" $p2 = "sliverpb" condition: all of ($p*) }Click Create to save the Rule.
Setting Up Detection and Response (D&R) Rules
We will configure LimaCharlie to generate alerts when a YARA detection occurs.
Rule 1: YARA Detection
Navigate to Automation > D&R Rules.
Create a new rule:
Detect Block:
event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAMERespond Block:
- action: report name: YARA Detection {{ .event.RULE_NAME }} - action: add tag tag: yara_detection ttl: 80000Save the rule as YARA Detection.
Rule 2: YARA Detection in Memory
Create another rule:
Detect Block:
event: YARA_DETECTION op: and rules: - op: exists path: event/RULE_NAME - op: exists path: event/PROCESS/*Respond Block:
- action: report name: YARA Detection in Memory {{ .event.RULE_NAME }} - action: add tag tag: yara_detection_memory ttl: 80000Save the rule as YARA Detection in Memory.
Testing YARA Scanning
Since we know a Sliver implant is in the Downloads folder of our Windows VM, we can verify our YARA signature by running a manual scan with the EDR sensor. This ensures everything is working correctly.
Manual YARA Scan
In LimaCharlie, go to Sensors List and select your Windows VM sensor.
Open the EDR Sensor Console.
Run the following command, replacing
[payload_name]with your actual payload name from Part 2 - Detecting C2 Activityyara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exePress Enter twice to run the command.
Now we’re ready to automate this process 💪.
Automating YARA Scans
Scanning Downloaded EXEs
Create a new D&R rule: This rule detects and scans any process that runs from the Downloads folder. Since malware is often executed from Downloads, this helps catch potential threats in real time.
Detect Block:
event: NEW_DOCUMENT op: and rules: - op: starts with path: event/FILE_PATH value: C:\Users\ - op: contains path: event/FILE_PATH value: \Downloads\ - op: ends with path: event/FILE_PATH value: .exeRespond Block:
- action: report name: EXE dropped in Downloads directory - action: task command: >- yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}" investigation: Yara Scan Exe suppression: is_global: false keys: - '{{ .event.FILE_PATH }}' - Yara Scan Exe max_count: 1 period: 1mSave as YARA Scan Downloaded EXE.
Scanning Processes Launched from Downloads
Create a new D&R rule:
Detect Block:
event: NEW_PROCESS op: and rules: - op: starts with path: event/FILE_PATH value: C:\Users\ - op: contains path: event/FILE_PATH value: \Downloads\Respond Block:
- action: report name: Execution from Downloads directory - action: task command: yara_scan hive://yara/sliver-process --pid "{{ .event.PROCESS_ID }}" investigation: Yara Scan Process suppression: is_global: false keys: - '{{ .event.PROCESS_ID }}' - Yara Scan Process max_count: 1 period: 1m
Notice Here :
Previously, we scanned files (using their file path) when they were downloaded.
Now, we scan running processes (using their process ID) instead.
Why switch to process scanning?The original YARA rules (from NCSC) failed to detect Sliver when it was running.
This is because those rules were designed to match specific file-based patterns, not live processes.
To fix this, the new rule (
sliver-process) was created, which looks for specific strings inside a running Sliver process.
How was this verified?Using LimaCharlie (LC), the analyst extracted strings from a running Sliver process.
Those strings were then used to refine the new YARA rule.
The screenshots confirm that the new rule detects Sliver in memory.
Final Outcome:This rule ensures that even if Sliver bypasses file-based detection, it still gets caught when executed.
Triggering the Rules
Simulating EXE Download
Since we already have the Sliver payload in Downloads, instead of re-downloading it, we move it to another folder (Documents) and then move it back to Downloads. This simulates a "newly downloaded" EXE.
Move the Sliver payload between directories:
Move-Item -Path C:\Users\User\Downloads\[payload_name].exe -Destination C:\Users\User\Documents\[payload_name].exe
Move-Item -Path C:\Users\User\Documents\[payload_name].exe -Destination C:\Users\User\Downloads\[payload_name].exeVerify detections in the Detections tab.
Testing Process Scanning
Now this process ensures that any executable file (EXE) launched from the Downloads folder is detected and scanned using YARA.
Open an Admin PowerShell Prompt:
This is required to run the necessary commands with proper privileges.
Kill Any Existing Sliver C2 Processes:
Get-Process [payload_name] | Stop-ProcessExecute the Sliver payload:
C:\Users\User\Downloads\[payload_name].exe
Check the Detections tab for alerts.
Conclusion
This automated YARA scanning setup allows:
Scanning of newly downloaded EXEs.
Scanning of processes launched from the Downloads directory.
Customizable rules for other threat scenarios.
Ready to build your very own SOC Home Lab?
Follow Eric Capuano’s step-by-step guide here: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro?sd=pf
Last updated