Part 6 - Automated YARA Scanning

Learn how to automate YARA scanning with LimaCharlie for real-time malware detection. This guide covers setting up YARA rules, configuring automated scans, and detecting Sliver C2 implants in files an

Automated YARA Scanning

What is YARA?

YARA helps detect malware by using custom rules to find suspicious patterns in files, processes, and network traffic. It's widely used for threat hunting and incident response.

Implementing YARA Scanning with LimaCharlie

Setting Up YARA Rules

We will prepare our LimaCharlie instance to detect file system and process activities to trigger YARA scans.

Adding a YARA Signature for the Sliver C2 Payload

1. Navigate to Automation > YARA Rules in LimaCharlie.

   
2. Create a new YARA rule:

   • Name: sliver

   • Rules Block: Copy and Paste the YARA signature below ⇒

     Rules

     rule sliver_github_file_paths_function_names {
       meta:
         author = "NCSC UK"
         description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
       strings:
         $p1 = "/sliver/"
         $p2 = "sliverpb."
         $fn1 = "RevToSelfReq"
         $fn2 = "ScreenshotReq"
         $fn3 = "IfconfigReq"
         $fn4 = "SideloadReq"
         $fn5 = "InvokeMigrateReq"
         $fn6 = "KillSessionReq"
         $fn7 = "ImpersonateReq"
         $fn8 = "NamedPipesReq"
       condition:
         (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*))
     }
     
     rule sliver_proxy_isNotFound_retn_cmp_uniq {
       meta:
         author = "NCSC UK"
         description = "Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur"
       strings:
         $ = {C644241800C381F9B3B5E9B2}
         $ = {8B481081F90CAED682}
       condition:
         (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
     }
     
     rule sliver_nextCCServer_calcs {
       meta:
         author = "NCSC UK"
         description = "Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur"
       strings:
         $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308}
       condition:
         (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
     }

   • Click Create to save the Rule.

     
3. Create another YARA rule:

   • Name: sliver-process

   • Rule Block: Copy and Paste the second YARA signature here ⇒ Rules

     rule sliver_strings {
       meta:
         author = "Eric Capuano, inspired by NCSC UK"
         description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
       strings:
         $p1 = "/sliver/"
         $p2 = "sliverpb"
       condition:
         all of ($p*)
     }

   • Click Create to save the Rule.

     

Setting Up Detection and Response (D&R) Rules

We will configure LimaCharlie to generate alerts when a YARA detection occurs.

Rule 1: YARA Detection

1. Navigate to Automation > D&R Rules.

2. Create a new rule:

   • Detect Block:

     event: YARA_DETECTION
     op: and
     rules:
       - not: true
         op: exists
         path: event/PROCESS/*
       - op: exists
         path: event/RULE_NAME

   • Respond Block:

     - action: report
       name: YARA Detection {{ .event.RULE_NAME }}
     - action: add tag
       tag: yara_detection
       ttl: 80000

   • Save the rule as YARA Detection.

Rule 2: YARA Detection in Memory

1. Create another rule:

   • Detect Block:

     event: YARA_DETECTION
     op: and
     rules:
       - op: exists
         path: event/RULE_NAME
       - op: exists
         path: event/PROCESS/*

   • Respond Block:

     - action: report
       name: YARA Detection in Memory {{ .event.RULE_NAME }}
     - action: add tag
       tag: yara_detection_memory
       ttl: 80000

   • Save the rule as YARA Detection in Memory.

Testing YARA Scanning

Since we know a Sliver implant is in the Downloads folder of our Windows VM, we can verify our YARA signature by running a manual scan with the EDR sensor. This ensures everything is working correctly.

Manual YARA Scan

1. In LimaCharlie, go to Sensors List and select your Windows VM sensor.

   
2. Open the EDR Sensor Console.

   
3. Run the following command, replacing [payload_name] with your actual payload name from Part 2 - Detecting C2 Activity

   yara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exe

4. Press Enter twice to run the command.

   
5. Verify Detection

   • If successful, you should see output indicating a positive hit on one of the Sliver YARA signatures.

   • Check the Detections screen for a new detection event.

     

Now we’re ready to automate this process 💪.

Automating YARA Scans

Scanning Downloaded EXEs

1. Create a new D&R rule: This rule detects and scans any process that runs from the Downloads folder. Since malware is often executed from Downloads, this helps catch potential threats in real time.

   • Detect Block:

     event: NEW_DOCUMENT
     op: and
     rules:
       - op: starts with
         path: event/FILE_PATH
         value: C:\Users\
       - op: contains
         path: event/FILE_PATH
         value: \Downloads\
       - op: ends with
         path: event/FILE_PATH
         value: .exe

   • Respond Block:

     - action: report
       name: EXE dropped in Downloads directory
     - action: task
       command: >-
         yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}"
       investigation: Yara Scan Exe
       suppression:
         is_global: false
         keys:
           - '{{ .event.FILE_PATH }}'
           - Yara Scan Exe
         max_count: 1
         period: 1m

   • Save as YARA Scan Downloaded EXE.

Scanning Processes Launched from Downloads

1. Create a new D&R rule:

   • Detect Block:

     event: NEW_PROCESS
     op: and
     rules:
       - op: starts with
         path: event/FILE_PATH
         value: C:\Users\
       - op: contains
         path: event/FILE_PATH
         value: \Downloads\

   • Respond Block:

     - action: report
       name: Execution from Downloads directory
     - action: task
       command: yara_scan hive://yara/sliver-process --pid "{{ .event.PROCESS_ID }}"
       investigation: Yara Scan Process
       suppression:
         is_global: false
         keys:
           - '{{ .event.PROCESS_ID }}'
           - Yara Scan Process
         max_count: 1
         period: 1m

   • Notice Here :

     1. Previously, we scanned files (using their file path) when they were downloaded.

     2. Now, we scan running processes (using their process ID) instead.

        

     

     

     

     Why switch to process scanning?

     • The original YARA rules (from NCSC) failed to detect Sliver when it was running.

     • This is because those rules were designed to match specific file-based patterns, not live processes.

     • To fix this, the new rule (sliver-process) was created, which looks for specific strings inside a running Sliver process.

     How was this verified?

     • Using LimaCharlie (LC), the analyst extracted strings from a running Sliver process.

     • Those strings were then used to refine the new YARA rule.

     • The screenshots confirm that the new rule detects Sliver in memory.

     Final Outcome:

     This rule ensures that even if Sliver bypasses file-based detection, it still gets caught when executed.

Triggering the Rules

Simulating EXE Download

Since we already have the Sliver payload in Downloads, instead of re-downloading it, we move it to another folder (Documents) and then move it back to Downloads. This simulates a "newly downloaded" EXE.

Move the Sliver payload between directories:

Move-Item -Path C:\Users\User\Downloads\[payload_name].exe -Destination C:\Users\User\Documents\[payload_name].exe
Move-Item -Path C:\Users\User\Documents\[payload_name].exe -Destination C:\Users\User\Downloads\[payload_name].exe

Verify detections in the Detections tab.

Testing Process Scanning

Now this process ensures that any executable file (EXE) launched from the Downloads folder is detected and scanned using YARA.

1. Open an Admin PowerShell Prompt:

   • This is required to run the necessary commands with proper privileges.

2. Kill Any Existing Sliver C2 Processes:

   Get-Process [payload_name] | Stop-Process

   • Execute the Sliver payload:

     C:\Users\User\Downloads\[payload_name].exe

   

   • Check the Detections tab for alerts.

     

Conclusion

This automated YARA scanning setup allows:

• Scanning of newly downloaded EXEs.

• Scanning of processes launched from the Downloads directory.

• Customizable rules for other threat scenarios.

Ready to build your very own SOC Home Lab?

• Follow Eric Capuano’s step-by-step guide here: https://blog.ecapuano.com/p/so-you-want-to-be-a-soc-analyst-intro?sd=pf