Part 6 - Automated YARA Scanning

Learn how to automate YARA scanning with LimaCharlie for real-time malware detection. This guide covers setting up YARA rules, configuring automated scans, and detecting Sliver C2 implants in files an

PreviousPart 5 - Reducing False Positives NextAutomation Lab - Home Project

Last updated 3 months ago

Part 6 - Automated YARA Scanning

Automated YARA Scanning

What is YARA?

YARA helps detect malware by using custom rules to find suspicious patterns in files, processes, and network traffic. It's widely used for threat hunting and incident response.

Implementing YARA Scanning with LimaCharlie

Setting Up YARA Rules

We will prepare our LimaCharlie instance to detect file system and process activities to trigger YARA scans.

Adding a YARA Signature for the Sliver C2 Payload

Navigate to Automation > YARA Rules in LimaCharlie.

Create a new YARA rule:

Name: sliver

Rules Block: Copy and Paste the YARA signature below ⇒

Rules

rule sliver_github_file_paths_function_names {
  meta:
    author = "NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on paths and function names within the binary"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb."
    $fn1 = "RevToSelfReq"
    $fn2 = "ScreenshotReq"
    $fn3 = "IfconfigReq"
    $fn4 = "SideloadReq"
    $fn5 = "InvokeMigrateReq"
    $fn6 = "KillSessionReq"
    $fn7 = "ImpersonateReq"
    $fn8 = "NamedPipesReq"
  condition:
    (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*))
}

rule sliver_proxy_isNotFound_retn_cmp_uniq {
  meta:
    author = "NCSC UK"
    description = "Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur"
  strings:
    $ = {C644241800C381F9B3B5E9B2}
    $ = {8B481081F90CAED682}
  condition:
    (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
}

rule sliver_nextCCServer_calcs {
  meta:
    author = "NCSC UK"
    description = "Detects Sliver implant framework based on instructions from the nextCCServer function. False positives may occur"
  strings:
    $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308}
  condition:
    (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them
}

Click Create to save the Rule.

Create another YARA rule:

Name: sliver-process

Rule Block: Copy and Paste the second YARA signature here ⇒ Rules

rule sliver_strings {
  meta:
    author = "Eric Capuano, inspired by NCSC UK"
    description = "Detects Sliver Windows and Linux implants based on obvious strings within - not tested at scale, but it's probably good :)"
  strings:
    $p1 = "/sliver/"
    $p2 = "sliverpb"
  condition:
    all of ($p*)
}

Click Create to save the Rule.

Setting Up Detection and Response (D&R) Rules

We will configure LimaCharlie to generate alerts when a YARA detection occurs.

Rule 1: YARA Detection

Navigate to Automation > D&R Rules.

Create a new rule:

Detect Block:

event: YARA_DETECTION
op: and
rules:
  - not: true
    op: exists
    path: event/PROCESS/*
  - op: exists
    path: event/RULE_NAME

Respond Block:

- action: report
  name: YARA Detection {{ .event.RULE_NAME }}
- action: add tag
  tag: yara_detection
  ttl: 80000

Save the rule as YARA Detection.

Rule 2: YARA Detection in Memory

Create another rule:

Detect Block:

event: YARA_DETECTION
op: and
rules:
  - op: exists
    path: event/RULE_NAME
  - op: exists
    path: event/PROCESS/*

Respond Block:

- action: report
  name: YARA Detection in Memory {{ .event.RULE_NAME }}
- action: add tag
  tag: yara_detection_memory
  ttl: 80000

Save the rule as YARA Detection in Memory.

Testing YARA Scanning

Since we know a Sliver implant is in the Downloads folder of our Windows VM, we can verify our YARA signature by running a manual scan with the EDR sensor. This ensures everything is working correctly.

Manual YARA Scan

In LimaCharlie, go to Sensors List and select your Windows VM sensor.
Open the EDR Sensor Console.
Run the following command, replacing [payload_name] with your actual payload name from Part 2 - Detecting C2 Activity
```
yara_scan hive://yara/sliver -f C:\Users\User\Downloads\[payload_name].exe
```
Press Enter twice to run the command.
Verify Detection
- If successful, you should see output indicating a positive hit on one of the Sliver YARA signatures.
- Check the Detections screen for a new detection event.

Now we’re ready to automate this process 💪.

Automating YARA Scans

Scanning Downloaded EXEs

Create a new D&R rule: This rule detects and scans any process that runs from the Downloads folder. Since malware is often executed from Downloads, this helps catch potential threats in real time.

Detect Block:

event: NEW_DOCUMENT
op: and
rules:
  - op: starts with
    path: event/FILE_PATH
    value: C:\Users\
  - op: contains
    path: event/FILE_PATH
    value: \Downloads\
  - op: ends with
    path: event/FILE_PATH
    value: .exe

Respond Block:

- action: report
  name: EXE dropped in Downloads directory
- action: task
  command: >-
    yara_scan hive://yara/sliver -f "{{ .event.FILE_PATH }}"
  investigation: Yara Scan Exe
  suppression:
    is_global: false
    keys:
      - '{{ .event.FILE_PATH }}'
      - Yara Scan Exe
    max_count: 1
    period: 1m

Save as YARA Scan Downloaded EXE.

Scanning Processes Launched from Downloads

Create a new D&R rule:
- Detect Block:
  event: NEW_PROCESS op: and rules: - op: starts with path: event/FILE_PATH value: C:\Users\ - op: contains path: event/FILE_PATH value: \Downloads\
- Respond Block:
  - action: report name: Execution from Downloads directory - action: task command: yara_scan hive://yara/sliver-process --pid "{{ .event.PROCESS_ID }}" investigation: Yara Scan Process suppression: is_global: false keys: - '{{ .event.PROCESS_ID }}' - Yara Scan Process max_count: 1 period: 1m
- Notice Here :
  1. Previously, we scanned files (using their file path) when they were downloaded.
  2. Now, we scan running processes (using their process ID) instead.
  Why switch to process scanning?
  - The original YARA rules (from NCSC) failed to detect Sliver when it was running.
  - This is because those rules were designed to match specific file-based patterns, not live processes.
  - To fix this, the new rule (sliver-process) was created, which looks for specific strings inside a running Sliver process.
  How was this verified?
  - Using LimaCharlie (LC), the analyst extracted strings from a running Sliver process.
  - Those strings were then used to refine the new YARA rule.
  - The screenshots confirm that the new rule detects Sliver in memory.
  Final Outcome:
  This rule ensures that even if Sliver bypasses file-based detection, it still gets caught when executed.

Triggering the Rules

Simulating EXE Download

Since we already have the Sliver payload in Downloads, instead of re-downloading it, we move it to another folder (Documents) and then move it back to Downloads. This simulates a "newly downloaded" EXE.

Move the Sliver payload between directories:

Move-Item -Path C:\Users\User\Downloads\[payload_name].exe -Destination C:\Users\User\Documents\[payload_name].exe
Move-Item -Path C:\Users\User\Documents\[payload_name].exe -Destination C:\Users\User\Downloads\[payload_name].exe

Verify detections in the Detections tab.

Testing Process Scanning

Now this process ensures that any executable file (EXE) launched from the Downloads folder is detected and scanned using YARA.

Open an Admin PowerShell Prompt:
- This is required to run the necessary commands with proper privileges.
Kill Any Existing Sliver C2 Processes:
```
Get-Process [payload_name] | Stop-Process
```
- Execute the Sliver payload:
  C:\Users\User\Downloads\[payload_name].exe
- Check the Detections tab for alerts.