Threat Hunting With YARA: Tryhackme Writeup
Task 1: Introduction
This room aims to demonstrate an active application of threat hunting with a specific focus on using YARA rules to hunt for Indicators of Compromise (IOC) related to malware. We will use a realistic scenario as the common thread throughout this room.
Learning Objectives
- Looking for actionable information that can be used to search for threats
- Installing YARA
- Creating a YARA rule
- Deploying a YARA rule
No answer needed.
Task 2: Scenario Description
Questions
#2.1 What technique does ID T1134 describe?
Answer: Access Token Manipulation
#2.2 What does the detection rule M_APT_Dropper_Rootsaw_Obfuscated detect?
Answer: Detects obfuscated ROOTSAW payloads
Task 3: Opportunities for Threat Hunting
There are three styles of threat hunting: Structured hunting, unstructured hunting, and situational/entity-driven hunting.
Questions
#3.1 Which threat hunting style is proactive and uses indicators of attack and TTPs?
Answer: structured hunting
#3.2 In which phase of the threat hunting process are tools like YARA or Volatility used?
Answer: Investigation
#3.3 You have received a threat intelligence report consisting only of Indicators of Compromise. What threat hunting style do you recommend to use?
Answer: unstructured hunting
Task 4: YARA: Introduction
YARA stands for Yet Another Ridiculous Acronym. It is a tool Victor Alvarez of VirusTotal developed to assist malware researchers in detecting and describing malware families.
The main functionality of YARA is based on advanced pattern matching, explicitly tailored to malware. It can be best compared to using a supercharged grep with complex regular expressions in Linux. Just like the grep command, the YARA binary will iterate over all files in a designated path, trying to find a match with the information provided in the YARA rule.
A YARA rule describes a malware family based on a pattern using a set of strings and Boolean logic.
Questions
#4.1 Apart from the rule name, which other section is also required in a YARA rule?
Answer: condition
Task 5: YARA: Strings and Conditions
Questions
#5.1 What modifier should be used if you want to search for 2-byte encoded characters?
Answer: wide
#5.2 What condition should be used if you want to exclude the defined strings from the matching process?
Answer: none of them
Task 6: Environment and Setup
No answer needed.
Task 7: YARA: How To Use YARA Rules To Hunt for Indicators of Compromise
Questions
#7.1 What option do you need to pass to ensure you scan all directories recursively?
Answer: -r
Task 8: Indicators of Compromise Detected — Now What
After discovering a true positive Indicator of Compromise on a system, the first thing you should do is follow the steps laid out in the incident response procedure. Any company serious about security will have an incident response policy that explains all the steps to follow before, during, and after an incident.
Questions
#8.1 What does DAIR stand for?
Answer: Dynamic Approach to Incident Response
Task 9: YARA: Hands-on Exercise
Below I have given the code and the command to run to get the answers for this task:
Exercise 1
Write a YARA rule to find the file that contains the pattern THM{}. Use the C:\TMP\Exercise1\ path as the target in the YARA command, and enter the flag as the answer.
rule FindTHMFlag {
    // Any file containing the flag prefix matches; the full flag has the form THM{...}
    strings:
        $pattern = "THM"
    condition:
        $pattern
}
The flag can be found in file26.txt.
#9.1 What is the flag found in exercise 1?
Answer: THM{Threathuntingisawesome}
Exercise 2
Write a YARA rule that finds the file that contains the following strings: Yet another, Ridiculous acronym. Use the C:\TMP\Exercise2\ path as the target in the YARA command. Enter the name of the file as the answer.
rule FindAcronymFile {
    // `wide` matches the 2-byte (UTF-16LE) encoding used in the exercise files;
    // add `ascii` as well if the text could also be stored as 1-byte characters
    strings:
        $str1 = "Yet another" wide
        $str2 = "Ridiculous acronym" wide
    condition:
        2 of them   // both strings must be present (same as `all of them` here)
}
#9.2 What is the filename found in exercise 2? (Format: filename.extension)
Answer: file10.txt
Exercise 3
Write a YARA rule that searches for the file that contains the base64 encoded string THM{This was a really fun exercise}. Use the C:\TMP\Exercise3\ path as the target in the YARA command, and enter the name of the file as the answer.
rule FindBase64Flag {
    // Base64 of "THM{This was a really fun exercise}"; YARA's `base64` string
    // modifier can derive this from the plaintext instead of hard-coding it
    strings:
        $base64str = "VEhNe1RoaXMgd2FzIGEgcmVhbGx5IGZ1biBleGVyY2lzZX0="
    condition:
        $base64str
}
#9.3 What is the filename found in exercise 3? (Format: filename.extension)
Answer: file13.txt
Exercise 4
Write a YARA rule that searches for the XOR encrypted string THM{FoundSomethingHidden} in the C:\TMP directory and subdirectories. Fill in the encrypted text and XOR key used.
This task is a little complicated and I suggest you try this on your own; remember to use the -X flag to get the XOR key.
#9.4 What was the XOR key used for encryption in exercise 4?
Answer: 0x01
#9.5 What encrypted string did you find in exercise 4?
Answer: UILzGntoeRnlduihofIheedo|
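To make the string modifiers from Task 5 (`wide`, `base64`, `xor`), the `N of them` / `none of them` conditions, and the four exercises above concrete, here is an added Python model of what YARA does with a rule's strings. It is example code written for this writeup, not the room's files, the author's rules, or YARA itself: the sample corpus (`FILES`, with the file names and flag values taken from the answers above) is constructed in memory, the `base64` handling is simplified to the aligned encoding only (real YARA also generates the two shifted alignments), and `xor_hunt` mimics what `yara -X` reports by trying every single-byte key.

```python
from __future__ import annotations
import base64

# --- string modifiers: how a rule string becomes the byte patterns that are
# actually searched for ---------------------------------------------------
def encode_ascii(s: str) -> list[bytes]:
    """Default / `ascii` modifier: one byte per character."""
    return [s.encode("ascii")]

def encode_wide(s: str) -> list[bytes]:
    """`wide` modifier: 2-byte characters (UTF-16LE), e.g. b'Y\\x00e\\x00t\\x00'."""
    return [s.encode("utf-16-le")]

def encode_base64(s: str) -> list[bytes]:
    """`base64` modifier, simplified: only the aligned encoding (real YARA also
    emits the two shifted alignments so the text is found at any offset)."""
    return [base64.b64encode(s.encode("ascii"))]

def encode_xor(s: str) -> list[bytes]:
    """`xor` modifier: every single-byte key 0x00..0xFF is a candidate pattern."""
    raw = s.encode("ascii")
    return [bytes(b ^ key for b in raw) for key in range(256)]

# --- matching and conditions --------------------------------------------
def scan_file(data: bytes, strings: dict[str, list[bytes]]) -> set[str]:
    """Identifiers of the rule strings for which at least one encoding occurs."""
    return {ident for ident, variants in strings.items()
            if any(v in data for v in variants)}

def evaluate(condition: str, matched: set[str], total: int) -> bool:
    """Condition forms used in the room: a bare `$id`, `any/all/none of them`,
    or `N of them`."""
    cond = condition.strip()
    if cond.startswith("$"):
        return cond in matched
    quantifier = cond.replace(" of them", "")
    if quantifier == "any":
        return len(matched) >= 1
    if quantifier == "all":
        return len(matched) == total
    if quantifier == "none":
        return len(matched) == 0
    return len(matched) >= int(quantifier)

def hunt(files: dict[str, bytes], strings: dict[str, list[bytes]],
         condition: str) -> list[str]:
    """Names of the files the rule fires on (what `yara -r rule.yar <dir>` lists)."""
    return [name for name, data in files.items()
            if evaluate(condition, scan_file(data, strings), len(strings))]

def xor_hunt(data: bytes, plaintext: str) -> tuple[int, bytes] | None:
    """Mimic `yara -X`: report the single-byte key that produced the match and
    the encrypted bytes as they sit in the file, or None if nothing matched."""
    raw = plaintext.encode("ascii")
    for key in range(256):
        variant = bytes(b ^ key for b in raw)
        if variant in data:
            return key, variant
    return None

# --- constructed sample corpus (not the room's C:\TMP files) -------------
FILES = {
    "file10.txt": "Yet another Ridiculous acronym".encode("utf-16-le"),
    "file13.txt": base64.b64encode(b"THM{This was a really fun exercise}"),
    "file26.txt": b"lorem ipsum THM{Threathuntingisawesome} dolor",
    "noise.txt": b"nothing to see here",
    "hidden.bin": bytes(b ^ 0x01 for b in b"THM{FoundSomethingHidden}"),
}

if __name__ == "__main__":
    # Exercise 1: plain string, bare `$pattern` condition
    print(hunt(FILES, {"$pattern": encode_ascii("THM")}, "$pattern"))
    # Exercise 2: two `wide` strings, `2 of them`
    print(hunt(FILES, {"$str1": encode_wide("Yet another"),
                       "$str2": encode_wide("Ridiculous acronym")}, "2 of them"))
    # Exercise 3: base64-encoded flag
    print(hunt(FILES, {"$b": encode_base64("THM{This was a really fun exercise}")}, "$b"))
    # Exercise 4: XOR-encrypted flag; recover key and ciphertext like `-X`
    print(xor_hunt(FILES["hidden.bin"], "THM{FoundSomethingHidden}"))
```

Running it lists file26.txt, file10.txt and file13.txt for the first three exercises and `(1, b'UILzGntoeRnlduihofIheedo|')` for the fourth, which is the key 0x01 and encrypted text given as the answers above. Swapping the condition to `none of them` inverts the result set, which is the behaviour asked about in question 5.2.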
Task 10: Conclusion
As you progressed through the room, it taught you YARA’s powerful capabilities and how to leverage it in the context of threat hunting. You learned that YARA is an essential tool for identifying and analyzing malware, using custom rules to match specific patterns within files or processes.
The room guided you through the process of creating and using YARA rules for detecting potential threats. By writing your own basic YARA rule, you were able to conduct a simple yet effective threat hunt. This experience reinforced the importance of structured hunting and how YARA can be a valuable asset in detecting and mitigating malicious activity.
No answer needed.
Thank you!