Threat Hunting and Response Using YARA/Sigma

Published on October 18, 2020

Why does Securonix support YARA and Sigma formats?

Cybersecurity professionals must navigate an ever-changing landscape of threats that no individual security engineer or organization can handle alone. To succeed, security professionals must work together to identify and resolve threats as a community and agree on common languages to effectively communicate with each other.

Securonix is committed to supporting open data formats in our products. We understand how important sharing information is within the security community. Sigma and YARA are two open formats we support in order to help our customers share indicators of compromise (IOCs) and standard log formats. Our YARA and Sigma integrations affirm our commitment to being an open platform, and they provide the resources customers need to convert rules written in Sigma and YARA formats into our SearchMore capabilities.

A Brief Introduction to YARA

YARA was created by VirusTotal to help malware researchers identify and classify malware samples. YARA supports signature-based searches that focus on scanning and identifying malicious files, as well as searching for IOCs in log files. YARA uses "descriptions" (rules) to identify malware families based on textual or binary patterns. Each description is broken down into two sections: strings and conditions. The strings define what the rule looks for and can be text, hexadecimal byte sequences, or regular expressions. The conditions are Boolean expressions over those strings that evaluate to true or false for a given input.

Below is an example of a YARA-style rule for the WHOAMI Privilege Escalation use case:

rule whoami_execution {
    meta:
        author = "Florian Roth"
        description = "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators Author: Florian Roth. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
        reference = "https://tdm.socprime.com/tdm/info/0"
        version = "0.01"
        created = "2018/05/22"

    events:
        $selection.metadata.product_log_id = "1"
        $selection.target.process.command_line = "whoami"

    condition:
        $selection
}

rule whoami_execution_2 {
    meta:
        author = "Florian Roth"
        description = "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators Author: Florian Roth. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
        reference = "https://tdm.socprime.com/tdm/info/0"
        version = "0.01"
        created = "2018/05/22"

    events:
        $selection.metadata.product_log_id = "4688"
        re.regex($selection.NewProcessName, "*\\whoami.exe")

    condition:
        $selection
}

A Brief Introduction to Sigma

Sigma provides a standard format for log-event detections, in the same way YARA provides a standard format for file-based threat IOCs. Sigma gives SIEM platforms and malware researchers a common language in which to communicate. A Sigma rule is a YAML file with standardized sections and structured fields that all vendors can consume. Each SIEM then translates the Sigma rule into its own native query language; the most important part of the rule is the detection section, which defines the matching logic.

Below is an example of a Sigma rule for the same WHOAMI Privilege Escalation use case:

action: global
title: Whoami Execution
status: experimental
description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2018/05/22
tags:
    - attack.discovery
    - attack.t1033
detection:
    condition: selection
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine: whoami
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\whoami.exe'

How does Securonix leverage YARA and Sigma to bolster security teams’ efforts?

Securonix translates YARA and Sigma rules into regex patterns that are run against live, raw data. The output is then ingested into Securonix to be used for correlation and alerting to aid security teams.

Below are the regex patterns generated from the same WHOAMI use case above, one per logsource section:

grep -P '^(?:.*(?=.*1)(?=.*whoami))'

grep -P '^(?:.*(?=.*4688)(?=.*.*\\whoami\.exe))'

Two details are worth checking when reviewing patterns like these. First, a literal backslash in a Windows path must be written as \\ inside a PCRE pattern; an unescaped \w is the word-character class, so '\whoami' would match any word character followed by 'hoami'. Second, each positive lookahead matches its value anywhere on the line, so the first pattern fires on any line that contains both the digit 1 and the string whoami, not only on Event ID 1. That is why matches from the raw feed are corroborated with other sources before a response is triggered.
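To make the translation step concrete, here is an added Python example; it is not Securonix's translator and not part of the original post. It takes the two detection sections of the Sigma rule above, written out as the structures a YAML loader would produce for them, and generates both the flattened lookahead pattern in the shape shown above and a field-aware variant that keeps the Sigma field names. It then runs both over a handful of constructed key=value log lines so the difference between the two translations is visible. The sample log lines, the key=value log layout, and the helper names (sigma_value_to_regex, to_flat_pattern, to_field_pattern, matching_lines, compare_translations) are assumptions of the example.

```python
import re

# Sigma detection sections from the "Whoami Execution" rule, written out as the
# Python structures a YAML loader (e.g. PyYAML) would produce for the two
# per-logsource documents. Keys are Sigma field names; '*' is a Sigma wildcard.
SIGMA_SELECTIONS = [
    {"logsource": {"product": "windows", "service": "sysmon"},
     "selection": {"EventID": 1, "CommandLine": "whoami"}},
    {"logsource": {"product": "windows", "service": "security"},
     "selection": {"EventID": 4688, "NewProcessName": "*\\whoami.exe"}},
]

# Constructed sample log lines in key=value form (not real telemetry).
#   0: Sysmon process-creation event running whoami   (true positive, sysmon section)
#   1: Security 4688 event for whoami.exe             (true positive, security section)
#   2: Sysmon registry event that merely contains the characters '1' and 'whoami'
#   3: 4688 event for a differently named binary
#   4: 4688 event for cmd.exe whose command line mentions whoami
SAMPLE_LOGS = [
    'EventID=1 Image="C:\\Windows\\System32\\whoami.exe" CommandLine="whoami"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\whoami.exe"',
    'EventID=13 TargetObject="HKLM\\Software\\whoami_tool" Details="enabled"',
    'EventID=4688 NewProcessName="C:\\Tools\\notwhoami.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c whoami"',
]


def sigma_value_to_regex(value):
    """Translate one Sigma match value into a regex fragment: '*' becomes '.*',
    '?' becomes '.', and every other character (including '\\') is matched literally."""
    parts = []
    for ch in str(value):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def to_flat_pattern(selection):
    """Flattened pattern: one positive lookahead per value, field names discarded,
    so the values may appear anywhere on the line and in any order."""
    lookaheads = "".join(f"(?=.*{sigma_value_to_regex(v)})" for v in selection.values())
    return f"^(?:.*{lookaheads})"


def to_field_pattern(selection):
    """Field-aware variant for key=value logs: each lookahead requires the value to
    sit in its own named field (optionally quoted) and to end at a field boundary."""
    lookaheads = "".join(
        f'(?=.*\\b{re.escape(k)}="?{sigma_value_to_regex(v)}"?(?:\\s|$))'
        for k, v in selection.items()
    )
    return f"^(?:.*{lookaheads})"


def matching_lines(pattern, lines):
    """Return the indices of the lines the pattern matches (what grep -P would print)."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def compare_translations(selections=SIGMA_SELECTIONS, lines=SAMPLE_LOGS):
    """For each logsource document, report which sample lines the flattened and the
    field-aware translations match, so the extra hits of the flat form stand out."""
    report = []
    for doc in selections:
        sel = doc["selection"]
        report.append({
            "service": doc["logsource"]["service"],
            "flat": matching_lines(to_flat_pattern(sel), lines),
            "field": matching_lines(to_field_pattern(sel), lines),
        })
    return report


if __name__ == "__main__":
    for doc in SIGMA_SELECTIONS:
        print(doc["logsource"]["service"], "flat :", to_flat_pattern(doc["selection"]))
        print(doc["logsource"]["service"], "field:", to_field_pattern(doc["selection"]))
    print(compare_translations())
```

Running the script prints both patterns per logsource and a report of matching line indices. The flattened sysmon pattern also fires on the constructed Event ID 13 line, because "1" and "whoami" both occur somewhere in it, while the field-aware pattern matches only the Event ID 1 process-creation line; the flattened security pattern reproduces the '.*.*\\whoami\.exe' shape of the generated grep above, with the path backslash escaped.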

Using Sigma and YARA on Live Data With Securonix

Endpoint solutions are good at detecting real-time events, but zero-day attacks go unseen until signatures are updated to cover the new attack. By using YARA and Sigma rules, security teams can put newly published detection content to use immediately within the Securonix Next-Gen SIEM platform. YARA and Sigma rules are evaluated against the live raw log feed within Securonix. Together these integrations give customers multiple methods to validate new potential policy violations and threats for any given query, regardless of whether it originated in Sigma or YARA format.

Securonix Actions Against IOCs

Securonix Security Orchestration, Automation and Response (SOAR) gives security teams the ability to remediate threats quickly. SOAR is also very useful for automatically adding context to an event or incident. This contextualization is done without analyst interaction, so when an analyst does see the event, they already know the output came from a YARA rule, reducing their time to triage and respond to a potential incident.

Irrespective of how the threat is detected - via YARA rules, Sigma rules, or Securonix analytics - Securonix can take the data, tie it back to an incident and trigger a playbook for that incident. This capability provides efficient remediation of the threat, no matter which source the data originated from.

Through the Securonix Live Channel fed by YARA and Sigma, using the whoami example above, we can identify a privilege escalation from the log messages, confirmed by the whoami execution. The incident is then automatically created through the threat model and enriched with the Securonix Live Channel data from YARA or Sigma, and a playbook can automatically disable the user's account once the log data has been corroborated across multiple sources.

For more information on the Securonix Next-Gen SIEM solution, request a demo today.