Recommended
More Related Content
What's hot
What's hot (20)
Similar to Sigma and YARA Rules
Similar to Sigma and YARA Rules (20)
Recently uploaded
Recently uploaded (20)
Sigma and YARA Rules
- 1. YARA & SIGMA Rules Lionel Faleiro 1
- 2. #WHOAMI • Lionel Faleiro • Practice Lead – Forensics • 10 years experience in IT and Cybersecurity • Key Domains – Malware Analysis, Log Analysis, IR and Security Analytics, Training • Gamer, Photographer • @sandmaxprime
- 3. 3
- 4. Yara 4
- 5. What is YARA? • A detection rule system for files • Based upon defined patterns or characteristics • Developed by Victor Alvarez of Virustotal • Open-Source System which is primarily used for Malware Hunting • Has extension of .YAR • Filtration • Hunting
- 6. Uses of YARA? • Triaging • Memory Analysis • Email Analysis • Back Hunting • Forward Hunting
- 7. Who Uses YARA? • Cuckoo Sandbox • ESET • FireEye • Joe Security
- 8. Who Uses YARA? • Kaspersky Lab • PhishMe • Tenable • LOKI 8
- 9. Writing YARA Rules • Pros: • Easy to Understand • Easily sharable • Cons: • Runs slowly on large number of files • Issues running against files that are packed or having obfuscation • Need to be written manually
- 10. Writing YARA Rules 10 • Each rule consists: • Set of strings • Boolean expressions - Determine the logic for detection
- 11. Writing YARA Rules • Text strings • Hex strings are placed inside parenthesis • Regular expressions are enclosed in backslashes • Yara keywords: • all, and, any, ascii, at, condition, contains, entrypoint, false, filesize, fullword, for, global, in, import, include, int8, int16, int32, matches, meta. nocase, not, or, of, private, rule, strings, them, true, uint8, uint16, uint32, wide. 11
- 12. Writing YARA Rules • condition: • all of ($foo*) • condition: • $foo1 and $foo2 and $foo3 and $foo4 and $foo5 • condition: • $foo1 or $foo2 12
- 14. Hafnium Privileged & Confidential | ©2021, Network Intelligence. All Rights Reserved. 14
- 18. Other Tools
- 19. SIGMA Rules 19
- 20. Log File To Detection Log Files SIEM Search Correlation Manual Analysis
- 21. Sample Events Account Process Windows Application
- 22. Problems • Lots of data available online but in an unstructured format • Manual creation of queries due to different formats in SIEM systems • Mixed Environments
- 23. Unleash SIGMA
- 24. What is SIGMA? • Open-source rule system to be used by SIEM’s • Rule format is a very structured format • Mapped to Log Events • Rules are written in YAML • Open repository present for ules 24
- 25. Use Cases of SIGMA? • Describe the detection methods and make it available. • Invest in generating rules for Sigma and use on many different (e.g. SIEM) systems. • Use Sigma to share the signature with other threat intel communities. 25
- 28. SIGMA Rule Structure • Metadata (id, tags, author, title, references, level) • Scope - Log source • Search Parameters – values, ID • Condition 28
- 30. SIGMAUI
- 31. SIGMAUI
- 32. Hafnium SIGMA 32
- 33. Hafnium SIGMA 33
- 34. Hafnium SIGMA 34
- 35. References • SIGMA Rule Wiki - https://github.com/SigmaHQ/sigma/wiki/Sp ecification • SIGMA Repo - https://github.com/SigmaHQ/sigma • Yara Rules Repo - https://github.com/Yara- Rules/rules • YarGen - https://github.com/Neo23x0/yarGen • Yara Wiki - https://yara.readthedocs.io/en/v3.4.0/writin grules.html