Unveiling the capabilities of Threat Hunting with YARA and SilkETW in a Windows environment
This blog covers the process of threat hunting, YARA rules, and how to use YARA rules and ETW to detect malicious activity in Windows environments
Threat Hunting
- Proactive Security Measure: Threat hunting involves actively searching for signs of malicious activities or threats within an organization’s network before they can cause damage, instead of waiting for automated systems to detect them.
- Identifying Advanced Threats: It helps uncover sophisticated and stealthy threats that traditional security tools may miss, such as zero-day exploits and insider threats.
- Reducing Dwell Time: By continuously monitoring and investigating potential threats, threat hunters can significantly reduce the time malicious actors remain undetected within the network (known as dwell time), minimizing possible damage.
- Improving Incident Response: Threat hunting enhances an organization’s incident response capabilities by providing valuable insights and context about potential threats, allowing for quicker and more effective responses.
- Building Security Intelligence: The process of threat hunting generates intelligence about threat actors, their tactics, techniques, and procedures (TTPs), which can inform better security strategies and defenses.
When Should We Hunt?
- When New Information on an Adversary or Vulnerability Comes to Light.
- When New Indicators are Associated with a Known Adversary.
- During an Incident Response Activity
YARA Rules
YARA is a powerful pattern-matching tool and rule format used for identifying and classifying files based on specific patterns, characteristics, or content.
Usage of YARA:
- Malware Detection and Classification
- File Analysis and Classification
- Indicator of Compromise (IOC) Detection
- Community-driven Rule Sharing
General structure of a YARA rule:
    rule my_rule {
        meta:
            author = "Author Name"
            description = "example rule"
            hash = ""
        strings:
            $string1 = "test"
            $string2 = "rule"
            $string3 = "htb"
        condition:
            all of them
    }
Rule Meta: The meta section holds additional metadata about the rule, such as its author, references, and version; it does not affect matching.
Rule Body: The strings section holds the patterns or indicators (text, hex, or regular expressions) to be searched for within the files.
Rule Conditions: The condition section is the boolean expression over those strings (and, optionally, file characteristics such as size) that must be true for the rule to match.
Detecting Meterpreter shellcode injection
Rule Source: community/data/yara/shellcode/metasploit.yar at master · cuckoosandbox/community · GitHub
    rule meterpreter_reverse_tcp_shellcode {
        meta:
            author = "FDD @ Cuckoo sandbox"
            description = "Rule for metasploit's meterpreter reverse tcp raw shellcode"
        strings:
            $s1 = { fce8 8?00 0000 60 } // shellcode prologue in metasploit
            $s2 = { 648b ??30 }         // mov edx, fs:[???+0x30]
            $s3 = { 4c77 2607 }         // kernel32 checksum
            $s4 = "ws2_"                // ws2_32.dll
            $s5 = { 2980 6b00 }         // WSAStartUp checksum
            $s6 = { ea0f dfe0 }         // WSASocket checksum
            $s7 = { 99a5 7461 }         // connect checksum
        condition:
            5 of them
    }
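To make the rule sections described above concrete, here is an added Python example (not code from this page, from Cuckoo, or from YARA itself) that implements just enough of YARA's hex-string semantics to evaluate the strings of the Meterpreter rule and its `5 of them` condition: a `?` nibble wildcard becomes a byte class, a text string becomes a literal, and the condition counts distinct matched identifiers. The two byte buffers are constructed fixtures, not shellcode, and the matcher is an illustration of how the rule decides; actual hunting uses yara64.exe as the page does.

```python
import re
from typing import Dict, List, Tuple

# String definitions copied from the meterpreter_reverse_tcp_shellcode rule
# above; a '?' inside a hex string is a nibble wildcard, as in YARA.
STRINGS: Dict[str, Tuple[str, str]] = {
    "$s1": ("hex", "fce8 8?00 0000 60"),   # shellcode prologue
    "$s2": ("hex", "648b ??30"),           # mov edx, fs:[reg+0x30]
    "$s3": ("hex", "4c77 2607"),           # kernel32 checksum
    "$s4": ("text", "ws2_"),               # ws2_32.dll
    "$s5": ("hex", "2980 6b00"),           # WSAStartup checksum
    "$s6": ("hex", "ea0f dfe0"),           # WSASocket checksum
    "$s7": ("hex", "99a5 7461"),           # connect checksum
}


def _esc(v: int) -> bytes:
    """Regex escape for one byte value, valid inside and outside a class."""
    return b"\\x%02x" % v


def hex_pattern_to_regex(pattern: str) -> bytes:
    """Translate a YARA hex string into a bytes regex.

    '??' matches any byte, '8?' matches 0x80..0x8f, '?5' matches the 16
    bytes whose low nibble is 5, and a plain pair matches exactly one byte.
    """
    nibbles = pattern.replace(" ", "").lower()
    if len(nibbles) % 2:
        raise ValueError("hex string needs an even number of nibbles")
    out: List[bytes] = []
    for i in range(0, len(nibbles), 2):
        hi, lo = nibbles[i], nibbles[i + 1]
        if hi == "?" and lo == "?":
            out.append(b".")
        elif lo == "?":
            base = int(hi, 16) << 4
            out.append(b"[" + _esc(base) + b"-" + _esc(base | 0x0F) + b"]")
        elif hi == "?":
            vals = (int(h + lo, 16) for h in "0123456789abcdef")
            out.append(b"[" + b"".join(_esc(v) for v in vals) + b"]")
        else:
            out.append(_esc(int(hi + lo, 16)))
    return b"".join(out)


def compile_strings() -> Dict[str, "re.Pattern[bytes]"]:
    """Compile every rule string; DOTALL so '??' also matches byte 0x0a."""
    compiled: Dict[str, "re.Pattern[bytes]"] = {}
    for ident, (kind, value) in STRINGS.items():
        if kind == "hex":
            compiled[ident] = re.compile(hex_pattern_to_regex(value), re.DOTALL)
        else:
            compiled[ident] = re.compile(re.escape(value.encode("ascii")))
    return compiled


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for each rule string found in buf."""
    hits: Dict[str, List[int]] = {}
    for ident, rx in compile_strings().items():
        offsets = [m.start() for m in rx.finditer(buf)]
        if offsets:
            hits[ident] = offsets
    return hits


def n_of_them(hits: Dict[str, List[int]], n: int) -> bool:
    """YARA's 'N of them': at least N distinct identifiers matched."""
    return len(hits) >= n


# Constructed fixtures (not real shellcode): the rule's fragments glued
# together with NOP padding, and a benign-looking buffer that merely names
# ws2_32.dll and has a call whose displacement byte is outside 0x80..0x8f.
SUSPECT = (
    b"\x90" * 4
    + b"\xfc\xe8\x8f\x00\x00\x00\x60"   # $s1 (displacement 0x8f fits '8?')
    + b"\x64\x8b\x52\x30"               # $s2 ('??' absorbs the ModRM byte)
    + b"\x4c\x77\x26\x07"               # $s3
    + b"ws2_"                           # $s4
    + b"\x29\x80\x6b\x00"               # $s5
    + b"\xea\x0f\xdf\xe0"               # $s6
    + b"\x99\xa5\x74\x61"               # $s7
    + b"\x90" * 4
)
BENIGN = b"MZ" + b"\x00" * 8 + b"ws2_32.dll\x00" + b"\xfc\xe8\x9f\x00\x00\x00\x60"


if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = scan(buf)
        print(f"{label}: {sorted(hits)} -> 5 of them = {n_of_them(hits, 5)}")
```

The benign buffer shows why the rule needs `5 of them` rather than `any of them`: almost every networked Windows binary references ws2_32.dll, so `$s4` alone is no evidence, and the `8?` wildcard only admits the displacement range the Metasploit prologue actually uses.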
We have a sample, meterpreter_shell.exe, that injects Meterpreter shellcode into a process named cmdkey.exe. We will use the YARA rule above to detect this behaviour.
To begin with, we execute meterpreter_shell.exe.
Next, we run the ps command in PowerShell/cmd to list the running processes; meterpreter_shell and cmdkey appear with their respective PIDs.
To hunt for the process injection activity, let's use this command:
Get-Process | ForEach-Object { "Scanning with Yara for meterpreter shellcode on PID "+$_.id; & "yara64.exe" "C:\Rules\yara\meterpreter_shellcode.yar" $_.id }
The Get-Process command fetches the running processes, and the pipe symbol (|) feeds them into the script block ({...}). There, ForEach-Object handles each process in turn and invokes yara64.exe with our rule file and the process ID, so YARA scans that process's memory rather than a file on disk.
The rule matched two process IDs, 1672 and 3724: the shellcode strings were found in both the source process (meterpreter_shell.exe) and the target (cmdkey.exe). Inspecting the strings of the target process cmdkey.exe confirms that the detected patterns are present in its memory.
Hunting for threats using YARA and ETW
What is ETW?
Event Tracing for Windows (ETW) is a powerful logging framework built into the Windows operating system. It allows for the efficient collection of event data from various sources, including kernel-mode and user-mode applications.
Some ETW providers that can be helpful in threat detection:
- Microsoft-Windows-Kernel-Process
- Microsoft-Windows-Kernel-Network
- Microsoft-Windows-SMBClient/SMBServer
- Microsoft-Windows-DotNETRuntime
- Microsoft-Windows-PowerShell
- Microsoft-Windows-DNS-Client
- Microsoft-Antimalware-Service
As a simple demonstration to understand the capabilities of YARA, we will be using Microsoft-Windows-PowerShell and Microsoft-Windows-DNS-Client providers.
SilkETW is an open-source tool for working with Event Tracing for Windows (ETW) data. It provides enhanced visibility and analysis of Windows events for security monitoring, threat hunting, and incident response. The best part of SilkETW is that it can also apply YARA rules to the events it collects.
I have written two simple YARA rules to detect PowerShell activity that downloads a file from the internet. The first is used with the Microsoft-Windows-PowerShell provider and the second with Microsoft-Windows-DNS-Client.
    rule powershell_payload_download {
        meta:
            author = "Praj S"
            description = "Rule to detect malicious.ps1"
        strings:
            $s0 = "https://filesampleshub.com/download/document/txt/sample1.txt" ascii wide nocase
            $s1 = "sample1.txt" ascii wide nocase
            $s2 = "Invoke-WebRequest" ascii wide nocase
        condition:
            all of them
    }

    rule powershell_payload_download_dns {
        meta:
            author = "Praj S"
            description = "Rule to detect DNS entry for malicious.ps1"
        strings:
            $s0 = "filesampleshub.com" ascii wide nocase
        condition:
            all of them
    }
PowerShell command:
    Invoke-WebRequest -Uri "https://filesampleshub.com/download/document/txt/sample1.txt" -OutFile "C:\Users\prajs_28\Downloads\sample1.txt"; Write-Host "File downloaded successfully"
To begin we will first execute:
PS C:\Users\prajs_28> .\SilkETW.exe -t user -pn Microsoft-Windows-PowerShell -ot file -p ./etw_ps_logs.json -l verbose -y C:\Users\prajs_28\OneDrive\Desktop\YaraRules -yo Matches
As expected, SilkETW reported a YARA match: the PowerShell event carrying the script text contains every pattern the rule requires.
Now let's run the same download command again while SilkETW collects from the Microsoft-Windows-DNS-Client ETW provider:
PS C:\Users\prajs_28> .\SilkETW.exe -t user -pn Microsoft-Windows-DNS-Client -ot file -p ./etw_ps_logs.json -l verbose -y C:\Users\prajs_28\OneDrive\Desktop\YaraRules -yo Matches
We have a match again!!
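Once both SilkETW runs have been written to disk, the next step in a hunt is to triage the matches rather than read raw JSON. The following added Python example (not part of this post or of the SilkETW project) parses a constructed sample of SilkETW's newline-delimited JSON output, keeps only events on which a rule fired, and correlates the PowerShell and DNS matches by process ID. The field names (ProviderName, EventName, ProcessID, ProcessName, TimeStamp, YaraMatch, XmlEventData) follow SilkETW's event record but are treated as assumptions here, the event payloads are made up, and the rule names are the two rules above with the DNS rule given a distinct identifier, since YARA rejects duplicate rule names.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of SilkETW's newline-delimited JSON output (field names
# assumed from SilkETW's event record; payload values invented for the demo).
PS_URL = "https://filesampleshub.com/download/document/txt/sample1.txt"
SAMPLE_LOG = "\n".join([
    json.dumps({
        "ProviderName": "Microsoft-Windows-PowerShell", "EventName": "EventID(4104)",
        "ProcessID": 5412, "ProcessName": "powershell", "TimeStamp": "2024-05-01T10:00:01",
        "YaraMatch": ["powershell_payload_download"],
        "XmlEventData": {"ScriptBlockText": f'Invoke-WebRequest -Uri "{PS_URL}" -OutFile sample1.txt'},
    }),
    json.dumps({
        "ProviderName": "Microsoft-Windows-PowerShell", "EventName": "EventID(4104)",
        "ProcessID": 5412, "ProcessName": "powershell", "TimeStamp": "2024-05-01T10:00:00",
        "YaraMatch": [], "XmlEventData": {"ScriptBlockText": "Get-Date"},
    }),
    json.dumps({
        "ProviderName": "Microsoft-Windows-DNS-Client", "EventName": "EventID(3006)",
        "ProcessID": 5412, "ProcessName": "powershell", "TimeStamp": "2024-05-01T10:00:01",
        "YaraMatch": ["powershell_payload_download_dns"],
        "XmlEventData": {"QueryName": "filesampleshub.com"},
    }),
    json.dumps({
        "ProviderName": "Microsoft-Windows-DNS-Client", "EventName": "EventID(3006)",
        "ProcessID": 880, "ProcessName": "svchost", "TimeStamp": "2024-05-01T10:00:02",
        "YaraMatch": [], "XmlEventData": {"QueryName": "time.windows.com"},
    }),
    '{"ProviderName": "Microsoft-Windows-DNS-Cl',   # tail of a file still being written
])


def load_events(text: str) -> List[dict]:
    """Parse NDJSON, skipping blank lines and a partially written last line."""
    events: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def yara_hits(events: List[dict]) -> List[dict]:
    """Only events on which SilkETW recorded at least one YARA rule name."""
    return [e for e in events if e.get("YaraMatch")]


def evidence(event: dict) -> str:
    """Pull the payload field the rule most likely matched on, per provider."""
    data = event.get("XmlEventData") or {}
    for field in ("ScriptBlockText", "QueryName"):
        if field in data:
            return str(data[field])
    return json.dumps(data, sort_keys=True)


def summarize(hits: List[dict]) -> Dict[Tuple[str, str, int], int]:
    """Count matching events per (rule, provider, pid)."""
    counts: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for e in hits:
        for rule in e["YaraMatch"]:
            counts[(rule, e.get("ProviderName", ""), int(e.get("ProcessID", -1)))] += 1
    return dict(counts)


def correlate_by_pid(hits: List[dict]) -> Dict[int, List[str]]:
    """Providers on which a rule fired, per PID: one process producing both a
    script-block match and a DNS match is stronger evidence than either alone."""
    by_pid: Dict[int, set] = defaultdict(set)
    for e in hits:
        by_pid[int(e.get("ProcessID", -1))].add(e.get("ProviderName", ""))
    return {pid: sorted(p) for pid, p in by_pid.items()}


if __name__ == "__main__":
    hits = yara_hits(load_events(SAMPLE_LOG))
    for (rule, provider, pid), n in sorted(summarize(hits).items()):
        print(f"{rule:34} {provider:30} pid={pid} events={n}")
    for e in hits:
        print(f"  pid={e['ProcessID']} {e['ProviderName']}: {evidence(e)}")
    print(correlate_by_pid(hits))
```

Note that the two SilkETW commands on this page write to the same output file (./etw_ps_logs.json), so if you run them back to back without clearing it, the loader will see events from both providers in one file; the per-PID correlation above is what makes that mixed file useful instead of confusing.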
Beyond ETW, the same YARA rules can be used with other tools, such as Volatility, to detect malicious behaviour in memory images.