Transcript of: Tracking Threat Actors through YARA Rules and Virus Total
Page 1
Tracking Threat Actors through YARA Rules and Virus Total
Kevin Perlow - Booz Allen Hamilton
Allen Swackhamer - Target Corporation
Page 2
Automation and Collection Workflow (diagram)
1. YARA Rule Notification
2. Elasticsearch Stack Indexing/Logging
3. Cuckoo
4. Additional APIs
Page 3
YARA Rules - Purpose
• Track Campaigns
▫ Strings
▫ Static Indicators
▫ Compilation Artifacts
▫ Opcode signatures
• Categorize Malware
▫ Family / Variants
Image caption: Basic YARA rule for tracking a crimeware crypter
Page 4
YARA Rules - Examples
Page 5
YARA Rules - Examples
Page 6
YARA Rules - Examples
Page 7
YARA Rules - Case Study
Page 8
YARA Rules - Case Study
Left: the executable path being built.
Top right: similar sample, the GET request being made inside a try/catch function.
Page 9
Automation and Collection Workflow (workflow diagram repeated as a section divider)
Page 10
Notifications API
• VirusTotal or proprietary database
▫ SMTP notifications: pull via Python IMAP library
▫ JSON notifications: pull from REST API via Python requests library; delete the alerts from VT after you process them
• Index and Parse into Elasticsearch
Page 11
Sample VirusTotal Notification
Page 12
IOC Extraction and Logging
• Static Extraction
▫ Configuration deobfuscation and parsing
▫ Strings
▫ Various obfuscation techniques (olevba)
▫ FLOSS – Automated deobfuscation of strings
• Dynamic Extraction
▫ Sandbox: Network, File system
Page 13
Automation and Collection Workflow (workflow diagram repeated as a section divider)
Page 14
Elasticsearch Stack
• Elasticsearch & Kibana
▫ Visualize Notification Trends: First Seen, Last Seen, Resubmissions
▫ Export Data (Hash, Rule Name, Rule Set): pivot through additional APIs; export to CSV/JSON or other consumable formats
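As an added example (not the presenters' code), the following Python collapses a batch of VT-style JSON hunting notifications into one Elasticsearch document per hash and rule, carrying the First Seen / Last Seen / Resubmissions counters the Kibana trend views need, and returns the alert ids to delete from VT only after indexing has succeeded. The notification field names and the sample feed are constructed assumptions; a real feed has to be mapped onto them.

```python
import json
from datetime import datetime

# Constructed sample feed: the second record is a resubmission of the same file
# hitting the same rule four days later. Field names are assumed, VT-style.
SAMPLE_FEED = json.dumps({"notifications": [
    {"id": "n-1", "sha256": "a" * 64, "ruleset_name": "crimeware", "rule_name": "crypter_v1",
     "match_date": "2017-03-01 10:00:00", "positives": 12, "total": 60},
    {"id": "n-2", "sha256": "a" * 64, "ruleset_name": "crimeware", "rule_name": "crypter_v1",
     "match_date": "2017-03-05 08:30:00", "positives": 40, "total": 61},
    {"id": "n-3", "sha256": "b" * 64, "ruleset_name": "crimeware", "rule_name": "dropper_paths",
     "match_date": "2017-03-02 12:00:00", "positives": 3, "total": 59}]})
DATE_FMT = "%Y-%m-%d %H:%M:%S"

def parse_feed(raw_json):
    """Collapse a feed into one document per (sha256, ruleset, rule).

    Returns (docs, processed_ids): docs carry first_seen / last_seen /
    resubmissions for the Kibana trend views; processed_ids are the alert ids
    to delete from VT, but only after the docs have been indexed successfully.
    """
    docs, processed = {}, []
    for n in json.loads(raw_json)["notifications"]:
        key = (n["sha256"], n["ruleset_name"], n["rule_name"])
        seen = datetime.strptime(n["match_date"], DATE_FMT)
        doc = docs.setdefault(key, {
            "sha256": n["sha256"], "ruleset": n["ruleset_name"], "rule": n["rule_name"],
            "first_seen": seen, "last_seen": seen, "resubmissions": -1, "max_positives": 0})
        doc["resubmissions"] += 1            # the first hit is not a resubmission
        doc["first_seen"] = min(doc["first_seen"], seen)
        doc["last_seen"] = max(doc["last_seen"], seen)
        doc["max_positives"] = max(doc["max_positives"], n["positives"])
        processed.append(n["id"])
    for doc in docs.values():                # ISO 8601 strings for the ES date type
        doc["first_seen"] = doc["first_seen"].isoformat()
        doc["last_seen"] = doc["last_seen"].isoformat()
    return list(docs.values()), processed

def bulk_body(docs, index="vt-notifications"):
    """Render Elasticsearch _bulk lines; a deterministic _id makes re-runs of the
    same feed update documents instead of duplicating them."""
    lines = []
    for d in docs:
        doc_id = "%s:%s:%s" % (d["sha256"][:16], d["ruleset"], d["rule"])
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(d, sort_keys=True))
    return "\n".join(lines) + "\n"
```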
Page 15 (no extracted text)
Page 16
Cuckoo Sandbox
• Automated Submission
▫ Push notifications to Cuckoo on ingest from VT
▫ Output IOCs (Domains, Files, Mutexes, etc.) back to Elasticsearch
• Customizable
▫ Custom Elasticsearch reporting module
• Popular Sandboxes
▫ VirusTotal
▫ Malwr
▫ Hybrid Analysis
Page 17
Cuckoo Elasticsearch Index Template
• Sets shard count to 1
• Compression to “best”
• Strings to “not_analyzed”
• task_id is an indexed field
• report_time is the date/time field
Page 18
Back to the Elasticsearch Stack
• Collect Cuckoo IOCs
▫ Track by Domain, IP, Country
▫ Files written to disk
▫ Command line called
▫ Normalization of A/V Data
Page 19 (no extracted text)
Page 20 (no extracted text)
Page 21
Cuckoo Summary
• Files
• Registry
• Mutex
• Directory
• Resolved Hosts
• Connected Hosts
• Command Line
• DLL Loaded
• WMI Query
• Target File - Hash
• Target File - Name
• Target File - Type
• VirusTotal Signatures
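An added example, not the presenters' reporting module: the transform a custom Cuckoo Elasticsearch reporting module would apply to a finished report, flattening the summary fields listed above into one document and reducing VT vendor detection names to a normalized family token (the "Normalization of A/V Data" step from the Back to the Elasticsearch Stack slide). The report key names, the sample report and the generic-token list are assumptions.

```python
import re
from collections import Counter

# Constructed Cuckoo-style report; key names assumed from a Cuckoo 2.x report layout.
SAMPLE_REPORT = {
    "info": {"id": 1337},
    "target": {"file": {"sha256": "a" * 64, "name": "invoice.exe", "type": "PE32"}},
    "behavior": {"summary": {
        "file_written": ["C:\\Users\\Public\\svchost.exe"],
        "mutex": ["Global\\CONSTRUCTED_MUTEX"],
        "command_line": ["cmd.exe /c start C:\\Users\\Public\\svchost.exe"],
        "dll_loaded": ["wininet.dll", "wininet.dll"],      # duplicate on purpose
        "connects_host": ["203.0.113.10"],                 # RFC 5737 documentation address
        "resolves_host": ["example.invalid"]}},
    "virustotal": {"scans": {
        "VendorA": {"detected": True, "result": "Trojan.Win32.Zbot.gen"},
        "VendorB": {"detected": True, "result": "W32/Zbot-Generic!tr"},
        "VendorC": {"detected": True, "result": "Generic.Malware"},
        "VendorD": {"detected": False, "result": None}}},
}
# Elasticsearch field -> behavior.summary key, one per item on the Cuckoo Summary slide.
SUMMARY_FIELDS = {"files": "file_written", "registry": "regkey_written", "mutex": "mutex",
                  "directory": "directory_created", "command_line": "command_line",
                  "dll_loaded": "dll_loaded", "wmi_query": "wmi_query",
                  "connected_hosts": "connects_host", "resolved_hosts": "resolves_host"}
# Tokens that carry no family information in vendor detection names (heuristic list).
GENERIC = {"trojan", "win32", "w32", "gen", "generic", "variant", "malware", "heur", "backdoor"}

def normalize_av_name(result):
    """Reduce a vendor detection name to a lowercase family token (None if only generic)."""
    for tok in re.split(r"[^a-z0-9]+", result.lower()):
        if len(tok) >= 3 and not tok.isdigit() and tok not in GENERIC:
            return tok
    return None

def summarize(report):
    """Flatten one Cuckoo report into the document indexed in Elasticsearch."""
    summary = report.get("behavior", {}).get("summary", {})
    target = report.get("target", {}).get("file", {})
    doc = {"task_id": report["info"]["id"], "target_hash": target.get("sha256"),
           "target_name": target.get("name"), "target_type": target.get("type")}
    for field, key in SUMMARY_FIELDS.items():     # absent sections become empty lists
        doc[field] = sorted(set(summary.get(key, [])))
    scans = report.get("virustotal", {}).get("scans", {})
    hits = [normalize_av_name(s.get("result") or "") for s in scans.values() if s.get("detected")]
    families = Counter(f for f in hits if f)      # vendors that only said "generic" are dropped
    doc.update(vt_detected=len(hits), vt_total=len(scans), av_families=dict(families),
               av_family=families.most_common(1)[0][0] if families else None)
    return doc
```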
Page 22 (no extracted text)
Page 23
Lucene Search Query Syntax
List of hosts and files written, aggregated with count
Normalized AV signatures from VT
Command line called by malware
File size and hosts connected to
Page 24 (no extracted text)
Page 25
Automation and Collection Workflow (workflow diagram repeated as a section divider)
Page 26
Additional APIs
• VirusTotal
▫ Parent objects: Emails, Zip Files
▫ Network Infrastructure
• CentralOps
▫ Whois
▫ Physical Address
• PassiveTotal
▫ PassiveDNS
▫ Historical Records
Page 27
Recap
• Built YARA rule for one dropper
• Identified 700+ files
• Automated analysis via Cuckoo
• Logging via Elasticsearch and Visualization with Kibana
• Additional pivoting via API
• Source code: https://github.com/swackhamer
Page 28
Questions?