1-Hunting With IOCs

Uploaded by beckbeck20177

Creating IOCs & Yara Rules

Lab 1

© 2017 Caendra Inc. | Threat Hunting v1 | Creating IOCs & Yara Rules 1
SCENARIO
Another organization within your ISAC has shared a malicious binary with your security
team. They mentioned this malware was detected by one of their threat hunters. The
malware was found inside various network shares within the organization, disguising itself
as a PDF file. Your manager has tasked you with creating an IOC and YARA rule to scan the
network for this malware.

GOALS
Create an IOC and YARA rule for the malware sample.

WHAT YOU WILL LEARN
You will get familiar with creating both indicators of compromise and YARA rules.

RECOMMENDED TOOLS
• Strings
• WINMD5Free
• Yara
• Mandiant IOC Editor
• Mandiant Redline

NETWORK CONFIGURATION
Lab Network: 172.15.161.0/24

• You:
o IP: 172.16.151.50
o RDP Credentials: elshunter:ahuntingweg0!

TASKS
TASK 1. CREATE A BASIC IOC FOR THE MALWARE.
Use Strings, WINMD5Free, & Mandiant IOC Editor to create a basic IOC for the malware
sample using the file hash, size, and 2 strings.

TASK 2. TEST YOUR IOC WITH REDLINE.
Import your IOC into Redline and see if it successfully detects your malware sample residing
on the desktop and another hidden location within the machine.

TASK 3. CREATE A BASIC YARA RULE FOR THE MALWARE.
Use Strings & WINMD5Free to create a basic YARA rule using the strings from your IOC.

TASK 4. TEST YOUR YARA RULE WITH YARA.

Test your YARA rule using YARA against the malware sample on the desktop and the hidden
location which you found using Redline.

TASK 5. REVIEW YARA RULE CREATED USING YARGEN.PY.
Review the YARA rule created by yarGen.py to see if there were any other strings that you
could have used.

Below, you can find solutions for each task. Remember though that you can follow your
own strategy (which may be different from the one explained in the following lab).

SOLUTIONS

TASK 1. CREATE A BASIC IOC FOR THE MALWARE.
We can start off with obtaining the MD5 hash of the malware sample.

1. Open WINMD5FREE and browse to the folder on the desktop called “MALWARE –
DON’T RUN”.
2. Click on the EXE titled END OF YEAR FINANCIALS REPORT.

3. Open Mandiant IOC Editor.

4. At the Browse For Folder prompt, choose IOC.
5. Right-Click and select New Indicator.
6. Populate the general information for the IOC as you see fit.

7. Add the MD5 hash you obtained from WINMD5FREE by clicking on Add Item >
FileItem > File MD5.
8. Obtain the file size of the binary and add it to the IOC by clicking Add Item > FileItem
> File Size.

9. Run Strings against the malware sample and obtain strings to detect the malware.

strings.exe "c:\users\elshunter\desktop\malware – don't run\end of year financials report.exe" >> c:\users\elshunter\desktop\strings.txt

10. Add some strings to your IOC.
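The three indicator types gathered in this task (file hash, file size, and a couple of strings) can also be collected and written into an OpenIOC document without clicking through IOC Editor. The Python script below is an added example, not part of the lab and not Mandiant's code: it hashes a constructed byte string that stands in for the sample (the real binary is not reproduced here), measures its size, pulls out ASCII and UTF-16LE ("wide") strings the way a strings tool does, and emits an OpenIOC 1.0 document. The FileItem search terms (FileItem/Md5sum, FileItem/SizeInBytes, FileItem/StringList/string) are taken from my understanding of the OpenIOC 1.0 schema and should be treated as assumptions to check against an IOC exported from IOC Editor.

```python
import hashlib
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for the lab's sample (NOT the real binary): a DOS-stub
# style ASCII string, two UTF-16LE ("wide") strings and some filler bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + "allyourbasearebelongtous".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ab" + "END OF YEAR FINANCIALS".encode("utf-16-le")
)


def file_facts(data: bytes) -> dict:
    """The two non-string indicators used in Task 1: MD5 and size in bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "size": len(data)}


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Printable runs of at least min_len characters, like strings.exe.

    ASCII runs and UTF-16LE runs (printable byte followed by NUL) are reported
    separately: an IOC or rule that only looks for the ASCII form will miss a
    string the binary stores in its wide form.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "wide": [m.group().decode("utf-16-le") for m in wide_re.finditer(data)],
    }


def build_ioc(md5: str, size: int, strings: list, name: str = "EOY financials report") -> str:
    """Serialise the indicators as a minimal OpenIOC 1.0 document.

    Assumption: the FileItem search terms below follow the OpenIOC 1.0 schema
    as used by Mandiant IOC Editor; verify them against an exported IOC.
    The top-level operator is OR, so any single indicator produces a hit.
    """
    ioc = ET.Element("ioc", {
        "xmlns": "http://schemas.mandiant.com/2010/ioc",
        "id": str(uuid.uuid4()),
        "last-modified": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S"),
    })
    ET.SubElement(ioc, "short_description").text = name
    definition = ET.SubElement(ioc, "definition")
    top = ET.SubElement(definition, "Indicator", {"operator": "OR", "id": str(uuid.uuid4())})

    items = [
        ("FileItem/Md5sum", "md5", md5, "is"),
        ("FileItem/SizeInBytes", "int", str(size), "is"),
    ]
    items += [("FileItem/StringList/string", "string", s, "contains") for s in strings]
    for search, ctype, value, condition in items:
        item = ET.SubElement(top, "IndicatorItem", {"id": str(uuid.uuid4()), "condition": condition})
        ET.SubElement(item, "Context", {"document": "FileItem", "search": search, "type": "mir"})
        ET.SubElement(item, "Content", {"type": ctype}).text = value
    return ET.tostring(ioc, encoding="unicode")


def ioc_for(data: bytes, chosen: list) -> str:
    """Take hash and size from the data, then emit the IOC with the chosen strings."""
    facts = file_facts(data)
    return build_ioc(facts["md5"], facts["size"], chosen)


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    print("ascii strings:", found["ascii"])
    print("wide strings: ", found["wide"])
    # Two strings, as in the lab: one ASCII, one that only exists in wide form.
    print(ioc_for(SAMPLE, [found["ascii"][0], found["wide"][0]]))
```

Because the indicators are ORed, the hash and size alone will match only the exact file, while the string items are what catch a renamed or slightly modified copy; they are also what generate hits on your own strings.txt and collector files, which is why the Redline results in Task 2 need filtering.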

TASK 2. TEST YOUR IOC WITH REDLINE.
1. Open Redline and create an IOC Search Collector.
2. Select Browse to choose the Indicators of Compromise Location and choose the IOC
folder on the desktop where your newly created IOC resides.
3. Make sure your IOC is visible and checked under Indicators.
4. Hit Next.
5. Select Edit your script under Review Script Configuration.
6. Select the Disk tab and check Strings on the right column.

7. Select Ok.

8. Select Browse under Save Your Collector To and choose the HUNT folder on the
desktop.
9. Select Ok.
10. When the Collector Instructions appears, read the instructions and close the box.

11. Close Redline.

12. Open an elevated command prompt and navigate to the HUNT folder on the desktop.
13. Run the batch file called RunRedlineAudit.bat.
14. Once it’s complete, navigate to the newly created Sessions folder within the HUNT
folder on the desktop and open the analysis file called AnalysisSession1.mans by
double-clicking the file.
15. Once Redline is open, click on the IOC Reports tab located at the bottom left.

16. Click on the IOC report under Analysis Data and then click on the report under IOC
Report.

17. Click on View Hits.

Ignore all the hits pertaining to your IOC, your strings text file, and files pertaining to your
collector. You should see the malware sample.

You should also see the 2nd secret location.

TASK 3. CREATE A BASIC YARA RULE FOR THE
MALWARE.
1. Open the skeleton YAR file within the tools\yara-3.6.2-win64 on your desktop
within Notepad and enter the hash of the malware sample.
2. Enter the 2 strings from our IOC as $s1 and $s2.

TASK 4. TEST YOUR YARA RULE WITH YARA.
1. Run YARA using your newly created YARA rule against the malware sample on the
desktop.

Yara64.exe .\rules\eoyfr.yar "c:\users\elshunter\desktop\malware – don't run"

The command should produce no output, meaning YARA got no hits. Let’s modify
the condition of the YARA rule so that it requires only 1 string.

2. Change the condition from “2 of them” to “1 of them” within the eoyfr.yar file.

3. Run YARA again using the same file against the same folder.

We got a hit. At this point you should have realized that if you chose
‘allyourbasearebelongtous’ as a string to look for, neither Redline nor YARA caught this
string. We’ll look at how to fix this in task 5. For now, let’s test this YARA rule against the
other file residing in System32.

4. Run YARA again using the same YARA rule but against the C:\Windows\System32
folder to find the other malware sample.

TASK 5. REVIEW YARA RULE CREATED USING YARGEN.PY.
1. Open the YARA rule in the tools\yara-3.6.2-win64\rules folder titled
yargen_rules.yar within Notepad.

We see other strings we could have used, but we also see the string that Redline and
YARA didn’t detect. The binary stores that string in UTF-16LE (wide) form, and a YARA text
string without the wide modifier matches only its ASCII form. If you modify your YARA file,
add the modifiers “fullword wide” to your allyourbasearebelongtous string, and change the
condition back to 2, you will notice that YARA now successfully detects it.

2. Update eoyfr.yar with this change and run YARA again to detect malware sample
residing in System32.

You should have gotten a successful hit.

KEY TAKEAWAYS
1. You need to test your IOCs and YARA rules to ensure they will catch whatever
they’re intended to catch.
2. The more signatures within your IOCs and YARA rules the better, but be cautious of
creating IOCs and YARA rules that will generate false positives.
