Yara Malware Integration


Ojekwu Stepeen

Nov 10, 2022, 2:29:28 PM11/10/22
to wa...@googlegroups.com
Hello Wazuh community. 

Please can I get a guide on how to integrate YARA for malware scanning in my Windows environment? Any help will be useful.

Best regards 

Anthony Faruna

Nov 10, 2022, 2:39:25 PM11/10/22
to Ojekwu Stepeen, wa...@googlegroups.com
Hello Ojekwu

Thank you for using Wazuh.

Wazuh can be integrated with YARA, a tool used for detecting and classifying malware artifacts.

To ensure this integration works, please ensure Python and pip are installed on the Windows endpoint. They will be used to install the necessary libraries and download the needed rules. Ensure Microsoft Visual C++ 2015 Redistributable is also installed on the endpoint, as it is required for the YARA executable to run.

Perform the following actions on the Windows endpoint:

1. Open PowerShell with administrator privileges and download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.2.2/yara-v4.2.2-2012-win64.zip -OutFile v4.2.2-2012-win64.zip

2. Extract the YARA executable:
> Expand-Archive v4.2.2-2012-win64.zip ; Remove-Item v4.2.2-2012-win64.zip

3. Create a directory called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA executable into it:
mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
cp .\v4.2.2-2012-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

4. Download YARA rules:
  • Install the valhallaAPI module:
           > pip install valhallaAPI
  • Copy the following script and save it as download_yara_rules.py:
           from valhallaAPI.valhalla import ValhallaAPI

           # API key for the Valhalla rule feed
           v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
           # Fetch the rule set as plain text
           response = v.get_rules_text()

           # Write the rules to a .yar file in the current directory
           with open('yara_rules.yar', 'w') as fh:
               fh.write(response)

  • Run the following command to download the rules and place them in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory: 
         > python.exe download_yara_rules.py
         > mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
         > cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

  • Add the YARA rule to the downloaded C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file
5. Alternatively, you can skip step 4 and paste your YARA rule in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ directory. For the purpose of this instruction, my YARA rule file is yara_rules.yar.

6. Create the yara.bat script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This is necessary for the Wazuh-YARA active response scans:

@echo off
setlocal enableDelayedExpansion

REM Detect the OS architecture so the log file lands under the right Program Files directory
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)

if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)

REM Read the JSON alert that the agent passes to the active response on stdin
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)

set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%

REM Extract the path of the file that triggered the FIM alert
for /F "tokens=* USEBACKQ" %%F in (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) do (
    set syscheck_file_path=%%F
)

del /f %json_file_path%

set yara_exe_path=C:\"Program Files (x86)"\ossec-agent\active-response\bin\yara\yara64.exe
set yara_rules_path=C:\"Program Files (x86)"\ossec-agent\active-response\bin\yara\rules\yara_rules.yar

echo %syscheck_file_path% >> %log_file_path%

REM Scan the file and log one line per YARA match; the manager-side decoder keys on this prefix
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
)

exit /b


7. Edit the Wazuh agent configuration file C:\Program Files (x86)\ossec-agent\ossec.conf and add the directory to be monitored. This should be within the <syscheck> block. The configuration should look like this:
<directories whodata="yes">C:\Users\administrator\Downloads</directories>
Note: You can configure whichever directory you wish to monitor

8. Apply the changes by restarting the agent using this PowerShell command:
> Restart-Service -Name wazuh

Perform the following actions on the Wazuh server:
1. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file on the Wazuh server. This is to extract the information from YARA scan results:
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>


2. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server. The rules detect FIM events in the monitored directory, and also alert when malware is detected by the YARA integration:
Note: Rules 100050 and 100051 were configured to monitor the C:\Users\administrator\Downloads directory. However, you can configure whichever directory you wish to monitor.
<group name="syscheck,">

  <rule id="100050" level="7">
    <if_sid>550</if_sid>
    <field name="file">C:\\Users\\administrator\\Downloads</field>
    <description>File modified in C:\Users\administrator\Downloads directory.</description>
  </rule>

  <rule id="100051" level="7">
    <if_sid>554</if_sid>
    <field name="file">C:\\Users\\administrator\\Downloads</field>
    <description>File added to C:\Users\administrator\Downloads directory.</description>
  </rule>

</group>

<group name="yara,">

  <rule id="100052" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="100053" level="12">
    <if_sid>100052</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

</group>


3. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:
<ossec_config>
    <command>
        <name>yara</name>
        <executable>yara.bat</executable>
        <timeout_allowed>no</timeout_allowed>
    </command>

    <active-response>
        <command>yara</command>
        <location>local</location>
        <rules_id>100050,100051</rules_id>
    </active-response>
</ossec_config>


4. Restart the Wazuh server to apply the configuration changes:
systemctl restart wazuh-manager

For further guidance, the blog post Detecting Lockbit 3.0 ransomware with Wazuh shows how to implement YARA with Wazuh on a Windows endpoint.

Please let me know if you need further clarification.

Best Regards
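Added example (not part of the thread above or of Wazuh's own code): a Python walk-through of the two hand-offs in the reply that are easy to get wrong when testing, written in Python because the endpoint already needs it for the rule download. It mirrors what yara.bat does with the active response input (reading parameters.alert.syscheck.path, then prefixing each yara64.exe output line with "wazuh-yara: INFO - Scan result: ") and then applies the thread's decoder regex to the resulting log line. The active response JSON message and the yara output are constructed samples; the code assumes yara64.exe prints one "<rule_name> <scanned_file>" line per match. It also goes one step beyond the thread by showing a practitioner's check: the decoder's `(\S+)` stops at the first space, so a scanned file whose path contains a space is truncated in the alert.

```python
import json
import re
from typing import Dict, List, Optional

# Decoder regex from the thread's local_decoder.xml, translated to Python re syntax.
DECODER_RE = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
# Same decoder with the last group widened to the rest of the line, so paths with spaces survive.
DECODER_RE_FULLPATH = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (.+)$")
# Field names from the decoder's <order> element.
FIELDS = ("log_type", "yara_rule", "yara_scanned_file")

# Constructed stand-in for the JSON the agent hands the active response on stdin.
# Only the key path yara.bat reads (parameters.alert.syscheck.path) matters here.
SAMPLE_AR_INPUT = json.dumps({
    "version": 1,
    "origin": {"name": "agent01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "100051", "level": 7},
            "syscheck": {"path": r"C:\Users\administrator\Downloads\sample.exe", "event": "added"},
        },
    },
})


def extract_syscheck_path(ar_stdin: str) -> str:
    """Step yara.bat performs with ConvertFrom-Json: get the file that triggered the FIM alert."""
    return json.loads(ar_stdin)["parameters"]["alert"]["syscheck"]["path"]


def format_log_line(yara_output_line: str) -> str:
    """Step yara.bat performs in its final loop: prefix each line yara64.exe prints
    ('<rule_name> <scanned_file>') so the manager-side decoder recognises it."""
    return f"wazuh-yara: INFO - Scan result: {yara_output_line}"


def decode(log_line: str, pattern: re.Pattern = DECODER_RE) -> Optional[Dict[str, str]]:
    """Apply the decoder regex and name the groups as the <order> element does."""
    match = pattern.search(log_line)
    return dict(zip(FIELDS, match.groups())) if match else None


def simulate(yara_stdout: str) -> List[Dict[str, str]]:
    """End to end: every yara output line becomes one decoded event (agent log + manager decode)."""
    return [decode(format_log_line(line)) for line in yara_stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    path = extract_syscheck_path(SAMPLE_AR_INPUT)
    # Constructed yara64.exe output: two rules matched the same file.
    yara_stdout = f"Demo_Rule_A {path}\nDemo_Rule_B {path}\n"
    for event in simulate(yara_stdout):
        print(event)

    # Caveat: a path containing a space is cut at the space by (\S+).
    spaced = r"Demo_Rule_A C:\Users\administrator\Downloads\invoice copy.exe"
    print(decode(format_log_line(spaced))["yara_scanned_file"])                       # truncated
    print(decode(format_log_line(spaced), DECODER_RE_FULLPATH)["yara_scanned_file"])  # full path
```

If the truncation matters for your alerts, the equivalent widening in Wazuh's own decoder syntax is to make the last group `(\.+)`, since `\.` matches any character there. Note also that rule 100053 fires only on lines carrying the "Scan result:" prefix, so a file with no YARA match produces no alert at all; the plain `echo %syscheck_file_path%` line that yara.bat writes first is not decoded.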
