More advanced detection methods do not calculate a single signature from the entire file (something that is too easily changed); instead they use multiple signatures, each of which is a string (hex or ASCII) or a regular expression, used to identify important functional sections within the malware. One such open-source tool for advanced signature-based malware detection is called YARA. YARA covers all the operating system bases by running on Windows, Linux, and macOS, and it is easy to install. The screenshot below shows installation on Ubuntu.
Signature and Socket Based Malware Detection with osquery and YARA
YARA is a powerful malware and file scanning framework. It can be incorporated into an osquery configuration, allowing:
- on-demand scanning when a file system change occurs (from file_events)
- a yara table for on-demand YARA scanning.
Wazuh can integrate with YARA in different ways. YARA is a versatile open-source pattern-matching tool aimed at detecting malware samples based on rule descriptions, although it is not limited to that use case alone.
Unified data from across the control and data planes gives you the strongest base on which to conduct investigations, incident response, and threat hunting along with traditional security operations. Siloed tools and data are a detriment to fast moving, effective CSIRT teams. The power of this foundation in security analytics is that Uptycs provides out-of-the-box solutions for teams, but also gives you a platform with all the socket and process event data needed to build tailored YARA scans or detections frameworks that rapidly respond to emerging threats and incidents.
We wanted to see over time, between BPFDoor payloads, what, if anything, the threat actors modified. A number of samples were detonated and analyzed, ranging from the uploaded source code to a sample uploaded last month. We found that the behavior over time did not change a great deal. It maintained the same relative attack lifecycle, with a few variations in hardcoded values such as passwords, process names, and files. This is not uncommon when compared to other malware samples that look to evade detection or leverage payloads across a variety of victims.
After developing the 2 detection rules along with the 2 hunt rules listed below, in addition to the 6 YARA signatures deployed, we were able to detect BPFDoor in a myriad of different ways and within different stages of its life cycle. As stated earlier though, if you detect this malware in your environment it should be the least of your concerns, given that the threat actor will most likely have already successfully compromised your network via other means.
To put things in perspective, let us take the case of MITRE Technique T1055 (Process Injection) to evade process-based defenses using a sub-technique (for example, Process Injection or Process Hollowing) in which a well-known process is launched with malicious code mapped into it. The commonly used rule to detect such behaviors would be to monitor parent-child relationships, but such rules can (and will) trigger a lot of false positive alerts. Triaging each of these alerts requires additional data and context around the activity done by the parent and child processes. Streaming this amount of data, building context, and matching alerts with known indicators or signatures (which offer the most definitive answer) is not an easy task; it requires a lot of resources and leaves gaps through which the attack can succeed. This is a daily conundrum that security practitioners struggle with!
But why stop at enriching a process creation activity with just the file events telemetry, when an analyst can enrich it with socket events, SSL events (the preferred method for most malware to communicate these days), or any of the multiple real-time events supported by the agent? The same query can be extended to capture activities of child processes in the result. You can make the query extremely granular by using additional SQL constraints to monitor the launches of only well-known processes (such as svchost.exe or cmd.exe).
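The enrichment described above, as an added example that is not from the original page or from any of the vendors it mentions: in osquery this would be a SQL join of process_events against socket_events, restricted to well-known process names; the Python below models the same correlation over constructed event records so the triage logic can be read in isolation. The event fields, the expected-parent map, and the 60-second window are assumptions for illustration.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcessEvent:
    time: int          # seconds since epoch (constructed)
    pid: int
    parent: int
    path: str
    cmdline: str


@dataclass(frozen=True)
class SocketEvent:
    time: int
    pid: int
    action: str        # "connect" / "bind" as in osquery's socket_events
    remote_address: str
    remote_port: int


# Only well-known processes are monitored, each with the parents we expect to launch it.
# This map is an assumption for the example, not a vendor's rule set.
MONITORED: Dict[str, set] = {
    "svchost.exe": {"services.exe"},
    "cmd.exe": {"explorer.exe", "cmd.exe"},
}

# Constructed sample telemetry (not real logs). PIDs and addresses are made up.
PROCESS_EVENTS = [
    ProcessEvent(1000, 4312, 612, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(1005, 4400, 3377, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(1010, 4420, 3377, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(1020, 4450, 2200, r"C:\Windows\explorer.exe", "explorer.exe"),
]
PARENT_PATHS = {
    612: r"C:\Windows\System32\services.exe",
    3377: r"C:\Program Files\Microsoft Office\WINWORD.EXE",
    2200: r"C:\Windows\System32\userinit.exe",
}
SOCKET_EVENTS = [
    SocketEvent(1001, 4312, "connect", "10.0.0.5", 445),
    SocketEvent(1007, 4400, "connect", "203.0.113.44", 443),
    SocketEvent(1800, 4420, "connect", "198.51.100.9", 8080),   # long after process start
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def enrich(process_events: List[ProcessEvent], parent_paths: Dict[int, str],
           socket_events: List[SocketEvent], window: int = 60) -> List[dict]:
    """Join each monitored process launch with its parent's image and the
    outbound connections it made within `window` seconds of starting."""
    sockets_by_pid = defaultdict(list)
    for s in socket_events:
        sockets_by_pid[s.pid].append(s)
    rows = []
    for p in process_events:
        name = basename(p.path)
        if name not in MONITORED:          # the SQL constraint on well-known names
            continue
        parent_name = basename(parent_paths.get(p.parent, ""))
        conns = [s for s in sockets_by_pid[p.pid]
                 if s.action == "connect" and p.time <= s.time <= p.time + window]
        rows.append({
            "pid": p.pid,
            "process": name,
            "parent": parent_name,
            "parent_expected": parent_name in MONITORED[name],
            "connections": [(s.remote_address, s.remote_port) for s in conns],
        })
    return rows


def triage(rows: List[dict]) -> List[dict]:
    """Parent-child mismatch alone is noisy; network context decides severity."""
    alerts = []
    for r in rows:
        if r["parent_expected"]:
            continue
        severity = "high" if r["connections"] else "medium"
        alerts.append({"pid": r["pid"], "process": r["process"],
                       "parent": r["parent"], "severity": severity,
                       "connections": r["connections"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(enrich(PROCESS_EVENTS, PARENT_PATHS, SOCKET_EVENTS)):
        print(alert)
```

Running it yields one high-severity alert (svchost.exe launched by WINWORD.EXE and connecting out within the window) and one medium-severity alert (cmd.exe with the same unexpected parent but no connection inside the window); the svchost.exe started by services.exe produces nothing even though it also opened a socket.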
EclecticIQ Endpoint Response enables accomplished community tools to come together, such as osquery with the EclecticIQ Extension that works like the Sysmon tool, detection engine with YARA, and scripting languages, such as Shell and PowerShell. To summarize, EclecticIQ Endpoint Response offers features that allow you to:
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.[1] The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.[2] Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file to be analyzed.[3]
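To tie the opening paragraph on multi-signature matching to the binary-padding point just made, here is an added example (not from the original page and not YARA's own code): a small YARA-style matcher with hex strings (with wildcard bytes), ASCII strings, regular expressions, and a condition over which of them matched, run against a constructed sample, the same sample with junk appended, and a benign file that shares one string. The rule, the sample bytes, and the indicator values are all constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    """A YARA-style rule: named patterns plus a condition over which ones matched."""
    name: str
    patterns: Dict[str, "re.Pattern"]
    condition: Callable[[Dict[str, List[int]]], bool]


def hex_pattern(spec: str) -> "re.Pattern":
    """Compile a YARA-like hex string ('6A 00 68 ?? ?? 40 00'); '??' is a wildcard byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(text: str) -> "re.Pattern":
    return re.compile(re.escape(text.encode("ascii")))


def regex_pattern(expr: str) -> "re.Pattern":
    return re.compile(expr.encode("ascii"))


def scan(data: bytes, rules: List[Rule]) -> List[str]:
    """Return the names of rules whose condition holds for this file content."""
    hits = []
    for rule in rules:
        offsets = {pid: [m.start() for m in pat.finditer(data)]
                   for pid, pat in rule.patterns.items()}
        if rule.condition(offsets):
            hits.append(rule.name)
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed rule: indicators from three different functional parts of a fictional dropper.
DROPPER_RULE = Rule(
    name="constructed_dropper",
    patterns={
        "$mz": hex_pattern("4D 5A"),                        # 'MZ' executable header
        "$push_call": hex_pattern("6A 00 68 ?? ?? 40 00"),  # push 0; push <image address> (made-up chunk)
        "$cmd": text_pattern("cmd.exe /c "),
        "$c2": regex_pattern(r"http://[a-z0-9.-]+/gate\.php"),
    },
    # 'MZ' at offset 0 and at least two of the other three indicators
    condition=lambda o: (
        0 in o["$mz"]
        and sum(bool(o[k]) for k in ("$push_call", "$cmd", "$c2")) >= 2
    ),
)

# Constructed sample bytes; this is not a real malware file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x6a\x00\x68\x12\x34\x40\x00\xe8\x00\x00\x00\x00"
    + b"cmd.exe /c del %TEMP%\\stage.bin\x00"
    + b"http://updates.example.invalid/gate.php\x00"
)
# The same file with binary padding appended, as the paragraph above describes
PADDED = SAMPLE + b"\x00" * 100_000
# A benign constructed file that shares only the 'cmd.exe /c ' string with the rule
BENIGN = b"MZ\x90\x00" + b"\x00" * 60 + b"cmd.exe /c echo hello\x00"


def demo() -> dict:
    return {
        "hash_changed": sha256(SAMPLE) != sha256(PADDED),   # whole-file hash is defeated
        "sample_hits": scan(SAMPLE, [DROPPER_RULE]),
        "padded_hits": scan(PADDED, [DROPPER_RULE]),        # section signatures still fire
        "benign_hits": scan(BENIGN, [DROPPER_RULE]),        # one shared string is not enough
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The condition is what separates this from a hash: the padded copy has a different SHA-256 but the same functional sections, so it still matches, while the benign file that merely contains `cmd.exe /c ` does not reach the two-of-three threshold.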
Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:xyz, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.
So back in the day I began working with OSSEC, the open source host based intrusion detection system. OSSEC has been running since around 2008, and been shepherded by Trend Micro since 2009. I ran the base package for some years, but
So I have been using ClamAV for a while now and have found it to be a very effective and modular tool, especially due to the fact that you can use it with your own custom signatures using sigtool and yara to