NetWitness Community Blog
Malware Service - Custom Yara for the Doublekill

EricPartington (Employee)
‎2018-05-17 12:52 PM

A question came in from a customer about a YARA rule for the recent Doublekill 0-day (the RTF byte-nibble obfuscation technique) that they were trying to implement with RSA NetWitness.

Challenge accepted!

The first step was to locate the YARA signature in question:

c0d3inj3cT on Twitter: "Very interesting collection of Yara hunting rules to discover some of the latest techniques here…

Specifically this signature:

yara-rules/RTF_Byte_Nibble_Obfuscation.rule at master · InQuest/yara-rules · GitHub

Which looks like this:

rule RTF_Byte_Nibble_Obfuscation_method1
{
    strings:
        $magic  = {7b 5c 72}
        $update = "\\objupdate" nocase
        $data   = "\\objdata"   nocase
        $nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/
    condition:
        $magic in (0..30) and all of them and #nibble > 10
}

rule RTF_Byte_Nibble_Obfuscation_method2
{
    strings:
        $magic  = {7b 5c 72}
        $nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/
    condition:
        $magic in (0..30) and all of them
}
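To see what these two rules actually key on before loading them into the appliance, here is the same logic transcribed into Python regexes over bytes and run against constructed RTF documents. This is an added example, not code from the post or from InQuest; the documents it scans are synthetic (a real Doublekill sample interleaves the \'XX escapes with the OLE object hex, these just repeat one unit), and the overlapping-count trick is an approximation of how YARA evaluates #nibble.

```python
import re

# Transcription of the two InQuest rule bodies into Python regexes over bytes.
MAGIC = b"{\\r"                                           # {7b 5c 72}: start of the RTF header
OBJUPDATE = re.compile(rb"\\objupdate", re.IGNORECASE)    # "\\objupdate" nocase
OBJDATA = re.compile(rb"\\objdata", re.IGNORECASE)        # "\\objdata" nocase
# One obfuscation unit: a hex digit, then an RTF \'XX escape, then three more hex
# digits. Splitting the OLE hex stream this way defeats naive hex decoders and
# signatures that expect \objdata to be followed by a plain hex run.
NIBBLE_UNIT = rb"[A-Fa-f0-9]\\'[A-Fa-f0-9]{4}"
# method1's $nibble: four units back to back. The lookahead makes finditer report
# every offset at which a run starts; YARA counts overlapping matches separately
# for #nibble, so a non-overlapping re.findall would undercount.
NIBBLE_RUN4 = re.compile(rb"(?=(?:" + NIBBLE_UNIT + rb"){4})")
# method2's $nibble (no nocase in the original); '.' stops at a newline as in YARA's default.
METHOD2_NIBBLE = re.compile(
    rb"\\objupdate.{0,1024}\\objdata.{0,1024}(?:" + NIBBLE_UNIT + rb"){2}")


def magic_in_range(data: bytes, last: int = 30) -> bool:
    """$magic in (0..30): the {\\r bytes must occur at an offset of 30 or less."""
    off = data.find(MAGIC)
    return 0 <= off <= last


def nibble_run_count(data: bytes) -> int:
    """Equivalent of #nibble for method1 (number of offsets where a 4-unit run starts)."""
    return sum(1 for _ in NIBBLE_RUN4.finditer(data))


def method1(data: bytes) -> bool:
    """$magic in (0..30) and all of them and #nibble > 10"""
    return (magic_in_range(data)
            and OBJUPDATE.search(data) is not None
            and OBJDATA.search(data) is not None
            and nibble_run_count(data) > 10)


def method2(data: bytes) -> bool:
    """$magic in (0..30) and all of them (the single regex carries the other strings)."""
    return magic_in_range(data) and METHOD2_NIBBLE.search(data) is not None


def make_rtf(units: int, with_objupdate: bool = True) -> bytes:
    """Constructed test document (not a real sample): an RTF wrapper whose \\objdata
    payload is `units` copies of the escape unit 0\\'1234."""
    doc = b"{\\rtf1\\ansi\\deff0 "
    if with_objupdate:
        doc += b"\\objupdate "
    doc += b"{\\object\\objemb{\\*\\objdata " + b"0\\'1234" * units + b"}}}"
    return doc


# Constructed benign document: an ordinary hex-encoded embedded object, no escapes.
BENIGN_RTF = (b"{\\rtf1\\ansi\\deff0 {\\object\\objemb{\\*\\objdata "
              b"01050000020000000b0000005061636b61676500}}}")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("sparse", make_rtf(5)), ("obfuscated", make_rtf(30))):
        print(f"{label:10s} runs={nibble_run_count(doc):3d} "
              f"method1={method1(doc)} method2={method2(doc)}")
```

Two things worth noticing: method1 needs more than ten overlapping 4-unit runs, so a document with only a handful of escapes (the "sparse" case) is missed by method1 but still caught by method2, and both rules insist on `{\r` within the first 30 bytes, so a sample delivered as a PE or with a long preamble will not fire either one, which is why the MS_OFFICE and WINDOWS_PE variants below are separate rules rather than one rule with a looser magic check.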

How can this be applied to RSA NetWitness?

The Malware Analysis (MA) service (the Malware service on 10.6.x, or the standalone MA service on 11.x) can leverage custom YARA signatures by following this configuration guide:
Investigation and Malware Analysis User Guide for Version 11.0

Custom YARA content is covered starting on page 172.

The current YARA version on the MA service is 3.7; the guide's reference to 1.7 is incorrect and is being updated in the docs.
[root@nw11malware ~]# yara -v
3.7.0

Now we need to format the rule so that the MA service loads it into its YARA library and runs it against the files the appliance sees. Each rule needs an additional meta section carrying these items (example values):
    meta:
        iocName = "FW.ecodedGenericCLSID"
        fileType = "WINDOWS_PE"
        score = 25
        ceiling = 100
        highConfidence = false

The end result is below. The rules are doubled because I wasn't sure how the file would be presented to the engine (as PE or as MS Office), so each rule has an MS_OFFICE and a WINDOWS_PE variant:
rule RTF_Byte_Nibble_Obfuscation_method1
{
    meta:
        iocName = "RTF_Byte_Nibble_Obfuscation_method1"
        fileType = "MS_OFFICE"
        score = 85
        ceiling = 100
        highConfidence = true

    strings:
        $magic  = {7b 5c 72}
        $update = "\\objupdate" nocase
        $data   = "\\objdata" nocase
        $nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/
    condition:
        $magic in (0..30) and all of them and #nibble > 10
}

rule RTF_Byte_Nibble_Obfuscation_method2
{
    meta:
        iocName = "RTF_Byte_Nibble_Obfuscation_method2"
        fileType = "MS_OFFICE"
        score = 85
        ceiling = 100
        highConfidence = true

    strings:
        $magic  = {7b 5c 72}
        $nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/
    condition:
        $magic in (0..30) and all of them
}

rule RTF_Byte_Nibble_Obfuscation_method1_PE
{
    meta:
        iocName = "RTF_Byte_Nibble_Obfuscation_method1_PE"
        fileType = "WINDOWS_PE"
        score = 80
        ceiling = 100
        highConfidence = true

    strings:
        $magic  = {7b 5c 72}
        $update = "\\objupdate" nocase
        $data   = "\\objdata" nocase
        $nibble = /([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){4}/
    condition:
        $magic in (0..30) and all of them and #nibble > 10
}

rule RTF_Byte_Nibble_Obfuscation_method2_PE
{
    meta:
        iocName = "RTF_Byte_Nibble_Obfuscation_method2_PE"
        fileType = "WINDOWS_PE"
        score = 80
        ceiling = 100
        highConfidence = true

    strings:
        $magic  = {7b 5c 72}
        $nibble = /\\objupdate.{0,1024}\\objdata.{0,1024}([A-Fa-f0-9]\\'[A-Fa-f0-9]{4}){2}/
    condition:
        $magic in (0..30) and all of them
}

Save that in a file such as RTF_Byte_Nibble_Obfuscation.yara.

Follow the instructions in the doc to put the file in the correct directory so it gets added to the YARA section. (Again, the path is being updated for 11.x, since it changed from the 10.6 paths; a doc update is coming.)

[root@TESTHOST yara]# pwd
/var/netwitness/malware-analytics-server/spectrum/yara/
[root@TESTHOST yara]# ls *.yara
rsa_mw_pdf_artifacts.yara rsa_mw_pe_artifacts.yara rsa_mw_pe_packers.yara

This directory is where you can drop the YARA file while you are still working on it; when it is ready, move it into the watch/ folder to import it.

Once the import is successful the rule will show like this

[root@nw11malware yara]# ls
error rsa_mw_pdf_artifacts.yara rsa_mw_pe_packers.yara watch
processed rsa_mw_pe_artifacts.yara RTF_Byte_Nibble_Obfuscation.yara

If there are errors then the rule ends up in error/

The rules should then appear in the MA service UI (Admin > Service > MA > config > IOCs > Yara), where your custom rules are listed along with the score assigned to each and the file type it will match on.


Next, find a sample to test with, like this one:
https://www.hybrid-analysis.com/sample/10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24

After a sign-up and vetting process you can download the sample as a .bin.gz.

I transferred it as-is to the MA service so that I could uncompress it, rename it to .rtf, zip it with the password "infected", and have it picked up for analysis.

scp it over to the MA service (if you don't have the file upload directory exposed via NFS).

Move the file to this directory:
cd /var/netwitness/malware-analytics-server/spectrum/infectedZipWatch

Install zip:
yum install zip

Gunzip the sample:
gunzip 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.bin.gz

Rename from .bin to .rtf:
mv 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.bin 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf

Zip it with a password (zip takes the archive name first, then the file to add):
zip -e 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf.zip 10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf

Enter the password 'infected' when prompted.

Move the resulting zip into watch/.

The zip is then picked up by the file watcher and, once processed, shows up in the MA UI. The user is shown as fileshare, since that is where the file was picked up from.

You can open the report to see the details.

At the top are the sandbox-related items from Threatgrid.

The YARA results are shown in the static analysis section further down. This shows that the signature fired on this sample (the MS_OFFICE variant, not the WINDOWS_PE version of the rule).

The potential IOC is also listed in the IOC Summary tab.

If this type of file came across the wire and matched the criteria to pull it into MA, and you had the license to enable automatic analysis, then files like this would be analyzed in MA automatically.

Output:
If you had created the syslog output from MA to NetWitness logs or another SIEM then you would get an output like this

May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|Suspicious Event|Detected suspicious network event|2|static=100.0 community=0.0 sandbox=95.0 malware.nextgen.source=http://localhost event.type=FILE_SHARE event.id=36569 high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services USER=Unknown identity
May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|Suspicious File|Detected suspicious file|2|static=100.0 community=0.0 sandbox=95.0 fname=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf fsize=85584 fileHash=b48ddad351dd16e4b24f3909c53c8901 file.sha1.hash=a3424a3593b6d7aaefa23f8076b141205cdbf5c0 file.sha256.hash=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24 event.id=36569 high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services USER=Unknown identity

By default only one of the three hashes is indexed, but that is being changed to index all three, so that a known-hash list in NetWitness (populated from endpoint logs or malware output, for example) can match on whichever form of the hash appears. (An internal change is being made to add these.)

 

cef-custom.xml

<DEVICEMESSAGES>
  <VendorProducts>
    <Vendor2Device vendor="RSA" product="rsa_netwitness_for_malware_audit_logging" device="rsa_netwitness_for_malware_audit_logging" group="Anti Virus"/>
  </VendorProducts>
  <ExtensionKeys>
    <ExtensionKey cefName="file.sha1.hash" metaName="checksum"/>
    <ExtensionKey cefName="file.sha256.hash" metaName="checksum"/>
    <ExtensionKey cefName="USER" metaName="username"/>
  </ExtensionKeys>
</DEVICEMESSAGES>

 

Devices look like this:

device.type = 'rsa_netwitness_for_malware_audit_logging'

And in the Event Analysis view you get this type of meta:

We have the filename from the submission (which lines up with filename.all and every other filename meta the system might capture from logs, packets, endpoint, malware or netflow), the checksums from the submission, and the threat.category.
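To make the cef-custom.xml mapping concrete, here is a small Python parser for the two CEF lines shown above that applies the cefName-to-metaName mapping and then matches any of the three checksums against a known-hash list. This is an added example, not code from the post and not NetWitness's own CEF parser; the two input lines are copied from the output above, and the fname and fsize mappings are assumed for illustration (the page only shows the three custom ExtensionKey entries).

```python
import re

# Sample input: the two syslog-wrapped CEF lines from the post's output section.
SAMPLE_CEF = [
    "May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|"
    "Suspicious Event|Detected suspicious network event|2|static=100.0 community=0.0 sandbox=95.0 "
    "malware.nextgen.source=http://localhost event.type=FILE_SHARE event.id=36569 "
    "high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services "
    "USER=Unknown identity",
    "May 16 15:51:59 nw11malware CEF:0|RSA|Netwitness for Malware Audit logging|11.1.0.0-8295.5.0|"
    "Suspicious File|Detected suspicious file|2|static=100.0 community=0.0 sandbox=95.0 "
    "fname=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24.rtf fsize=85584 "
    "fileHash=b48ddad351dd16e4b24f3909c53c8901 file.sha1.hash=a3424a3593b6d7aaefa23f8076b141205cdbf5c0 "
    "file.sha256.hash=10ceb5916cd90e75f8789881af40287c655831c5086ae1575b327556b63cdb24 event.id=36569 "
    "high.confidence.ioc.hit=com.netwitness.malware.rules.sandbox.autostart.registry.currentcontrolset.services "
    "USER=Unknown identity",
]

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# key=value pairs: a value runs until the next " key=" or the end of the line,
# so values containing spaces (USER=Unknown identity) survive intact.
_EXT_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

# cefName -> NetWitness meta key. The three hash keys all land on "checksum",
# as in cef-custom.xml above; fname/fsize are assumed mappings for this example.
CEF_TO_META = {
    "fileHash": "checksum",          # assumption: MD5 via the stock CEF parser
    "file.sha1.hash": "checksum",    # from cef-custom.xml
    "file.sha256.hash": "checksum",  # from cef-custom.xml
    "USER": "username",              # from cef-custom.xml
    "fname": "filename",             # assumption
    "fsize": "filename.size",        # assumption
}


def parse_cef(line: str) -> tuple[dict, dict]:
    """Split one syslog-wrapped CEF line into its 7 header fields and extension pairs.
    Escaped pipes (\\|) inside header fields are not handled; these events have none."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    parts = line[start + 4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields before the extension")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = {key: value.strip() for key, value in _EXT_RE.findall(parts[7])}
    return header, ext


def to_meta(ext: dict) -> dict:
    """Apply the cefName->metaName mapping; keys that collapse together become lists."""
    meta: dict = {}
    for key, value in ext.items():
        meta.setdefault(CEF_TO_META.get(key, key), []).append(value)
    return meta


def known_hash_hits(meta: dict, known_bad) -> list:
    """Match every indexed checksum (MD5, SHA1 or SHA256) against a hash list,
    case-insensitively, so a list keyed on any one algorithm still hits."""
    wanted = {h.lower() for h in known_bad}
    return sorted(h for h in meta.get("checksum", []) if h.lower() in wanted)


if __name__ == "__main__":
    # Constructed hash list: the sample's SHA256, as it might arrive from an endpoint feed.
    feed = ["10CEB5916CD90E75F8789881AF40287C655831C5086AE1575B327556B63CDB24"]
    for line in SAMPLE_CEF:
        header, ext = parse_cef(line)
        meta = to_meta(ext)
        print(header["name"], "->", meta.get("checksum", []), "hits:", known_hash_hits(meta, feed))
```

The first line (the Suspicious Event) carries no file hashes at all, so correlation on checksum has to key off the Suspicious File line; both share event.id, which is the join key if you want the sandbox verdict and the file identity in one ESA rule.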

 

Now you can hook into the Reporting Engine (RE) service to report on these occurrences, or into ESA (Event Stream Analysis) for immediate correlation across sessions.

  • Custom
  • doublekill
  • Logs
  • Malware
  • NetWitness
  • NW
  • NWP
  • rsa
  • RSA NetWitness
  • RSA NetWitness Platform
  • yara