Detecting Malicious Files with YARA Rules as They Traverse the Network

Conference:  BlackHat USA 2019



The presentation discusses the implementation of network-based file extraction and YARA detection using the open-source platform Zeek.
  • Network-based YARA detection can be implemented with Zeek, which is an open-source and free platform
  • Scanning all the files extracted within one minute is very fast
  • Every organization's security team should write general rules to identify malware families and any campaigns they spot on the wire
  • Resources from the community should also be used, such as locally written rules, groups that provide quality YARA rules, and public threat research provided by various security vendors
  • The presentation demonstrates the capability of network-based file extraction and YARA detection by focusing on a prevalent attack vector: Microsoft Word documents with malicious code
The presenter demonstrated the capability of network-based file extraction and YARA detection by using a proof-of-concept server to test a phishing email with a Microsoft Word document containing malicious code. The file was downloaded and opened by the user, who enabled the macro code, allowing the code to run on their machine. However, the file had already been extracted and scanned by Zeek with YARA, and an email alert was sent to the security analyst with all the information needed to act on it.


YARA, the pattern matching Swiss knife for malware researchers, has been extremely useful at detecting suspicious files on the endpoint. However, little or no information is publicly available on how to leverage this useful tool to scan for files as they are traversing the network. In this presentation, I will show how you can use open source Zeek IDS (formerly Bro) and how some custom developed scripts can be used to extract files from the network and identify attacks at an early stage before they cause more damage. Scanning for YARA files on the network has the benefit of increased performance, as compared to scanning several gigabytes or terabytes on the endpoint, as well as targeting specific MIME types used for malware delivery. Additionally, Zeek IDS can provide additional context whenever a YARA rule is triggered, which will provide defenders with more information to act more rapidly.
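The context step described above, as an added example that is not code from the presentation: it joins YARA command-line matches on extracted files with the Zeek `files.log` records for those files, so an alert can carry the sender, receiver, protocol and MIME type. The rule name, directory path and log lines are constructed samples, and it assumes `files.log` is written as JSON with the `extracted` field populated by Zeek's file extraction analyzer.

```python
import json
from pathlib import PurePosixPath

# Constructed sample of Zeek files.log in JSON format (documentation address ranges).
FILES_LOG = """\
{"ts":1565000000.1,"fuid":"FaBcD1","tx_hosts":["203.0.113.10"],"rx_hosts":["10.0.0.5"],"source":"HTTP","mime_type":"application/msword","extracted":"HTTP-FaBcD1.doc"}
{"ts":1565000003.7,"fuid":"FxYz22","tx_hosts":["198.51.100.7"],"rx_hosts":["10.0.0.9"],"source":"SMTP","mime_type":"application/pdf","extracted":"SMTP-FxYz22.pdf"}
{"ts":1565000004.2,"fuid":"FnoEx3","tx_hosts":["198.51.100.7"],"rx_hosts":["10.0.0.9"],"source":"HTTP","mime_type":"text/html"}
"""

# Constructed sample of `yara` command-line output: "<rule name> <file path>" per match.
# The second hit has no files.log record (for example, the log was already rotated).
YARA_OUTPUT = """\
Word_Doc_With_Macro /data/extracted/HTTP-FaBcD1.doc
Word_Doc_With_Macro /data/extracted/HTTP-Fgone9.doc
"""

def index_files_log(text):
    """Map each extracted file name to its files.log record."""
    index = {}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if isinstance(rec, dict) and rec.get("extracted"):
            index[PurePosixPath(rec["extracted"]).name] = rec
    return index

def enrich_hits(yara_output, index):
    """Attach Zeek context to every YARA match; hits with no record are kept."""
    alerts = []
    for line in yara_output.splitlines():
        rule, _, path = line.strip().partition(" ")
        if not path:
            continue
        rec = index.get(PurePosixPath(path).name, {})
        alerts.append({
            "rule": rule, "file": path, "context_found": bool(rec),
            "fuid": rec.get("fuid"), "protocol": rec.get("source"),
            "mime_type": rec.get("mime_type"),
            "sender": rec.get("tx_hosts", []), "receiver": rec.get("rx_hosts", []),
        })
    return alerts

if __name__ == "__main__":
    for alert in enrich_hits(YARA_OUTPUT, index_files_log(FILES_LOG)):
        print(json.dumps(alert))
```

A hit without a matching record is still reported, with `context_found` set to false, so a missing log line never suppresses a detection.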


