Skip to main content

Greetings, everyone! Today we'll delve into the art of identifying basic file Indicators of Compromise (IoCs), crafting YARA rules to sniff out malicious actors, and seamlessly integrating these rules into Veeam Backup & Replication to safeguard our backups against potential malware threats. But before we dive in, let's take a moment to understand YARA and what its for.

 

YARA

YARA is an open-source malware classification tool used to identify and classify malware or suspicious files based on its signatures or rules. It is a powerful and flexible tool that allows users to create rules matching their organization’s needs or targeting specific threats. Moreover, YARA rules are like a piece of programming language, they work by defining a number of variables that contain patterns found in a sample of malware. If some or all of the conditions are met, depending on the rule, then it can be used to successfully identify a piece of malware.

 

Indicators of Compromise (IoCS)

Suppose one day a user notices a suspicious document on their desktop named Susfile1.txt. Instead of opening it and potentially spreading malware, we should analyze the file to identify any indicators of compromise (IoCs).

In its simplest form, we first examine the file's properties. The initial indicators of compromise (IoCs) we get are the name, extension, file path, and size in bytes.

So far, basic info from properties:

  • File Name: Susfile1.txt
  • File Path: /home/veeam/Desktop
  • File Size: 24 Bytes

That’s not really a whole to work with.. so next step is to run strings on the file. Strings is a tool that can gather collections of characters that produce human readable text. 9 times out of 10, you will get a ton of gibberish characters. As a good habit, let’s pipe the output into a text file.

strings Susfile1.txt > Susflie1strings.txt

Once we have the output, we can cat the text file to view the output data.

Now, we can add the additional information collected to our list:

  • File Name: Susfile1.txt
  • File Path: /home/veeam/Desktop
  • File Size: 24 Bytes
  • Strings: “Hello there! FreeGfitCards”

The next step to take is to collect the file hashes… We can do that by running the following commands:

md5sum Susfile1.txt
sha1sum Susfile1.txt
sha256sum Susfile1.txt

Our list of information is growing…

  • File Name: Susfile1.txt
  • File Path: /home/veeam/Desktop
  • File Size: 24 Bytes
  • Strings: “Hello there! FreeGiftCards”
  • MD5 Hash: f1bc52b1c4da8b1d9dbe44bf41697d9d
  • SHA1 Hash: acf20e2e687005925149527e979220d21ded5696
  • SHA256 Hash: a6592f3b045c0d897899a25b3b0b10a4c8444e28764cfcf2717dee1b67d3ecb

 

Creating the YARA

Now that we have some information from this suspicious file, let’s start making a YARA rule. Afterwards we can use YARA to hunt for any additional files that meet our strings and conditions.

You can use any text editor based on your preference / OS… I am using nano on Ubuntu.

nano veeam.yara

There are some basic concepts to follow when creating a YARA rule:

  • You have to give it a name
  • You can use metadata (author, description, hash)
  • You can use Strings (these are specific text / characters / expressions you want to search for)
  • You have to use conditions ( combination of strings, file size, Hex or text)
rule veeam
{
meta:
author = "Andy"
date = "2024"
description = "This is a veeam yara demo."
reference = "Blank"
md5hash = "f1bc52b1c4da8b1d9dbe44bf41697d9d"
sha1hash = "acf20e2e687005925149527e979220d21ded5696"
sha256hash = "a6592f3b045c0bd897899a25b3b0b10a4c8444e28764cfcf2717dee1b67d3ecb"
strings:
$s1 = "Hello there!"
$s2 = "FreeGiftCards"
condition:
($s1 or $s2) and filesize < 20KB
}

Let’s now run the YARA rule with the command below. This will scan the system and look for files that share the similar information as defined in your strings and conditions.

sudo yara -m -s -r veeam.yara ~/ 2>/dev/null

(-m feeds the YARA rule file, -s shows the strings on which YARA detected, -r searches recursively)

 

Depending on what files get identified by the YARA, we could then choose to collect the IoCs for new identified files and then update the YARA rule and run it again if need be.

Looks like a new file was identified…. clickme.txt

Let’s take a look at that file and gather its IoCs….

  • File Name: clickme.txt
  • File Path: /home/veeam/Desktop
  • File Size: 38 Bytes
  • Strings: “bitcoin.. FreeGiftCards NFT”
  • MD5 Hash: e10edced670747f31ce544a5ec39b4eb
  • SHA1 Hash: d6a51843f65d032abfb2ec500ce11f32ea72e39d
  • SHA256 Hash: 0833077daa6d59306178a61efde6063cbe45eb2d107d4c28649ce579b70826f

We can now go back to our YARA rule and update it to include the additional strings & to change the condition:

rule veeam
{
meta:
author = "Andy"
date = "2024"
description = "This is a veeam yara demo."
reference = "Blank"
md5hash1 = "f1bc52b1c4da8b1d9dbe44bf41697d9d"
md5hash2 = "e10edced670747f31ce544a5ec39b4eb"
strings:
$s1 = "Hello there!"
$s2 = "FreeGiftCards"
$s3 = "bitcoin"
$s4 = "NFT"
condition:
(1 of them) and filesize < 20KB
}

At this point i think you can understand the general concepts of YARA and its uses.

  1. Collect the IoCs of your potential malicious file
  2. Create a YARA rule to scan an entire system and look for other instances of them.
  3. Rinse. Repeat to your liking.

 

Veeam Backup & Replication & YARA

Now that we have a YARA rule, we can use it in Veeam Backup & Replication to search through our existing backups for any malicious files. To do this, copy the YARA rule to the specified folder on our VBR server. (If you're unsure where that is, refer to the link provided. The image below will copy the location to your clipboard.) There are two methods to use a YARA rule within Veeam Backup & Replication…. Let’s go over them now.

 

 

YARA Scan for Scan Backup

This option allows you to run YARA rules on existing restore points. For example, find the last clean restore point or to analyze content for specific information or sensitive data.

Find the last clean restore point, last clean in range, or scan all restore points.

 

YARA Scan for Secure Restore

This option allows you to run YARA rule when performing a restore of a workload. Much like Secure Restore with Antivirus options, you have several options on how you would like to proceed if something was found.

 

Viewing YARA Scan Results

The results of the YARA scan can be viewed in the Statistics section of each scan Job.

To view the detailed log of the YARA scan, click the Scan Log button at the bottom of the window with the Scan Backup job statistics. Veeam Backup & Replication will display the most recenft logs in a file of 1 MB in size

 

Full logs of the scan are stored on the mount server in the following folder: C:\ProgramData\Veeam\Backup\FLRSessions\Windows\FLR__<machinename>_\Antivirus.

 

As you can see this was just a small example of identifying files and creating YARA rules with Veeam Backup & Replication.

For more information on strings and conditions, head over to learn more: Writing YARA Rules.

 

Hope this information gave you a good understanding about getting started with YARA rules and how to utilize them in Veeam Backup & Replication.

Great write-up @andy.sturniolo !! Am bookmarking this. Sadly, I just come to the realization yesterday I’m not able to run YARA scans in my environment due to the VDP Edition I have. Bummer. 


Great write-up @andy.sturniolo !! Am bookmarking this. Sadly, I just come to the realization yesterday I’m not able to run YARA scans in my environment due to the VDP Edition I have. Bummer. 

Yeah gotta have advanced or premium...

 


Awesome write up @andy.sturniolo 

its pretty cool how something so simple can be so advanced at the same time.  I’d be interested to see how more advanced we can get with YARA rules. It’s something that can be leveraged for much much more than malware too. 


Awesome write up @andy.sturniolo 

its pretty cool how something so simple can be so advanced at the same time.  I’d be interested to see how more advanced we can get with YARA rules. It’s something that can be leveraged for much much more than malware too. 

Stay tuned…


Well done 👍 Andy!  The best & most thorough explanation of VBR & YARA rules that I’ve seen.  Hugely helpful! 🙏🤓👏


What a nice post @andy.sturniolo ! Thanks 


Comment