Chronicle Road to Detection: YARA-L Language — Part 3 of 3

Anton Chuvakin
Feb 28 · 3 min read

Note: Yes, this is written while wearing my vendor hat. But do keep in mind that I only work on things I believe in! So, don’t knock that hat off my head :-)

We call our approach YARA-L because it is inspired by YARA — invented by Google VirusTotal for malware analysis and applied to logs (hence the “L”) and other security telemetry inside the Chronicle platform.

What is important is that YARA-L is a language to express detections, not merely to query the data in order to eventually use said data for detection. In essence, it is a threat detection language, not a data query language! It is designed by and for security analysts, admittedly with some help from malware reverse engineers (who created the original YARA).

Building to become “the standard” or even “a standard” for expressing detection is a monumental undertaking. Understanding the success of YARA is essential in developing a strategy for nurturing the success of our detection language, YARA-L, broadly and Chronicle rule engine specifically.

How will YARA-L be used with Chronicle [not all of the below are real today, to be sure]?

  1. Define real-time detection rules
  2. Define historical detection rules of arbitrary complexity
  3. Perform advanced (hunting-style) searches

Admittedly, the cases 2 and 3 are similar, but 2. implies a scheduled rule run leading to an alert while 3 is about interactive exploration of data by a human analyst.

YARA — L Scenarios

What are some of the scenarios where we think this approach really shines?

  1. You hear about a new malware that uses a particular registry key for persistence
  2. You analyze a new threat and realize that it uses a Powershell launching with a hidden window parameter
  3. You have a need to expand coverage of a particular MITRE ATT&CK technique in your environment
  4. You want to cast a wide net of looking for types of newly popular suspicious activities such as access to browser cookie and credential files
  5. You need to watch for specific activities that are necessary for the attacker to take in order to steal particularly valuable data

YARA-L shines in all those scenarios and while other approaches may help with some of them, it is hard to find an approach that works universally.

One, a traditional SIEM product with a UI-based rule configuration lacks flexibility and hence the coverage of use cases, coupled with typically slower performance. Two, a search-based tool will require a layer of additional data analysis to deliver the detections. Three, a programming language-based approach (say express detection rules in Python or Go as some elite organizations do) would be a massive overkill for non-programming SOC analysis and other security professionals. We feel that YARA-L is the “just right” approach for the threat detection problem today.

Detection needs continue to shift and grow as organizations realize legacy product solutions are not the sole answer to security. As investments are made into human analysts, threat responders and hunters, we have the opportunity to introduce YARA-L as both a microscope and wide angle lens to defenders’ toolkits. We must support an investigative mindset that allows for ready on-boarding and application of threat intelligence, analyst insights, and investigative techniques.

Thus far, the collective industry has failed to develop a unified solution and remains unable — in most cases and/or without extreme reliance on uniquely talented people — to effectively use procedural based detectors derived from the study of attacker TTPs. YARA-L is an opportunity to throw our hat into the ring while also providing Chronicle customers a powerful mechanism to detect threats and intuitively pursue and iterate upon security investigations.

YARA-L Example

Example MITRE ATT&CK Technique T1054 Blocking of Indicators

profile mitre_T1054_Possible_Indicator_Blocking

{

meta:

author = “Chronicle”

description = “Detection for registry change used to bypass Event Tracing for Windows (ETW)”

reference = “https://attack.mitre.org/techniques/T1054/"

version = “1.0”

created = “2019–12–13”

function:

func RegChange()

if ( (udm.metadata.event_type == “REGISTRY_MODIFICATION” or udm.metadata.event_type == “REGISTRY_CREATION” ) and

re.regex(udm.target.Registry.registry_key, “HKLM\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\AUTOLOGGER_NAME.*”) )

then

return true

end

return false

end

condition:

if ( RegChange() ) then

outcome.match()

end

}

P.S. I can be convinced to drop more examples, if you are curious.

(written together with Brandon Levene)

Anton on Security

A new start for my security blog

Anton Chuvakin

Written by

See www.chuvakin.org

Anton on Security

A new start for my security blog

More From Medium

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade