Malware Detection with YARA and osquery
Traditional file-hash malware detection is relatively easy to circumvent: threat actors easily morph code to create "new" variants, rendering old IOCs useless.
YARA uses a different approach. Its rules match small segments of code within the malware, so variants produced by traditional morphing techniques remain detectable. The challenge is knowing which files to scan with YARA, as scanning everything can be expensive.
This is where osquery comes in: it can tell us exactly which files have been executed, and therefore which files to scan. Even for files that have not been executed, osquery can be used to build whitelists from golden images and identify suspect binaries.
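As an added example (not from the webinar or the osquery project), the following osquery query applies both ideas above: it hashes the on-disk binary of every running process, drops anything whose SHA-256 appears in a golden-image whitelist, and YARA-scans the remainder. The rule-file path is a placeholder and the golden-image hashes are constructed sample values.

```sql
-- Added example: scan only executed, non-whitelisted binaries with YARA.
-- Assumptions: a rule file exists at the placeholder path below, and the
-- two SHA-256 values in golden_image are constructed samples, not real hashes.
WITH golden_image(sha256) AS (
  VALUES
    ('0000000000000000000000000000000000000000000000000000000000000001'),
    ('0000000000000000000000000000000000000000000000000000000000000002')
),
executed AS (
  -- On-disk path and hash of each distinct binary backing a running process.
  -- Empty paths (e.g. kernel threads on Linux) are skipped.
  SELECT DISTINCT p.path, h.sha256
  FROM processes AS p
  JOIN hash AS h ON h.path = p.path
  WHERE p.path != ''
)
SELECT e.path, e.sha256, y.matches, y.count
FROM executed AS e
JOIN yara AS y ON y.path = e.path
WHERE e.sha256 NOT IN (SELECT sha256 FROM golden_image)   -- skip known-good binaries
  AND y.sigfile = '/etc/osquery/yara/malware.yar'          -- placeholder rule file
  AND y.count > 0;                                         -- report only rule hits
```

Each row returned is a running binary that is not on the golden-image list and matched at least one rule, which is the short list worth investigating rather than the whole filesystem.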
Register now to access this on-demand webinar!
Julian Wayte is a Security Solutions Engineer for Uptycs. In this role, he helps organizations architect security solutions, based on endpoint telemetry and automated workflows, in order to solve a variety of security use cases. Julian loves working with and teaching osquery. He has worked for 20 years in various customer-facing, technical IT roles helping organizations manage and secure their data.
What is osquery?
Osquery is an open-source, cross-platform agent that turns your operating system into a virtual database, letting you leverage the power of the SQL language to ask anything of your system. Over 200 tables let you understand what processes are running, which users are logged in, where the machine is connected, what files are on disk and much, much more. Due to its flexibility and power, it makes an amazing tool for threat hunting, security monitoring, and even IT operations.
What is YARA?
YARA is a tool aimed at helping security people identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic. (Documentation)
Why are these two a perfect match?
osquery and YARA complement each other: osquery is all about exposing endpoint telemetry across a fleet, and some of that telemetry is exactly what is needed to compare against YARA rules to identify known malware.