Skip to main content

Threat Hunting with Veeam : Leveraging Yara for Incident Response

Threat Hunting with Veeam : Leveraging Yara for Incident Response 

Introduction: In Veeam version 12.1, a significant addition to its feature set is the enhanced security functionality. Among the standout tools for incident response, Veeam introduced Inline Scanning with Entropy analysis and integrated Yara for post-backup examination. This article delves into the power of Yara and demonstrates how it can be a vital asset in the arsenal of cybersecurity teams.

Understanding Yara: Yara is a versatile and indispensable tool in the field of malware analysis. It is a staple in most cybersecurity professionals' toolboxes. YARA rules are customizable patterns used for identifying specific malware, targeted attacks, and security threats tailored to your unique environment.

When Should You Use Yara? To illustrate the utility of Yara, let's walk through a hypothetical incident response scenario:

The Scenario: Imagine a situation where Veeam Backup Inline Scanning has detected an Indicator of Compromise (IOC) - files on a server have been maliciously encrypted. Cyber threat actors employ a variety of tools in their kill chain, and our task is to pinpoint the threat actor. Furthermore, we must analyze a malware sample, scan the infrastructure, particularly backup images, to identify artifacts linked to the kill chain. This approach allows us to cleanse backup images before reintegrating them into production.

Getting Started:

  1. Begin with a Windows 11 virtual machine containing random documents.
  2. Develop a Python script that simulates malware behaviour by encrypting documents and establishing a connection to a command-and-control server.
  3. Execute this imitation malware on the Windows 11 VM, encrypting files and appending the ".EZZ" extension, mimicking Alpha Crypt.
  4. Perform a backup while enabling inline scanning in Veeam to detect IOCs by identifying encrypted data.
  5. Utilize PE (Portable Executable) analysis tools to examine the imitation malware sample.
  6. Use insights gained to create a Yara rule.
  7. Embark on a hunt through backup images to locate imitation malware artifacts.

First Lets enable Inline Malware scanning in Veeam :


 

You can add more extensions but there is a considerable amount out of the box , you can see the file here & these will be updated automatically with latest.

 


 

C:\Program Files\Veeam\Backup and Replication\Backup\SuspiciousFiles.xml

However, you can add custom extension

IE :  .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, _crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK,

I already took an initial clean backup.  So now ill detonate the Malware on the target VM.

Inline detection was run against first clean backup:



I created an exe by using pyinstaller to convert Python script to exe ,  this will serve as our malware binary we will execute on the target system.

These are the files we will Target


After detonating the Malware, we can see data is encrypted with extension :

Lets Rerun backup with inline detection.

We have Event logged for Malware in Images

Lets Open the Exe of malware and look at the PE data , I’m using PeStudio & PEviewer

What are PE tools?

PE tools are used for static analysis, this is a method of debugging that is done by automatically examining the source code of a malicious without having to execute or detonating the Malware.

We will use the information we analyze with PE studio to understand what the malware is doing & try creating a relevant Yara rule to isolate its artifacts across systems.

Here we can see encryption command & we can see execution to change file extension to EZZ.

  


We can also see Command and Control URL


Now we create a YARA rule to find artifacts that might have similar strings being used.

Creating the Yara Rule:

  1. After analysing the malware sample, identify unique strings or patterns within it.
  2. Craft a YARA rule with the following sections:
    • Header/Meta Data: This section provides information about the rule's purpose.
    • Strings: Specify the data patterns you wish to match when running the rule against files.
    • Conditions: Define the criteria for managing the matches found (e.g., AND, OR).

      For example:

2 of any of the strings must be present to make a positive match.

Save As a .YAR File  in Path C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules


In Veeam , we can go look at protected data & initiate a scan with our new YARA rule


We select YARA rule we created & run scan against the entire backup chain:

 


Once the rule Scans all the files in the VM Disks we can find additional artifacts:

** Note inline scan detected the encrypted document files with EZZ , the YARA rule found the Malware artifacts that were used when detonated in the VM

  


Conclusion:

Yara, combined with Veeam's security functionality, empowers organizations to proactively hunt for threats, detect IOCs, and mitigate potential damage during incident response. By creating custom Yara rules and performing scans on backup images, you can fortify your cybersecurity posture and protect your data from evolving threats.

This Customizes beyond AV definitions for more custom, Targeted Scans

Additionally, Yara can be customized to find PII & other sensitive information by forming rules to match.

Please share your thoughts & comments, thank you for taking the time to read.

Comments