Wafaray - Enhance Your Malware Detection With WAF + YARA (WAFARAY)

Hacking

Wafaray – Enhance Your Malware Detection With WAF + YARA (WAFARAY)

May 18, 2023

by musman5264

0 comments

WAFARAY is a LAB deployment based on Debian 11.3.0 (stable) x64 made and cooked between two main ingredients WAF + YARA to detect malicious files (e.g. webshells, virus, malware, binaries) typically through web functions (upload files).

✔️The YaraCompile.py compiles all the yara rules. (Python3 code)

✔️The test.conf is a virtual host that contains the mod security rules. (ModSecurity Code)

✔️ModSecurity rules calls the modsec_yara.py in order to inspect the file that is trying to upload. (Python3 code)

✔️Yara returns two options 1 (200 OK) or 0 (403 Forbidden)

Main Paths:

Yara Compiled rules: /YaraRules/Compiled
Yara Default rules: /YaraRules/rules
Yara Scripts: /YaraRules/YaraScripts
Apache vhosts: /etc/apache2/sites-enabled
Temporal Files: /temporal

Approach

Blueteamers: Rule enforcement, best alerting, malware detection on files uploaded through web functions.
Redteamers/pentesters: GreyBox scope , upload and bypass with a malicious file, rule enforcement.
Security Officers: Keep alerting, threat hunting.
SOC: Best monitoring about malicious files.
CERT: Malware Analysis, Determine new IOC.

Building Detection Lab

The Proof of Concept is based on Debian 11.3.0 (stable) x64 OS system, OWASP CRC v3.3.2 and Yara 4.0.5, you will find the automatic installation script here wafaray_install.sh and an optional manual installation guide can be found here: manual_instructions.txt also a PHP page has been created as a “mock” to observe the interaction and detection of malicious files using WAF + YARA.

Installation (recommended) with shell scripts

✔️Step 1: Download Debian 11.3.0:

Yara Rules

Once the Yara Rules were downloaded and compiled.

It is similar to when you deploy ModSecurity, you need to customize what kind of rule you need to apply. The following log is an example of when the Web Application Firewall + Yara detected a malicious file, in this case, eicar was detected.

Message: Access denied with code 403 (phase 2). File "/temporal/20220812-184146-YvbXKilOKdNkDfySME10ywAAAAA-file-Wx1hQA" rejected by 
the approver script "/YaraRules/YaraScripts/modsec_yara.py": 0 SUSPECTED [YaraSignature: eicar] 
[file "/etc/apache2/sites-enabled/test.conf"] [line "56"] [id "500002"] 
[msg "Suspected File Upload:eicar.com.txt -> /temporal/20220812-184146-YvbXKilOKdNkDfySME10ywAAAAA-file-Wx1hQA - URI: /upload.php"]

Testing WAFARAY… voilà…

Stop / Start ModSecurity

$ sudo service apache2 stop
$ sudo service apache2 start

Apache Logs

$ cd /var/log
$ sudo tail -f apache2/test_access.log apache2/test_audit.log apache2/test_error.log

Demos

Be careful about your test. The following demos were tested on isolated virtual machines.

Demo 1 – EICAR

A malicious file is uploaded, and the ModSecurity rules plus Yara denied uploading file to the backend if the file matched with at least one Yara Rule. (Example of Malware:

Demo 2 – WebShell.php

For this demo, we disable the rule 933110 - PHP Inject Attack to validate Yara Rules. A malicious file is uploaded, and the ModSecurity rules plus Yara denied uploading file to the backend if the file matched with at least one Yara Rule. (Example of WebShell PHP:

Demo 3 – Malware Bazaar (RecordBreaker) Published: 2022-08-13

A malicious file is uploaded, and the ModSecurity rules plus Yara denied uploading file to the backend if the file matched with at least one Yara Rule. (Example of Malware Bazaar (RecordBreaker):

YARA Rules sources

In case that you want to download more yara rules, you can see the following repositories:

Yara Signatures Compiled – https://github.com/Yara-Rules/rules
YARAHub – https://yaraify.abuse.ch/
Awesome Yara Rules – https://github.com/InQuest/awesome-yara#rules
Advanced Threat Research Yara Rules – https://github.com/advanced-threat-research/Yara-Rules
Icewater – https://github.com/SupportIntelligence/Icewater
Open Source Yara Rules – https://github.com/mikesxrs/Open-Source-YARA-rules
Bartblaza Yara Rules – https://github.com/bartblaze/Yara-rules
Cobalstrike – https://github.com/Te-k/cobaltstrike
Yara Forensic – https://github.com/Xumeiquer/yara-forensics
Loki – https://github.com/Neo23x0/Loki
YarGen – https://github.com/Neo23x0/yarGen
YarAnalyzer – https://github.com/Neo23x0/yarAnalyzer/
Valhalla – https://www.nextron-systems.com/valhalla/, https://valhalla.nextron-systems.com/
AlienVault – https://otx.alienvault.com/ (Create an account)

References

https://portswigger.net/daily-swig/waf-reloaded-modsecurity-3-1-showcased-at-black-hat-asia
https://yara.readthedocs.io/en/latest/gettingstarted.html
https://yara.readthedocs.io/en/v3.4.0/yarapython.html
https://virustotal.github.io/yara/
https://www.tutorialspoint.com/perl/perl_introduction.htm
https://malware.expert/scan-every-file-clam-antivirus-scanner-modsecurity/
https://xael.org/pages/pyclamd-en.html
https://docs.clamav.net/
https://www.decalage.info/en/python/pyclamd
https://opensource.apple.com/source/clamav/clamav-116.2/clamav.Conf/clamd.conf.auto.html
https://c99.sh/hunting-0days-with-yara-rules/
https://github.com/claroty/arya
https://isc.sans.edu/diary/YARA%27s+Console+Module/28288

Roadmap until next release

Malware Hash Database (MLDBM). The Database stores the MD5 or SHA1 that files were detected as suspicious.
To be tested CRS Modsecurity v.3.3.3 new rules
ModSecurity rules improvement to malware detection with Database.
To be created blacklist and whitelist related to MD5 or SHA1.
To be tested, run in background if the Yara analysis takes more than 3 seconds.
To be tested, new payloads, example: Powershell Obfuscasted (WebShells)
Remarks for live enviroments. (WAF AWS, WAF GCP, …)

Authors

Alex Hernandez aka (@_alt3kx_)
Jesus Huerta aka @mindhack03d

Contributors

Israel Zeron Medina aka @spk085

Download Wafaray

Tags:

Hacking