🛡️ Cyber Kill Chain Defense

YARA & Suricata Rules for Detection and Prevention


Introduction

Detection rules organized by the Cyber Kill Chain framework

YARA Rules (Pattern Matching)

  • Purpose: Identify and classify malware
  • Scope: Files, memory, processes
  • Strength: Deep content inspection
  • Format: Rule-based signatures

Suricata Rules (Network IDS)

  • Purpose: Detect network-based attacks
  • Scope: Network packets, protocols
  • Strength: Real-time traffic analysis
  • Format: Signature-based alerts

Reconnaissance Detection

Detect port scans, vulnerability scans, and OSINT gathering

Suricata Rules (Network Detection)

Port Scanning Detection

# SYN Scan Detection
alert tcp any any -> $HOME_NET any (msg:"SYN Scan Detected"; flags:S,12; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

# NULL Scan Detection
alert tcp any any -> $HOME_NET any (msg:"NULL Scan Detected"; flags:0; threshold: type both, track by_src, count 50, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)

# Web Scanner Detection
alert http any any -> $HOME_NET any (msg:"Nikto Scanner Detected"; flow:to_server; http.user_agent; content:"Nikto"; nocase; classtype:web-application-attack; sid:1000009; rev:1;)
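The threshold keyword in the two scan rules above decides when those rules actually fire. The following Python model of that logic is an added example, not part of the original deck: it replays constructed SYN events through the SYN scan rule's settings (type both, track by_src, count 100, seconds 60) and also covers the threshold and limit types, which this deck does not use.

```python
from collections import defaultdict


class Threshold:
    """Model of Suricata's per-rule threshold keyword, tracked per key (here: src_ip).
    both:      alert once per window, at the moment `count` events have been seen
    threshold: alert on every count-th event within the window
    limit:     alert on the first `count` events of the window, then stay silent
    The window opens on a key's first event and is reopened once it has expired.
    """

    def __init__(self, kind, count, seconds):
        assert kind in ("both", "threshold", "limit")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # key -> [window_start_ts, events_in_window]

    def hit(self, key, ts):
        """Record one matching packet; return True if an alert should be emitted."""
        entry = self.state.get(key)
        if entry is None or ts - entry[0] >= self.seconds:
            entry = self.state[key] = [ts, 0]  # open or reopen the window
        entry[1] += 1
        n = entry[1]
        if self.kind == "both":
            return n == self.count
        if self.kind == "threshold":
            return n % self.count == 0
        return n <= self.count  # limit


def replay(events, kind="both", count=100, seconds=60):
    """events: (timestamp, src_ip) pairs for packets matching flags:S,12; returns alerts per src."""
    th = Threshold(kind, count, seconds)
    alerts = defaultdict(int)
    for ts, src in sorted(events):
        if th.hit(src, ts):
            alerts[src] += 1
    return dict(alerts)


def sample_events():
    """Constructed traffic: 150 SYNs in 30 s, 99 SYNs in 50 s, and 100 SYNs twice with a pause."""
    ev = [(i * 0.2, "198.51.100.7") for i in range(150)]
    ev += [(i * 0.5, "198.51.100.8") for i in range(99)]
    ev += [(i * 0.3, "198.51.100.9") for i in range(100)]
    ev += [(90 + i * 0.3, "198.51.100.9") for i in range(100)]
    return ev


if __name__ == "__main__":
    print(replay(sample_events()))  # sid 1000001 settings: type both, count 100, seconds 60
```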

YARA Rules (Tool Detection)

rule Nmap_Detection {
    meta:
        description = "Detects Nmap network scanner"
        severity = "medium"
        kill_chain_phase = "reconnaissance"
    
    strings:
        $nmap1 = "Nmap" ascii wide
        $nmap2 = "nmap.org" ascii
        $nmap3 = "Starting Nmap" ascii
    
    condition:
        2 of them
}

Weaponization Detection

Detect malicious payload creation and presence

YARA - Meterpreter (Critical)

rule Metasploit_Meterpreter {
    meta:
        severity = "critical"
    
    strings:
        $met1 = "metsrv.dll"
        $met2 = "ReflectiveLoader"
        $func = "screenshot"
    
    condition:
        2 of them
}

YARA - Web Shells (Critical)

rule Web_Shell {
    strings:
        $php = "<?php"
        $exec = "system($_"
        $eval = "eval($_POST"
    
    condition:
        $php and 1 of ($exec,$eval)
}

Delivery Detection

Detect payload transmission methods

Suricata - Phishing Detection (Email Security)

# Suspicious Email Attachments (fileext matches the attachment's file name extension; file_data with content:".exe" would only match those bytes inside the attachment body)
alert smtp any any -> $HOME_NET any (msg:"Email with Executable Attachment"; flow:to_server; fileext:"exe"; classtype:trojan-activity; sid:3000001; rev:1;)

# Malicious Office Documents
alert http any any -> $HOME_NET any (msg:"Office Document with Macros"; flow:to_client; file_data; content:"vbaProject.bin"; classtype:trojan-activity; sid:3000005; rev:1;)

YARA - Malicious Documents (High Priority)

rule Malicious_Office_Document {
    meta:
        description = "Office document with a VBA project, an auto-run entry point and a PowerShell string"
    strings:
        $ole = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE2 compound file (.doc/.xls)
        $zip = { 50 4B 03 04 }               // OOXML container (.docm/.xlsm are zip files)
        $vba = "_VBA_PROJECT" wide           // VBA stream name inside an OLE2 file (UTF-16LE)
        $macro = "vbaProject.bin"            // VBA project entry name inside an OOXML zip
        $auto = "AutoOpen" nocase
        $susp = "powershell" nocase
    
    condition:
        // OLE2 files name the VBA stream _VBA_PROJECT; only OOXML zips contain vbaProject.bin
        (($ole at 0 and $vba) or ($zip at 0 and $macro)) and $auto and $susp
}
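The rule above keys on container magic and string indicators, but the VBA project inside an OOXML file is a deflated zip member, so its contents are not visible to a raw string scan. The Python triage helper below is an added example, not part of the original deck: it identifies the container, inflates vbaProject.bin from a constructed .docm-style sample, and then looks for the auto-run and PowerShell indicators; its auto-run list is broader than the rule's single AutoOpen string.

```python
import io
import re
import zipfile

# Magic bytes for the two Office container formats.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls compound file
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML (.docm/.xlsm/.pptm) zip container
# Names that mark a VBA project in each container.
OLE_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE
OOXML_VBA_ENTRY = "vbaProject.bin"                   # zip member name in OOXML files
# Auto-run entry points (broader than the rule's AutoOpen) and the suspicious token.
AUTO_RUN = re.compile(rb"Auto_?Open|Document_Open|Workbook_Open", re.IGNORECASE)
SUSPICIOUS = re.compile(rb"powershell", re.IGNORECASE)


def triage_office(data):
    """Return container type and VBA indicators for one file's bytes.
    OOXML stores vbaProject.bin deflated, so a raw byte scan (what a YARA string
    match does) cannot see strings inside it; the member is inflated before scanning.
    """
    result = {"container": None, "has_vba": False, "auto_run": False, "powershell": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        result["has_vba"] = OLE_VBA_STREAM in data
        vba_blob = data  # OLE2 keeps the VBA streams in the file body itself
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if n.endswith(OOXML_VBA_ENTRY)]
            result["has_vba"] = bool(members)
            vba_blob = b"".join(zf.read(n) for n in members)
    else:
        return result
    if result["has_vba"]:
        result["auto_run"] = AUTO_RUN.search(vba_blob) is not None
        result["powershell"] = SUSPICIOUS.search(vba_blob) is not None
    return result


def build_sample_docm(vba_source):
    """Constructed sample: a minimal .docm-like zip whose vbaProject.bin is deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", vba_source)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm(b'Sub AutoOpen()\r\n    Shell "powershell"\r\nEnd Sub\r\n')
    print(triage_office(sample))
```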

Exploitation Detection

Detect vulnerability exploitation attempts

Suricata - Web Exploits (Web App Security)

# SQL Injection
alert http any any -> $HOME_NET any (msg:"SQL Injection - UNION SELECT"; flow:to_server; http.uri; content:"union"; nocase; content:"select"; nocase; classtype:web-application-attack; sid:4000001; rev:1;)

# Cross-Site Scripting
alert http any any -> $HOME_NET any (msg:"XSS Attempt - Script Tag"; flow:to_server; http.uri; content:"<script"; nocase; classtype:web-application-attack; sid:4000004; rev:1;)

# Log4Shell (matches the plain ${jndi: form only; nested-lookup obfuscations of the string are not covered)
alert http any any -> $HOME_NET any (msg:"Log4Shell Exploitation"; flow:to_server; content:"${jndi:"; nocase; pcre:"/(ldap|rmi|dns):\/\//i"; classtype:web-application-attack; sid:4000014; rev:1;)

Installation Detection

Detect persistence mechanism installation

YARA - Windows Persistence (High)

rule Registry_Persistence {
    strings:
        $run = "CurrentVersion\\Run" nocase
        $reg = "RegCreateKeyEx"
    
    condition:
        all of them
}

YARA - Linux Persistence (High)

rule Linux_Persistence {
    strings:
        $cron = "crontab"
        $systemd = "systemctl enable"
        $ssh = "authorized_keys"
    
    condition:
        2 of them
}

Command & Control Detection

Detect C2 communications and beaconing

Suricata - C2 Detection (Critical)

# Meterpreter Traffic
alert tcp any any -> any any (msg:"Meterpreter Session"; flow:established; content:"metsrv"; nocase; classtype:trojan-activity; sid:6000001; rev:1;)

# DNS C2 (the pattern checks for a long first label; it does not measure entropy, so expect hits on legitimate long hostnames)
alert dns any any -> any 53 (msg:"DNS C2 - High Entropy"; dns.query; pcre:"/^[a-z0-9]{20,}\./i"; classtype:trojan-activity; sid:6000003; rev:1;)

# HTTP C2
alert http any any -> any any (msg:"HTTP C2 - Base64 Command"; flow:established; http.uri; pcre:"/^\/[A-Za-z0-9+\/=]{20,}/"; classtype:trojan-activity; sid:6000005; rev:1;)

YARA - C2 Frameworks (Critical)

rule Cobalt_Strike_Beacon {
    strings:
        $beacon = "beacon.dll" nocase
        $cs = "cobaltstrike" nocase
        $pipe = "\\\\.\\pipe\\MSSE-"
    
    condition:
        2 of them
}

Actions on Objectives Detection

Detect data theft and destructive actions

Suricata - Data Exfiltration (High Priority)

# Large Upload Detection (http.content_len holds the Content-Length value as text; byte_test:4,...,string,dec would read only four digits and never reach 5000000, so the digit count is checked with a regex instead)
alert http $HOME_NET any -> any any (msg:"Large HTTP POST - Data Exfiltration"; flow:to_server; http.method; content:"POST"; http.content_len; pcre:"/^(?:[5-9][0-9]{6}|[0-9]{8,})$/"; classtype:policy-violation; sid:7000001; rev:1;)

# DNS Exfiltration
alert dns $HOME_NET any -> any 53 (msg:"DNS Exfiltration - Base64"; dns.query; pcre:"/[A-Za-z0-9+\/]{50,}/"; classtype:policy-violation; sid:7000002; rev:1;)
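The DNS C2 rule above (sid 6000003) and the DNS exfiltration rule here (sid 7000002) both fire on label length alone; neither measures entropy despite the C2 rule's name. The Python scorer below is an added example, not from the original deck: it applies both patterns to constructed query names and adds a Shannon entropy check, with the entropy floor being an assumed tuning value rather than anything from the rules.

```python
import math
import re

# The two DNS patterns from this rule set, as Python regexes.
C2_LONG_LABEL = re.compile(r"^[a-z0-9]{20,}\.", re.IGNORECASE)  # sid 6000003
EXFIL_B64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}")               # sid 7000002


def shannon_entropy(text):
    """Bits per character: random base-36 text approaches log2(36) = 5.17, words sit near 3."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(text.count(c) / total * math.log2(text.count(c) / total) for c in set(text))


def score_query(qname, entropy_floor=3.5):
    """Apply both rule patterns to a query name and add an entropy check for tuning.
    The rules fire on length alone; entropy_floor (an assumed tuning value, not from
    the rules) separates random-looking tunnel or DGA labels from long regular names.
    """
    first = qname.rstrip(".").split(".")[0]
    ent = round(shannon_entropy(first.lower()), 2)
    hits = [sid for sid, rx in ((6000003, C2_LONG_LABEL), (7000002, EXFIL_B64_RUN)) if rx.search(qname)]
    return {"qname": qname, "rule_hits": hits, "first_label_len": len(first),
            "first_label_entropy": ent, "suspicious": bool(hits) and ent >= entropy_floor}


# Constructed query names, not captured traffic.
SAMPLE_QUERIES = [
    "mail.example.com",                                  # ordinary lookup: no rule fires
    "a" * 32 + ".example.com",                           # long but zero-entropy label
    "abcdefghijklmnopqrstuvwxyz0123456789.tunnel.test",  # 36 distinct chars: maximal entropy
    "A1b2C3d4E5f6G7h8I9j0" * 3 + ".exfil.test",          # 60-char base64-alphabet run
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(score_query(q))
```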

Suricata - Lateral Movement (Critical)

# PsExec Detection (the service/pipe name travels as UTF-16LE inside SMB, so it is matched with interleaved null bytes)
alert smb any any -> $HOME_NET 445 (msg:"PsExec Lateral Movement"; flow:established,to_server; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; nocase; classtype:lateral-movement; sid:7000008; rev:1;)

# Pass-the-Hash (kept commented out: the rule has no content or keyword match, so as written it fires on every established SMB session, and a logon with a stolen NTLM hash is not distinguishable from a normal NTLM logon by a static content signature; detect it from authentication logs instead)
#alert smb any any -> $HOME_NET 445 (msg:"Pass-the-Hash Attempt"; flow:established; classtype:lateral-movement; sid:7000010; rev:1;)

YARA - Credential Dumpers (Critical)

rule Credential_Dumper {
    strings:
        $mimi1 = "sekurlsa::logonpasswords"
        $mimi2 = "lsadump::sam"
        $laz = "laZagne" nocase
    
    condition:
        any of them
}

YARA - Ransomware (Critical)

rule Ransomware_Indicators {
    strings:
        $note1 = "files have been encrypted" nocase
        $note2 = "bitcoin" nocase
        $anti = "vssadmin delete shadows" nocase
    
    condition:
        2 of them
}

Rule Management

Deployment and maintenance procedures

YARA Deployment (Management)

# Compile rules (yarac writes a compiled rule file; yara -C loads one rather than compiling)
yarac rules.yar rules.yarc

# Scan file
yara rules.yar file_to_scan

# Scan directory
yara -r rules.yar /path/to/scan/

# Scan process memory
yara rules.yar <PID>

Suricata Deployment (Management)

# Test configuration
sudo suricata -T -c /etc/suricata/suricata.yaml

# Reload rules
sudo kill -USR2 $(pidof suricata)

# Update rules
sudo suricata-update

# View alerts
tail -f /var/log/suricata/eve.json

Testing & Validation

Ensure rules work correctly and efficiently

Testing Procedures

YARA Testing

# Test against sample files
yara rules.yar /path/to/malware/samples/

# Test for false positives
yara -r rules.yar /usr/bin/ > false_positives.txt

Suricata Testing

# Test against PCAP
suricata -c /etc/suricata/suricata.yaml -r test.pcap

# Check results
jq 'select(.event_type=="alert")' /var/log/suricata/eve.json
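The jq filter above pulls alert records out of eve.json; because this rule set encodes the kill chain phase in the sid prefix, those alerts can be correlated per internal host. The Python script below is an added example, not from the original deck: it reads constructed EVE lines, maps each alert's signature_id to a phase, attributes it to the HOME_NET side of the flow (assumed here to be 10.0.0.0/8), and reports hosts that have progressed through two or more phases.

```python
import ipaddress
import json
from collections import defaultdict

# Kill chain phase encoded in the sid prefix this rule set uses
# (1xxxxxx recon, 3xxxxxx delivery, 4xxxxxx exploitation, 6xxxxxx C2, 7xxxxxx actions).
PHASE_BY_SID_PREFIX = {1: "reconnaissance", 3: "delivery", 4: "exploitation",
                       6: "command-and-control", 7: "actions-on-objectives"}
PHASE_ORDER = ["reconnaissance", "weaponization", "delivery", "exploitation",
               "installation", "command-and-control", "actions-on-objectives"]
# Assumption: mirrors $HOME_NET in suricata.yaml; adjust to your deployment.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]


def internal_host(rec):
    """Pick the HOME_NET side of an alert, whichever direction the rule fired in."""
    for key in ("src_ip", "dest_ip"):
        if any(ipaddress.ip_address(rec[key]) in net for net in HOME_NET):
            return rec[key]
    return None


def correlate_alerts(eve_lines, min_phases=2):
    """Group EVE alert records per internal host; report hosts seen in >= min_phases phases."""
    phases_by_host = defaultdict(set)
    for line in eve_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":  # same filter as the jq command above
            continue
        host = internal_host(rec)
        if host is not None:
            sid = rec["alert"]["signature_id"]
            phases_by_host[host].add(PHASE_BY_SID_PREFIX.get(sid // 1_000_000, "unknown"))
    return {h: seq for h, seq in
            ((h, [p for p in PHASE_ORDER if p in ps]) for h, ps in phases_by_host.items())
            if len(seq) >= min_phases}


# Constructed EVE records (not real traffic), using sids from this rule set.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature_id":1000001,"signature":"SYN Scan Detected"}}
{"timestamp":"2024-01-01T10:05:12.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"10.0.0.5"}
{"timestamp":"2024-01-01T10:12:30.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","alert":{"signature_id":4000014,"signature":"Log4Shell Exploitation"}}
{"timestamp":"2024-01-01T10:15:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.53","alert":{"signature_id":6000003,"signature":"DNS C2 - High Entropy"}}
{"timestamp":"2024-01-01T11:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.8","alert":{"signature_id":1000009,"signature":"Nikto Scanner Detected"}}
"""

if __name__ == "__main__":
    for host, phases in correlate_alerts(SAMPLE_EVE.splitlines()).items():
        print(host, "->", " > ".join(phases))
```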

⚠️ Legal Disclaimer

IMPORTANT: These detection rules are for authorized security monitoring only.

Always ensure proper authorization before deploying security monitoring tools.