This article discusses the limitations of YARA signatures for .NET assemblies that rely solely on strings and explores enhanced detection methodologies, including the use of IL code, method signatures, and specific custom attributes. The piece emphasizes the importance of understanding .NET metadata structures for crafting effective signatures, even in the absence of malicious samples. Affected: .NET assemblies, malware analysts, cybersecurity sector.
Keypoints :
- YARA signatures based on strings are limited in their effectiveness for .NET assemblies.
- Detection opportunities can be improved by utilizing IL code, method signatures, and custom attributes.
- Understanding .NET metadata structures, tokens, and streams is crucial for crafting precise and efficient signatures.
- When samples are unavailable, analysts may rely on screenshots of decompiled code to create YARA rules.
- Common pitfalls exist in writing YARA rules that misuse modifiers affecting string patterns.
- Two types of tokens are present in .NET: coded tokens and non-coded tokens, impacting signature creation.
- Robust patterns can be established by wild-carding RIDs and incorporating detailed context.
- Knowledge of stream structures and formats can lead to more successful detections and fewer false positives.
MITRE Techniques :
- Technique ID: T1105 ā Ingress Tool Transfer ā The discussion of YARA signatures hints at methods employed by malware to transfer malicious payloads through legitimate .NET processes.
- Technique ID: T1203 ā Exploitation for Client Execution ā Using reversed engineered IL code reveals methods that can be leveraged for exploiting client applications.
Indicator of Compromise :
- [Hash] f9ee3eff3345ea280c01d5fce5461b24c537cf6c3dfadc626ef73eed815c2008
Full Story: https://www.gdatasoftware.com/blog/2025/04/38145-yara-signatures-net-malware