YARA + Velociraptor

From One Machine to the Entire Fleet

In Lesson 7.4, you learned to scan files, directories, memory dumps, and disk images on a single system. That covers incident response on one compromised host. But what happens when you need to answer a much bigger question: "Is this malware on any other system in our environment?"

Manually SSH-ing into every server, copying your YARA rules, running scans, and collecting results is not feasible when you have 50, 500, or 5,000 endpoints. You need a platform that can deploy YARA rules to every endpoint simultaneously, run the scan locally on each machine, and collect the results centrally.

That platform is Velociraptor.

You already know Velociraptor from Module 6 as an endpoint investigation tool. Now you will use its hunt capability — the ability to run the same artifact collection across every connected client at once. When that artifact is a YARA scan, you get enterprise-wide malware detection in minutes instead of days.

Click to enlarge

How Velociraptor YARA Hunting Works

The architecture is simple but powerful:

1. Analyst writes a YARA rule and pastes it into a Velociraptor hunt configuration
2. Velociraptor server distributes the hunt to all connected clients (or a targeted subset)
3. Each client runs YARA locally — the endpoint's CPU scans its own filesystem or memory
4. Only results travel the network — if 1,000 endpoints scan 100GB each, the server does not transfer 100TB. It receives only match reports (usually kilobytes per endpoint)
5. Analyst reviews aggregated results in the Velociraptor web interface — which hosts matched, which files triggered, which rules fired

This model scales linearly. Scanning 10 endpoints takes the same amount of analyst time as scanning 1,000 — the work is distributed to the endpoints themselves.

Velociraptor YARA Artifacts

Velociraptor provides several YARA-specific artifacts (pre-built collection scripts) for different operating systems and scan targets.

Click to enlarge

Windows: Windows.Detection.Yara.NTFS

The primary Windows YARA scanning artifact. Uses raw NTFS access via the Master File Table (MFT) to scan files — including files that are locked by running processes.

Key parameters:

Key advantage: Raw NTFS access reads files that running processes hold open — including locked DLLs, open databases, and files with exclusive locks. Standard filesystem APIs cannot read these files, but MFT-level access bypasses all locks.

Common scan paths:

C:\Users\**                    # User directories — malware staging
C:\Windows\Temp\**             # Temp directory — dropped payloads
C:\ProgramData\**              # App data — hidden tools
C:\Windows\System32\**         # System directory — masqueraded binaries

Linux: Linux.Detection.Yara.Glob

The primary Linux YARA scanning artifact. Uses glob patterns to traverse the filesystem.

Key parameters:

Common scan paths:

/tmp/**                        # World-writable temp — attacker staging
/var/tmp/**                    # Persistent temp — survives reboot
/dev/shm/**                    # RAM-backed — fileless attack staging
/var/www/**                    # Web directories — webshell hunting
/home/**                       # User directories — backdoor tools
/etc/cron.d/**                 # Cron persistence

Cross-Platform: Generic.Detection.Yara.Glob

Works on both Windows and Linux. Uses standard file access (not raw NTFS). Simpler but cannot read locked files on Windows.

Process Memory: *.Detection.Yara.Process

Scans running process memory instead of filesystem:

• Windows.Detection.Yara.Process — scan Windows process memory
• Linux.Detection.Yara.Process — scan Linux process memory

When to use: Detecting fileless malware, process injection, and packed payloads that only exist in memory. Deploy when your filesystem scan finds nothing but you still suspect compromise (the attacker may have deleted their files but their process is still running).

Creating and Launching a Hunt

A hunt is a Velociraptor operation that runs the same artifact across multiple endpoints. Here is the workflow:

Step 1: Navigate to the Hunt Manager

In the Velociraptor web interface, click the Hunt Manager icon (crosshair icon) in the left sidebar. Click New Hunt (+ button).

Step 2: Configure the Hunt

Description: Give the hunt a clear name:

Hunt: Webshell Detection - PHP eval/base64_decode/system
Date: 2026-02-17
Analyst: CyberBlue Team
Ref: INC-2026-0147

Artifacts: Select the appropriate YARA artifact:

• For Windows endpoints: Windows.Detection.Yara.NTFS
• For Linux endpoints: Linux.Detection.Yara.Glob
• For mixed environments: create two hunts (one per OS)

Parameters: Configure the artifact with your YARA rule and scan scope:

YaraRule:
rule Webshell_PHP_Eval {
    meta:
        author = "SOC Team"
        description = "Detects PHP eval webshells"
        severity = "critical"
    strings:
        $eval = "eval(" nocase
        $b64 = "base64_decode" nocase
        $system = "system(" nocase
        $post = "$_POST"
        $php = "<?php"
    condition:
        filesize < 50KB and
        $php and
        ($eval or $system) and
        ($b64 or $post)
}

PathGlob: /var/www/**
FileNameRegex: \.php$
SizeMax: 50000
NumberOfHits: 10
Upload: true

Step 3: Target Selection

Choose which endpoints to scan:

• All clients — scan every connected endpoint (use for serious threat)
• Label-based — scan only endpoints with a specific label (e.g., "web-servers", "production", "linux")
• OS-based — limit to Windows or Linux clients
• Individual — select specific hosts for targeted investigation

Step 4: Launch and Monitor

Click Launch Hunt. The Velociraptor server dispatches the hunt to all targeted clients. You can monitor progress in real time:

• Total clients — how many endpoints are targeted
• Scheduled — hunt dispatched, waiting for client to check in
• Running — actively scanning
• Completed — scan finished (with or without matches)
• Errors — scan failed (permissions, disk errors, client offline)

Step 5: Review Results

The results view shows:

Hostname          | Matched File                    | Rule Name          | Matching Strings
------------------|---------------------------------|--------------------|-----------------
linux-web-01      | /var/www/html/.status.php       | Webshell_PHP_Eval  | $eval, $post, $php
linux-web-03      | /var/www/app/uploads/shell.php  | Webshell_PHP_Eval  | $eval, $b64, $php
WIN-IIS-01        | C:\inetpub\wwwroot\cmd.php     | Webshell_PHP_Eval  | $system, $post, $php

For each match you see:

• Hostname — which endpoint has the malicious file
• Matched file — full path to the detected file
• Rule name — which YARA rule triggered
• Matching strings — which patterns fired

If you enabled Upload: true, the matching files are collected to the Velociraptor server for further analysis — you can download them, hash them, submit to sandbox, or share with your IR team.

Hunt Optimization Tips

Narrow Your Scope

Do not scan C:\** or /** on every endpoint. This scans the entire filesystem and takes hours. Instead:

• Know your threat model. Webshells go in web directories. Ransomware targets user files. C2 beacons hide in temp and appdata folders. Scan where the threat lives.
• Use FileNameRegex. If you are hunting for PHP webshells, add \.php$ — no point scanning .jpg, .pdf, and .log files.
• Set SizeMax. If your target is under 50KB, set SizeMax to 50000 — skip everything larger.

Stage Your Hunts

1. Pilot hunt — run on 5-10 test endpoints first. Verify the rule works, check for false positives, confirm scan duration is reasonable.
2. Targeted hunt — expand to the most likely targets (all web servers, all domain controllers, all endpoints in the affected network segment).
3. Full hunt — if the targeted hunt finds additional infections, expand to the entire fleet.

Multiple Rules in One Hunt

You can paste multiple YARA rules into a single hunt's YaraRule parameter:

rule Webshell_Eval { ... }
rule Webshell_System { ... }
rule Webshell_Passthru { ... }
rule Cobalt_Strike_Beacon { ... }

All rules execute in a single pass over the filesystem, which is faster than running four separate hunts.

Real-World Hunt Scenario

Here is a complete example of how a SOC team uses Velociraptor YARA hunting during an incident:

Trigger: Wazuh fires alert for a suspicious PHP file creation on linux-web-01. Analyst investigates and confirms a web shell at /var/www/html/.status.php.

Question: Is this web shell on any other web server?

Action 1: Analyst writes a YARA rule based on the confirmed web shell:

rule Confirmed_Webshell_StatusPHP {
    meta:
        author = "SOC Analyst - INC-2026-0147"
        description = "Webshell found on linux-web-01"
        hash = "a1b2c3d4..."
    strings:
        $eval = "eval(base64_decode" nocase
        $post = "$_POST['cmd']" nocase
        $unique = "@set_time_limit(0)"
    condition:
        filesize < 10KB and all of them
}

Action 2: Launch Velociraptor hunt targeting all endpoints labeled "web-server" with:

• Artifact: Linux.Detection.Yara.Glob
• PathGlob: /var/www/**
• FileNameRegex: \.php$
• Upload: false (first pass)

Result: 3 additional web servers have the same shell. Analyst launches follow-up with Upload: true on those 3 hosts to collect the files.

Action 3: Expand hunt to ALL endpoints (not just web servers) scanning /tmp/** and /home/** for the same rule — checking if the attacker staged tools elsewhere.

Result: One additional endpoint has the web shell source in /tmp/.cache/tools/ — this is likely where the attacker staged before deploying to web servers.

Outcome: In under 30 minutes, the team went from a single alert to full enterprise-wide scope assessment.

What's Next

You can now deploy YARA rules across your entire fleet using Velociraptor. In Lesson 7.6, you will study real-world YARA rules from the security community — the 523+ rules in the YARA-Rules repository and professional rules from threat intelligence teams. You will learn to read, evaluate, and customize community rules for your organization's specific needs.