Hi, I'm stuck with the same problem. Did you figure it out?
Hi Eric,
Is there a way I can connect Splunk to this, and if so, how can I do it and analyse the log events? As in, how can I add the gathered data into Splunk?
Sorry, forgot to mention, not specifically for this part, but for the overall lab.
Thank you so much Eric for this walkthrough, It’s indeed a great resource for gaining hands-on experience.
Is your logon account name something else, like Jon or Ed or Eric? Maybe you need to change 'User' in the file path to the user's profile name where the download is.
When trying to input the command in the console I put it exactly like in the tutorial says but I keep getting "failed to parse task [{yara_scan hive://yara/sliver -f C:\Users\User\Downloads\FUZZY_MIDI.exe yara_scan hive://yara/sliver -f C:\Users\User\Downloads\FUZZY_MIDI.exe}]: lc_error_code:FAILED_GETTING_YARA_RULE"
What do you think might be the issue? I tried double-checking my YARA and D&R rules, with the VM running and the payload executed, and it's still telling me the same thing :( I tried disabling other rules but haven't had any luck.
It seems to not see the YARA rule in the hive. Double check the steps in step 1.
Yeah, I double-checked the steps and everything is good. It's so weird.
Maybe double-check that your user has all permissions in your org? I don't think that's the issue, but I am stumped otherwise. Hundreds have finished this guide already, and I've made corrections where needed, but it should absolutely work in its current state. Send me a DM on Discord if you want me to take a look: @eric_capuano
Yeah I have all permissions set to select all as well. I have sent you a DM.
I don't see the answer shared, so here is the fix I just discovered for your issue. I was also having the same issue:
"failed to parse task [{yara_scan hive://yara/sliver -f C:\Users\User\Downloads\REMARKABLE_CARTOON.exe yara_scan hive://yara/sliver -f C:\Users\User\Downloads\REMARKABLE_CARTOON.exe}]: lc_error_code:FAILED_GETTING_YARA_RULE"
I discovered it resulted from using the Legacy YARA Service. Please make sure to subscribe to the new YARA extension. It will add the matching YARA Rules and YARA Scanners. It then worked immediately upon testing in my experience.
Thanks for sharing this -- I'll update the post to reflect this.
I encountered the same issue. What I did was delete the YARA rules as well as the D&R rules I created, then create them again. It worked for me. You can try this out.
When selecting YARA Rules it tells me: Missing Permission Ask the administrator to give you yara.get permission.
Ah yeah, that’s a new thing.
1. On the left side menu, click "Access Management" > "Users & Roles"
2. Click your username (likely your email address)
3. Toggle "ON" the "Select All" at the top right of the permissions list to give yourself all permissions
Ok thank you for the prompt response, that worked. I want to say thank you for the walkthrough as well. It has been very helpful for gaining some hands on experience.
Thanks for the feedback! I've added those steps to the lab guide.