Defender’s Toolkit 101: Yara Rules!

In today’s blog, we’ll be covering a short portion of one of the most versatile tools ever built for us Forensicators — Yara!

Yara Rules

We’ve gone over this before: YARA uses what we call ‘rules’ to describe the characteristics of a program, and then matches those rules against your malware samples. If the rule’s condition is satisfied (let’s say one of its strings is found in the file), the rule matches and the sample is detected. It’s as simple as that.

A rule can define three kinds of strings:

  • Text strings
  • Hexadecimal strings
  • Regular expressions

Each of the following byte sequences matches the hex string { F4 23 [4-6] 62 B4 }, because 4, 5 and 6 bytes respectively sit between F4 23 and 62 B4:

F4 23 01 02 03 04 62 B4
F4 23 00 00 00 00 00 62 B4
F4 23 15 82 A3 04 45 22 62 B4

A jump is written [X-Y] and is only valid when 0 <= X <= Y: X is the fewest and Y the most arbitrary bytes allowed between the bytes on either side of it. Leaving out Y ([X-]) allows an unbounded jump.

  • ‘ascii’: Text strings are ASCII encoded by default, so with or without this modifier YARA searches for the ASCII form of the string in your file.
  • ‘wide’: Searches for the string with two bytes per character, which is how executables (something you’ll be analysing very often!) commonly store text. YARA builds the wide form by interleaving the ASCII code of each character with a zero byte; with this modifier alone, only that form is searched, not the plain ASCII one. To search for both the ASCII and the wide form, combine ascii with wide in any order. Note that wide only handles ASCII characters this way; it is not a general UTF-16 conversion.
  • ‘fullword’: Guarantees that the string only matches when it appears delimited by non-alphanumeric characters. For example, the string domain defined as fullword does not match www.mydomain.com, but it does match www.my-domain.com and www.domain.com.
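To make the hex jump rule and the string modifiers concrete, here is an added Python example; it is not code from the original post and it is not YARA itself. It is a small matcher that compiles a YARA-style hex string with [X-Y] jumps, and a text string with the ascii, wide and fullword modifiers, into byte regexes, then scans a constructed sample buffer that contains the three byte runs above and the three hostnames from the fullword example. The function names and the sample data are my own and are assumptions made for this illustration.

```python
from __future__ import annotations
import re

# Added example, not code from the original post and not YARA itself: a tiny
# matcher that mimics how YARA evaluates hex strings with [X-Y] jumps and text
# strings with the ascii / wide / fullword modifiers. Function names and the
# sample buffer are constructed for this illustration.

ALNUM_ASCII = rb"[A-Za-z0-9]"        # what 'fullword' must not see next to a match
ALNUM_WIDE = rb"[A-Za-z0-9]\x00"     # same check for a two-bytes-per-char string


def hex_to_regex(hex_string: str) -> bytes:
    """Compile a hex string such as '{ F4 23 [4-6] 62 B4 }' into a bytes regex.
    Supports literal bytes, '??' wildcards, [X-Y] jumps, [X] (exactly X bytes)
    and [X-] (X or more). A jump is rejected unless 0 <= X <= Y."""
    parts = []
    for tok in hex_string.strip().strip("{}").split():
        if tok.startswith("[") and tok.endswith("]"):
            lo_s, dash, hi_s = tok[1:-1].partition("-")
            lo = int(lo_s) if lo_s else 0
            hi = lo if not dash else (int(hi_s) if hi_s else None)
            if hi is not None and lo > hi:
                raise ValueError(f"invalid jump {tok}: need 0 <= X <= Y")
            hi_b = b"" if hi is None else str(hi).encode()
            parts.append(b".{%d,%s}" % (lo, hi_b))   # e.g. [4-6] -> .{4,6}
        elif tok == "??":
            parts.append(b".")                        # one arbitrary byte
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return b"".join(parts)


def text_to_regexes(text: str, modifiers: tuple = ()) -> list:
    """Return the byte patterns YARA would search for a text string under the
    given modifiers. 'wide' is the string re-encoded as UTF-16-LE, i.e. every
    ASCII code followed by a zero byte; 'ascii' is the default when 'wide' is
    absent and can be combined with it; 'fullword' forbids an alphanumeric
    character on either side of the match."""
    mods = set(modifiers)
    forms = []
    if "wide" in mods:
        forms.append((text.encode("utf-16-le"), ALNUM_WIDE))
    if "ascii" in mods or "wide" not in mods:
        forms.append((text.encode("ascii"), ALNUM_ASCII))
    patterns = []
    for literal, alnum in forms:
        pat = re.escape(literal)
        if "fullword" in mods:
            pat = b"(?<!" + alnum + b")" + pat + b"(?!" + alnum + b")"
        patterns.append(pat)
    return patterns


def offsets(pattern: bytes, data: bytes) -> list:
    """Offsets of every non-overlapping match. DOTALL makes '.' match any byte,
    including 0x0A, which is what a byte wildcard or jump has to do."""
    return [m.start() for m in re.finditer(pattern, data, re.DOTALL)]


def scan(data: bytes) -> dict:
    """Evaluate the equivalent of this rule body and return, per string
    identifier, the offsets at which it matched (empty list = no match):
        strings:
            $hex = { F4 23 [4-6] 62 B4 }
            $dom = "domain" ascii wide fullword
        condition:
            any of them
    """
    strings = {
        "$hex": [hex_to_regex("{ F4 23 [4-6] 62 B4 }")],
        "$dom": text_to_regexes("domain", ("ascii", "wide", "fullword")),
    }
    return {name: sorted(o for pat in pats for o in offsets(pat, data))
            for name, pats in strings.items()}


# Constructed sample buffer: the three byte runs from the post (4, 5 and 6
# bytes between F4 23 and 62 B4), then the three hostnames from the fullword
# example, the last one stored wide.
SAMPLE = (
    bytes.fromhex("F4 23 01 02 03 04 62 B4")
    + bytes.fromhex("F4 23 00 00 00 00 00 62 B4")
    + bytes.fromhex("F4 23 15 82 A3 04 45 22 62 B4")
    + b"www.mydomain.com www.my-domain.com "
    + "www.domain.com".encode("utf-16-le")
)

if __name__ == "__main__":
    for name, hits in scan(SAMPLE).items():
        print(f"{name} matched at offsets {hits}")
```

Running it reports $hex at offsets 0, 8 and 17 (one hit per byte run, with 4, 5 and 6 bytes inside the jump) and $dom at 51 and 70: the ASCII "domain" inside www.mydomain.com at offset 33 is skipped because it is preceded by the alphanumeric "y", while the one in www.my-domain.com and the wide one in www.domain.com pass the fullword check. Swap the jump for [4-5] and the third byte run stops matching; write it as [6-4] and the compiler rejects it, which is the 0 <= X <= Y rule from above.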

Get Some Malware!

Not everyone has access to malware repositories? Is that true? WELL, NO.

Hi, I’m Syed. Explore my articles as I embark on this journey of learning more about Forensics, Threat Hunting, and Cyber-threat Intelligence.