
YARA 101 - Defense Against the Dark Arts

tags: dfir blue team yara defense against the dark arts

I'm doing a Defense Against the Dark Arts series as I build up a curriculum for my incoming cybersecurity mentees. This post will be covering an introduction to YARA.

YARA (Yet Another Ridiculous Acronym) describes itself as "The pattern matching swiss knife for malware researchers (and everyone else)".

YARA identifies files by both binary and textual patterns, such as hex byte sequences and strings contained within a file. Rules are used to name and label these patterns.

YARA rules are frequently written to classify a file as malicious or not, based on the features and patterns it presents.

In YARA your rule is only as effective as your understanding of the pattern you want to search for.

Every yara command requires two arguments to be valid:

  1. The rule file we create
  2. The file, directory, or process ID to apply the rule to.

Every rule must have a name and condition.

Here's the syntax to use yara: `yara myrule dirToApplyRuleTo`

`.yar` is the standard file extension for yara rules.

Read about writing yara rules here

Check out the Anatomy of a yara rule
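To make the anatomy concrete, here is an added example (not from the original post, and not YARA's own code) that mirrors how a rule is evaluated: a `strings:` section of text and hex patterns, and a `condition:` that decides whether the rule fires. The rule it models is shown in YARA syntax in the comment; the rule name, the hex pattern and both sample "files" are constructed for the demo.

```python
import re

# Constructed sample "files" for the demo (not real malware): one that looks like a
# small PE containing a suspicious command string, and a harmless text file that
# happens to share one string with the rule.
MALICIOUS_SAMPLE = (
    b"MZ" + bytes(62)                            # DOS header stub (e_lfanew omitted)
    + b"PE\x00\x00"                              # PE signature
    + b"\x6a\x00\xe8\x10\x20\x30\x40\x85\xc0"    # push 0 / call rel32 / test eax,eax
    + b"cmd.exe /c whoami\x00"
)
BENIGN_SAMPLE = b"See http://example.invalid for details\n"

# The rule this evaluator mirrors, written in YARA syntax (hypothetical rule):
#
#   rule Demo_Dropper
#   {
#       meta:
#           description = "Constructed demo: MZ header, call pattern, suspicious string"
#       strings:
#           $txt1 = "cmd.exe /c" ascii
#           $txt2 = "http://" ascii
#           $hex1 = { 6A 00 E8 ?? ?? ?? ?? 85 C0 }
#       condition:
#           uint16(0) == 0x5A4D and $hex1 and 1 of ($txt*)
#   }
RULE = {
    "name": "Demo_Dropper",
    "strings": {
        "$txt1": ("text", b"cmd.exe /c"),
        "$txt2": ("text", b"http://"),
        "$hex1": ("hex", "6A 00 E8 ?? ?? ?? ?? 85 C0"),
    },
}


def hex_to_regex(pattern):
    """Translate a YARA-style hex string into a bytes regex.
    '??' is a one-byte wildcard; nibble wildcards and jumps are not handled here."""
    parts = []
    for tok in pattern.strip("{} ").split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def find_all(data, kind, value):
    """Return every offset at which a text or hex string occurs in data."""
    rx = re.compile(re.escape(value)) if kind == "text" else hex_to_regex(value)
    return [m.start() for m in rx.finditer(data)]


def uint16(data, offset):
    """Little-endian 16-bit read, like YARA's uint16(); None if out of range."""
    if offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def scan(data, rule=RULE):
    """Evaluate the rule's strings and condition against one buffer."""
    matches = {name: find_all(data, kind, value)
               for name, (kind, value) in rule["strings"].items()}
    txt_hits = sum(1 for name, offs in matches.items() if name.startswith("$txt") and offs)
    # The condition is what decides: strings alone never fire a rule.
    matched = uint16(data, 0) == 0x5A4D and bool(matches["$hex1"]) and txt_hits >= 1
    return {"rule": rule["name"], "matched": matched, "strings": matches}


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(sample))
```

The benign file contains `http://`, so one string matches, yet the rule does not fire because the condition also demands the MZ header and the hex pattern. That is the point of the "only as effective as your understanding of the pattern" warning above: a rule whose condition is just `any of them` on generic strings will match far more than malware.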

To improve your YARA rules you can use Cuckoo Sandbox or Python PE.

Cuckoo Sandbox

Cuckoo Sandbox is an automated malware analysis environment that lets you generate YARA rules from the behaviors it observes while executing a sample, such as strings that only appear at runtime.

Python PE

Python PE allows you to create YARA rules from the various sections and elements of the Windows Portable Executable (PE) structure. PE is the standard format for all executables and DLL files on Windows, including the programming libraries they use.

Examining PE file contents is essential in malware analysis because it reveals behaviors such as worming or cryptography without the need for reverse engineering or executing the sample.
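As an added example of what "examining PE contents" means in practice (this is not the post's code, nor the Python PE library; it is a pure-Python walk of the headers), the block below builds a constructed, minimal PE-shaped byte string, parses the DOS header, PE signature, COFF header and section table, and flags any section that is both writable and executable. Those are the same fields YARA's own `pe` module exposes (`pe.machine`, `pe.sections[i].name`, `pe.sections[i].characteristics`), so what you find this way translates directly into rule conditions. The section names, sizes and timestamp are invented for the demo.

```python
import struct

# Section characteristic flags and machine type from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_MACHINE_I386 = 0x014C


def build_sample_pe():
    """Constructed, minimal PE-shaped byte string for the demo. It uses the real
    header layout but is not a loadable executable. The second section is
    writable *and* executable and carries a UPX-style name, a classic packer tell."""
    sections = [
        # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0x0600, 0x0400, 0x60000020),
        (b"UPX1",  0x5000, 0x2000, 0x4800, 0x0A00, 0xE0000040),
    ]
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    dos += bytes(e_lfanew - len(dos))                               # pad up to the PE header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0x5F000000, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(222)                # PE32 magic, rest zeroed
    section_table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections
    )
    return dos + b"PE\x00\x00" + coff + optional + section_table


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": chars,
        })
    return {"machine": machine, "timestamp": timestamp,
            "file_characteristics": file_chars, "sections": sections}


def writable_executable_sections(info):
    """Names of sections that are both writable and executable (packer/self-modifying hint)."""
    both = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in info["sections"] if s["characteristics"] & both == both]


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"machine=0x{info['machine']:04x} sections={[s['name'] for s in info['sections']]}")
    print("writable+executable:", writable_executable_sections(info))
```

A finding like "section UPX1 is writable and executable" becomes a rule condition without running anything: in YARA's `pe` module terms, a loop over `pe.sections` testing `pe.SECTION_MEM_WRITE` and `pe.SECTION_MEM_EXECUTE` together.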

Yara Tools

Check out this awesome collection here

Loki

Loki is a free, open-source IOC scanner. Detection is based on four methods:

  • File name IOC check
  • Yara rule check
  • Hash check
  • C2 Back Connect Check

Thor Lite

Thor Lite is a fast and flexible multi-platform IOC and YARA scanner.

Fenrir

Fenrir is a simple IOC scanner bash script that allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs).

YAYA (Yet Another Yara Automaton)

Created by the EFF (Electronic Frontier Foundation).

YAYA is an open-source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files.

Creating YARA rules with YarGen

You can use this command with yarGen to create your own YARA rules:

`python3 yarGen.py -m file_path_to_analyze --excludegood -o Yara_File_To_Create.yar`

`-m`: the path to the files you want to generate rules for

`--excludegood`: exclude all goodware strings (i.e. strings found in legitimate software, which would increase false positives)

`-o`: location and name of the YARA rule file to write
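To show what yarGen's string extraction and `--excludegood` filtering do under the hood, here is an added example (not the post's code and not yarGen itself, which ships a far larger goodware database and a richer scoring scheme). It pulls printable strings out of a constructed sample, drops any that appear in a stand-in goodware set, and emits a YARA rule whose condition requires the MZ header plus at least two of the surviving strings. The sample bytes, the goodware set, the rule name and the 203.0.113.10 address (a documentation range) are all constructed for the demo.

```python
import hashlib
import re

# Constructed sample (not real malware) and a tiny stand-in for yarGen's goodware
# string database. Real yarGen builds its DB from large sets of clean software.
SAMPLE = (
    b"MZ\x90\x00" + b"kernel32.dll\x00" + b"GetProcAddress\x00" + b"LoadLibraryA\x00"
    + b"C:\\Users\\Public\\svchost_update.exe\x00"
    + b"http://203.0.113.10/gate.php\x00"
    + b"Mozilla/4.0 (compatible; MSIE 6.0)\x00"
)
GOODWARE_STRINGS = {"kernel32.dll", "GetProcAddress", "LoadLibraryA"}


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, de-duplicated and sorted."""
    rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return sorted({m.group().decode("ascii") for m in rx.finditer(data)})


def select_strings(data, goodware, max_strings=5, exclude_good=True):
    """Candidate strings for a rule. exclude_good mirrors yarGen's --excludegood:
    drop anything seen in clean software, since it would only add false positives."""
    candidates = extract_strings(data)
    if exclude_good:
        candidates = [s for s in candidates if s not in goodware]
    # Prefer longer strings: they are more specific. yarGen uses a richer score.
    return sorted(candidates, key=lambda s: (-len(s), s))[:max_strings]


def yara_escape(s):
    """Escape backslashes and quotes so the string is valid inside a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def generate_rule(name, data, goodware, max_strings=5, exclude_good=True):
    """Return (rule_text, strings_used). The condition requires the MZ header and
    two strings (or all of them if fewer), so a single stray string cannot fire it."""
    chosen = select_strings(data, goodware, max_strings, exclude_good)
    if not chosen:
        raise ValueError("no distinctive strings left after goodware filtering")
    lines = [
        f"rule {name}",
        "{",
        "    meta:",
        '        description = "Auto-generated from a constructed sample (added example)"',
        f'        hash = "{hashlib.sha256(data).hexdigest()}"',
        "    strings:",
    ]
    for i, s in enumerate(chosen, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    needed = min(2, len(chosen))
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {needed} of them", "}"]
    return "\n".join(lines), chosen


if __name__ == "__main__":
    text, used = generate_rule("Demo_AutoRule", SAMPLE, GOODWARE_STRINGS)
    print(text)
```

Run without the goodware filter and the rule would happily include `kernel32.dll` and `GetProcAddress`, strings present in almost every Windows binary; that is exactly the false-positive source `--excludegood` exists to remove. Generated rules are a starting point, not a finished product: review the chosen strings and tighten the condition before deploying them.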

Additional resources:

yarAnalyzer creates statistics on a YARA rule set and on the files in a sample directory.

How to write Simple but Sound Yara rules: part1, part2, and part3

Valhalla

Valhalla is an online YARA feed created and hosted by, you guessed it, Florian Roth.

It boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules.

To practice this hands-on, I strongly recommend the Yara room on TryHackMe :)