# YARA 101 - Defense Against the Dark Arts

###### tags: `dfir` `blue team` `yara` `defense against the dark arts`

I'm doing a Defense Against the Dark Arts series as I build up a curriculum for my incoming cybersecurity mentees. This post covers an introduction to YARA.

Yet Another Ridiculous Acronym (YARA) is "the pattern matching swiss knife for malware researchers (and everyone else)". YARA can identify information based on both binary and textual patterns, such as hex sequences and strings contained within a file. Rules are used to label these patterns. YARA rules are frequently written to determine whether a file is malicious based on the features and patterns it presents. In YARA, your rule is only as effective as your understanding of the pattern you want to search for.

Every `yara` command requires two arguments to be valid:

1. The rule file we create
2. The name of the file, directory, or process ID to apply the rule to

Every rule must have a **name and condition.**

Here's the syntax to use yara:

```
yara myrule dirToApplyRuleTo
```

**.yar** is the standard file extension for all YARA rules.

Read about writing YARA rules [here](https://yara.readthedocs.io/en/stable/writingrules.html)

Check out the [Anatomy of a yara rule](https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd)

To improve your YARA rules you can use [Cuckoo Sandbox](https://cuckoosandbox.org/) or [Python's PE module](https://pypi.org/project/pefile/)

### Cuckoo Sandbox

Cuckoo Sandbox is an automated malware analysis environment that lets you generate YARA rules based on behaviors observed in it. You can create specific rules based on behaviors observed while the environment executes malware, such as runtime strings.

### Python PE

The `pefile` module allows you to create YARA rules from the various sections and elements of the Windows Portable Executable (PE) structure. This structure is the standard format for all executables and DLL files on Windows, including the programming libraries used.
Examining PE file contents is essential in malware analysis because it reveals behaviors such as worming or cryptography without the need for reverse engineering or executing the malware sample.

## YARA Tools

Check out this awesome collection [here](https://github.com/InQuest/awesome-yara)

### Loki

[Loki](https://github.com/Neo23x0/Loki/releases) is a free, open-source IOC scanner. Detection is based on four methods:

* File name IOC check
* YARA rule check
* Hash check
* C2 back connect check

### Thor Lite

[Thor Lite](https://www.nextron-systems.com/thor-lite/) is a fast and flexible multiplatform IOC and YARA scanner.

### Fenrir

[Fenrir](https://github.com/Neo23x0/Fenrir) is a simple IOC scanner bash script that allows scanning Linux/Unix/OSX systems for Indicators of Compromise (IOCs).

### YAYA (Yet Another Yara Automaton)

Created by the EFF (Electronic Frontier Foundation), YAYA is an open-source tool to help researchers manage multiple YARA rule repositories. YAYA starts by importing a set of high-quality YARA rules and then lets researchers add their own rules, disable specific rulesets, and run scans of files.
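Before moving on to generating rules automatically, here is a hand-written rule that combines the pieces introduced above: a named rule with a condition, text, hex and regex patterns, and checks against the PE structure. This is an added example, not code from the original post; the marker string, hex bytes and URL pattern are constructed for illustration and are not a real family's signature, and the `pe` module used here is YARA's own built-in module, not Python's `pefile`.

```yara
import "pe"

rule DADA_Example_Suspicious_PE
{
    // Only the rule name and the condition are required; meta and strings are optional.
    meta:
        author      = "added example (not from the original post)"
        description = "Constructed illustration: 32-bit PE with a marker string, a hex pattern and a suspicious import"
        reference   = "https://yara.readthedocs.io/en/stable/writingrules.html"

    strings:
        // Text pattern: matched case-insensitively in both ASCII and UTF-16LE (wide) form
        $marker = "ExampleMalwareMarker" ascii wide nocase

        // Hex pattern: ?? is a one-byte wildcard, [4-6] is a jump of 4 to 6 arbitrary bytes
        $hex    = { 6A 40 68 00 30 00 00 [4-6] FF 15 ?? ?? ?? ?? }

        // Regex pattern: a constructed hard-coded check-in URL
        $url    = /https?:\/\/[a-z0-9.-]+\/gate\.php/ ascii

    condition:
        // Structural checks first: "MZ" DOS header, then "PE\0\0" at the e_lfanew offset.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        // Size and bitness limits keep the rule fast and cut false positives on large legitimate binaries.
        and filesize < 2MB
        and pe.is_32bit()
        and (
            // Either both static patterns are present ...
            ($marker and $hex)
            // ... or the URL appears and the binary imports a function often seen with process injection.
            or (#url >= 1 and pe.imports("kernel32.dll", "VirtualAllocEx"))
        )
}
```

Save this as `myrule.yar` and run it with `yara myrule.yar dirToApplyRuleTo`; the PE header and filesize checks are evaluated before any string search, which is the "simple but sound" style recommended later in this post.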
## Creating YARA rules with yarGen

You can use this command with [yarGen](https://github.com/Neo23x0/yarGen) to create your own YARA rules:

```
python3 yarGen.py -m file_path_to_analyze --excludegood -o Yara_File_To_Create.yar
```

* `-m`: the path to the files you want to generate rules for
* `--excludegood`: exclude all goodware strings (i.e. strings found in legitimate software, which would increase false positives)
* `-o`: location and name of the YARA rule file to output

### Additional resources:

[yarAnalyzer](https://github.com/Neo23x0/yarAnalyzer/) creates statistics on a YARA rule set and the files in a sample directory.

How to write Simple but Sound Yara rules: [part1](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [part2](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), and [part3](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)

## Valhalla

[Valhalla](https://www.nextron-systems.com/valhalla/) is an online YARA feed created and hosted by... you guessed it, Florian Roth. It boosts your detection capabilities with the power of thousands of hand-crafted, high-quality YARA rules.

To practise this hands-on, I strongly recommend the [Yara room](https://tryhackme.com/room/yara) on TryHackMe :)