Yara Rule Examples

0xffccdd
5 min read · Nov 30, 2022

Yara rules are a powerful tool for identifying and tracking malicious activity, such as malware, on a network. They can also be used to detect suspicious activity on a system that may not be malware-related but could still indicate malicious behavior. Yara rules are written in a dedicated rule language in which the author lists text strings, byte patterns and the condition under which a file or memory region counts as a match. This makes them especially useful for security professionals, as they can be used to quickly identify and respond to potential threats.

We’ve built a platform to automate incident response and forensics in AWS, Azure and GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in the cloud.

Examples from GoDaddy:

/*
 * This will match any file containing "hello" anywhere.
 */
rule AsciiExample {
    strings:
        // A string to match -- default is ascii
        $ascii_string = "hello"

    condition:
        // The condition to match
        $ascii_string
}


/*
 * This will match any file containing unicode "hello" anywhere.
 */
rule UnicodeExample {
    strings:
        // The 'wide' keyword indicates the string is unicode (UTF-16LE,
        // two bytes per character); add 'ascii' as well to match both forms
        $unicode_string = "hello" wide

    condition:
        $unicode_string
}


/*
 * Match any file containing the 01 23 45 67 89 AB CD EF byte sequence.
 */
rule HexExample {
    strings:
        // Three equivalent hex definitions: case and spacing do not matter
        $hex_string1 = { 0123456789ABCDEF }
        $hex_string2 = { 0123456789abcdef }
        $hex_string3 = { 01 23 45 67 89 ab cd ef }

    condition:
        // Match any file containing the sequence (all three are the same pattern)
        $hex_string1 or $hex_string2 or $hex_string3
}


/*
 * Match any file containing the 01 23 45 ?? ?? AB CD EF byte sequence.
 */
rule WildcardHexExample {
    strings:
        // Three equivalent hex definitions; each ?? is a wildcard for one byte
        $hex_string1 = { 012345????ABCDEF }
        $hex_string2 = { 012345????abcdef }
        $hex_string3 = { 01 23 45 ?? ?? ab cd ef }

    condition:
        // Match any file containing the sequence (all three are the same pattern)
        $hex_string1 or $hex_string2 or $hex_string3
}


/*
 * Match any file containing "MZ" (not zero terminated) at offset 0.
 */
rule OffsetExample {
    strings:
        $mz = "MZ"

    condition:
        $mz at 0
}


/*
 * Match any file containing "PE" anywhere between offsets 32-100 (decimal)
 */
rule RangeExample {
    strings:
        $pe = "PE"

    condition:
        $pe in (32..100)
}


/*
 * Match any file with "PE" between the first occurrence of "MZ" (required
 * at offset 0) and offset 0x200 (512 decimal)
 */
rule RelativeOffsetExample {
    strings:
        $mz = "MZ"
        $pe = "PE"

    condition:
        // @mz[1] is the offset of the first "MZ" match (indices start at 1,
        // not 0). The range is absolute, so this checks offsets 0..0x200
        $mz at 0 and $pe in (@mz[1]..0x200)
}


/*
 * Match any PE file as defined by MZ and PE signatures at required locations.
 */
rule IsPeFile {
    strings:
        $mz = "MZ"

    condition:
        // uint32(0x3C) reads e_lfanew, the offset of the PE header; the four
        // bytes there must be "PE\0\0", i.e. 0x00004550 as little-endian
        $mz at 0 and uint32(uint32(0x3C)) == 0x4550
}


/*
 * Match any file with 55 8B EC (push ebp; mov ebp, esp) at the entry point.
 */
rule EntryPointExample {
    strings:
        $ep = { 55 8b ec }

    condition:
        // 'entrypoint' is deprecated in current YARA releases; new rules
        // should import "pe" and use pe.entry_point instead
        $ep at entrypoint
}


/*
 * This will match any file containing "hello" anywhere.
 */
rule ConditionsExample {
    strings:
        $string1 = "hello"
        $string2 = "hello"
        $string3 = "hello"

    condition:
        any of them

        /*
        all of them
        1 of them

        any of ($string*)
        2 of ($string*)

        1 of ($string1,$string2)
        */
}


/*
 * Any file containing at least 5 hello strings
 */
rule NumberStringsExample {
    strings:
        $hello = "hello"

    condition:
        // #hello is the number of occurrences of $hello
        #hello >= 5
}


/*
 * Match any file containing hello that is also a PE file
 */
rule RuleReference {
    strings:
        $hello = "hello"

    condition:
        // A rule defined earlier in the file can be referenced by name
        $hello and IsPeFile
}


/*
 * Make YARA test only files less than 2MB for ALL rules.
 */
global rule GlobalRuleExample {
    condition:
        filesize < 2MB
}
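Each GoDaddy example above isolates one feature. The rule below is an added example, not part of the GoDaddy set, that combines several of them in the shape of a real detection: a private helper rule, metadata, ascii/wide/nocase modifiers, a hex pattern with a wildcard and a jump, occurrence counts, a loop over match offsets, and the "pe" module's entry point. The API names, path fragment and byte pattern are constructed for illustration and are not indicators of any real malware; the block assumes YARA is built with the default "pe" module.

```yara
import "pe"

/*
 * Private helper: the same test as IsPeFile above, with uint16 for the "MZ"
 * check instead of a string. Private rules never report matches on their
 * own; they only feed other rules' conditions.
 */
private rule is_pe_file {
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule Dropper_Example : example {
    meta:
        description = "Small PE carrying a second MZ header and injection API names (constructed example)"
        author      = "added example, not a GoDaddy rule"

    strings:
        // 'ascii wide' on one definition matches both encodings of the name
        $api1 = "CreateRemoteThread" ascii wide
        $api2 = "WriteProcessMemory" ascii wide
        // nocase also matches "\temp\" and "\TEMP\"; backslashes are escaped
        $tmp  = "\\Temp\\" nocase
        // push ebp; mov ebp,esp; sub esp,?? ; skip any 4 bytes; call (E8)
        $prologue = { 55 8B EC 83 EC ?? [4] E8 }
        // the "MZ" signature, counted below to spot an embedded second PE
        $mz = "MZ"

    condition:
        is_pe_file and
        filesize < 2MB and
        // pe.entry_point replaces the deprecated 'entrypoint' keyword
        $prologue at pe.entry_point and
        // #mz counts occurrences; @mz[i] is the offset of the i-th (1-based)
        #mz >= 2 and
        for any i in (2..#mz) : ( @mz[i] > 0x400 ) and
        2 of ($api*, $tmp)
}
```

Because `and` short-circuits, the pe.entry_point and offset checks only run once is_pe_file has passed, so non-PE input never evaluates undefined values.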

One of the most common uses of Yara rules is to detect and block malicious files. For example, a rule could be written to scan a system for any file with a certain extension, such as .exe, or a certain size, such as larger than 1MB. If a file matches the criteria, the rule could be configured to block it or alert the security team. This type of rule is valuable for keeping malicious files from entering the system in the first place.

Yara rules can also be used to detect malicious processes running on a system. For example, a rule could be written to detect a specific type of process running on a system, such as a keylogger or a rootkit. If a process matching the criteria is detected, the rule could be configured to alert the security team or take action to stop the process from running. This type of rule is valuable for quickly identifying and responding to malicious processes that may be running on the system.

In addition to detecting malicious files and processes, Yara rules can also be used to detect suspicious activity on a system. For example, a rule could be written to detect any processes that are consuming too much memory or CPU resources. If a process matches the criteria, the rule could be configured to alert the security team or take action to stop the process from running. This type of rule is valuable for quickly identifying and responding to processes that may be consuming too many system resources.

Finally, Yara rules can also be used to detect known malicious behavior. For example, a rule could be written to detect any processes that are attempting to connect to a known malicious IP address or domain. If a process matches the criteria, the rule could be configured to alert the security team or take action to stop the process from running. This type of rule is valuable for quickly identifying and responding to processes that may be attempting to connect to a malicious IP address or domain.

Overall, Yara rules are a powerful tool for identifying and responding to malicious activity on a network or system. They can be used to detect malicious files, processes, and suspicious activity, as well as known malicious behavior. Security professionals should become familiar with Yara rules and how to use them in order to effectively protect their networks and systems.

For more, see this video from Blackhat:
