YARA Cheat-sheet

https://virustotal.github.io/yara/

OBJECTIVE:

Detect cyber threats and discover the full scope of affected systems in a wide enterprise network.

YARA is an open source tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description consists of a set of strings and a boolean expression which determine its logic — Victor M. Alvarez

USAGE:

The YARA engine can scan several kinds of target: file objects (PE files and others), compressed files (.zip, .tar, etc.), and running processes (including rogue processes); it also accepts external variables whose values are supplied at scan time.

Example:

(image: example YARA rule for DarkRAT)

Installation:

OPTIONS:

(image: yara command-line options)

METADATA & TAGS:

When a YARA rule matches a file or process, its metadata describes the post-processing task, i.e. what the next step should be after a match. Tags can also be used for post-processing tasks such as filtering output and rule management. Print metadata with the -m option and tags with the -g option.

(image: example rule with metadata and tags)

(image: output of the above example)

The YARA keywords shown in the image are reserved and cannot be used as identifiers.
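The following rule is an added example, not one of the cheat-sheet's own images: it shows where the meta section and the tag list sit in a rule. The family name, author, hash, reference URL and strings are constructed placeholders, not real indicators.

```yara
// Added example: a rule carrying metadata and two tags ("downloader", "trojan").
// Every value below is a constructed placeholder.
rule Example_Family_Downloader : downloader trojan
{
    meta:
        description = "Detects a constructed example downloader family"
        author      = "analyst@example.org"
        date        = "2024-01-01"
        reference   = "https://example.org/placeholder-report"
        hash        = "0000000000000000000000000000000000000000000000000000000000000000"
        severity    = 70                 // integers and booleans are allowed, not only strings
        action      = "isolate host and collect a memory image"   // post-processing hint for the analyst

    strings:
        $s1 = "example-c2.invalid" ascii          // constructed hostname
        $s2 = "GET /update.bin" ascii wide        // match both 8-bit and UTF-16LE forms
        $mz = { 4D 5A }                           // "MZ" DOS header

    condition:
        $mz at 0 and ($s1 or $s2)
}
```

Scanning with `yara -m -g rules.yar sample.bin` prints the meta values and the tags next to each match, and `yara -t downloader rules.yar sample.bin` reports only rules carrying that tag, which is the output filtering the cheat-sheet refers to.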

Strings:

Each string is an identifier consisting of a $ character followed by a sequence of alphanumeric characters and underscores.

Strings are referenced in the condition section.

A string can be defined as text, in hexadecimal form, or as a regular expression.

Text strings can also contain the following subset of escape sequences:

(image: escape sequences)

(image: yara rule strings section)

(image: regular expression example)

Conditions:

The condition is a Boolean expression.

It may use the Boolean operators and, or and not, and the relational operators >=, <=, <, >, == and !=. The arithmetic operators (+, -, *, /, %) and bitwise operators (&, |, <<, >>, ~, ^) can be used on numerical expressions.

condition:
    ($a or $b) and ($c or $d)    // $a, $b, $c, $d are simple text strings

(image: yara rule conditions section)
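As an added example covering both the Strings and Conditions sections above (not a rule from the cheat-sheet itself), the rule below uses each string form with common modifiers, the escape sequences, and a condition that combines string counts, offsets, integer reads and arithmetic. All patterns, hostnames and paths are constructed for illustration.

```yara
// Added example: one rule exercising text, hex and regex strings plus the
// condition operators listed in the cheat-sheet. Patterns are constructed.
rule Strings_And_Conditions_Demo
{
    strings:
        // text strings with modifiers
        $t1 = "cmd.exe /c" nocase             // case-insensitive
        $t2 = "powershell" ascii wide         // 8-bit and UTF-16LE encodings
        $t3 = "svchost" fullword              // not bordered by alphanumeric characters
        // escape sequences: \" \\ \n \xNN
        $t4 = "User-Agent: \"Mozilla/4.0\"\n"
        $t5 = "C:\\Windows\\Temp\\\x41.tmp"   // \x41 is "A"
        // hex string with wildcards (??), a jump ([2-4]) and alternatives
        $h1 = { E8 ?? ?? ?? ?? 83 C4 [2-4] ( 68 | 6A ) }
        // regular expression; string modifiers such as nocase also apply
        $r1 = /https?:\/\/[a-z0-9.-]+\.invalid\/[a-z]{3,8}\.php/ nocase

    condition:
        // "MZ" header read as a little-endian integer, and a size bound
        uint16(0) == 0x5A4D and filesize < 2MB
        and (
            // at least two of the text strings, anywhere in the file
            2 of ($t*)
            // or: the hex pattern occurs more than 3 times and the first
            // regex hit lies beyond the first 1 KiB
            or (#h1 > 3 and @r1[1] > 1024)
        )
        // arithmetic/bitwise operators on integers read from the file:
        // e_lfanew at 0x3C points at the "PE\0\0" signature
        and (uint32(uint32(0x3C)) & 0xFFFF) == 0x4550
}
```

`#h1` is the number of occurrences of $h1, `@r1[1]` the offset of the first occurrence of $r1, and `2 of ($t*)` is the "of" quantifier over every string whose identifier starts with $t.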

Global rules:

A global rule imposes a compulsory, required condition on the whole rule set.

Global rules are evaluated before the rest of the rules, which in turn are evaluated only if all global rules are satisfied.

(image: global rule example)

Private rules:

These are not reported by YARA when they match on a given file.

You can apply both private and global modifiers to a rule, resulting in a global rule that does not get reported by YARA but must be satisfied.

(image: private rule example)
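The rule set below is an added example (not the cheat-sheet's own image) showing a global rule, a private helper rule reused by a public rule, and a rule carrying both modifiers. The API names and the allow-list marker are constructed for illustration.

```yara
// Added example: global, private, and private+global rules in one file.
// Rules must be defined before any rule that references them.
global rule Is_Small_PE
{
    // Evaluated first; if it fails, nothing else in this file is reported.
    condition:
        uint16(0) == 0x5A4D and filesize < 10MB
}

private rule Has_Injection_Imports
{
    // Building block: its matches feed other rules but are never printed.
    strings:
        $a = "VirtualAllocEx" ascii
        $b = "WriteProcessMemory" ascii
        $c = "CreateRemoteThread" ascii
    condition:
        2 of them
}

private global rule Not_In_Allowlist
{
    // Both modifiers: must hold for anything to be reported, and is itself silent.
    strings:
        $vendor = "ExampleCorp Signed Build" ascii   // constructed allow-list marker
    condition:
        not $vendor
}

rule Process_Injector_Candidate : injection
{
    meta:
        description = "Reported only when both global rules pass and the private helper matches"
    strings:
        $s = "injected" nocase
    condition:
        Has_Injection_Imports and $s
}
```

Only Process_Injector_Candidate ever appears in YARA's output; Is_Small_PE is global but public, so it is reported too when it matches, whereas the private rules stay silent.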

Import modules:

Ex: import "pe" / import "hash"

External variables:

An external variable is one whose value is assigned at run time (see the -d option of the command-line tool, and the externals parameter of the compile and match methods in yara-python).

Two operators apply to string-valued external variables: contains and matches. The contains operator returns true if the string contains the specified substring. The matches operator returns true if the string matches the given regular expression.

Ex: condition: string_ext_var matches /[a-z]+/is    /* case-insensitive, single-line mode */

Including files:

Ex: include "other.yar"
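As an added example for the Import modules, External variables and Including files sections (not taken from the cheat-sheet), the file below imports the pe and hash modules, includes a second rule file, and reads three external variables. The included file name, the section name, the hash value and the external variable names are constructed assumptions.

```yara
// Added example: modules, an include, and external variables in one rule file.
import "pe"
import "hash"

// Assumes a file named other.yar exists beside this one (constructed).
include "other.yar"

rule PE_Module_And_Externals
{
    meta:
        description = "Uses pe/hash module fields and three externals supplied with -d"
    condition:
        // pe module: header fields, section names and imported functions
        pe.number_of_sections > 3
        and for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name == ".xyz"          // constructed section name
        )
        and pe.imports("kernel32.dll", "CreateRemoteThread")
        // hash module: MD5 of the first 1024 bytes (placeholder digest)
        and hash.md5(0, 1024) == "00000000000000000000000000000000"
        // externals (ext_filename, ext_filepath, ext_tag are constructed names)
        and ext_filename matches /\.(exe|dll)$/is
        and not ext_filepath contains "\\Program Files\\"
        and ext_tag contains "lab"
}
```

Every external referenced in a rule must be defined at scan time or compilation fails, for example `yara -d ext_filename=sample.exe -d ext_filepath=C:\Temp -d ext_tag=lab rules.yar sample.exe`; in yara-python the same values go in the externals dictionary of compile() or match().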

********If you like this type of cheat sheets format then, please clap or comment. :-) ********

Nidhi Trivedi

Cyber Security Automation Engineer: implements security measures that effectively safeguard sensitive data in the event of a cyber-attack.