YARA is a Swiss Army knife for pattern matching. It is often used to write malware signatures for unpacked malware and is used primarily for hunting rules. Rule files end with the .yar file extension.

Usage

yara myrule.yar myfile
yara myrule.yar mydirectory/

Boilerplate

rule silent_banker : banker          // rule name, followed by optional tags
{
    meta:                             // key/value metadata; informational only, not used for matching
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:                          // patterns to search for: hex byte sequences or text strings
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:                        // boolean expression that decides whether the rule matches
        $a or $b or $c
}
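To show how the strings and condition of the boilerplate rule above are evaluated against a file, here is an added pure-Python matcher. It is example code written for this page, not the YARA engine and not code from the YARA project; it takes the rule's strings section as a dict, supports the `??` and nibble wildcards YARA allows in hex strings in addition to the plain bytes used above, and evaluates only boolean combinations of string identifiers in the condition. The sample buffers are constructed. For real scanning use the yara CLI shown under Usage or the yara-python bindings.

```python
import ast
import re

# The strings section of the page's silent_banker rule, as data for this example.
RULE_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}
CONDITION = "$a or $b or $c"

# Constructed sample inputs: one buffer embeds the bytes of $a at offset 20, one is clean.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 16 + bytes.fromhex("6A4068003000006A148D91") + b"\x00" * 8
SAMPLE_CLEAN = b"MZ\x90\x00" + b"hello world" * 4


def hex_string_to_regex(body: str) -> bytes:
    """Turn the inside of a YARA hex string ({ ... }) into a bytes regex.

    Tokens are fixed bytes (6A), full-byte wildcards (??) or nibble wildcards (4? / ?A).
    Jumps and alternatives are not handled by this example.
    """
    parts = []
    for tok in body.split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            # Enumerate every byte whose fixed nibble matches and emit a character class.
            values = [v for v in range(256)
                      if (tok[0] == "?" or v >> 4 == int(tok[0], 16))
                      and (tok[1] == "?" or v & 0xF == int(tok[1], 16))]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in values) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def compile_strings(strings: dict) -> dict:
    """Compile each rule string (hex or quoted text) into a bytes regex."""
    compiled = {}
    for ident, spec in strings.items():
        spec = spec.strip()
        if spec.startswith("{"):
            pattern = hex_string_to_regex(spec[1:-1])
        else:
            pattern = re.escape(spec[1:-1].encode())  # text string: literal match
        compiled[ident] = re.compile(pattern, re.DOTALL)  # DOTALL so ?? also matches 0x0A
    return compiled


def evaluate_condition(condition: str, hits: dict) -> bool:
    """Evaluate a condition made of $identifiers, and/or/not and parentheses.

    The $ prefix is rewritten to s_ so the text parses as Python; the AST is then
    restricted to boolean logic so nothing but that can run.
    """
    expr = re.sub(r"\$(\w+)", r"s_\1", condition)
    tree = ast.parse(expr, mode="eval")
    allowed = (ast.Expression, ast.BoolOp, ast.And, ast.Or,
               ast.UnaryOp, ast.Not, ast.Name, ast.Load)
    for node in ast.walk(tree):
        if not isinstance(node, allowed):
            raise ValueError(f"unsupported condition syntax: {type(node).__name__}")
    env = {"s_" + ident.lstrip("$"): val for ident, val in hits.items()}
    return bool(eval(compile(tree, "<condition>", "eval"), {"__builtins__": {}}, env))


def scan(data: bytes, strings: dict, condition: str):
    """Return (rule_matched, {identifier: [match offsets]}) for one buffer."""
    compiled = compile_strings(strings)
    matches = {ident: [m.start() for m in rx.finditer(data)] for ident, rx in compiled.items()}
    hits = {ident: bool(offsets) for ident, offsets in matches.items()}
    return evaluate_condition(condition, hits), matches


if __name__ == "__main__":
    for name, buf in (("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_CLEAN", SAMPLE_CLEAN)):
        matched, offsets = scan(buf, RULE_STRINGS, CONDITION)
        print(f"{name}: matched={matched} offsets={offsets}")
```

The offsets returned per identifier are what a real engine reports with `yara -s`; the restricted-AST evaluator is the reason the condition string can be treated as rule data rather than as executable Python.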

Concepts

Existing Boilerplates

Rule Repositories