YARA is a pattern matching tool for malware researchers. It helps identify and classify malware families based on textual or binary patterns.
Basic Rule Structure
rule ExampleMalware {
  meta:
    author = "WhoisNexus"
    description = "Detects Example Malware"
    date = "2024-12"
  strings:
    $mz = "MZ"
    $str1 = "malicious.exe" ascii
    $str2 = { 4D 5A 90 00 } // Hex pattern
    $regex = /https?:\/\/[a-z0-9\-\.]+/ nocase
  condition:
    $mz at 0 and any of ($str*) and $regex
}
String Modifiers
- ascii - ASCII string (the default when no encoding modifier is given)
- wide - UTF-16LE (Unicode) string, i.e. each character followed by a NUL byte
- nocase - Case insensitive
- fullword - Match whole word only (not preceded or followed by an alphanumeric character)
Practical Examples
rule SuspiciousPowerShell {
  meta:
    description = "Detects suspicious PowerShell patterns"
  strings:
    $ps1 = "powershell" nocase
    $enc = "encodedcommand" nocase
    $bypass = "bypass" nocase
    $hidden = "-windowstyle hidden" nocase
  condition:
    $ps1 and ($enc or ($bypass and $hidden))
}
rule DetectMimikatz {
  strings:
    $s1 = "mimikatz" ascii wide nocase
    $s2 = "sekurlsa::logonpasswords" ascii
    $s3 = "lsadump::sam" ascii
  condition:
    any of them
}
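As an added example (not from the original page), this Python script mirrors how YARA interprets the text-string modifiers and hex strings shown above, then evaluates the DetectMimikatz and ExampleMalware conditions against constructed buffers. The helper names and the sample buffers are my own, and only a subset of YARA syntax is covered (no hex jumps, string counts or offsets other than `at 0`).

```python
import re


def text_string_regex(value, modifiers=()):
    """Compile a YARA text string plus modifiers (ascii, wide, nocase,
    fullword) into an equivalent bytes regex. ascii is the default."""
    mods = set(modifiers)
    variants = []
    if "ascii" in mods or "wide" not in mods:
        # ascii: the literal bytes; fullword forbids alphanumerics on either side
        body = re.escape(value.encode("latin-1"))
        if "fullword" in mods:
            body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
        variants.append(body)
    if "wide" in mods:
        # wide: UTF-16LE, i.e. every character followed by a NUL byte
        body = b"".join(re.escape(c.encode("latin-1")) + b"\x00" for c in value)
        if "fullword" in mods:
            body = rb"(?<![A-Za-z0-9]\x00)" + body + rb"(?![A-Za-z0-9]\x00)"
        variants.append(body)
    flags = re.IGNORECASE if "nocase" in mods else 0  # ASCII-only folding, like YARA
    return re.compile(b"(?:" + b"|".join(variants) + b")", flags)


def hex_string_regex(hex_str):
    """Compile a YARA hex string such as '{ 4D 5A ?? 00 }' (byte values and
    the ?? wildcard; jumps are not handled here) into a bytes regex."""
    parts = []
    for tok in hex_str.strip().strip("{}").split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def detect_mimikatz(data):
    """Evaluate the DetectMimikatz rule above: condition 'any of them'."""
    strings = [
        text_string_regex("mimikatz", ("ascii", "wide", "nocase")),
        text_string_regex("sekurlsa::logonpasswords", ("ascii",)),
        text_string_regex("lsadump::sam", ("ascii",)),
    ]
    return any(s.search(data) for s in strings)


def example_malware(data):
    """Evaluate ExampleMalware's condition: $mz at 0 and any of ($str*) and $regex."""
    mz = text_string_regex("MZ")
    strs = [text_string_regex("malicious.exe", ("ascii",)), hex_string_regex("{ 4D 5A 90 00 }")]
    url = re.compile(rb"https?://[a-z0-9\-\.]+", re.IGNORECASE)
    return bool(mz.match(data, 0)) and any(s.search(data) for s in strs) and bool(url.search(data))


# Constructed samples (not real malware): a UTF-16LE command line and a fake PE header
WIDE_SAMPLE = "run MIMIKATZ now".encode("utf-16le")
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"malicious.exe http://example.net/update"
```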
Running YARA
# Scan a single file
yara rules.yar suspicious.exe
# Scan a directory recursively
yara -r rules.yar /path/to/scan
# Scan and print each matching rule's metadata
yara -m rules.yar suspicious.exe
Best Practices
- Use unique strings to reduce false positives
- Combine multiple indicators
- Test rules against legitimate files
- Include metadata for context
December 2024