YARA rules
Last updated
Now, this YARA rule checks any file for the following strings:
Hello World!
hello world
HELLO WORLD
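The rule the notes describe, written out as an added example (this is not code from the original notes): a script that writes the three-string rule to a file, adds a second rule that goes beyond the notes by covering all three spellings with one string and the `nocase` modifier, creates a few constructed sample files, and scans them. The rule names, file names and sample contents are my own choice; the scan step needs the `yara` binary installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example: the "Hello World" rule from the notes as a YARA file, plus
# constructed sample files to scan. Rule and file names are chosen here.
set -eu

WORK="${TMPDIR:-/tmp}/yara_hello_demo"
mkdir -p "$WORK/samples"

# Write the rule file. The first rule lists one string per spelling from the
# notes; "any of them" fires if at least one is found. The second rule shows
# the same intent with a single string and the nocase modifier, which matches
# every capitalisation (including ones the first rule would miss).
write_rule() {
    cat > "$WORK/hello.yar" <<'EOF'
rule hello_world_variants
{
    meta:
        description = "Matches the three Hello World spellings from the notes"
    strings:
        $hello_world       = "Hello World!"
        $hello_world_lower = "hello world"
        $hello_world_upper = "HELLO WORLD"
    condition:
        any of them
}

rule hello_world_nocase
{
    strings:
        $hello = "hello world" nocase
    condition:
        $hello
}
EOF
    printf '%s\n' "$WORK/hello.yar"
}

# Constructed sample files: two that should match, one that should not.
make_samples() {
    printf 'Hello World!\n' > "$WORK/samples/match_exact.txt"
    printf 'x HELLO WORLD x\n' > "$WORK/samples/match_upper.txt"
    printf 'nothing to see\n' > "$WORK/samples/clean.txt"
}

# Scan the sample directory recursively with yara if it is installed.
# Expected output: both match_* files listed under both rules, clean.txt absent.
scan() {
    if command -v yara >/dev/null 2>&1; then
        yara -r "$WORK/hello.yar" "$WORK/samples"
    else
        echo "yara not installed; rule written to $WORK/hello.yar"
    fi
}

write_rule >/dev/null
make_samples
scan
```

Note that `hello_world_variants` only fires on the exact spellings listed, so "Hello World" without the exclamation mark is missed; the `nocase` rule catches it, which is usually what you want for a text indicator.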
Indicators of compromise include: strings, hashes, IP addresses, domain names, Bitcoin.
LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.
Based on the GitHub page, detection is based on four methods:
1. File Name IOC Check
2. Yara Rule Check (we are here)
3. Hash Check
4. C2 Back Connect Check
THOR is an IOC (Indicator of Compromise) and YARA scanner; precompiled versions are available.
What is yarGen? yarGen is a generator for YARA rules.
From the README - "The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use."
Update on first use (this fetches the goodware databases mentioned above).
Generate a YARA rule from a malicious file. The options used are:
-m: the path to the files you want to generate rules for
--excludegood: force exclusion of all goodware strings (these are strings found in legitimate software and would increase false positives)
-o: the location and name of the YARA rule file to output
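The yarGen steps above as one added example script (not from the yarGen project or the original notes). It assumes yarGen is cloned to `$YARGEN_DIR` and runs under `python3`; the sample directory and output path are placeholders. Two checks are added that the notes do not mention: a rule count, because a run with `--excludegood` can filter away every string and leave few or no rules, and a compile check with `yarac` when it is installed.

```shell
#!/bin/sh
# Added example: the yarGen workflow from the notes as one script.
# Assumptions: yarGen is cloned to $YARGEN_DIR and runs under python3;
# SAMPLES and OUT are placeholders chosen here, not values from the notes.
set -eu

YARGEN_DIR="${YARGEN_DIR:-${HOME:-$PWD}/yarGen}"
SAMPLES="${SAMPLES:-/path/to/suspicious/files}"   # placeholder directory
OUT="${OUT:-generated.yar}"

# Step 1, first use only: download the goodware string/opcode databases
# that yarGen uses to drop strings also seen in legitimate software.
yargen_update() {
    python3 "$YARGEN_DIR/yarGen.py" --update
}

# Step 2: -m points at the files to write rules for, --excludegood forces
# removal of every goodware string, -o names the output rule file.
yargen_generate() {
    python3 "$YARGEN_DIR/yarGen.py" -m "$SAMPLES" --excludegood -o "$OUT"
}

# Step 3: count the rules in a .yar file. With --excludegood, samples whose
# strings all look like goodware can yield few or no rules, so check before
# handing the file to a scanner such as LOKI. Prints 0 for an empty file.
count_rules() {
    grep -c '^rule ' "$1" || true
}

# Step 4: if the YARA compiler is installed, confirm the file compiles.
compile_check() {
    if command -v yarac >/dev/null 2>&1; then
        yarac "$1" "$1.yarc" && echo "compiled ok: $1.yarc"
    else
        echo "yarac not installed; skipping compile check"
    fi
}

if [ -f "$YARGEN_DIR/yarGen.py" ]; then
    # Assumption: yarGen keeps its databases in a dbs/ directory next to the
    # script; if it is missing, treat this as a first use and update.
    [ -d "$YARGEN_DIR/dbs" ] || yargen_update
    yargen_generate
    echo "rules generated: $(count_rules "$OUT")"
    compile_check "$OUT"
else
    echo "yarGen not found at $YARGEN_DIR; set YARGEN_DIR and rerun"
fi
```

Review the generated rule before deploying it: yarGen names rules after the sample file and fills the strings section automatically, so a rule built from a tiny or heavily packed sample may rest on only a handful of strings.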
Note: another tool created to assist with this is called yarAnalyzer.
Further Reading on creating Yara rules and using yarGen:
Valhalla is an online Yara feed created and hosted by Nextron-Systems (erm, Florian Roth). By now, you should be aware of the ridiculous amount of time and energy Florian has dedicated to creating these tools for the community. Maybe we should have just called this the Florian Roth room. (lol)
Per the website, "Valhalla boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules."