YARA rules

#100DaysOfYara ChallengeSecurityBreak

GitHub - InQuest/awesome-yara: A curated list of awesome YARA rules, tools, and people.GitHub

Best Resources

Basic Rule samples

writing Yara Rules

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"
		$hello_world_lowercase = "hello world"
		$hello_world_uppercase = "HELLO WORLD"

	condition:
		any of them
}

Now, this yara rules check any file with the strings of:

1. Hello World!

2. hello world

3. HELLO WORLD

IOC (Indicator Of Compromise)

[Strings ,hashes, IP addresses, domain names,, Bitcoin]

LOKI

LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.

Based on the GitHub page, detection is based on 4 methods: File Name IOC Check Yara Rule Check (we are here) Hash Check C2 Back Connect Check

https://github.com/Neo23x0/Loki/releases

python loki.py -h

python -p .loki.py -p /home/

THOR

THOR is IOC (Indicator Of Compromise) and Yara scanner. there are precompiled versions.

https://www.nextron-systems.com/thor-lite/

./thor-lite-linux-64 -h

YaraGEN

What is yarGen? yarGen is a generator for YARA rules.

From the README - "The main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use."

https://github.com/Neo23x0/yarGen

Update on First use

python3 yarGen.py --update

Generate a Yara Rule from a malicious file

python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar

• -m is the path to the files you want to generate rules for

• --excludegood force to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)

• -o location & name you want to output the Yara rule

Note: Another tool created to assist with this is called yarAnalyzer

Further Reading on creating Yara rules and using yarGen:

• https://www.bsk-consulting.de/2015/02/16/write-simple-sound-yara-rules/
• https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/
• https://www.bsk-consulting.de/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/

Valhalla

Valhalla is an online Yara feed created and hosted by Nextron-Systems (erm, Florian Roth). By now, you should be aware of the ridiculous amount of time and energy Florian has dedicated to creating these tools for the community. Maybe we should have just called this the Florian Roth room. (lol)

Per the website, "Valhalla boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules."

https://www.nextron-systems.com/valhalla/

Valhalla

https://valhalla.nextron-systems.com/