Yara
Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting.
What is Yara?
All about Yara
Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file. Yara rules are frequently used to label these patterns to determine if a file is malicious based upon features or patterns it presents. Because applications use strings to store data (text), strings are a fundamental component of programming languages.
EX:
print("Hello World!")
prints "Hello World" in Python and the text "Hello World" would be stored as string.
A Yara rule could be written to search for "hello world" in every program on the OS.
Why does Malware use Strings?
Malware uses strings to store textual data. Some examples:
Ransomware
Bitcoin Wallet for ransom payments
Botnet
12.34.56.7
The IP address of the Command and Control (C&C) server
What is the name of the base-16 numbering system that Yara can detect?
hex
Would the text "Enter your Name" be a string in an application? (Yay/Nay)
yay
Intro to Yara Rules
Your First Yara Rule
Every yara
command requires two arguments to be valid:
The rule file we create
Name of file, directory, or process ID to use the rule for.
Every rule must have a name and condition.
EX:
to use "myrule.yar" on directory "some directory" use the following command:
yara myrule.yar somedirectory
.yar
is the standard file extension for all Yara rules.
The name of the rule in the .yar
file above is examplerule
with one condition. The condition is condition
. This rule satisfies both requirements - a name and a condition.
The rule checks to see if the file/directory/PID to be specified exists via condition: true
. If it does, an output will be given of examplerule
.
Since somefile
exists, Yara says examplerule
because the pattern has been met.
Expanding on Yara Rules
Yara Conditions Continued...
Yara has a few conditions, which can be read here. Some important keywords are as follows: Desc Meta Strings Conditions Weight
Meta
This section of a Yara rule is reserved for descriptive information by the author of the rule. desc
, short for description, can be used to summarize what your the checks for. Anything within this section does not influence the rule itself. Similar to commenting code, it is useful to summarize rules.
Strings
Strings can be used to search for specific text or hexadecimal in files or programs. To search a directory for all files containing "Hello World!", create a rule such as below:
The keyword Strings
is defined where the string wanted to search "Hello World!"
is stored within the variable $hello_world
To make the rule valid, a condition is to be made. To make the string condition, use the variable's name:
If any file has the string "Hello World!"
, the rule will match. This does NOT match "hello world"
or "HELLO WORLD."
To solve this, the condition any of them
allows multiple strings to be searched for:
Conditions
Like regular programming, operators can be used such as:
<= less than or equal to >= more than or equal to != not equal to
EX:
This rule will:
Look for the "Hello World!" string
Only say the rule matches if there are less than or equal to ten occurrences of the "Hello World!" string
Combining keywords
To combine multiple conditions, use keywords such as: and not or
To check if a file has a string and is of a certain size, use a rule like below:
Information security researcher "fr0gger_" created a cheatsheet that breaks down and visualizes the elements of a YARA rule.
Yara Modules
Integrating With Other Libraries
Frameworks such as the Cuckoo Sandbox or Python's PE Module allow improvement of the technicality of your Yara rules ten-fold.
Cuckoo
Cuckoo Sandbox is an automated malware analysis environment that allows generating Yara rules based on behaviors discovered from CS. As this environment executes malware, rules can be created on specific behaviors such as runtime strings.
Python PE
Python's PE module allows to create Yara rules from the various sections and elements of the Windows Portable Executable (PE) structure. This structure is the standard formatting of all executables and DLL files on windows, including the programming libraries that are used.
Examining a PE file's contents is a technique in malware analysis because behaviors such as cryptography or worming can be identified without reverse engineering or execution of the sample.
Other Tools and Yara
Yara Tools
GitHub resources and open-source tools (along with commercial products) can be utilized to leverage Yara in hunt operations and/or incident response engagements.
LOKI
LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.
Detection is based on 4 methods:
File Name IOC Check
Yara Rule Check (we are here)
Hash Check
C2 Back Connect Check
For a full rundown, please reference the GitHub readme.
LOKI can be used on both Windows and Linux systems and can be downloaded here.
THOR
THOR Lite is Florian's newest multi-platform IOC AND YARA scanner, coming with precompiled versions for Windows, Linux, and macOS. TL's scan throttling limits exhausting CPU resources.
For more information and/or to download the binary, start here. Only subscribers can obtain a copy of the binary. Note that THOR is geared towards corporate customers. THOR Lite is the free version.
FENRIR
Also created by Florian Roth, Fenrir was created to address the issue where requirements must be met to function. Fenrir is a bash script and will run on any system that is bash capable.
YAYA
YAYA (Yet another Yara Automation) was created by the EFF (Electronic Frontier Foundation) and is an open-source tool to help researches manage multiple YARA rule repositories. YAYA imports a set of high-quality YARA rules and lets researchers add their own, disable specific rulesets, and run scans of files. YAYA only runs on Linux systems.
Using LOKI and its Yara Rule Set
A security analyst may need to research threat intelligence and gather information on the latest tactics and tecniques used in the wild, past, or present. IOCs will typically be shared so rules can be created to detect these threats, along with Yara rules. In the event an unknown situation is encountered that a security stack of tools cannot or did not detect, tools such as Loki allows for adding personal rules based on threat intel gatherings or findings from an incident response engagement (forensics).
Loki has pre-imported Yara rules to benefit from and allows for immediate scanning for evil on the endpoint.
When running Loki on your own system, the first command to run should be --update
. This will add the signature-base
directory which Loki uses to scan for known evil.
Below is an example of a Yara rule from one of the yar files, crime ranson generic.yar
:
Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files
directory. Use Loki to answer the questions below.
Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
What Yara rule did it match on?
What does Loki classify this file as?
Based on the output, what string within the Yara rule did it match on?
What is the name and version of this hack tool?
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
Inspect file 2. What is the name and version of this web shell?
Creating Yara Rules with yarGen
In the example previous, Loki found file2 to be benign/clean. This would render the scan useless on other web servers since that webshell will be undetected. Going through code manually can be very time consuming but something would need to be done to find specific strings to create a new Yara rule to detect the discovered webshell.
yarGen is a generator for Yara rules. It works mostly by removing strings found in goodware files to better prepare for sifting through potentially important strings for the malicious file to then create a Yara rule. yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.
If running yarGen on a personal system, update it first by running python3 yarGen.py --update
to update the good-opcodes and good-strings DB's from the online repository.
To create a Yara rule for file2, run the following:
-m
is the path to the files you want to generate rules for--excludegood
force to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)-o
location & name you want to output the Yara rule
Best practice would be to examine the Yara rule and remove any strings possible of creating false positives. Note: Another tool created to assist with this is called yarAnalyzer.
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
After creating the new rule, copy the .yar file to the Yara signature base folder then proceed to run Loki:
Did Yara rule flag file 2? (Yay/Nay)
yay
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
What is the name of the variable for the string that it matched on?
Inspect the Yara rule, how many strings were generated?
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
700kb
Valhalla
Valhalla is an online Yara feed hosted by Nextron-Systems. Valhalla boosts detection capbilities with thousands of hand-crafted Yara rules.
Searches can be administered based on keyword, tag, ATT&CK technique, sha256, or rule name.
Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Besides .PHP, what other extension is recorded for this file?
What JavaScript library is used by file 2?
Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)
The reason why file 2 was not detected is that the Yara rule was not in the Yara file used by Loki to detect the hack tool (web shell) even though its the hack tool has been around for years and has even been attributed to at least 1 nation-state. The Yara rule is present in the commercial variant of Loki, which is Thor.
Last updated