Yara

Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting.

What is Yara?

All about Yara

Yara can identify information based on both binary and textual patterns, such as hexadecimal and strings contained within a file. Yara rules are frequently used to label these patterns to determine if a file is malicious based upon features or patterns it presents. Because applications use strings to store data (text), strings are a fundamental component of programming languages.

EX: print("Hello World!") prints "Hello World" in Python and the text "Hello World" would be stored as string. A Yara rule could be written to search for "hello world" in every program on the OS.

Why does Malware use Strings?

Malware uses strings to store textual data. Some examples:

TypeDataDescription

Ransomware

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Bitcoin Wallet for ransom payments

Botnet

12.34.56.7

The IP address of the Command and Control (C&C) server

What is the name of the base-16 numbering system that Yara can detect?

hex

Would the text "Enter your Name" be a string in an application? (Yay/Nay)

yay

Intro to Yara Rules

Your First Yara Rule

Every yara command requires two arguments to be valid:

  1. The rule file we create

  2. Name of file, directory, or process ID to use the rule for.

Every rule must have a name and condition.

EX: to use "myrule.yar" on directory "some directory" use the following command: yara myrule.yar somedirectory

.yar is the standard file extension for all Yara rules.

The name of the rule in the .yar file above is examplerule with one condition. The condition is condition. This rule satisfies both requirements - a name and a condition.

The rule checks to see if the file/directory/PID to be specified exists via condition: true. If it does, an output will be given of examplerule.

Since somefile exists, Yara says examplerule because the pattern has been met.

Expanding on Yara Rules

Yara Conditions Continued...

Yara has a few conditions, which can be read here. Some important keywords are as follows: Desc Meta Strings Conditions Weight

Meta

This section of a Yara rule is reserved for descriptive information by the author of the rule. desc, short for description, can be used to summarize what your the checks for. Anything within this section does not influence the rule itself. Similar to commenting code, it is useful to summarize rules.

Strings

Strings can be used to search for specific text or hexadecimal in files or programs. To search a directory for all files containing "Hello World!", create a rule such as below:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"
}

The keyword Strings is defined where the string wanted to search "Hello World!" is stored within the variable $hello_world

To make the rule valid, a condition is to be made. To make the string condition, use the variable's name:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world
}

If any file has the string "Hello World!", the rule will match. This does NOT match "hello world" or "HELLO WORLD."

To solve this, the condition any of them allows multiple strings to be searched for:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"
		$hello_world_lowercase = "hello world"
		$hello_world_uppercase = "HELLO WORLD"

	condition:
		any of them
}

Conditions

Like regular programming, operators can be used such as:

<= less than or equal to >= more than or equal to != not equal to

EX:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
        #hello_world <= 10
}

This rule will:

  1. Look for the "Hello World!" string

  2. Only say the rule matches if there are less than or equal to ten occurrences of the "Hello World!" string

Combining keywords

To combine multiple conditions, use keywords such as: and not or

To check if a file has a string and is of a certain size, use a rule like below:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!" 
        
        condition:
	        $hello_world and filesize < 10KB 
}

Information security researcher "fr0gger_" created a cheatsheet that breaks down and visualizes the elements of a YARA rule.

Yara Modules

Integrating With Other Libraries

Frameworks such as the Cuckoo Sandbox or Python's PE Module allow improvement of the technicality of your Yara rules ten-fold.

Cuckoo

Cuckoo Sandbox is an automated malware analysis environment that allows generating Yara rules based on behaviors discovered from CS. As this environment executes malware, rules can be created on specific behaviors such as runtime strings.

Python PE

Python's PE module allows to create Yara rules from the various sections and elements of the Windows Portable Executable (PE) structure. This structure is the standard formatting of all executables and DLL files on windows, including the programming libraries that are used.

Examining a PE file's contents is a technique in malware analysis because behaviors such as cryptography or worming can be identified without reverse engineering or execution of the sample.

Other Tools and Yara

Yara Tools

GitHub resources and open-source tools (along with commercial products) can be utilized to leverage Yara in hunt operations and/or incident response engagements.

LOKI

LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.

Detection is based on 4 methods:

  1. File Name IOC Check

  2. Yara Rule Check (we are here)

  3. Hash Check

  4. C2 Back Connect Check

For a full rundown, please reference the GitHub readme.

LOKI can be used on both Windows and Linux systems and can be downloaded here.

THOR

THOR Lite is Florian's newest multi-platform IOC AND YARA scanner, coming with precompiled versions for Windows, Linux, and macOS. TL's scan throttling limits exhausting CPU resources.

For more information and/or to download the binary, start here. Only subscribers can obtain a copy of the binary. Note that THOR is geared towards corporate customers. THOR Lite is the free version.

FENRIR

Also created by Florian Roth, Fenrir was created to address the issue where requirements must be met to function. Fenrir is a bash script and will run on any system that is bash capable.

YAYA

YAYA (Yet another Yara Automation) was created by the EFF (Electronic Frontier Foundation) and is an open-source tool to help researches manage multiple YARA rule repositories. YAYA imports a set of high-quality YARA rules and lets researchers add their own, disable specific rulesets, and run scans of files. YAYA only runs on Linux systems.

Using LOKI and its Yara Rule Set

A security analyst may need to research threat intelligence and gather information on the latest tactics and tecniques used in the wild, past, or present. IOCs will typically be shared so rules can be created to detect these threats, along with Yara rules. In the event an unknown situation is encountered that a security stack of tools cannot or did not detect, tools such as Loki allows for adding personal rules based on threat intel gatherings or findings from an incident response engagement (forensics).

Loki has pre-imported Yara rules to benefit from and allows for immediate scanning for evil on the endpoint.

When running Loki on your own system, the first command to run should be --update. This will add the signature-base directory which Loki uses to scan for known evil.

Below is an example of a Yara rule from one of the yar files, crime ranson generic.yar:

Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

What Yara rule did it match on?

What does Loki classify this file as?

Based on the output, what string within the Yara rule did it match on?

What is the name and version of this hack tool?

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Inspect file 2. What is the name and version of this web shell?

Creating Yara Rules with yarGen

In the example previous, Loki found file2 to be benign/clean. This would render the scan useless on other web servers since that webshell will be undetected. Going through code manually can be very time consuming but something would need to be done to find specific strings to create a new Yara rule to detect the discovered webshell.

yarGen is a generator for Yara rules. It works mostly by removing strings found in goodware files to better prepare for sifting through potentially important strings for the malicious file to then create a Yara rule. yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.

If running yarGen on a personal system, update it first by running python3 yarGen.py --update to update the good-opcodes and good-strings DB's from the online repository.

To create a Yara rule for file2, run the following:

  • -m is the path to the files you want to generate rules for

  • --excludegood force to exclude all goodware strings (these are strings found in legitimate software and can increase false positives)

  • -o location & name you want to output the Yara rule

Best practice would be to examine the Yara rule and remove any strings possible of creating false positives. Note: Another tool created to assist with this is called yarAnalyzer.

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

After creating the new rule, copy the .yar file to the Yara signature base folder then proceed to run Loki:

Did Yara rule flag file 2? (Yay/Nay)

yay

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

What is the name of the variable for the string that it matched on?

Inspect the Yara rule, how many strings were generated?

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

700kb

Valhalla

Valhalla is an online Yara feed hosted by Nextron-Systems. Valhalla boosts detection capbilities with thousands of hand-crafted Yara rules.

Searches can be administered based on keyword, tag, ATT&CK technique, sha256, or rule name.

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Besides .PHP, what other extension is recorded for this file?

What JavaScript library is used by file 2?

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)

The reason why file 2 was not detected is that the Yara rule was not in the Yara file used by Loki to detect the hack tool (web shell) even though its the hack tool has been around for years and has even been attributed to at least 1 nation-state. The Yara rule is present in the commercial variant of Loki, which is Thor.

PreviousThreat Intelligence ToolsNextOpenCTI

Last updated