# Yara

### <mark style="color:red;">What is Yara?</mark>

### All about Yara

Yara identifies files by both binary and textual patterns, such as hexadecimal byte sequences and strings contained within a file. Yara rules label these patterns so a file can be judged malicious based on the features it presents. Strings are a fundamental component of every programming language because applications use them to store text, which is why they are such a rich source of indicators.

**EX:** \
`print("Hello World!")` \
prints "Hello World!" in Python, and the text "Hello World!" is stored as a string inside the compiled program or script. \
A Yara rule could be written to search for "Hello World!" in every program on the OS.

### Why does Malware use Strings?

Malware uses strings to store textual data. Some examples:

| Type       | Data                                                                                                                                  | Description                                             |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- |
| Ransomware | <p><a href="https://www.blockchain.com/btc/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw">12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw</a><br></p> | <p>Bitcoin Wallet for ransom payments<br></p>           |
| Botnet     | <p>12.34.56.7<br></p>                                                                                                                 | The IP address of the Command and Control (C\&C) server |

***What is the name of the base-16 numbering system that Yara can detect?***

hex

***Would the text "Enter your Name" be a string in an application? (Yay/Nay)***

yay

### <mark style="color:red;">Intro to Yara Rules</mark>

### Your First Yara Rule

Every `yara` command requires two arguments to be valid:

1. The rule file we create
2. Name of file, directory, or process ID to use the rule for.

Every rule must have a name and condition.&#x20;

**EX**:  \
to use "myrule.yar" on the directory "somedirectory", run the following command:\
`yara myrule.yar somedirectory`

`.yar` is the standard file extension for all Yara rules.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FTbIkBDgfuAlMiidU9xdh%2Fimage.png?alt=media&#x26;token=0b8269f1-b82b-49fe-9258-518a3ea72edf" alt=""><figcaption><p>creating rule</p></figcaption></figure>

The name of the rule in the **`.yar`** file above is `examplerule` and it has one condition, `true`. This rule satisfies both requirements - a name and a condition.

Because the condition is `condition: true`, the rule matches unconditionally: every file, directory entry or process that Yara is pointed at and can open will be reported. For each match Yara prints the rule name followed by the matched file, e.g. `examplerule somefile`.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FARK9m4QTCOCEX7Y5QdiV%2Fimage.png?alt=media&#x26;token=7fb24c7d-3965-4261-9c1b-e051992777da" alt=""><figcaption><p>met condition</p></figcaption></figure>

Since `somefile` exists and was scanned, Yara prints `examplerule somefile` because the condition has been met.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FTCgs2uWsDYiXMul1K7Ic%2Fimage.png?alt=media&#x26;token=23e35cc6-c6d7-408c-b849-42799226425d" alt=""><figcaption><p>unmet condition</p></figcaption></figure>

### <mark style="color:red;">Expanding on Yara Rules</mark>

### Yara Conditions Continued...

Yara rules are built from a small set of sections and keywords, documented [here](https://yara.readthedocs.io/en/stable/writingrules.html). The important ones for this page:

* *<mark style="color:orange;">meta</mark>* - free-form descriptive fields (author, description, reference, date)
* *<mark style="color:orange;">desc</mark>* - not a Yara keyword itself, just a common `meta` field name (short for description)
* *<mark style="color:orange;">strings</mark>* - the text, hex and regex patterns the rule looks for
* *<mark style="color:orange;">condition</mark>* - the boolean expression that decides whether the rule matches
* *<mark style="color:orange;">weight</mark>* - also not a Yara keyword; a `meta` field (LOKI reads it as `score`) that scanners use to rank hits

### Meta

This section of a Yara rule is reserved for descriptive information written by the author of the rule. `desc` (or `description`), for example, summarizes what the rule checks for. Nothing in this section influences matching; like comments in code, it exists to document the rule, though scanners such as LOKI do read `meta` fields like `score` when reporting a hit.

### Strings

Strings can be used to search for specific text or hexadecimal byte sequences in files or running processes. To search a directory for all files containing "Hello World!", start with a rule such as the one below (not yet valid, since it has no condition):

```yara
rule helloworld_checker{
    strings:
        $hello_world = "Hello World!"
}
```

The `strings` section is where the text to search for, `"Hello World!"`, is stored in the variable `$hello_world`.

To make the rule valid, a condition must be added. The simplest condition is to reference the variable's name, which is true when the string is found at least once:

```yara
rule helloworld_checker{
    strings:
        $hello_world = "Hello World!"

    condition:
        $hello_world
}
```

If any file has the string `"Hello World!"`, the rule will match. Text strings are case-sensitive by default, so this does NOT match `"hello world"` or `"HELLO WORLD"`. (The `nocase` modifier after a string makes it case-insensitive, which is usually the better fix for this particular problem.)

Another way to cover the variants is to define several strings and use the condition `any of them`, which is true when at least one of the defined strings is found (`all of them` would require every string to be present):

```yara
rule helloworld_checker{
    strings:
        $hello_world = "Hello World!"
        $hello_world_lowercase = "hello world"
        $hello_world_uppercase = "HELLO WORLD"

    condition:
        any of them
}
```

### Conditions

As in regular programming, comparison operators can be used in conditions:

* <mark style="color:orange;">==</mark> *<mark style="color:orange;">equal to</mark>*
* <mark style="color:orange;">!=</mark> *<mark style="color:orange;">not equal to</mark>*
* <mark style="color:orange;"><</mark> / <mark style="color:orange;">></mark> *<mark style="color:orange;">less than / greater than</mark>*
* <mark style="color:orange;"><=</mark> *<mark style="color:orange;">less than or equal to</mark>*
* <mark style="color:orange;">>=</mark> *<mark style="color:orange;">greater than or equal to</mark>*

**EX**:

```yara
rule helloworld_checker{
    strings:
        $hello_world = "Hello World!"

    condition:
        #hello_world <= 10
}
```

This rule will:

1. Look for the "Hello World!" string (`#hello_world` is the number of times it occurs in the file)
2. Match only if there are ten or fewer occurrences of the "Hello World!" string

Caveat: a file that does not contain the string at all has a count of 0, and `0 <= 10` is true, so this rule as written also matches every file in which the string is absent. To require at least one occurrence, write the condition as `#hello_world > 0 and #hello_world <= 10` (or `$hello_world and #hello_world <= 10`).

### Combining keywords

To combine multiple conditions, use the boolean keywords:

* *<mark style="color:orange;">and</mark>*
* *<mark style="color:orange;">or</mark>*
* *<mark style="color:orange;">not</mark>*

Note that `and` binds tighter than `or`, so use parentheses when mixing them. To check that a file contains a string and is below a certain size, use a rule like the one below (`filesize` is a built-in variable, and `KB`/`MB` suffixes are understood):

```yara
rule helloworld_checker{
    strings:
        $hello_world = "Hello World!"

    condition:
        $hello_world and filesize < 10KB
}
```
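The pieces from the three sections above (`strings` with modifiers and a hex pattern, an occurrence count with a proper lower bound, and `and`/`or`/`not` combined with `filesize`) come together in the rule below. This is an added example written for this page, not a rule from the original room or from any published rule set; the marker strings, the `score` value and the hex pattern are invented for illustration.

```yara
rule helloworld_checker_combined
{
    meta:
        description = "Added example: small file carrying a hello-world marker (illustrative, not a real signature)"
        author      = "technical editor"
        score       = 40   // meta field read by LOKI to rank the hit; not a Yara keyword

    strings:
        // Text string: 'nocase' makes it case-insensitive, 'ascii wide' also
        // matches the UTF-16LE encoding that Windows binaries often use.
        $hello = "Hello World!" nocase ascii wide

        // Same idea as a hex pattern: "Hello", any single byte (??), "World".
        $hex_hello = { 48 65 6C 6C 6F ?? 57 6F 72 6C 64 }

        // A marker whose presence should suppress the match (invented string).
        $benign = "UNIT TEST FIXTURE"

    condition:
        // '#hello' is the occurrence count. The lower bound matters: with the
        // string absent the count is 0, and '0 <= 10' alone would be true.
        ((#hello > 0 and #hello <= 10) or $hex_hello)
        and not $benign
        and filesize < 10KB
}
```

Every string defined in `strings` must be referenced somewhere in `condition` (directly, via `#name`, or through `any of them`/`all of them`), otherwise the compiler rejects the rule as having an unreferenced string. Run it the same way as earlier: `yara helloworld_combined.yar somedirectory`.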

Information security researcher "fr0gger\_" created a [cheatsheet](https://medium.com/malware-buddy/security-infographics-9c4d3bd891ef#18dd) that breaks down and visualizes the elements of a YARA rule.

### <mark style="color:red;">Yara Modules</mark>

### Integrating With Other Libraries

Yara ships with modules that expose data from other tools and file formats inside a rule's `condition`, which makes rules far more precise than plain string matching. Two examples are the `cuckoo` module, fed by the [Cuckoo Sandbox](https://cuckoosandbox.org/), and the `pe` module, which parses the same Windows executable structure that [Python's pefile library](https://pypi.org/project/pefile/) exposes. A module is enabled with an `import "name"` line at the top of the rule file.

### Cuckoo

Cuckoo Sandbox is an automated malware analysis environment. Because it executes the sample, behaviours observed at runtime (network connections, files written, registry keys, strings only present in memory) can be written into Yara rules via the `cuckoo` module, so detections are no longer limited to what is visible in the file on disk.

### Python PE

The `pe` module lets a rule reason about the sections and fields of the Windows Portable Executable (PE) structure: imports and exports, section names and sizes, entry point, timestamps and so on. PE is the standard format for Windows executables and DLLs, including the system libraries that programs link against.

Examining a PE file's structure is a staple of static malware analysis because behaviours such as cryptography (imports from `advapi32.dll`'s Crypt* family), process injection or worming (network and process APIs) can often be inferred from the import table alone, without reverse engineering or executing the sample.
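The rule below shows what an import-based static check looks like with the `pe` module. It is an added example, not from the page or from any published rule set; the particular API combination (an encryption import alongside a process-injection pair) and the ransom-note string are assumptions chosen to illustrate the technique, not a signature for any real family.

```yara
import "pe"

rule suspicious_pe_crypto_and_injection
{
    meta:
        description = "Added example: PE importing crypto plus process-injection APIs (illustrative only)"
        author      = "technical editor"

    strings:
        // Invented marker; ransom notes are often embedded as ASCII or UTF-16LE text.
        $ransom_note = "Your files have been encrypted" ascii wide nocase

    condition:
        // 'MZ' magic at offset 0 (uint16 reads little-endian, so 0x5A4D) and the
        // pe module successfully parsed the headers.
        uint16(0) == 0x5A4D and pe.is_pe

        // Encryption capability inferred from the import table; DLL names are
        // matched case-insensitively by pe.imports().
        and pe.imports("advapi32.dll", "CryptEncrypt")

        // Classic injection primitives: either one is enough for this example.
        and (
            pe.imports("kernel32.dll", "CreateRemoteThread")
            or pe.imports("kernel32.dll", "WriteProcessMemory")
        )

        // Keep the string check and a size bound so the rule stays cheap to run.
        and $ransom_note
        and filesize < 5MB
}
```

Import checks are cheap and work on unpacked binaries, but a packed sample hides its real import table until runtime; for those, the `cuckoo` module or a memory scan (`yara rule.yar <pid>`) is the complementary approach.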

### <mark style="color:red;">Other Tools and Yara</mark>

### Yara Tools

GitHub [resources](https://github.com/InQuest/awesome-yara) and open-source tools (along with commercial products) can be utilized to leverage Yara in hunt operations and/or incident response engagements.&#x20;

### LOKI

LOKI is a free open-source IOC (*Indicator of Compromise*) scanner created/written by Florian Roth.

Detection is based on 4 methods:

1. File Name IOC Check
2. Yara Rule Check (we are here)
3. Hash Check
4. C2 Back Connect Check

For a full rundown, please reference the [GitHub readme](https://github.com/Neo23x0/Loki/blob/master/README.md).

LOKI can be used on both Windows and Linux systems and can be downloaded [here](https://github.com/Neo23x0/Loki/releases).

### THOR

THOR *Lite* is Florian's newer multi-platform IOC and YARA scanner, shipped as precompiled binaries for Windows, Linux and macOS. THOR Lite's scan throttling keeps it from exhausting CPU on the host being scanned.

For more information and to download the binary, start [here](https://www.nextron-systems.com/thor-lite/); you must register on the site to obtain it. THOR Lite is the free edition; the full THOR product is commercial and geared towards corporate customers.

### FENRIR

Also created by Florian Roth, [Fenrir ](https://github.com/Neo23x0/Fenrir)was written for hosts where LOKI's or THOR's runtime requirements cannot be met. Fenrir is a bash script and will run on any system that has bash.

### YAYA

YAYA (Yet Another Yara Automation) was created by the [EFF](https://www.eff.org/deeplinks/2020/09/introducing-yaya-new-threat-hunting-tool-eff-threat-lab) (*Electronic Frontier Foundation*) and is an open-source tool to help researchers manage multiple YARA rule repositories. YAYA imports a set of high-quality YARA rules and lets researchers add their own, disable specific rulesets, and run scans of files. YAYA only runs on Linux systems.

### <mark style="color:red;">Using LOKI and its Yara Rule Set</mark>

A security analyst regularly needs to research threat intelligence on the latest tactics and techniques seen in the wild. Vendors and researchers typically share IOCs, and often ready-made Yara rules, so that detections can be built for these threats. When something slips past the existing security stack, a tool such as Loki lets the analyst add their own rules based on threat-intel gathering or on findings from an incident-response (forensic) engagement.

Loki ships with a pre-imported Yara rule set, so scanning an endpoint for known evil can start immediately.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FMDREF5keaO3ZfoFT9STn%2Fimage.png?alt=media&#x26;token=d8f0a636-d955-460a-9a96-390291fda6d9" alt=""><figcaption><p>python loki.py -h</p></figcaption></figure>

When running Loki on your own system, the first command to run should be `python loki.py --update`. This downloads the `signature-base` directory that Loki uses to scan for known evil.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FallfZq0weGNZX7DLVYYL%2Fimage.png?alt=media&#x26;token=ef8c7efa-243c-4a0a-9e61-b770c72a3d3c" alt=""><figcaption><p>signature-base</p></figcaption></figure>

Below is an example of a Yara rule from one of the yar files in that directory, `crime_ransom_generic.yar`:

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FdGWsDcUYQcewtyr2Shzy%2Fimage.png?alt=media&#x26;token=8cb2d246-3b51-45d6-a203-a9bdc04814bc" alt=""><figcaption><p>yara rule</p></figcaption></figure>

**Scenario**: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the `suspicious-files` directory. Use Loki to answer the questions below.

***Scan file 1. Does Loki detect this file as suspicious/malicious or benign?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FxnVV4h5SoKVMr0VadY6K%2Fimage.png?alt=media&#x26;token=e75ff689-4699-4475-b340-cda8dcb8c010" alt=""><figcaption><p>Loki file1</p></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FeX9zpdJzfwhueUec14Gx%2Fimage.png?alt=media&#x26;token=e5c03367-e52e-403b-a740-719744d06364" alt=""><figcaption><p>suspicious</p></figcaption></figure>

***What Yara rule did it match on?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2Fb2cENFioioFRfKHwSjNf%2Fimage.png?alt=media&#x26;token=f392ba7e-8794-440a-8746-f38ffaecdafc" alt=""><figcaption><p>webshell metaslsoft</p></figcaption></figure>

***What does Loki classify this file as?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FSLZwRYQXl15lK8962Sd8%2Fimage.png?alt=media&#x26;token=211f65b1-fb29-43e4-a5b5-7c96a49e6cfc" alt=""><figcaption><p>webshell</p></figcaption></figure>

***Based on the output, what string within the Yara rule did it match on?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FXV1R4o4aJqAhdnfZhDwd%2Fimage.png?alt=media&#x26;token=4435e4e4-2801-46d2-9aac-77b9887f08a3" alt=""><figcaption><p>str1</p></figcaption></figure>

***What is the name and version of this hack tool?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FfJ8fjlocskZ2zgWwXGmy%2Fimage.png?alt=media&#x26;token=697cbe43-c76a-41a7-9529-c758b0be4d63" alt=""><figcaption><p>b374k 2.2</p></figcaption></figure>

***Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FhbCOkX2cxKC93SRMz1PS%2Fimage.png?alt=media&#x26;token=495fe9ef-1f2d-45a1-9be2-3ee1e0cf5606" alt=""><figcaption><p>1 string</p></figcaption></figure>

***Scan file 2. Does Loki detect this file as suspicious/malicious or benign?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FJ5GTFvItx9QodJoujQ1j%2Fimage.png?alt=media&#x26;token=fa2ffc2c-64da-4136-9e19-26caad676316" alt=""><figcaption><p>benign</p></figcaption></figure>

***Inspect file 2. What is the name and version of this web shell?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FRxnsDSuCqdQ33kkbgwDh%2Fimage.png?alt=media&#x26;token=88d7dafc-1f45-4893-b9cf-23747323e07a" alt=""><figcaption><p>b374k 3.2.3</p></figcaption></figure>

### <mark style="color:red;">Creating Yara Rules with yarGen</mark>

In the previous example, Loki found file 2 to be benign/clean. Scanning other web servers with the same rule set would therefore miss this webshell entirely. Going through the code manually to find characteristic strings for a new Yara rule is time-consuming, so a generator is the practical next step.

[yarGen](https://github.com/Neo23x0/yarGen) is a generator for Yara rules. It works mostly by removing strings found in goodware files to better prepare for sifting through potentially important strings for the malicious file to then create a Yara rule. yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.

If running yarGen on a personal system, update it first by running `python3 yarGen.py --update` to update the good-opcodes and good-strings DB's from the online repository.

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FZVYFA5Kcc4Mz9VlVjNfW%2Fimage.png?alt=media&#x26;token=82608649-3143-4495-982c-b56e0a98b821" alt=""><figcaption><p>python3 yarGen.py --update</p></figcaption></figure>

To create a Yara rule for file 2, run yarGen with the options shown below (the full command and its output are in the screenshots):

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FXfew4GZ44rnKmrkzo0VO%2Fimage.png?alt=media&#x26;token=7502e964-253a-46f3-be0f-67cdefd6315c" alt=""><figcaption><p>yarGen.py -m --excludegood -o file2.yar</p></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FRSZRNwZcJLW6GkbBFkGA%2Fimage.png?alt=media&#x26;token=71c3cfc3-0e93-4563-9102-3bb9de59d54e" alt=""><figcaption><p>finished yar file</p></figcaption></figure>

* `-m` is the path to the files you want to generate rules for
* `--excludegood` force to exclude all goodware strings (*these are strings found in legitimate software and can increase false positives*)
* `-o` location & name you want to output the Yara rule

Best practice is to review the generated rule and remove any strings likely to cause false positives (generic library code, common words, paths). **Note**: another tool created to assist with this is [yarAnalyzer](https://github.com/Neo23x0/yarAnalyzer/).

***From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FE0WnprqT3KrjDWQKy7Nf%2Fimage.png?alt=media&#x26;token=059c620c-1ffd-4227-9ef0-89633d9ebda0" alt=""><figcaption><p>yara file2.yar file2/1ndex.php</p></figcaption></figure>

After creating the new rule, copy the `.yar` file into Loki's `signature-base/yara` folder and then run Loki again against the directory:

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FIQHJ4M6wNsVdW2mpfPIW%2Fimage.png?alt=media&#x26;token=03315086-7599-44be-a248-81eb498ed05f" alt=""><figcaption><p>python ../tools/Loki/loki.py -p file2</p></figcaption></figure>

***Did Yara rule flag file 2? (Yay/Nay)***

yay

***Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FWGKPLWmm4rQo7qSzVOVt%2Fimage.png?alt=media&#x26;token=742d117a-639d-4148-b6b1-99a62e7ee69d" alt=""><figcaption><p>yay</p></figcaption></figure>

***What is the name of the variable for the string that it matched on?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FwiwO3xjULgg032wyzBYd%2Fimage.png?alt=media&#x26;token=633cf74d-568b-4379-9526-e8464c9d88c8" alt=""><figcaption><p>zepto</p></figcaption></figure>

***Inspect the Yara rule, how many strings were generated?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FONnYCSUCsQzhsFxMSJpM%2Fimage.png?alt=media&#x26;token=3e300271-2a02-4ba1-aed8-06a3bb741af1" alt=""><figcaption><p>20</p></figcaption></figure>

***One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?***

700KB

### <mark style="color:red;">Valhalla</mark>

[Valhalla ](https://valhalla.nextron-systems.com/)is an online Yara rule feed hosted by [Nextron-Systems](https://www.nextron-systems.com/valhalla/). Valhalla boosts detection capabilities with thousands of hand-crafted Yara rules.

Searches can be performed by keyword, tag, ATT\&CK technique, SHA256 hash, or rule name.

***Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FsPUIr3kiDEfpiLmaEliS%2Fimage.png?alt=media&#x26;token=5a275fac-6d0b-45ea-b94c-f482baf990f9" alt=""><figcaption><p>file1</p></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FYyhQ8j5exwnwPKkPq1dj%2Fimage.png?alt=media&#x26;token=40697f2f-8be8-4e9a-9f6a-e7ec3e29e553" alt=""><figcaption><p>yay</p></figcaption></figure>

***Do the same for file 2. What is the name of the first Yara rule to detect file 2?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FWdpewkb1beCdtu9kLSCS%2Fimage.png?alt=media&#x26;token=0cc26b49-ec77-4da1-a734-77da93f96b7c" alt=""><figcaption><p>file2</p></figcaption></figure>

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F0UaAuB7hNCLZOoQfOHFy%2Fimage.png?alt=media&#x26;token=0407a002-9e06-42b4-9fdd-f2310ae4c2b1" alt=""><figcaption><p>Webshell_b374k_rule1</p></figcaption></figure>

***Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FCiR310ABm7N9Y6OTVXO6%2Fimage.png?alt=media&#x26;token=4797e806-3ea1-4680-a4b1-d41891b24e95" alt=""><figcaption><p>THOR APT Scanner</p></figcaption></figure>

***Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F9dweRQlfkKn7sAwOK3hU%2Fimage.png?alt=media&#x26;token=fc8e8db7-9994-403c-bc26-e0966db660fe" alt=""><figcaption><p>Nay</p></figcaption></figure>

***Besides .PHP, what other extension is recorded for this file?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2F87sIA0LKMNajSM6PLUeu%2Fimage.png?alt=media&#x26;token=ee948ad1-eac9-4f49-b690-986867652227" alt=""><figcaption><p>.exe</p></figcaption></figure>

***What JavaScript library is used by file 2?***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FX8rlkuoS02HAwQUFey08%2Fimage.png?alt=media&#x26;token=d7375c3a-3d71-424e-b058-75bde40b32d7" alt=""><figcaption><p>zepto</p></figcaption></figure>

***Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)***

<figure><img src="https://309112325-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdUCUPJ7E8b7n8AB8j3ms%2Fuploads%2FDSO0ABWyxt8leR4X0weI%2Fimage.png?alt=media&#x26;token=c263b3f7-1d4e-4095-bd23-a907eeab3f72" alt=""><figcaption><p>nay</p></figcaption></figure>

File 2 was not detected because the rule that covers it is not in the Yara file Loki uses for this class of hack tool (web shells), even though the tool has been around for years and has been attributed to at least one nation-state actor. The rule is present in THOR, the commercial counterpart of Loki. The practical lesson is that a clean Loki scan only means "nothing in the bundled signature set matched", which is why the yarGen workflow above exists.
