Intro to Yara Rules

3 minute read

Intro

Hello, 🌎! Yara is an awesome tool written by the developers of VirusTotal and it is specifically helpful in the identification and classification of malware. Yara rules allow security detection engineers to quickly turn indicators of compromise (IOCs) seen within a victim’s environment into powerful malware indentification variables. In this blog I’ll walkthrough Yara’s installation process on Linux, provide a basic Yara rule, and then explain the structure of the rule itself. Let’s go for it!

Installation

To install Yara on Linux, copy, paste, and run each command below into a terminal window:

git clone https://github.com/VirusTotal/yara.git; cd yara
./bootstrap.sh
./configure
make
sudo make install
sudo ln -sf $(pwd)/yara /usr/local/bin/

If you have Yara successfully installed you should be able to type yara in the terminal and see its basic help message:

Yara Basic Help

With Yara now installed, lets go ahead and write our first Yara rule!

Writing a Yara Rule

The following Yara rule is an example rule and does not actually look for real-world malware but will be used to explain all the components that make up a Yara rule.

rule my_rule : credential_stealer {
  meta:
    description = "This rule looks for requests to an attacker controlled domain with stolen credentials"
    author = "Alexis Rodriguez"
    date = "2022.06.11"
    classification = "malware"
    first_spotted_in_wild = "2022.06.09"
  strings:
    /* match malicious domain name associated with malware */
    $ioc1 = "https://malicious-domain.com" wide base64
    /* match credential stealing parameters */
    $ioc2 = /\?email=.{,100}&password=.{,100}/i
    /* match IP addresses associated with malicious server */
    $ioc3 = /(125\.66\.71\.101|34\.155\.37\.225)/
  condition:
    /* find at least one IOC string above to trigger rule */
    1 of ($ioc*)
}

Here are the elements that make up the Yara rule above:

  • my_rule: the name of the Yara rule
  • credential_stealer: the rule tage which can be used to classify the rule
  • meta: the rule’s metadata
  • strings: the IOCs for detection
  • condition: the condition that must be met for the rule to trigger

Here is the rule above with syntax highlighting for readability:

Demo Yara Rule

As we can see from the rule above, we can also use regular expressions to match certain strings and they can be specified between two forwards slashes /. You can also search for hexadecimal strings by specifying the hexadecimal characters within opening and closing curly brackets like this:

$hex_ioc1 = { F4 23 62 B4 }

The modifiers used in our rule were wide and base64. The wide modifier ensures that the string also matches even if the string was encoded with two-bytes per character - something you might commonly find on some Windows applications. The base64 modifier takes the given string and base64 encodes it before attempting to find the encoded string in the provided data.

Here is a table containing all the available modifiers along with some of their restrictions:

Keyword Supported String Types Summary Restrictions
nocase text,regex ignore casing cannot use with xor, base64, or base64wide
wide text,regex also match 2-byte encoded characters none
ascii text,regex also match ascii characters none
xor text XOR text string with single byte keys cannot use with nocase, base64, or base64wide
base64 text perform 3 different types of base64 encoding cannot use with nocase, xor or fullword
base64wide text perform 3 different types of base64 encoding but using 2-byte per character cannot use with nocase, xor, or fullword
fullword text,regex string is not preceded or follow by alphanumeric character cannot use with base64 or base64wide
private text,regex,hex matched is not included in output none

And finally, our rules condition simply tells Yara to trigger the rule if at least 1 of the 3 strings is identified. $ioc* gets expanded to $ioc1, $ioc2, and $ioc3 to include all the rules beginning with $ioc.

Running the Rule

To run the Yara rule above, save the rule above to a file named rule1.yara and use the following command to run it:

yara rule1.yara malware.txt

For demonstration purposes, I entered the following text into the file malware.txt:

https://malicious-domain.com/[email protected]&[email protected]$aL*&anNBLafe
125.66.71.101

If the contents of the file triggers the rule, you should see the name of the rule followed by the name of the file that the rule matched like this:

Yara Rule Match

If you’d like to print the strings that matched including their offsets, use the --print-strings option:

yara --print-strings rule1.yara malware.txt

Yara Rule Match with Stings

And there you have it. Happy Hacking!

EOF

If you enjoyed reading this blog and learned something, keep an eye out for more of my posts and maybe consider following me on GitHub, where I work on cybersecurity projects. And if you are feeling really generous, consider buying me a coffee!

References

comments powered by Disqus