[BLUE TEAMING] - Pattern matching in Malware Analysis using YARA
<aside>
💡 YARA is a multi-platform tool for matching patterns of interest (text, byte sequences, file properties) in files and processes, used to identify and classify malware
</aside>
<aside>
💡 A YARA rule is a way of telling YARA which characteristics to look for in a file, and how they must combine before the file counts as a match.
</aside>
<aside>
💡 Yara Rule structure (keywords as they appear in a .yar file)
rule name (`rule <name> {`)
metadata (`meta:`)
strings (`strings:`)
conditions (`condition:`)
</aside>
<aside>
💡 Yara rule syntax :-
- Strings
    - Specify the strings you want to match
    - Define strings like you define variables, with a `$` prefix (e.g. `$a = "..."`)
    - Can be text strings (strings found in the legible text portion of a file) or hex strings (raw sequences of bytes in a file)
    - Use double quotes for text strings and braces for hex strings; hex strings may contain `??` single-byte wildcards, and text strings can take modifiers such as `nocase`, `ascii` and `wide`
- Conditions
    - Define the conditions the writer wants to be met in order for the rule to hit on a file
    - The condition is a boolean expression; the string identifiers from the strings section are used as variables (a bare `$a` means "this string was found")
    - The most common operators are and, or, and not; conditions can also test things like `filesize` or bytes at an offset (e.g. `uint16(0) == 0x5A4D` for the MZ header)
- Metadata
    - Adds metadata about the rule (author, description, date, reference)
    - Important when contributing to the community; metadata never affects matching
</aside>
<aside>
💡 Running Yara syntax
yara [options] <rule_file> <target>
The target can be a file, a directory (scan recursively with -r) or a process ID. Useful options: -s prints the matching strings and their offsets, -m prints the rule's metadata, -n prints rules that did not match.
</aside>
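A complete rule that puts the four sections and the string/condition syntax above together, with the run command as a comment. This is an added example written for these notes, not a rule from the original page or from any YARA rule set; the strings, the hex pattern and the meta values are constructed for illustration and do not describe a real malware family.

```yara
// Added example, not from the original notes.
// Run with:  yara -s -m suspicious_dropper.yar sample.exe
//   -s prints the strings that matched and their offsets
//   -m prints the meta: section of every matching rule
rule Suspicious_Dropper_Example
{
    meta:
        author      = "blue team notes"          // constructed value
        description = "PE that references a constructed payload URL or carries a constructed call stub"
        date        = "2024-01-01"               // constructed value

    strings:
        // text strings: searched in the legible part of the file.
        // ascii + wide matches both the 8-bit and the UTF-16LE form.
        $url  = "http://malware.example.invalid/payload.bin" ascii wide   // constructed
        // nocase: "CMD.EXE /C" and "cmd.exe /c" both hit
        $cmd  = "cmd.exe /c" nocase

        // hex string: raw bytes. ?? is a single-byte wildcard,
        // [4-8] is a jump of 4 to 8 arbitrary bytes.
        $stub = { E8 ?? ?? ?? ?? 83 C4 [4-8] 6A 00 }   // constructed pattern

    condition:
        // MZ magic read as a little-endian 16-bit value at offset 0
        uint16(0) == 0x5A4D
        and filesize < 2MB
        and (
            $url                // either the URL alone is enough ...
            or ($cmd and $stub) // ... or the command string together with the stub
        )
        and not $url at 0       // a string sitting at offset 0 is not the real payload reference
}
```

Read the condition top down: the header and size checks cheaply reject files that cannot be a PE, then the string identifiers are combined with and / or / not exactly as the notes describe. Save the block as `suspicious_dropper.yar` and point `yara` at a file or, with `-r`, at a directory.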
Questions ➖
1 - boolean condition
2, 4 - yara help
3 - metadata