OFFSITE.DARK
YARA

Overview

YARA describes patterns to classify and identify malware samples. Rules combine string literals, hex jumps/wildcards, and boolean conditions over file size, entry point, and matched offsets.

Conditions can reference other rules, use modules (pe, elf, dotnet, hash, math, time), and count matches (`#s1 > 3 and uint16(0) == 0x5A4D`). Rules compile to bytecode scanned by libyara across files, processes, and memory.

yarac compiles rules to binary form; yara scans targets. Integration points: ClamAV, VirusTotal Livehunt, osquery, Velociraptor, and custom IR pipelines.

Rule quality matters: overly broad strings cause false positives; anchor on PE sections, export names, or encoded config blobs unique to a family.

Primary use cases

  • Hunting malware families across endpoint/file shares
  • Email gateway attachment screening with custom rules
  • Memory scanning for injected shellcode or reflective DLLs
  • Validating unpacker output against known packer signatures
  • Threat intel sharing via rule repositories (Yara-Rules, Neo23x0)

Key commands

Scan directory recursively

yara -r family_rule.yar /path/to/samples/

Compile rules

yarac rules/*.yar compiled.yarc

Example rule (PE overlay)

import "pe"

rule example {
  strings:
    // matched as ASCII and as UTF-16LE
    $a = "malicious_config" ascii wide
  condition:
    // pe module must be imported for pe.is_pe to resolve
    pe.is_pe and $a
}
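The following rule is an added example (not from the site or the YARA project) that exercises the features described in the overview: a hex pattern with wildcards and a jump, the `#` match counter with the `uint16(0) == 0x5A4D` header check, pe module anchors on export and section names, and a second rule that references the first. The family name, strings, byte pattern, export and section names are constructed placeholders, not indicators from any real sample.

```yara
import "pe"

// Constructed example: names, strings and bytes below are placeholders
rule Example_Loader_Constructed
{
    meta:
        description = "Illustrative PE loader rule (constructed, not a real family)"
    strings:
        // Text matched as ASCII and UTF-16LE; fullword avoids substring hits
        $cfg = "cfg_marker_v2" ascii wide fullword
        // Hex pattern: ?? is a one-byte wildcard, [4-6] skips 4 to 6 bytes
        $stub = { 55 8B EC 83 EC ?? 6A 00 [4-6] E8 ?? ?? ?? ?? }
        // Case-insensitive beacon path fragment
        $url = "/gate.php?id=" nocase
    condition:
        // Cheap header checks first: MZ magic, valid PE, bounded size
        uint16(0) == 0x5A4D and pe.is_pe and filesize < 2MB and
        // Config marker must repeat, plus the stub or the beacon string
        #cfg > 3 and ($stub or $url) and
        // Anchor on a family-specific export or section name
        (
            pe.exports("LoaderMain") or
            for any i in (0 .. pe.number_of_sections - 1) : (
                pe.sections[i].name == ".xdat"
            )
        )
}

// Rule chaining: only fires when the loader rule matched and the
// import table references the library the (constructed) family uses
rule Example_Loader_Constructed_Net
{
    condition:
        Example_Loader_Constructed and pe.imports("wininet.dll") > 0
}
```

Run it with `yara -r` over a clean corpus first; the `uint16(0)`, `pe.is_pe` and `filesize` tests are evaluated before string scanning, which keeps the rule cheap on large file shares.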

Notable modules / features

  • Modules: pe, elf, dotnet, hash, math, time, cuckoo, virustotal
  • External variables (-d) for contextual scanning
  • Fast multi-pattern Aho-Corasick search engine
  • YARA-X (Rust rewrite) for performance-critical deployments

Detection / defense notes

  • Attackers mutate strings and encrypt configs to evade static rules
  • Combine YARA with behavioral detection and network IOCs
  • Test rules against clean corpora before production deployment

Related tools

  • Volatility: Memory forensics. Extract processes, credentials, network connections, and kernel artifacts from RAM dumps.
  • Ghidra: Reverse engineering IDE. Disassembly, decompilation, scripting, and binary diffing.
  • binwalk: Firmware analysis. Extracts embedded files and filesystems from binary blobs.