This scenario serves as a guide on how to create Yara Signatures for Malware Detection.
YARA is a tool designed to help malware researchers identify and classify malware samples. It’s been called the pattern-matching Swiss Army knife for security researchers (and everyone else). It is multi platform and can be used from both its command-line interface or through your own Python scripts.
The tool allows you to conduct signature-based detection of malware, something similar to what antivirus solutions can do for you.
OBJECTIVES AND OUTCOME
After completing this scenario you will be able to:
Learn Rule Identifiers
Learn Yara Keywords
– Text Strings
– String Modifiers
– Regular Expression
– Sets of strings
– Anonymous strings
– Counting string instances
– String offsets or virtual -addresses
– Match Length
– File size
– Executable entry_point
– Accessing data at a given position
– Applying one condition across many strings
– Iterating over string occurrences
Learn Referencing other rules
Learn Yara Essentials
– Global Rules
– Private Rules
– Rule tags
– Using Modules
– Undefined values
– External/Argument Values
– Including Files
In order to get the full benefit from this scenario, it is suggested that you have competencies in the following areas:
– GNU Linux
– Familiarity with C syntax (not required, but useful)
– Regex (not required, but useful)
This scenario has no recommended reading.
This scenario was created by Sathish Govindharajan and Lawrence Muchilwa.