We covered an introduction to YARA rules and how to create them to detect malware using patterns that match common indicators of compromise. YARA rules are created and stored inside rule files that have the .yar extension, and the rules are written in YAML language. We also used the LOKI Python script as a tool to scan for malicious files using Yara rules, and covered how to generate Yara rules with the yaraGen tool. Finally, we explained how to research and download Yara rules using the VALHALLA feed. This was part of the TryHackMe Yara room, which is in the SOC Level 1 pathway.

What is Yara?

Yara is a pattern-matching tool widely used in cybersecurity to detect malware and threats by searching for predefined patterns in files. It is used for threat intelligence, digital forensics, and malware detection. Unlike traditional antivirus software that relies on signature-based detection, Yara provides customizable rule-based detection, allowing analysts to hunt for threats in a more flexible manner.

File Types Yara Can Analyze

Yara is capable of analyzing different file formats, including:

  • Binary files (executables, DLLs)
  • Text files (logs, scripts)
  • PHP files (used in web development)
  • Other extensions depending on the security need

Yara Rule Files (.yar)

A Yara rule file is a text-based configuration file with the .yar extension, written in YAML format. Each rule contains search conditions that help identify malicious indicators within files. The rule file can contain a single rule or multiple rules.

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are digital footprints left by malware or threat actors. Yara rules help detect these by searching for:

  • Strings – Malicious scripts or text fragments
  • Domain Names – Domains used by malware for communication
  • IP Addresses – IPs related to command-and-control servers
  • File Hashes – Unique identifiers for known malware files
  • Bitcoin Wallets – Addresses used in ransomware payments

By identifying these indicators, analysts can proactively detect and mitigate threats before they cause significant damage.

Structure of a Yara Rule

A Yara rule consists of four primary components:

  1. Meta Section – Stores metadata about the rule such as:
    • Author
    • Description
    • References
    • Creation Date
  2. Rule Name – Each rule must have a unique identifier to differentiate it from others.
  3. Strings Section – Defines the patterns to look for in a file. These patterns can be:
    • Plain text strings (e.g., "malicious_code")
    • Hexadecimal patterns (e.g., {6A 40 68 00 30 00 00})
  4. Condition Section – Specifies how the rule should match against a file. Conditions can use:
    • Boolean Logic (AND, OR, NOT)
    • Operators (<=, >=, ==)
    • String Match Conditions (any of them, all of them)

Rule Conditions & Operators

Yara provides powerful logical expressions to refine malware detection. Some common conditions include:

  • true – The rule will always match.
  • any of them – The rule matches if any of the defined strings are found.
  • all of them – The rule matches only if all defined strings are found.
  • Operators: Yara allows various operators to refine conditions:
    • <=, >= – Checks whether a value is less than or equal to, or greater than or equal to, a given number.
    • contains – Ensures a file contains a specific string.
    • matches – Used for regular expressions.
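The rule below is an added example, not one from the TryHackMe room or the original post, and it puts the four sections and the condition operators from the two lists above into one rule written in Yara's own rule syntax. Every string and value in it is a constructed placeholder rather than a real indicator; `filename` is an external variable that exists only when the scanner supplies it (Loki does, and the yara CLI takes `-d filename=<name>`), so the rule will not compile without it.

```yara
/*
 * Added example, not a rule from the TryHackMe room or the original post.
 * All strings and values below are constructed for illustration; they are
 * not real malware indicators.
 */
rule Example_PHP_Webshell_Anatomy
{
    meta:
        author      = "added example"
        description = "Shows the meta, strings and condition sections side by side"
        reference   = "https://example.invalid/placeholder-reference"
        date        = "2024-01-01"

    strings:
        // text strings; 'nocase' makes the match case-insensitive
        $t1 = "eval(base64_decode(" nocase
        $t2 = "shell_exec(" ascii
        // hex pattern in the notation used above; '??' is a one-byte wildcard
        $h1 = { 6A 40 68 00 30 00 00 ?? }
        // regular expression for a constructed beacon path
        $r1 = /\/c2-[a-z0-9]{6}\/beacon\.php/

    condition:
        // uint16(0) reads the first two bytes little-endian: 0x3f3c is "<?"
        uint16(0) == 0x3f3c and
        // comparison operators on the file size; the KB suffix is built in
        filesize >= 512 and filesize < 700KB and
        // quantifiers over string sets, plus '#t1', the hit count for $t1,
        // so '>=' also works on how often a pattern occurs
        ( all of ($t*) or #t1 >= 2 or any of ($h*, $r*) ) and
        // 'contains' and 'matches' compare string values; 'filename' is an
        // external variable supplied by Loki or by 'yara -d filename=...'
        ( filename contains ".php" or filename matches /\.ph(p[3-7]?|tml)$/ )
}
```

Replacing the whole condition with `true` gives the always-matching rule from the first bullet, which is useful only for checking that a rule file loads.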

Yara Rule Tools

Several tools help automate and optimize the creation, execution, and scanning of Yara rules:

🔨 Yara Generate

  • Automates rule creation by generating rules from a collection of files.
  • Useful for detecting common malware patterns across multiple files.
  • Example command:
python yara_generate.py -d <directory> -o output.yar

Loki Scanner

  • A Yara-based scanner for identifying threats in files.
  • Uses predefined rules to flag malicious indicators.
  • Can be extended by adding new rules.

Example command to scan a file:

python Loki.py -p <file_directory>

Thor

  • An improved version of Loki with better CPU and resource management.
  • Features scan throttling to reduce system load.

🌍 Valhalla

  • An online Yara rule repository for security researchers.
  • Allows analysts to search for rules by IOC, hash, or domain.
  • Provides access to community-created Yara rules.

Practical Use of Loki Scanner

The video demonstrates how to use Loki Scanner in a real-world malware analysis scenario:

  1. Scanning Files for Malware
    • A directory containing two suspicious files (file1 and file2) is scanned using Loki.
    • The command used:
      python Loki.py -p suspicious_files
    • The scan result shows that file1 is malicious and flagged as a web shell.

Inspecting the Yara Rule Match

  • The detection output contains:
    • Matched Rule Name
    • Matched Strings
    • Reason for Flagging the File
  • The flagged file is classified as a web shell, which could be used for unauthorized access.

Creating a Custom Yara Rule

  • Using Yara Generate, a custom rule is created to detect the same malware in future scans.
  • The rule is stored in a .yar file and tested against other files using:
yara custom_rule.yar <directory>

Using VirusTotal & Valhalla

  • Hash lookup is performed in Valhalla to check if the detected malware is linked to Advanced Persistent Threat (APT) groups.
  • VirusTotal scan determines if antivirus engines detect the malware.
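The rule file below is an added example, not the rule generated in the room or the original post. It shows the shape yarGen gives a generated rule (meta block, numbered `$s` strings, a header check, the size bound, `N of them`) and, because a .yar file may hold several rules, a second rule that references the first by name to tighten it. The strings, date and hash are constructed placeholders, not the actual b374k indicators.

```yara
/*
 * Added example, not the rule generated in the room or the original post.
 * The strings are constructed placeholders standing in for the 20 strings
 * a generator would emit; the hash is a placeholder, not a real value.
 */
rule Custom_Webshell_Zepto_Placeholder
{
    meta:
        description = "Constructed placeholder for a generated PHP web shell rule"
        author      = "added example"
        date        = "2024-01-01"
        hash1       = "PLACEHOLDER_SHA256_OF_THE_SCANNED_SAMPLE"

    strings:
        // generated rules name strings $s1..$sN; a match report names the
        // variable that hit, which is how "Zepto" showed up in the room
        $s1 = "Zepto" fullword ascii
        $s2 = "placeholder_function_name(" ascii
        $s3 = "placeholder HTML title" ascii nocase

    condition:
        uint16(0) == 0x3f3c and   // file starts with "<?"
        filesize < 700KB and      // the size bound the room's rule used
        1 of them                 // any single string is enough
}

// A second rule in the same .yar file. Rules can reference rules defined
// earlier by name, so this one reuses the generated rule and adds context
// instead of editing it: the library name alone also appears in legitimate
// pages that bundle Zepto, so require a command-execution call as well.
rule Custom_Webshell_Zepto_HighConfidence
{
    strings:
        $exec = /(shell_exec|passthru|system|proc_open)\s*\(/

    condition:
        Custom_Webshell_Zepto_Placeholder and $exec
}
```

Testing it follows the command the post gives, `yara custom_rule.yar <directory>`; when the file is copied into Loki's signatures directory, Loki loads both rules from it.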

🔍 Using Valhalla for Threat Intelligence

  1. Searching for a Malware Hash
    • A file’s SHA256 hash is checked in Valhalla to see if it has been flagged.
    • If found, it may be linked to a known APT attack.
  2. Inspecting VirusTotal Reports
    • The malware hash is submitted to VirusTotal.
    • The report shows:
      • Antivirus detections of the file.
      • File classification (Malicious, Suspicious, or Benign).
      • Known variants of the malware.

Room Answers | TryHackMe Yara

What is the name of the base-16 numbering system that Yara can detect?

hexadecimal

Would the text “Enter your Name” be a string in an application? (Yay/Nay)

Yay

Scan file 1. Does Loki detect this file as suspicious/malicious or benign?

Suspicious

What Yara rule did it match on?

webshell_metaslsoft

What does Loki classify this file as?

Web Shell

Based on the output, what string within the Yara rule did it match on?

Str1

What is the name and version of this hack tool?

b374k 2.2

Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?

1

Scan file 2. Does Loki detect this file as suspicious/malicious or benign?

Benign

Inspect file 2. What is the name and version of this web shell?

b374k 3.2.3

From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?

yara file2.yar file2/1ndex.php

Did Yara rule flag file 2? (Yay/Nay)

Yay

Copy the Yara rule you created into the Loki signatures directory.

No answer needed

Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)

Yay

What is the name of the variable for the string that it matched on?

Zepto

Inspect the Yara rule, how many strings were generated?

20

One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?

700KB

Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)

Yay

Do the same for file 2. What is the name of the first Yara rule to detect file 2?

Webshell_b374k_rule1

Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?

THOR APT Scanner

Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)

Nay

Besides .PHP, what other extension is recorded for this file?

EXE

What JavaScript library is used by file 2?

Zepto

Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)

Nay

Number-Based Facts

700KB – Maximum file size defined for a Yara rule to trigger detection.

3.2.3 – Version number of a detected web shell.

1,000+ – The potential number of Yara rules that can be included in a single .yar file.

2 – The number of files scanned in the tutorial using Loki.

Summary

🔎 What is Yara? – Yara is a pattern-matching tool used for threat hunting, allowing security analysts to search for specific patterns in binary or text files.

📁 File Types It Can Analyze – Yara can detect patterns in multiple file types, including binary, text, PHP, and various other extensions.

📝 Yara Rule Files – A Yara rule file (.yar) contains multiple rules written in YAML format, defining search conditions for malware detection.

🛑 Indicators of Compromise (IOCs) – These are attributes like strings, domains, IP addresses, hashes, and Bitcoin wallets that help identify malicious files.

🏗 Structure of a Yara Rule:

  • Meta Section – Contains details such as rule purpose, author, and references.
  • Rule Name – A unique identifier for the rule.
  • Strings – Defines the patterns (hexadecimal, text) the rule searches for.
  • Condition – Specifies conditions for triggering a match.

Rule Conditions & Operators – Common conditions include true, any of them, all of them, and logical operators (AND, OR, <=, >=).

⚙ Yara Rule Tools:

  • Yara Generate – A tool that automates rule creation based on a pattern or file collection.
  • Loki – A Yara scanner used to identify threats in files based on predefined rules.
  • Thor – An improved version of Loki, featuring CPU throttling and scan optimization.
  • Valhalla – An online database for researching existing Yara rules using hashes, IPs, or IOCs.

🚀 Practical Use of Loki Scanner:

  • Running python tools/Loki.py -p <directory> to scan a given directory for suspicious files.
  • Loki detects web shells and malicious files based on predefined rules.

🔧 Creating a Custom Yara Rule:

  • Using Yara Generate to create a rule file (.yar) for detecting specific threats.
  • Running Yara command to test the newly created rule against files in a directory.

🔍 Using Valhalla for Threat Intelligence:

  • Searching for a file hash in Valhalla to determine if it has been linked to an Advanced Persistent Threat (APT) group.
  • Reviewing VirusTotal reports to verify if a file is flagged as malicious by multiple antivirus solutions.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.