YARA learning

Example of a YARA rule from TryHackMe - Threat Hunting with YARA

rule M_APT_Downloader_WINELOADER_2
{
    meta:
        author = "Mandiant"
        disclaimer = "This rule is meant for hunting and is not tested to run in a production environment."
        description = "Detects payload invocation stub in WINELOADER"

    strings:
        // 48 8D 0D ?? ?? 00 00  lea rcx, module_start (Pointer to encrypted resource)
        // 48 C7 C2 ?? ?? 00 00  mov rdx, ???? (size of encrypted source)
        // E8 [4]  call decryption
        // 48 8D 05 [4]  lea rcx, ??
        // 48 8D 0D [4]  lea rax, module_start (decrypted resource)
        // 48 89 05 [4]  mov ptr_mod, rax
        //
        $ = {48 8D 0D ?? ?? 00 00 48 C7 C2 ?? ?? 00 00 E8 [4] 48 8d 0D [4] 48 8D 05 [4] 48 89 05 }

    condition:
        all of them
}

TryHackMe™ mentions that there are three styles for threat hunting: Structured hunting, unstructured hunting, and situational/entity-driven hunting.

In the above rule you’ll see four key areas:

RULE NAME: is the first line, "rule M_APT…".

Meta Data: is the second section, starting with the meta: keyword.

Strings: is the section starting with the strings: keyword. It holds the strings used to match, which YARA searches for using something called atoms. Atoms are 4 byte sub-strings used for pattern matching, which keeps combing through files as efficient as possible. I like to think of this like I think of molecules from science class as my visual, but I'm sure that's oversimplifying it here. You know, atoms (bytes) chained together to form a molecule (exploit code/malware).

Conditions: is the section that defines which strings have to be present for the rule to match. In the above sample all the strings have to be present to find a match.
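As an added example (not from the TryHackMe room or from Mandiant), here is a small Python matcher for YARA-style hex strings with ?? wildcards and [n] jumps, run over a constructed byte buffer that contains the stub from the rule above. The stub's operand bytes, the sample buffers and the function names are assumptions for illustration; this is a naive scanner, not YARA's atom-based engine.

```python
import re

# Constructed example: the hex string from the WINELOADER rule above.
WINELOADER_STUB = ("{48 8D 0D ?? ?? 00 00 48 C7 C2 ?? ?? 00 00 E8 [4] "
                   "48 8d 0D [4] 48 8D 05 [4] 48 89 05 }")

def parse_hex_string(pattern):
    """Tokens: int = fixed byte, None = ?? wildcard, (lo, hi) = jump [n] or [n-m]."""
    tokens = []
    for tok in re.findall(r'\?\?|[0-9A-Fa-f]{2}|\[\d+(?:-\d+)?\]', pattern):
        if tok == '??':
            tokens.append(None)
        elif tok.startswith('['):
            lo, _, hi = tok[1:-1].partition('-')
            tokens.append((int(lo), int(hi or lo)))
        else:
            tokens.append(int(tok, 16))
    return tokens

def _match_at(tokens, data, pos, i=0):
    """True if tokens[i:] match data starting at pos (recurses on jumps)."""
    while i < len(tokens):
        tok = tokens[i]
        if isinstance(tok, tuple):  # jump: try every allowed length
            return any(_match_at(tokens, data, pos + n, i + 1)
                       for n in range(tok[0], tok[1] + 1))
        if pos >= len(data) or (tok is not None and data[pos] != tok):
            return False
        pos, i = pos + 1, i + 1
    return True

def find_hex_string(pattern, data):
    """Offsets where the pattern matches. Real YARA first hunts short 'atoms'
    (e.g. 48 C7 C2) and verifies the full pattern only at candidate hits."""
    tokens = parse_hex_string(pattern)
    return [off for off in range(len(data)) if _match_at(tokens, data, off)]

# Constructed 36-byte stub with made-up operands, padded with NOPs and INT3s.
STUB = bytes.fromhex(
    "48 8D 0D 10 20 00 00"   # lea rcx, [rip+0x2010]
    "48 C7 C2 34 12 00 00"   # mov rdx, 0x1234
    "E8 11 22 33 44"         # call rel32
    "48 8D 0D AA BB CC DD"   # lea rcx, [rip+...]
    "48 8D 05 01 02 03 04"   # lea rax, [rip+...]
    "48 89 05")              # mov [rip+...], rax
SAMPLE = b"\x90" * 8 + STUB + b"\xCC\xCC"
BENIGN = SAMPLE[:22] + b"\xE9" + SAMPLE[23:]  # call opcode changed: no match

def rule_matches(data):
    # The rule's condition 'all of them' with its single string.
    return bool(find_hex_string(WINELOADER_STUB, data))
```

Changing a single fixed byte (the E8 call opcode) defeats the match, which is why the rule leaves the variable operands as ?? and [4] rather than hard-coding them.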


Strings and Conditions

Strings:

Text Strings, Wide-Character Strings, Hexadecimal Strings, XOR Strings, base64 encoded, Regular Expressions

Conditions:

Boolean Operators: and, or, not

Relational Operators: >=, <, >, ==, !=

Arithmetic Operators: +, -, *, \ (integer division), %

Bitwise Operators: &, | (pipe char.), <<, >>, ~, ^

Keywords: 1 of them, any of them, none of them, contains, icontains, startswith, istartswith, endswith, iendswith, iequals, matches, not defined, filesize

to be continued…