Threat Hunting with Yara

What is threat hunting?

Threat hunting is the process of proactively searching for malware or attackers that are lurking in your network and may have been there for some time. It assumes that, because traditional controls such as SIEM, IDS and firewalls cannot stop or capture every attack, the network will at some point be compromised, and that the intruder will leave a trail that can be followed.

What is Yara?

Yara is an open-source tool that helps malware researchers identify and classify malware samples by looking for certain characteristics.

Indicators of Compromise

These are artifacts observed on a network or operating system that indicate potentially malicious activity.

Yara Syntax

In Yara, each rule starts with the keyword rule followed by a rule identifier. The identifier can start with a letter or an underscore but MUST NOT start with a digit.

  1. Text strings — allow 4 special modifiers: nocase, fullword, wide and ascii
  2. Regular expressions — allow the same modifiers as text strings

A. String Identifier

Each string identifier begins with a $ character followed by a sequence of alphanumeric characters and underscores.

B. Conditions

This is where the logic of the rule exists.

Structure of a Yara Rule

// Minimal valid rule: no strings section, and a condition that always matches
rule ExampleRule { condition: true }
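A fuller rule, added here as an illustration and not taken from the original post, showing string identifiers with the text and regex modifiers described above and a condition that combines them; the rule name and the strings are constructed for the example, not real indicators.

```yara
// Added example, not from the original post. The strings below are constructed
// to illustrate syntax; they are not indicators from any real sample.
rule Example_Suspicious_Downloader
{
    meta:
        author      = "added example"
        description = "Illustrates text strings, modifiers, regex and a condition"

    strings:
        // Text strings: a $ identifier, the string, then optional modifiers
        $s1 = "powershell" ascii wide nocase     // match ASCII or UTF-16, any case
        $s2 = "DownloadString" fullword          // whole word only, not part of a longer token
        $s3 = "-EncodedCommand" nocase

        // Regular expression: takes the same modifiers; matches an http(s) URL
        $url = /https?:\/\/[a-z0-9.\-]+\/[a-z0-9_\/.]+/ nocase

    condition:
        // The rule logic: small files that reference PowerShell, contain a URL
        // and use at least one of the download or encoding strings
        filesize < 2MB and
        $s1 and $url and
        1 of ($s2, $s3)
}
```

Save it as example.yar and scan a file or directory with yara -s example.yar <target>, where -s prints the matching strings and -r recurses into directories.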

How to run a Yara Rule

· You can download Yara from GitHub: https://github.com/VirusTotal/yara/releases

A community of Women in Cybersecurity from various backgrounds and counties across Kenya. https://shehackske.com/