Sign in Subscribe

THM - Advent of Cyber [Day 21]

Alex McCulley

1 min read

The task for today deals with Yara and Yara rules, which are a way of automating virus detection. We can setup Yara rules to search for and detect families of viruses. Here’s an example of a Yara rule:

rule rulename
  {
    meta:
      author = "tryhackme"
      description = "test rule"
      created = "11/12/2021 00:00"
    strings:
      $textstring = "text"
      $hexstring = {4D 5A}
    conditions:
      $textstring and $hexstring
  }

The rule at the top declares a rule, then followed by the name.

meta

This section is optional and can help to classify rules based on author, description, etc. It helps purely with organization.

strings

You define the string you want to match in the malicious files with strings. They act much like variables do. You declare them with a $ and then use double quotes for text strings and curly brackets for hex strings.You can also use regex for matching strings

conditions

While the strings section more or less defines variables for our Yara rule, the conditions section defines the conditions that make a rule hit on a file. Conditions follow boolean logic.

The Task

Once we get the rule written, we can run the following command to run the rule:

yara [options] rule_file [target]

This task was mostly taking a look at the options for the yara command. You only really have to run one command to get the final question.

Sign up for more like this.

Enter your email
Subscribe
Follow Me on Mastodon! Follow Me on Twitter