YARA Templates
Selection of YARA rules for use as guides or templates
File system only examples:
Find by Name
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_name
{
// Matches a file whose name equals the literal in the condition.
// `file_name` is not a YARA built-in identifier; it is an external variable that the
// scanning product supplies (standalone yara would need `-d file_name=...`), and YARA
// rejects the rule at compile time where it is undefined.
// `==` is an exact, case-sensitive string comparison: "Some-Name.EXE" does not match.
meta:
description = "Find files by name."
condition:
file_name == "some-name.exe"
}
Find by Extension
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_extension
{
// Matches a file whose extension equals the literal in the condition.
// `file_extension` is an external variable provided by the scanning product, not a YARA
// built-in; whether it carries a leading dot or is lower-cased is product-defined —
// NOTE(review): confirm the exact form before relying on `==`.
// The comparison is case-sensitive, so "XYZ" would not match this template as written.
meta:
description = "Find files by extension."
condition:
file_extension == "xyz"
}
Find by Content
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_content
{
    meta:
        description = "Find files containing specific strings."

    strings:
        // One literal, searched in its 8-bit (ascii) and UTF-16LE (wide) encodings,
        // case-insensitively. A short generic word such as this one will hit a large
        // share of benign files; narrow the template (filesize, file type) before use.
        $a = "password" ascii wide nocase

    condition:
        $a
}
Find by Hash
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
import "hash"
rule find_by_hash
{
// Matches a file whose SHA-256 over its whole content (offset 0, length filesize)
// equals the literal. Requires `import "hash"` above the rule.
// hash.sha256() returns lowercase hexadecimal, so the literal must be lowercase too;
// an uppercase digest never compares equal.
// Hashing every scanned file is the most expensive check on this page — prefer a
// cheap pre-filter such as `filesize < ...` in front of it (see the "with Size filter"
// template further down). If both templates land in one ruleset, rename one of them:
// rule names must be unique within a namespace.
meta:
description = "Find files by hash."
condition:
hash.sha256(0, filesize) == "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}
Find by Size
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size
{
    meta:
        description = "Find files by size."

    condition:
        // filesize is the built-in length of the scanned object in bytes.
        // 1048576 bytes == 1MB in YARA's binary size suffixes (1MB = 1024 * 1024).
        filesize < 1048576
}
Find by Size range
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size_range
{
    meta:
        description = "Find files in size range."

    condition:
        // Exclusive bounds in bytes: 102400 == 100KB, 512000 == 500KB (1KB = 1024).
        // Files of exactly 100KB or exactly 500KB do not match.
        filesize > 102400 and filesize < 512000
}
Find by Location
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
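rule find_by_location
{
    meta:
        description = "Find files in specific location."

    condition:
        // `file_path` is an external variable supplied by the scanning product, not a
        // YARA built-in. Windows paths are case-insensitive, so a substring test on them
        // should be too: `icontains` (as used by the command-line template on this page)
        // replaces `contains`, which would miss "...\users\x\downloads\...".
        file_path icontains "Downloads"
        or
        // Exact-location form. `==` stays case-sensitive; the path must match byte for
        // byte, including the doubled backslashes required inside a YARA string literal.
        file_path == "C:\\Windows\\Temp\\svchost.exe"
}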
Find PE (portable executable) files only
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule IsPE
{
    meta:
        description = "Identifies PE files only based on the header."

    condition:
        // Big-endian reads let the literals be written in file byte order:
        // "MZ" (0x4D 0x5A) at offset 0 ...
        uint16be(0) == 0x4D5A and
        // ... and "PE\0\0" at the offset held in the 32-bit little-endian e_lfanew
        // field at 0x3C. Reads past the end of the data are undefined and make the
        // condition false, so a truncated header simply does not match.
        uint32be(uint32(0x3C)) == 0x50450000
}
Find PKZIP files only
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
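rule IsZIP
{
    meta:
        description = "Identifies ZIP files only based on the header."

    condition:
        // The first record of a ZIP archive is one of three "PK" signatures, read here
        // as a little-endian 32-bit value (file bytes reversed in the literal):
        //   50 4B 03 04  local file header     -> ordinary archive (the original check)
        //   50 4B 05 06  end of central dir    -> empty archive
        //   50 4B 07 08  data descriptor       -> spanned / split archive
        // The original matched only the first form and therefore missed empty and
        // spanned archives. Note that OOXML documents, JAR and APK files are ZIP
        // containers and match this rule as well.
        uint32(0) == 0x04034B50 or
        uint32(0) == 0x06054B50 or
        uint32(0) == 0x08074B50
}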
Find by Hash with Size filter
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
// In order to make yara scan faster, it is always a good practice to use filters.
// In this case let's say we know that sample is smaller than 1MB and we want to search the hash.
import "hash"
rule find_by_hash
{
    meta:
        description = "Find files by hash."

    condition:
        // Cheap guard first: `and` short-circuits, so the SHA-256 below is only
        // computed for files under 1048576 bytes (1MB). Requires `import "hash"`.
        filesize < 1048576 and
        // hash.sha256() yields lowercase hex; the literal must be lowercase to compare
        // equal. This rule shares its name with the unfiltered template above — rename
        // one of them if both are compiled into the same namespace.
        hash.sha256(0, filesize) == "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}
Memory/process scan examples:
Find Process by Name
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_process_by_name
{
// Matches a process whose image name equals the literal. `process_name` is an external
// variable provided by the scanning product (not a YARA built-in) and is only defined
// for memory/process scans. `==` is case-sensitive; "AudioDG.exe" would not match.
// NOTE(review): whether the value is the bare image name or a full path is
// product-defined — confirm before reuse.
meta:
description = "Find process by name."
condition:
process_name == "audiodg.exe"
}
Find String in Memory
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string_in_memory
{
    meta:
        description = "Find process executables containing string."

    strings:
        // Case-insensitive literal, searched as both 8-bit and UTF-16LE text, so it
        // covers the usual narrow and Windows wide-string representations in memory.
        $a = "keylogger started" ascii wide nocase

    condition:
        $a
}
Find Process by Command line
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_process_by_cmdline
{
// Matches when the process command line contains the literal anywhere, ignoring case
// (`icontains` is the case-insensitive form of `contains`). `process_command_line` is an
// external variable supplied by the scanning product, not a YARA built-in.
// The check is a plain substring test on the ".exe" spelling; a command line that names
// the interpreter without the suffix is outside what this template covers.
meta:
description = "Find string in process command lines."
condition :
process_command_line icontains "powershell.exe" // icontains is for case insensitive
}
Find Malware domain
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
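rule find_malware_domain
{
    meta:
        description = "Search malware domain in process memory."

    strings:
        // URL schemes and DNS names are case-insensitive, so the literal is matched with
        // `nocase`; without it "HTTP://MALWARE-DOMAIN.COM" in memory was missed.
        // ascii + wide cover 8-bit and UTF-16LE copies of the URL.
        // The "http://" prefix anchors the match to one scheme: https:// or a bare
        // hostname will not match this template as written.
        $a = "http://malware-domain.com" ascii wide nocase

    condition:
        $a
}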
Find Byte pattern
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_byte_pattern
{
    meta:
        description = "Search byte pattern process memory."

    strings:
        // Six fully specified bytes (hex digits are case-insensitive in YARA hex
        // strings). Placeholder pattern: replace with the sequence of interest; `??`
        // wildcards and `[n-m]` jumps are available for partially known sequences.
        $a = { aa bb cc dd ee ff }

    condition:
        $a
}
Filesystem and memory scan:
Find String
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string
{
    meta:
        description = "Find containing string."

    strings:
        // Same literal in 8-bit and UTF-16LE form, case-insensitive; usable for both
        // file and process-memory scans since it relies on no external variables.
        $a = "keylogger started" ascii wide nocase

    condition:
        $a
}
Find Malware domain
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
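rule find_malware_domain
{
    meta:
        description = "Search malware domain."

    strings:
        // Schemes and DNS names are case-insensitive, so match with `nocase`; the
        // original case-sensitive literal missed upper- or mixed-case copies.
        // ascii + wide cover 8-bit and UTF-16LE encodings. The "http://" prefix limits
        // the match to that scheme; https:// or a bare hostname will not match.
        $a = "http://malware-domain.com" ascii wide nocase

    condition:
        $a
}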
Find Byte pattern
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
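rule find_byte_pattern
{
    meta:
        // Description corrected: this template sits in the "Filesystem and memory scan"
        // section and uses no process-only variables, so it is not memory-specific.
        description = "Search byte pattern."

    strings:
        // Six fully specified bytes; placeholder to be replaced with the real sequence.
        // `??` wildcards and `[n-m]` jumps handle partially known patterns.
        $a = { AA BB CC DD EE FF }

    condition:
        $a
}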
Find XOR pattern
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
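rule find_xor_string
{
    meta:
        description = "Search xor string pattern."

    strings:
        // `xor` alone tries every single-byte key 0x00-0xff, and key 0x00 is the
        // plaintext itself. "This program cannot" appears in the DOS stub of nearly every
        // PE file, so the unrestricted form matched practically all executables.
        // Restricting the key range to 0x01-0xff keeps only genuinely XOR-obfuscated
        // copies. Add `wide` alongside if UTF-16LE variants should be covered too.
        $xor_string = "This program cannot" xor(0x01-0xff)

    condition:
        $xor_string
}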
Find Base64 pattern
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_base64_string
{
    meta:
        description = "Search Base64 encoded string pattern."

    strings:
        // base64 / base64wide make YARA search for every alignment of the Base64
        // encoding of the literal (and of its UTF-16LE form); ascii / wide additionally
        // keep the unencoded forms. The base64 modifiers cannot be combined with
        // nocase, xor or fullword.
        $mimi = "Mimikatz" base64 base64wide ascii wide

    condition:
        $mimi
}