YARA Templates
Selection of YARA rules for use as guides or templates
File system only examples:
Find by Name
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
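rule find_by_name
{
    meta:
        description = "Find files by name."
    condition:
        // file_name is not a YARA built-in: it is an external variable that
        // the scanning engine must define (on the CLI: -d file_name=...),
        // otherwise the rule does not compile.
        // iequals (YARA >= 4.3.0, like the icontains used elsewhere on this
        // page) compares case-insensitively, so "Some-Name.EXE" on a
        // case-insensitive file system is still found; a plain == misses it.
        file_name iequals "some-name.exe"
}
Find by Extension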
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
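rule find_by_extension
{
    meta:
        description = "Find files by extension."
    condition:
        // file_extension is an external variable supplied by the scanning
        // engine, not a YARA built-in (CLI: -d file_extension=...).
        // iequals (YARA >= 4.3.0) ignores case, so "XYZ" / "Xyz" match too;
        // extensions are case-insensitive on Windows, so == is too strict.
        // NOTE(review): whether the value carries a leading dot depends on
        // the engine - test against a known file before relying on it.
        file_extension iequals "xyz"
}
Find by Content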
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_content
{
    meta:
        description = "Find files containing specific strings."
    strings:
        // ascii + wide cover the 8-bit and UTF-16LE encodings of the word;
        // nocase makes the match case-insensitive. A short generic word
        // like this is noisy - expect hits in ordinary documents and help
        // files, so narrow it or combine with a file-type check in practice.
        $needle = "password" wide ascii nocase
    condition:
        any of them
}
Find by Hash
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
import "hash"

rule find_by_hash
{
    meta:
        description = "Find files by hash."
    condition:
        // hash.sha256() returns the digest as a lowercase hex string, so the
        // literal must be lowercase or the comparison never succeeds.
        // Hashing the whole file is the most expensive thing a rule can do;
        // put a filesize (or header) filter in front of it when scanning a
        // file system, as the size-filtered variant below does.
        hash.sha256(0, filesize) ==
            "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}
Find by Size
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size
{
    meta:
        description = "Find files by size."
    condition:
        // filesize is the size in bytes of the scanned file; the KB/MB
        // suffixes are shorthand for multiples of 1024, so 1MB == 1024 * 1024.
        // Only files strictly smaller than that match.
        filesize < 1024 * 1024
}
Find by Size range
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size_range
{
    meta:
        description = "Find files in size range."
    condition:
        // Both bounds are exclusive: a file of exactly 100KB or 500KB does
        // not match. filesize is in bytes; 100KB == 100 * 1024.
        filesize > 100 * 1024
        and
        filesize < 500 * 1024
}
Find by Location
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
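rule find_by_location
{
    meta:
        description = "Find files in specific location."
    condition:
        // file_path is an external variable supplied by the scanning engine,
        // not a YARA built-in (CLI: -d file_path=...).
        // Windows paths are case-insensitive, so compare with the
        // case-insensitive operators (YARA >= 4.3.0): "downloads" and
        // "DOWNLOADS" are the same directory, and the plain contains / ==
        // forms would silently miss them.
        file_path icontains "Downloads" // path contains a substring (also matches e.g. "MyDownloadsBackup")
        or
        file_path iequals "C:\\Windows\\Temp\\svchost.exe" // exact location; backslashes must be doubled in YARA strings
}
Find PE (portable executable) files only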
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule IsPE
{
    meta:
        description = "Identifies PE files only based on the header."
    condition:
        // "MZ" DOS magic at offset 0 (read big-endian so the literal reads
        // in byte order) ...
        uint16be(0) == 0x4D5A
        and
        // ... and the "PE\0\0" signature at e_lfanew, the dword stored at
        // offset 0x3C. uint32()/uint32be() are undefined when the offset
        // falls outside the file, so a bogus e_lfanew just makes the
        // condition false instead of erroring out.
        uint32be(uint32(0x3C)) == 0x50450000
        // The pe module exposes the same test as pe.is_pe, at the cost of
        // importing and parsing the header.
}
Find PKZIP files only
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
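rule IsZIP
{
    meta:
        description = "Identifies ZIP files only based on the header."
    condition:
        // "PK\x03\x04" - first local file header of a normal archive
        uint32(0) == 0x04034B50
        or
        // "PK\x05\x06" - end-of-central-directory record, i.e. an empty
        // archive; checking only the local-file-header magic misses these
        uint32(0) == 0x06054B50
        or
        // "PK\x07\x08" - spanned (multi-volume) archive marker
        uint32(0) == 0x08074B50
        // Office OOXML (docx/xlsx), JAR, APK and similar containers are ZIP
        // archives and match as well; the header alone cannot tell them apart.
}
Find by Hash with Size filter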
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
// To make YARA scans faster, put a cheap filter such as filesize in front of an expensive check:
// conditions are evaluated left to right and short-circuit, so the hash is only computed for files that pass the filter.
// Here we assume the sample is known to be smaller than 1MB and we want to match its hash.
import "hash"

rule find_by_hash
{
    meta:
        description = "Find files by hash."
    condition:
        // Keep the filesize test on the left: YARA evaluates the condition
        // left to right and short-circuits, so hash.sha256() only runs on
        // files under 1MB. Swapping the operands would hash every file and
        // the filter would buy nothing.
        // hash.sha256() returns lowercase hex, so the literal must be lowercase.
        // NOTE: this rule has the same identifier as the unfiltered
        // find_by_hash template; YARA rejects duplicate rule names, so
        // rename one if both are compiled into the same ruleset.
        filesize < 1MB
        and hash.sha256(0, filesize) == "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}
Memory/process scan examples:
Find Process by Name
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
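rule find_process_by_name
{
    meta:
        description = "Find process by name."
    condition:
        // process_name is an external variable provided by the scanning
        // engine for process scans, not a YARA built-in.
        // Image names on Windows are case-insensitive ("AudioDg.exe" is the
        // same binary), so compare with iequals (YARA >= 4.3.0) rather than ==.
        // A name match on its own is weak evidence: audiodg.exe is a
        // legitimate Windows process that malware likes to impersonate, so
        // pair this with a path, hash or memory-content check before acting.
        process_name iequals "audiodg.exe"
}
Find String in Memory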
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string_in_memory
{
    meta:
        description = "Find process executables containing string."
    strings:
        // ascii + wide cover the 8-bit and UTF-16LE encodings of the marker
        // (UTF-16LE is common in Windows process memory); nocase makes the
        // match case-insensitive.
        $marker = "keylogger started" wide ascii nocase
    condition:
        any of them
}
Find Process by Command line
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_process_by_cmdline
{
    meta:
        description = "Find string in process command lines."
    condition:
        // process_command_line is an external variable supplied by the
        // scanning engine for process scans, not a YARA built-in.
        // icontains (YARA >= 4.3.0) is the case-insensitive form of
        // contains, so "PowerShell.EXE" matches as well.
        // Tuning note: the pattern requires the ".exe" suffix, so
        // "powershell -enc ..." and pwsh.exe do not match as written.
        process_command_line icontains "powershell.exe"
}
Find Malware domain
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
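rule find_malware_domain
{
    meta:
        description = "Search malware domain in process memory."
    strings:
        // Match the bare host name instead of "http://malware-domain.com":
        // the scheme-bound form misses https://, other schemes and the
        // domain on its own (DNS queries, config blobs). nocase handles
        // mixed-case URLs; wide covers UTF-16LE buffers common in Windows
        // processes. As a plain substring it also hits
        // "notmalware-domain.com" - use a regex with boundaries if that matters.
        $a = "malware-domain.com" wide ascii nocase
    condition:
        $a
}
Find Byte pattern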
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_byte_pattern
{
    meta:
        description = "Search byte pattern process memory."
    strings:
        // Hex strings may use ?? wildcards and [n-m] jumps for variable
        // bytes, e.g. { AA BB ?? DD [2-4] FF }; this one is an exact sequence.
        $pattern = { AA BB CC DD EE FF }
    condition:
        // #pattern is the number of occurrences; at least one means a hit.
        #pattern > 0
}
Filesystem and memory scan:
Find String
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string
{
    meta:
        description = "Find containing string."
    strings:
        // Same marker for file and process scans: ascii + wide cover both
        // encodings, nocase ignores case.
        $marker = "keylogger started" wide ascii nocase
    condition:
        // #marker counts occurrences; one or more is a match.
        #marker > 0
}
Find Malware domain
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
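rule find_malware_domain
{
    meta:
        description = "Search malware domain."
    strings:
        // Match the bare host name instead of "http://malware-domain.com":
        // the scheme-bound form misses https://, other schemes and the
        // domain on its own (DNS queries, config files, memory blobs).
        // nocase handles mixed-case URLs; wide covers UTF-16LE data.
        // As a plain substring it also hits "notmalware-domain.com" - use a
        // regex with boundaries if that matters.
        $a = "malware-domain.com" wide ascii nocase
    condition:
        $a
}
Find Byte pattern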
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_byte_pattern
{
    meta:
        description = "Search byte pattern process memory."
    strings:
        // Exact byte sequence; hex strings also accept ?? wildcards and
        // [n-m] jumps when parts of the pattern vary.
        $bytes = { AA BB CC DD EE FF }
    condition:
        any of ($bytes*)
}
Find XOR pattern
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
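rule find_xor_string
{
    meta:
        description = "Search xor string pattern."
    strings:
        // Restrict the key range to 0x01-0xff: a bare "xor" also tries key
        // 0x00, i.e. the unencoded text, and "This program cannot" sits in
        // the DOS stub of nearly every PE, so the unrestricted form fires
        // on almost every executable instead of on XOR-encoded copies.
        // Narrow the range further when the key is known.
        $xor_string = "This program cannot" xor(0x01-0xff)
    condition:
        $xor_string
}
Find Base64 pattern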
// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_base64_string
{
    meta:
        description = "Search Base64 encoded string pattern."
    strings:
        // base64 makes YARA search for all three alignment-shifted Base64
        // encodings of the text; base64wide does the same for the UTF-16LE
        // form. Base64 is case-sensitive and the modifier cannot be combined
        // with nocase, so "mimikatz" / "MIMIKATZ" need their own strings.
        $mimi = "Mimikatz" ascii wide base64 base64wide
    condition:
        any of them
}