YARA


Last updated 2 years ago

  • Description: YARA identifies specific files by checking the characteristics of a large number of files against a rule and reporting any that match the profile the rule describes

  • Installation

    • On Linux: download tar file from

    • Install dependencies: sudo apt-get install automake libtool make gcc pkg-config

    • Install YARA: tar -zxf yara-4.0.2.tar.gz -> cd yara-4.0.2/ -> ./bootstrap.sh

    • Compile YARA: ./configure -> make -> sudo make install

    • Confirm Installation: sudo make install

  • Usage

    • Write YARA Rules:

    • Run rule file against a target: yara [OPTIONS] RULES_FILE TARGET

    • YARA Flags

      • -m: Prints the associated meta information to the terminal after a YARA scan.

      • -s: Prints the matching strings to the terminal after a YARA scan.

      • -r: Recursively scan all subfolders within the target location to ensure everything is scanned.

    • YarGen to automatically generate rules for files:

      • Installation

        • YarGen: tar -zxf yarGen-0.18.0.tar.gz

        • sudo apt-get install python-pip

        • sudo pip install pefile cd

        • sudo pip install scandir lxml naiveBayesClassifier

        • python yarGen.py --update

        • python yarGen.py --help

      • Usage

        • python yarGen.py -m /root/Desktop/Malware -o ./TestRule.yara

        • python yarGen.py: Runs the yarGen python script

        • -m /root/Desktop/Malware: Create rules for files inside the Malware folder

        • -o ./TestRule.yara: Output the generated rule to the current folder

        • cat TestRule.yara: read rules
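As an added example for the rule-writing step above (not taken from the page or from the YARA project), a constructed rule file showing the three sections that the -m and -s flags report on: meta, strings and condition. The rule names, meta values and byte pattern are illustrative assumptions, not indicators from any real sample.

```yara
// Constructed example rules; not from the page or the YARA project.
// Flags a Windows PE that carries a downloader-style combination of strings.
rule Suspicious_PE_Downloader
{
    meta:
        author      = "Blue Team Toolkit example"   // fields printed by `yara -m`
        description = "PE executable with downloader-style indicators"
        severity    = "medium"

    strings:
        // plain ASCII text string; matched offsets are printed by `yara -s`
        $url  = "http://" ascii
        // match both narrow (ASCII) and UTF-16LE (wide) encodings of the API names
        $api1 = "URLDownloadToFile" ascii wide
        $api2 = "WinExec" ascii wide
        // illustrative hex pattern: ?? is a wildcard that matches any single byte
        $stub = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }

    condition:
        // uint16 at offset 0 must be the "MZ" header, limiting the rule to PE files
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        $url and 1 of ($api*) and $stub
}

// A second rule using string counts (#) and offsets (@) instead of plain presence.
rule Many_Embedded_URLs
{
    meta:
        author      = "Blue Team Toolkit example"
        description = "More than three URL prefixes, the first within the first 4 KB"

    strings:
        $url = "http://" ascii wide

    condition:
        #url > 3 and @url[1] < 4096
}
```

Saved as suspicious.yar, running `yara -m -s -r suspicious.yar <target folder>` prints each matching rule with its meta fields and the offset and content of every matched string.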

  • Resources:

https://github.com/virustotal/yara/releases/tag/v4.0.2
https://yara.readthedocs.io/en/stable/writingrules.html
https://github.com/Neo23x0/yarGen/releases
https://yara.readthedocs.io/en/stable/gettingstarted.html
https://yara.readthedocs.io/en/stable/commandline.html
https://github.com/Yara-Rules/rules