Jan 1
[Day 21] Blue Teaming Needles In Computer Stacks | Advent of Cyber 3 (2021)
Today is about detecting malicious file with yara. Yara is a tool to match patterns in a file with the registered rules.
let’s make a yara rule..
# We changed the text in the string $a as shown in the eicaryara rule we wrote, from X5O to X50, that is, we replaced the letter O with the number 0. The condition for the Yara rule is $a and $b and $c and $d. If we are to only make a change to the first boolean operator in this condition, what boolean operator shall we replace the ‘and’ with, in order for the rule to still hit the file?
or
The or operator is our solution when we want to meet two conditions become false if all conditions are false, and become true if all conditions are true or if one of the condition is true.
# What option is used in the Yara command in order to list down the metadata of the rules that are a hit to a file?
-m
Just check into man yara.
# What section contains information about the author of the Yara rule?
metadata
Yara rule have three section, metadata, strings, and condition.
# What option is used to print only rules that did not hit?
-n
man yara is your best friend.
# Change the Yara rule value for the $a string to X50. Rerun the command, but this time with the -c option. What is the result?
0
Conclusion
Learn about Yara is one way to learn about Antivirus or tools to detect malicious file. Any Intrusion Detection System (IDS) has their rules and patterns for detecting malicious file.
Thanks
