Authors: Tom Lancaster (Volexity)

DFRWS USA 2022

Abstract

Because sometimes grep is not enough. YARA is one of the most popular tools used by investigators and threat researchers alike to identify malware and more. Today, when threat researchers publish information on new findings about a given attacker and their tools, one of the key things published alongside their research is often a set of YARA rules to identify the malicious files discussed. YARA is the industry standard for sharing detections based on the contents of a file. Understanding the syntax of these rules, their likely accuracy and how they were written is key to using them and getting the most out of the tool.

In this workshop attendees will go from writing their very first YARA rule to working with some of the more complex features of the language. Building upon each layer, there is an array of exercises for attendees to complete, increasing in complexity as the workshop continues.
Finally, attendees will be encouraged to think about ways that YARA can be extended, either through custom modules of their own or through the Python extension for YARA.
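As an added illustration of the rule syntax the workshop builds up to (not part of the workshop materials), the rule below shows the three sections a YARA rule can carry and a condition that combines header checks, the `pe` module and string matching. All strings and the imported API name are constructed placeholders, not indicators from any real sample.

```yara
// Added example, not from the workshop. Assumes a yara build with the
// pe module (the official releases include it).
import "pe"

rule Workshop_Example_SuspiciousPE
{
    meta:
        author      = "added example, not the workshop author"
        description = "Text, hex and regex strings combined in a scored condition"

    strings:
        // text string; 'ascii wide' matches 8-bit and UTF-16LE, 'nocase' ignores case
        $txt1 = "placeholder_mutex_name" ascii wide nocase
        // hex string: ?? is a wildcard byte, [2-4] skips two to four bytes
        // (constructed push-imm32 / call-rel32 / test eax,eax shape)
        $hex1 = { 68 ?? ?? ?? ?? E8 [2-4] 85 C0 }
        // regular expression for a constructed user-agent pattern
        $re1  = /Mozilla\/[45]\.0 \(compatible; ExampleBot [0-9]+\)/

    condition:
        // cheap checks first: MZ header at offset 0 and a size bound
        uint16(0) == 0x5A4D and filesize < 2MB and
        // the pe module parses the import table; placeholder API name
        pe.imports("kernel32.dll", "CreateMutexA") and
        // require at least two of the three string families to match
        2 of ($txt1, $hex1, $re1)
}
```

Run it against a directory with `yara -r rulefile.yar <dir>`; replacing `2 of` with `all of` or `any of` is the usual knob for trading false positives against coverage.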

Bio

Tom Lancaster is the Threat Intelligence Lead @ Volexity with 10 years of experience in malware detection, threat intelligence and assisting in incident response investigations.

Materials and Setup

Download the materials for the workshop now!

This workshop requires approximately 30 minutes of setup if participants already have access to a suitable environment to run the utilities described below. It may take longer if they need to set up a Virtual Environment for the first time.

While we will not be executing any malware in this workshop, we will be working with malicious files at times. Therefore, for candidates to be successful in this workshop it is recommended they have access to a Virtual Machine running Windows 7 or greater. Participants should add the following applications to the machine such that they are in the %PATH% variable and are easily accessible via their chosen console:

  • yara (download releases from: https://github.com/VirusTotal/yara/releases)
  • strings (download releases from: https://docs.microsoft.com/en-us/sysinternals/downloads/strings)

If using a Windows environment, candidates should also download a copy of the GUI application PEStudio; however, this is not essential:

  • Download PE Studio from: https://www.winitor.com/

Additionally participants may wish to consider:

  • Having access to common Unix CLI tooling in their environment (either via Cygwin or equivalent); specifically useful commands include:
    • wc
    • grep

Users may also find it helpful to set up a text editor with syntax highlighting and snippets for YARA. The author of the course uses Visual Studio Code and the YARA extension to develop YARA rules.

Similar setups are available for Sublime and Atom.

Downloads