This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/yara
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Task 1: Introduction
Questions
Let’s get started
Answer: No answer needed
Task 2: What is Yara?
Note: I upgraded the introductory text from THM, as I did not feel like it did a great job of actually explaining what Yara is.
Understanding Yara
Yara is a versatile tool designed for identifying and classifying files based on patterns, whether binary or textual. Originally developed for malware researchers, it has since become a go-to resource for security analysts and anyone dealing with threat detection. Known as “the pattern matching Swiss knife for malware researchers (and everyone else)” (Virustotal, 2020), Yara’s ability to detect malicious behavior by matching specific features or patterns makes it a cornerstone in modern cybersecurity operations.
Why Yara is Important for SOC Analysts
For a Security Operations Center (SOC) analyst, identifying threats quickly and accurately is critical. Yara is particularly valuable in incident response, malware analysis, and threat hunting because it enables analysts to automate the detection of known malicious files or suspicious behaviors. By writing custom Yara rules, you can search through files, memory, or network traffic for patterns associated with malware, saving time and improving detection rates.
Yara’s relevance for rookies lies in its simplicity and power. It provides a practical entry point into malware detection without requiring deep programming or reverse engineering skills. Learning to use Yara effectively helps SOC analysts develop a deeper understanding of how malicious files are structured and behave, which is essential for responding to modern threats.
How Yara Works
Yara uses rules, which are sets of conditions defined by the user to match specific patterns in files. These rules can target strings (e.g., text stored in a file) or binary data (e.g., specific sequences of bytes). Yara rules are highly flexible and can be customized to detect unique characteristics of malware.
For example:
- A ransomware rule might search for Bitcoin wallet addresses used for ransom payments.
- A botnet rule could match IP addresses of known Command and Control (C&C) servers.
Why Strings Matter
Strings—sequences of text or characters—are a fundamental part of software and malware alike. Just as a simple Python program might include the string “Hello World” to print a message, malware uses strings to store critical data such as file paths, encryption keys, IP addresses, or commands. By identifying these strings, Yara can flag files or processes that exhibit suspicious patterns.
Yara in Action for SOC Analysts
Imagine you’re investigating a potential malware outbreak. Using Yara, you can scan files across an infected system or network for known malicious patterns. For example, a custom rule might detect the presence of ransomware by matching specific encryption routines or strings associated with ransom notes.
By automating this process, Yara allows SOC analysts to:
- Quickly identify infected files.
- Attribute the malware to a known family or actor.
- Develop further rules for proactive threat hunting.
Questions
What is the name of the base-16 numbering system that Yara can detect?
Base 16 uses powers of 16. The possible digits are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. We also call this hexadecimal, since there are 16 possibilities (the name combines Greek hexa, six, and Latin decem, ten). Yara hex strings are written in this notation, for example { 48 65 6C 6C 6F } for the bytes of "Hello".
Hexadecimal is used for lots of things, for example color codes in HTML!
Answer: hexadecimal
Would the text “Enter your Name” be a string in an application? (Yay/Nay)
Yes! “Enter your name” is a sequence of characters, and is therefore considered a string.
Answer: Yay
Task 3: Deploy
Nothing to cover here. Start up the machine attached to this task, or connect through SSH (remember to connect to THM's VPN first).
Questions
I’ve connected to my instance!
Answer: No answer needed.
Task 4: Introduction to Yara Rules
Yara's own rule language is simple to start with but requires an understanding of the patterns you want to detect. Here, we will walk through the process of creating your first Yara rule.
Basic Structure of Yara Rules
A Yara rule consists of two mandatory components:
- Rule Name: The name you assign to the rule.
- Condition: The boolean expression that decides whether the rule matches a given file.
In simple terms, the rule you write will check if specific patterns (like strings or binary data) exist in the target file, directory, or process.
For example, let's create a basic Yara rule whose condition is always true, so it matches every file Yara can open.
Steps to Create Your First Yara Rule:
- Create a Sample File:
First, create a file called somefile. This will be the file we test the Yara rule on:
touch somefile
- Create the Yara Rule File:
Now, create a new Yara rule file named myfirstrule.yar:
touch myfirstrule.yar
- Write the Rule:
Open myfirstrule.yar with a text editor (e.g., nano):
nano myfirstrule.yar
Inside the file, write the following rule:
rule examplerule {
    condition: true
}
- Rule Explanation:
- rule examplerule sets the rule's name as examplerule.
- condition: true always evaluates to true, so the rule matches every file Yara can open; it does not inspect the file's contents at all.
Running the Rule:
- Now, use the following command to run the Yara rule against the somefile we created earlier:
yara myfirstrule.yar somefile
If somefile exists (and can be opened), Yara prints the name of every matching rule followed by the file name, so the output is:
examplerule somefile
What Happens if the File Doesn't Exist?
If the file doesn't exist, Yara gives an error message such as:
error scanning sometextfile: could not open file
Key Takeaways:
- The Rule: Your first Yara rule (examplerule) uses condition: true, so it matches any file Yara can open.
- Output: If the file exists, Yara outputs the rule name followed by the file name (e.g., examplerule somefile). If it doesn't, Yara returns an error indicating the file could not be opened.
- The Condition: condition: true always evaluates as true; more useful rules define strings and search for specific patterns inside files.
What’s Next?
- Refining Rules: Now that you’ve written your first rule, you can begin experimenting with more complex patterns like searching for specific strings or binary data within files.
- Real-World Use: In a real-world context, SOC analysts often use Yara rules to detect malicious patterns in files, processes, or network traffic, making Yara an essential tool for identifying malware in various environments.
Questions
One rule to – well – rule them all.
Answer: No answer needed.
Task 5: Expanding on Yara Rules
Checking if a file exists with a basic Yara rule is a good starting point, but the real power of Yara lies in its ability to search for patterns and apply complex conditions. Let’s delve deeper into Yara’s functionality, including meta fields, string definitions, and advanced conditions.
Meta
The meta section provides descriptive information about the rule. It is used for documentation purposes and does not affect the rule's matching logic, although scanners such as Loki print fields like description in their output. This is similar to comments in programming and is particularly useful for organizing and understanding your rules. A rule still needs a condition to be valid, so the meta block sits alongside it:
Example:
rule helloworld_checker {
    meta:
        author = "Your Name"
        description = "Detects files containing variations of 'Hello World!'"
        date = "2025-01-07"
    strings:
        $hello_world = "Hello World!"
    condition:
        $hello_world
}
Strings
The strings section allows you to specify patterns the rule should search for. These patterns can be text strings or hexadecimal values.
Example:
rule helloworld_checker {
    strings:
        $hello_world = "Hello World!"
    condition:
        $hello_world
}
This rule matches any file containing the exact text “Hello World!”.
Handling Case Sensitivity
Yara matches text strings exactly as defined, case included. To account for case variations (e.g., "hello world" or "HELLO WORLD"), you can define multiple strings and combine them in the condition, as the room does; in practice you would more often append the nocase modifier to a single string ($hello_world = "Hello World!" nocase), which does the same job.
Example:
rule helloworld_checker {
    strings:
        $hello_world = "Hello World!"
        $hello_world_lower = "hello world"
        $hello_world_upper = "HELLO WORLD"
    condition:
        any of them
}
This rule matches files containing any of the defined variations.
Advanced Conditions
Yara supports logical operators, comparison operators, and complex conditions to refine your rules.
Counting Occurrences
Use #<string_name> to count occurrences of a string in a file.
Example:
rule helloworld_checker {
    strings:
        $hello_world = "Hello World!"
    condition:
        #hello_world <= 10
}
This rule matches if "Hello World!" appears 10 times or fewer in a file. Note that a count of zero also satisfies <= 10, so as written the rule matches files that do not contain the string at all; add $hello_world (or #hello_world > 0) to the condition if you want at least one occurrence.
Combining Conditions
You can combine multiple conditions with logical operators like and, or, and not.
Example:
rule helloworld_checker {
    strings:
        $hello_world = "Hello World!"
    condition:
        $hello_world and filesize < 10KB
}
This rule matches only if:
The file contains “Hello World!”, and
The file size is less than 10KB.
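As an added example (not part of the THM room), here is one rule that combines everything from this task: meta, a nocase string, a wide (UTF-16LE) string, a hex string with a byte jump, an occurrence count, and a filesize bound. The strings and the threshold are illustrative choices, not from the room:

```yara
// Added example for Task 5 (not part of the THM room): every construct from
// the section in one rule. The strings and thresholds are illustrative.
rule helloworld_checker
{
    meta:
        author      = "Your Name"
        description = "Small 'Hello World!' text with a bounded number of hits"
        date        = "2025-01-07"

    strings:
        // nocase: one definition covers "Hello World!", "HELLO WORLD!", "hello world!"
        $hello      = "Hello World!" nocase
        // wide: the same text encoded as UTF-16LE, as found in Windows binaries
        $hello_wide = "Hello World!" wide
        // hex string: "Hello", then 1 to 4 arbitrary bytes, then "World"
        $hello_hex  = { 48 65 6C 6C 6F [1-4] 57 6F 72 6C 64 }

    condition:
        // #hello is 0 when the string is absent, so "#hello <= 10" on its own
        // would match every file that does NOT contain it; "any of them"
        // requires at least one of the three strings to be present first.
        filesize < 10KB
        and any of them
        and #hello <= 10
}
```

Run it with yara -s helloworld_checker.yar somefile: the -s flag prints, under the rule name, each matched string with its offset and identifier, which is the quickest way to see which variant a file actually contained.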
Questions
Upwards and onwards…
Answer: No answer needed
Task 6: Yara Modules
Integrating Yara with Other Tools and Libraries
Yara's capabilities can be extended with modules, which a rule pulls in with an import statement at the top (for example import "pe"). Two of them, the Cuckoo module and the PE module, connect Yara to Cuckoo Sandbox output and to the structure of Windows executables, enabling deeper insight into file behaviors and layout. These are particularly useful in malware analysis, where understanding both runtime and static characteristics is critical.
Cuckoo Sandbox
Cuckoo Sandbox is an automated malware analysis framework that runs suspicious files in an isolated environment to observe their behaviors. Integrating Yara with Cuckoo enables you to:
- Generate Yara rules based on runtime characteristics like strings loaded into memory, API calls, and other system interactions.
- Target specific behaviors or patterns observed during execution.
- Build rules that reflect both static and dynamic analysis findings, enhancing detection accuracy.
Benefits:
- Capture real-time execution data for malware.
- Focus on unique runtime behaviors, such as network activity or dropped files.
- Create rules for malware families based on observed execution patterns.
PE Module
The PE module (the room calls it the Python PE Module; in Yara it is the built-in pe module) gives rules access to the structure of Portable Executable (PE) files, which are the standard format for executables and libraries on Windows. This integration supports:
- Parsing and analyzing PE file headers, sections, and imports/exports.
- Detecting anomalies like unusual section sizes, names, or characteristics.
- Creating Yara rules based on structural attributes rather than execution behavior.
Benefits:
- Efficient static analysis without requiring malware execution.
- Identify specific functions or libraries used by potentially malicious files.
- Detect packing, cryptography, or other indicators of malicious intent through PE structure anomalies.
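To show what the two modules look like in a rule, here is an added example that is not from the THM room. The section names, import names and regular expressions are illustrative assumptions; the first rule is static (pe module), the second consumes a Cuckoo behaviour report (cuckoo module):

```yara
import "pe"
import "cuckoo"

// Added example for Task 6 (not from the THM room). Section names, import
// names and the regular expressions below are illustrative assumptions.

// Static: structural traits of a Windows executable via the pe module.
rule pe_packed_or_injector_example
{
    meta:
        description = "PE carrying UPX section names or the classic remote-injection import trio"

    condition:
        uint16(0) == 0x5A4D                         // "MZ" at offset 0
        and (
            // packer-style section names
            for any i in (0 .. pe.number_of_sections - 1) :
                ( pe.sections[i].name == "UPX0" or pe.sections[i].name == "UPX1" )
            or
            // imports used together to write and run code in another process
            (
                pe.imports("kernel32.dll", "VirtualAllocEx")
                and pe.imports("kernel32.dll", "WriteProcessMemory")
                and pe.imports("kernel32.dll", "CreateRemoteThread")
            )
        )
}

// Dynamic: behaviour recorded in a Cuckoo Sandbox report via the cuckoo module.
// The report is supplied on the command line:
//   yara -x cuckoo=report.json rules.yar sample.exe
rule cuckoo_beacon_and_run_key_example
{
    meta:
        description = "HTTP request to a gate.php URL plus a Run-key access during execution"

    condition:
        cuckoo.network.http_request(/\/gate\.php/)
        and cuckoo.registry.key_access(/\\CurrentVersion\\Run/)
}
```

The pe module is compiled into Yara by default; the cuckoo module is not, so a Yara built without --enable-cuckoo will reject the second import. Without a report passed via -x cuckoo=..., the cuckoo functions simply never match.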
Questions
Sounds pretty cool!
Answer: No answer needed
Task 7: Other tools and Yara
This task simply mentions some other tools. The important thing to remember is that there are tools which make it easy to start using Yara rules without having to write your own!
Tools Overview
- LOKI
- Open-source IOC scanner focused on detecting Indicators of Compromise using various checks like file names, Yara rules, hashes, and C2 communication.
- Cross-platform support for Windows and Linux.
- Lightweight and straightforward, making it an ideal choice for quick IOC checks.
- THOR Lite
- A more advanced IOC and Yara scanner with multi-platform support for Windows, Linux, and macOS.
- Features scan throttling to minimize resource usage.
- Requires email subscription for download and is oriented towards corporate environments.
- FENRIR
- A bash script for systems capable of running bash (Linux, macOS, and Windows with bash support).
- A simple IOC checker designed for lightweight and dependency-free operation.
- YAYA (Yet Another Yara Automaton)
- Focused on managing Yara rule repositories and performing scans.
- Exclusively supports Linux.
- Helps researchers manage and customize Yara rules efficiently.
Questions
Cool tools. I’m ready to use one of them.
Answer: No answer needed
Task 8: Using LOKI and its Yara rule set
Getting Started with LOKI:
- Initial Setup:
- Navigate to the Loki folder on your system.
- Run the following command to see the available options:
python loki.py -h
- Update its signatures (this ensures it can scan for the latest threats):
python loki.py --update
- Inspecting Yara Rules:
- Check the "signature-base" directory under LOKI to see the preloaded rules in its yara folder.
- These rules specify what LOKI should look for during scans.
- Running a Scan:
- Use LOKI to scan specific files or folders for malicious content.
- Example command (run from inside the folder you want to scan):
python ../../tools/Loki/loki.py -p .
This scans all files in the current folder for threats.
Scenario: You are the security analyst for a mid-size law firm. A co-worker discovered suspicious files on a web server within your organization. These files were discovered while performing updates to the corporate website. The files have been copied to your machine for analysis. The files are located in the suspicious-files directory. Use Loki to answer the questions below.
Questions
Scan file 1. Does Loki detect this file as suspicious/malicious or benign?
Loki is located at ~/tools/Loki/loki.py. From the directory containing file 1, run:
python ../../tools/Loki/loki.py -p .
The final result is as follows:
[RESULT] Suspicious objects detected!
Answer: suspicious
What Yara rule did it match on?
Answer: webshell_metaslsoft
What does Loki classify this file as?
Look at the description field of the Warning section.
DESCRIPTION: Web Shell – file metaslsoft.php REF:
Answer: Web Shell
Based on the output, what string within the Yara rule did it match on?
Answer: Str1
What is the name and version of this hack tool?
Answer: b374k 2.2
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
The Loki rules live in the ~/tools/Loki/signature-base/yara directory; the webshell rules are in thor-webshells.yar.
I used the following command to find the Metaslsoft rule and print the 10 lines after the matched rule name:
cat thor-webshells.yar | grep metaslsoft -A 10
This gives the following result: the webshell_metaslsoft rule defines a single string in its strings section, consistent with Loki reporting only Str1 in its MATCHES output.
Answer: 1
Scan file 2. Does Loki detect this file as suspicious/malicious or benign?
python ../../tools/Loki/loki.py -p .
The result is clear: [RESULT] SYSTEM SEEMS TO BE CLEAN.
Answer: Benign
Inspect file 2. What is the name and version of this web shell?
head 1ndex.php
The answer is in the comment, but remove the “shell” in the middle.
Answer: b374k 3.2.3
Task 9: Creating Yara rules with yarGen
Why Create a YARA Rule?
If LOKI doesn’t detect a suspicious file, you can create a custom YARA rule to identify the file and similar threats across your systems. This is especially useful in incident response to prevent undetected malicious activity.
What is yarGen?
yarGen is a tool that helps generate YARA rules by analyzing suspicious files and filtering out strings commonly found in legitimate software (to reduce false positives).
Steps to Create a YARA Rule with yarGen:
- Prepare yarGen:
- Navigate to the yarGen directory.
- Run the following command to download its database of legitimate software strings and opcodes:
python3 yarGen.py --update
- Generate a YARA Rule:
- Use the command:
python3 yarGen.py -m /path/to/suspicious/dir --excludegood -o /path/to/output/file.yar
- -m: Path to the directory holding the suspicious file(s); yarGen scans a folder, which is why the room points it at the file2 directory rather than at 1ndex.php itself.
- --excludegood: Filters out strings from legitimate software.
- -o: Specifies where to save the generated YARA rule.
Questions
From within the root of the suspicious files directory, what command would you run to test Yara and your Yara rule against file 2?
After making sure you are in the ~/tools/yarGen directory, run the following command to create your own yar rule.
python3 yarGen.py -m /home/cmnatic/suspicious-files/file2 --excludegood -o /home/cmnatic/suspicious-files/file2.yar
After running this command we can test our freshly created Yara rule on file2 like this (we learned this in Task 4):
yara file2.yar file2/1ndex.php
Answer: yara file2.yar file2/1ndex.php
Did Yara rule flag file 2? (Yay/Nay)
If you look at the output of the command (in the bottom of my screenshot) you can see that it outputs “home cmnatic suspicious files file2 index“. This means that the file is considered suspicious, as yara outputs the rule name that gets “matched”.
Answer: Yay
Copy the Yara rule you created into the Loki signatures directory.
cp file2.yar ../tools/Loki/signature-base/yara
Answer: No answer needed
Test the Yara rule with Loki, does it flag file 2? (Yay/Nay)
cd file2
python ../../tools/Loki/loki.py -p .
As you can see, the file is considered suspicious.
Answer: Yay
What is the name of the variable for the string that it matched on?
The answer is in the MATCHES section on the previous screenshot:
MATCHES: Str1: var Zepto=function(){function G(a){return a==null?String(a):z[A.call(a)]||"object"}function H(a){return G(a)=="function"}fun Str2: $c ... (truncated)
Answer: Zepto
Inspect the Yara rule, how many strings were generated?
cat ~/tools/Loki/signature-base/yara/file2.yar
There are 20 strings generated in the rule.
Answer: 20
One of the conditions to match on the Yara rule specifies file size. The file has to be less than what amount?
condition: uint16(0) == 0x3f3c and filesize < 700KB and 1 of ($x*) and 4 of them
The relevant one is the first one. Here it is specified that the filesize should be less than 700KB.
Answer: 700KB
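The generated condition above is easier to read once you know what each part does. As an added example (hand-written, not yarGen output and not from the THM room), here is a rule in the same shape; the strings are illustrative choices of mine, not the ones yarGen extracted from file 2:

```yara
// Added example for Task 9 (not yarGen output): a hand-written rule in the
// shape yarGen produces, with illustrative strings chosen for this walkthrough.
rule php_webshell_shape_example
{
    meta:
        description = "yarGen-style rule: header check, size bound, weighted string sets"

    strings:
        // yarGen names its highest-scoring strings $x and the rest $s,
        // and the condition weights the two sets differently.
        $x1 = "eval(base64_decode(" ascii
        $x2 = "eval(gzinflate(base64_decode(" ascii
        $s1 = "$_POST[" ascii
        $s2 = "shell_exec(" ascii
        $s3 = "passthru(" ascii
        $s4 = "move_uploaded_file(" ascii

    condition:
        // uint16(0) reads two bytes little-endian; a file starting with the
        // bytes 3C 3F ("<?") therefore yields 0x3F3C: a PHP open-tag check.
        uint16(0) == 0x3f3c
        and filesize < 700KB
        and ( 1 of ($x*) or 3 of ($s*) )
}
```

The header and size checks are cheap and run first, so a scanner skips the string search for anything that is not a small PHP file; the split between $x* and $s* is what lets one strong indicator, or several weak ones, trigger the rule.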
Task 10: Valhalla
Valhalla is an online Yara rule feed hosted by Nextron Systems (Florian Roth), offering thousands of high-quality, hand-crafted Yara rules to enhance detection capabilities. The platform enables threat intelligence gathering and malware detection through extensive, organized rule sets.
Link: https://www.nextron-systems.com/valhalla/
Key Features:
- Search Capabilities:
You can search by keyword, tag, MITRE ATT&CK technique, SHA256 hash, or rule name.
- Rule Details:
Each rule includes:
- Name
- Description
- Submission date
- Reference link for more context
- Practical Use:
- Valhalla rules provide context and actionable intelligence for threat hunting.
- Security professionals can utilize this data even without deep coding knowledge.
Scenario Application:
- Using Yara and Valhalla:
If LOKI identifies suspicious files, Valhalla can provide additional context, helping analysts confirm malicious behavior and justify actions like removing files from the network.
- Research-Based Approval:
Valhalla supports the research needed for incident response and decision-making without requiring advanced scripting skills.
Questions
Enter the SHA256 hash of file 1 into Valhalla. Is this file attributed to an APT group? (Yay/Nay)
As you can see, one of the results mentions a Chinese APT group.
Answer: Yay
Do the same for file 2. What is the name of the first Yara rule to detect file 2?
If we consider the first rule to be the one with the oldest date, the answer is Webshell_b374k_rule1.
Answer: Webshell_b374k_rule1
Examine the information for file 2 from Virus Total (VT). The Yara Signature Match is from what scanner?
On the Community tab you can find the answer:
Answer: THOR APT Scanner
Enter the SHA256 hash of file 2 into Virus Total. Did every AV detect this as malicious? (Yay/Nay)
Answer: Nay
Besides .PHP, what other extension is recorded for this file?
Besides php, php5, txt and html, there is .exe, which is the expected answer.
Answer: exe
What JavaScript library is used by file 2?
$zepto_code = packer_read_file($GLOBALS['packer']['base_dir']."zepto.js");
$js_main_code = "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."main.js");
$js_code = "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."sortable.js").$js_main_code;
$js_code .= "\n\n".packer_read_file($GLOBALS['packer']['base_dir']."base.js");
Answer: zepto
Is this Yara rule in the default Yara file Loki uses to detect these type of hack tools? (Yay/Nay)
Answer: Nay
Task 11: Conclusion
I can’t put it better than the room creator does:
In this room, we explored Yara, how to use Yara, and manually created basic Yara rules. We also explored various open-source tools to hit the ground running that utilize Yara rules to detect evil on endpoints.
By going through the room scenario, you should understand the need (as a blue teamer) to know how to create Yara rules effectively if we rely on such tools. Commercial products, even though not perfect, will have a much richer Yara ruleset than an open-source product. Both commercial and open-source will allow you to add Yara rules to expand its capabilities further to detect threats.
If it is not clear, the reason why file 2 was not detected is that the Yara rule was not in the Yara file used by Loki to detect the hack tool (web shell), even though the hack tool has been around for years and has even been attributed to at least 1 nation-state. The Yara rule is present in the commercial variant of Loki, which is Thor.
There is more that can be done with Yara and Yara rules. We encourage you to explore this tool further at your own leisure.
Questions
No answer needed.
Answer: No answer needed
Congratulations on completing Yara!!!
Whew! We’re done. It definitely took a while to finish this walkthrough.
Great job on finishing this room on Yara. I think it is one of the harder rooms that I have tried on TryHackMe, but I learned a bunch. I really liked the practical assignments!
Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: