Threat Hunting Using Yara

Threat hunting is a proactive search for hidden or ongoing cyber threats inside a network to find and stop them before they cause major damage.

• Actively seek indicators of compromise (logs, network traffic, config anomalies).
• Use tools like SIEM, threat intel feeds, and malware analysis to investigate findings.
• Focus on early detection in the attack lifecycle and fast mitigation.
• Complements automated defenses (AV, firewalls) by catching what they miss

What is YARA?

YARA is a lightweight pattern-matching engine used to identify and classify files and in-memory objects based on user-defined rules that combine text, hex, regex, and metadata checks.

Why use YARA

• Rule-based detection (strings, regex, hex, modules).
• Can scan files, archives, memory dumps, or output from other tools.
• Fast, scriptable, and easy to integrate into automation, sandboxes, and threat-intel pipelines.

For example, A YARA rule encodes the traits of malware (file signatures, code strings, regexes, hashes). When YARA runs, it compares those rule patterns against a target (file, directory, or memory); if the target meets the rule’s condition, YARA reports the rule name and the exact matched strings/offsets. Rules let analysts reliably flag families of malware even when samples are tweaked.

rule example_rule {
 strings:
 $a = "malware string 1"
 $b = "malware string 2"
 condition:
 any of them
}

How YARA works

1. Write rules that describe what to look for: A rule has three parts: meta (optional human info), strings (text/hex/regex patterns), and condition (the logic that decides a match). This rule matches if either $a or $b appears in the scanned target.

2. When you run YARA (CLI or library), the engine compiles rules into an optimized matcher. Pre-compiling or loading compiled rulesets speeds repeated scans in production.

3. YARA scans targets

• Files or directories, e.g. yara rules.yar sample.bin or yara -r rules.yar /path.
• Memory dumps or forensic images to find embedded artifacts.
• Live memory or endpoints via integrations (EDR, forensic tools, or custom scripts).
  The engine streams the data and applies the compiled ruleset.

4. On a match YARA reports the rule name, any meta fields, which strings matched, and offsets (byte positions). Example CLI-style output might look like:

example_rule sample.bin
 $a at 0x02fa: "malware string 1"

Programmatic APIs (for example yara-python) return structured match objects with the same details.

Install & Run the Yara

Install YARA on your OS, then use a few simple commands to scan folders and files.

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install -y yara
yara --version

Basic CLI usage

yara -r rules.yar /path/to/scan

Windows

In windows download prebuilt binaries (yara64.exe, yarac64.exe) and put them in a folder on %PATH% (e.g., C:\Tools\YARA).

How To Run Yara on Windows?

To run Yara on a Windows system, you will need to have the Yara software installed. You can download and install Yara from the Yara website (https://github.com/VirusTotal/Yara/releases). Once Yara is installed, you can use the following syntax to run it from the command prompt:

Yara32 [options] <rule_file> <target_file>

The <rule_file> parameter specifies the path to the Yara rule file that you want to use, and the <target_file> parameter specifies the path to the file that you want to scan.

Here are a few examples of how you might use this syntax:

To scan a single file for malware using a Yara rule file called "malware rules.Yara":

Yara32 malware_rules.Yara C:\myfile.exe

To scan a directory and all of its subdirectories for malware using a Yara rule file called "malware rules.Yara":

Yara32 -r malware_rules.Yara C:\mydirectory

Scan the file and print the names of all the rules that match:

Yara32 -g malware_rules.Yara C:\myfile.exe

There are many other options and parameters that you can use with Yara, including options for specifying multiple rule files, modifying the output format, and using multiple threads for scanning. You can refer to the Yara documentation or use the 'Yara32 --h' command for a complete list of options and syntax.

Rules:

In the above screenshot I create a rule called "creds.ru" after that I added I description of the malware using the "meta" tag, then after declaring three strings named $a, $b, and  $c. These strings are important strings associated with the malware that we are trying to detect. And at the end, we applied a condition. The above condition statement specifies that the rule will match if either of these strings is found in the software being analyzed.

Now we have two files.

1. The first one is the Yara rule which we just created.
2. And the second one is a sample malware file. you can take any malware as your wish or for the practice you can just write the strings and paste it into a text file. The output will be the same

Output :

Types of Yara Rule

There are several types of Yara rules that you can use to identify and classify malware and other malicious software. Here are a few examples:

• String-based rules: These rules use strings of text, either as literal values or as regular expressions, to identify malware. For example, you might use a string-based rule to detect malware that contains a specific string of characters in its code.
• File metadata-based rules: These rules use metadata about the files being analyzed to identify malware. For example, you might use a file metadata-based rule to detect a particular file type or to identify files that have been created or modified within a specific time period.
• Hash-based rules: These rules use cryptographic hashes to identify malware. A cryptographic hash is a unique representation of the contents of a file, and if any part of the file changes, the hash will also change. Hash-based rules can be used to detect malware that has been modified or disguised in an attempt to evade detection.
• Network-based rules: These rules use network traffic data, such as IP addresses or ports, to identify malware. For example, you might use a network-based rule to detect malware that is communicating with a specific IP address or port.

There are many other types of Yara rules that you can use, and you can also combine different types of rules to create more specific and sophisticated detection methods. It is important to carefully consider which characteristics are most relevant for detecting the specific type of malware that you are targeting.

String-based Yara

To write a string-based Yara rule, you need to specify the strings of text that are associated with the malware that you are trying to detect. Here is an example of a simple string-based Yara rule:

rule example_string_rule 
{
 strings:
 $a = "malware string 1"
 $b = "malware string 2"
 condition:
 any of them
}

This Yara rule contains two strings, $a and $b, that are associated with the malware that you are trying to detect. The condition statement specifies that the rule will match if either of these strings is found in the software being analyzed. You can also use regular expressions in your string-based Yara rules. For example, the following rule uses a regular expression to detect a string of text that contains a specific pattern:

rule example_regex_rule 
{
 strings:
 $a = /[A-Za-z0-9]{8}/
 condition:
 $a
}

This rule will match any string that contains an 8-character alphanumeric sequence. It is essential to carefully consider which strings are most relevant for detecting the specific type of malware that you are targeting. You can use multiple strings in a single Yara rule, and you can also use logical operators to create more complex and specific rules.

File metadata-based Yara

To write a file metadata-based Yara rule, you need to specify the metadata characteristics of the files that are associated with the malware that you are trying to detect. Here is an example of a simple file metadata-based Yara rule:

rule example_metadata_rule 
{
 condition:
 file.extension == "exe" and
 file.size > 100KB
}

This Yara rule will match any file that has a “.exe” extension and is larger than 100 KB in size. There are many types of file metadata that you can use in your Yara rules, including the file extension, size, creation, and modification dates, and attributes such as “hidden” or “system.” You can also use logical operators and other syntax elements to create more complex and specific rules. For example, the following rule uses a regular expression to match the file name and a logical operator to specify that the file must have been created within the past 7 days:

rule example_complex_metadata_rule 
{
 condition:
 file.name matches /^malware.*\.exe$/ and
 file.creation_time > (now - 7d)
}

It is important to carefully consider which file metadata characteristics are most relevant for detecting the specific type of malware that you are targeting. You can use multiple metadata characteristics in a single Yara rule to create more specific and sophisticated detection methods.

Hash-based Yara

To write a hash-based Yara rule, you need to specify the cryptographic hashes of the files that are associated with the malware that you are trying to detect. Here is an example of a simple hash-based Yara rule:

rule example_hash_rule 
{
 strings:
 $a = {0A0B0C0D0E0F0A0B0C0D0E0F0A0B0C0D}
 condition:
 $a
}

This Yara rule contains a single string, $a, which is the cryptographic hash of a specific file. The 'condition' statement specifies that the rule will match if the hash of the file being analyzed matches the hash specified in the rule. You can use multiple hashes in a single Yara rule, and you can also use logical operators to create more complex and specific rules. For example, the following rule uses a logical operator to specify that the file must have a hash that matches either of two different values:

rule example_complex_hash_rule 
{
 strings:
 $a = {0A0B0C0D0E0F0A0B0C0D0E0F0A0B0C0D}
 $b = {1A1B1C1D1E1F1A1B1C1D1E1F1A1B1C1D}
 condition:
 $a or $b
}

Hash-based Yara rules can be used to detect malware that has been modified or disguised in an attempt to evade detection. It is important to carefully consider which hashes are most relevant for detecting the specific type of malware that you are targeting.

Network-based Yara

To write a network-based Yara rule, you need to specify the network traffic characteristics of the malware that you are trying to detect. Here is an example of a simple network-based Yara rule:

rule example_network_rule 
{
 condition:
 network.ip == "192.168.1.1" and
 network.port == 80
}

This Yara rule will match any network traffic that originates from the IP address “192.168.1.1” and is sent to port 80. You can use a variety of network traffic characteristics in your Yara rules, including IP addresses, port numbers, protocols, and packet payloads. You can also use logical operators and other syntax elements to create more complex and specific rules. For example, the following rule uses a regular expression to match the packet payload and a logical operator to specify that the traffic must be sent over either the HTTP or HTTPS protocols:

rule example_complex_network_rule 
{
 condition:
 network.protocol in 
 { "HTTP", "HTTPS" } and
 (network.payload matches 
 /login/ or network.payload 
 matches /password/)
}

It is essential to carefully consider which network traffic characteristics are most relevant for detecting the specific type of malware that you are targeting. You can use multiple characteristics in a single Yara rule to create more specific and sophisticated detection methods.