For forensic cases that rest on unreliable evidence, we decided to develop a carving tool that recovers files from a raw disk using IoC detection.
YaraRET is based on Radare2 and Yara, and it ships 58 magic-number rules for detecting 58 file types. The tool works in two stages: the first stage detects files by their magic numbers, and the second stage keeps or discards each detected file based on Yara matches, IoCs or its entropy value.
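To make the two-stage idea concrete, here is an added example in Python; it is not YaraRET's code and it does not use Radare2. Three constructed magic-number signatures stand in for the tool's 58 rules, a constructed byte string stands in for the raw disk image, and plain substring matching against a constructed IoC list stands in for the Yara scan of the second stage. Candidates run from one magic-number hit to the next, which is the simplest carving boundary when no file table is available.

```python
import math
import re

# First-stage signatures. Three constructed entries stand in for the 58
# magic-number rules the real YaraRET ships.
SIGNATURES = {
    "pe": b"MZ",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def carve_by_magic(image: bytes) -> list[dict]:
    """Stage one: every magic-number hit starts a candidate, which runs until
    the next hit (or the end of the image) because a raw image has no file table."""
    hits = []
    for kind, magic in SIGNATURES.items():
        for m in re.finditer(re.escape(magic), image):
            hits.append((m.start(), kind))
    hits.sort()
    carved = []
    for i, (start, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        carved.append({"type": kind, "offset": start, "data": image[start:end]})
    return carved


def triage(candidates: list[dict], iocs: list[bytes],
           entropy_threshold: float = 7.0) -> list[dict]:
    """Stage two: keep a candidate when it contains a known IoC string or its
    entropy is high enough to suggest packing or encryption; discard the rest.
    Substring matching is a stand-in for the Yara scan YaraRET performs here."""
    kept = []
    for c in candidates:
        matched = [ioc.decode() for ioc in iocs if ioc in c["data"]]
        ent = shannon_entropy(c["data"])
        if matched or ent >= entropy_threshold:
            kept.append({"type": c["type"], "offset": c["offset"],
                         "entropy": round(ent, 2), "iocs": matched})
    return kept


# Constructed raw "disk image": slack bytes, a PE header carrying an IoC string,
# a benign PDF fragment, and a ZIP header followed by a high-entropy payload.
IMAGE = (
    b"\x00" * 32
    + b"MZ\x90\x00" + b"\x00" * 28 + b"ret.log\x00" + b"\x00" * 28
    + b"%PDF-1.4\n%benign document\n" + b" " * 32
    + b"PK\x03\x04" + bytes(range(256))
)

# Constructed IoC list; the strings come from the LIGHTDART_APT1 rule quoted on this page.
IOCS = [b"ret.log", b"szURL Fail"]


def run() -> list[dict]:
    """Carve IMAGE and return only the candidates the second stage keeps."""
    return triage(carve_by_magic(IMAGE), IOCS)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

On this input the PE candidate survives because it carries an IoC string, the ZIP candidate survives because its payload has near-maximal entropy, and the benign PDF fragment is discarded. Real carving would also use per-format size fields (the PE optional header, the PDF `%%EOF` trailer, the ZIP central directory) to bound each candidate more precisely than "until the next header".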
It has been a long time without any updates here, so let's publish some news. The Yara-Rules project is proud to announce another interesting tool for the community: Yara-Endpoint. It has been designed to help incident handlers in their daily work.
As you may guess, Yara-Endpoint is a tool that runs Yara remotely on endpoints. That is a basic summary of the whole project, so let's explain it a little.
From the YaraRules Project we would like to introduce a new Yara module that makes information retrieved from radare2 (r2) available to Yara rules.
To use this module it is important to know the basic concepts of r2 and Yara.
You can find all the documentation about installing the module, along with use cases, at the following link: https://r2yara.readthedocs.io/en/latest/. The code is available in our GitHub repository: https://github.com/Yara-Rules/r2yara
As all Yara users know, Yara rules are based on "strings", which are basically pattern-based descriptions of malware families. We can find simple rules like the following, for example:
rule LIGHTDART_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "ret.log" wide ascii
        $s2 = "Microsoft Internet Explorer 6.0" wide ascii
        $s3 = "szURL Fail" wide ascii
        $s4 = "szURL Successfully" wide ascii
        $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
    condition:
        all of them
}

On the other hand, there are also more complex rules that use wildcards, regular expressions, special operators or other Yara features, all of which are described in the Yara documentation.
NOTE: The YaGo project is archived and no longer maintained.
The Yara-Rules project is proud to announce YaGo. YaGo is a tool that converts Yara rules into JSON files; that's it, simple.
Yara has a great community that uses it with a lot of rules, but sometimes it is hard to manage all of them: it is difficult to get a bird's-eye view of your rule set, so we thought converting the rules to JSON format would help.
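To show what such a conversion involves, here is an added example in Python; it is not YaGo's own code, and it is a deliberately small parser rather than a full Yara grammar. It handles rules laid out one statement per line with optional `private`/`global` modifiers and tags, the `meta`, `strings` and `condition` sections, and text, hex and regex strings with their modifiers. The input is the LIGHTDART_APT1 rule quoted on this page, re-typed with line breaks.

```python
import json
import re

# Constructed input: the LIGHTDART_APT1 rule quoted earlier, one statement per line.
RULE_TEXT = '''
rule LIGHTDART_APT1
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
    strings:
        $s1 = "ret.log" wide ascii
        $s2 = "Microsoft Internet Explorer 6.0" wide ascii
        $s3 = "szURL Fail" wide ascii
        $s4 = "szURL Successfully" wide ascii
        $s5 = "%s&sdate=%04ld-%02ld-%02ld" wide ascii
    condition:
        all of them
}
'''

# Rule header: optional private/global, the rule name, optional ": tag1 tag2", then "{".
HEADER_RE = re.compile(
    r"^\s*(?P<private>private\s+)?(?P<global>global\s+)?rule\s+(?P<name>\w+)"
    r"\s*(?::\s*(?P<tags>[\w ]+?))?\s*\{", re.M)
# Section labels sit alone on their line.
SECTION_RE = re.compile(r"^\s*(meta|strings|condition)\s*:\s*$", re.M)
# meta entries: key = "string" | integer | true | false
META_RE = re.compile(r'^\s*(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*$', re.M)
# string entries: $id = "text" | { hex } | /regex/  followed by optional modifiers
STRING_RE = re.compile(
    r'^\s*(\$\w*)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\}|/(?:[^/\\]|\\.)*/)\s*([\w ]*?)\s*$',
    re.M)


def _literal(tok: str):
    """Turn a meta value token into a JSON-friendly Python value (escapes kept raw)."""
    if tok[0] == '"':
        return tok[1:-1]
    if tok in ("true", "false"):
        return tok == "true"
    return int(tok)


def parse_rule(text: str) -> dict:
    """Parse one Yara rule into a plain dict; raises ValueError if no header is found."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("no rule header found")
    # The rule body runs from the opening brace to the last closing brace in the text.
    body = text[header.end():text.rfind("}")]
    marks = list(SECTION_RE.finditer(body))
    sections = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(body)
        sections[m.group(1)] = body[m.end():end]
    strings = []
    for ident, value, mods in STRING_RE.findall(sections.get("strings", "")):
        kind = "text" if value[0] == '"' else "hex" if value[0] == "{" else "regex"
        strings.append({"id": ident, "type": kind,
                        "value": value[1:-1].strip(), "modifiers": mods.split()})
    return {
        "name": header.group("name"),
        "private": bool(header.group("private")),
        "global": bool(header.group("global")),
        "tags": (header.group("tags") or "").split(),
        "meta": {k: _literal(v) for k, v in META_RE.findall(sections.get("meta", ""))},
        "strings": strings,
        "condition": " ".join(sections.get("condition", "").split()),
    }


def rule_to_json(text: str) -> str:
    """Serialize a parsed rule as indented JSON, which is what YaGo-style tooling emits."""
    return json.dumps(parse_rule(text), indent=2)


if __name__ == "__main__":
    print(rule_to_json(RULE_TEXT))
```

With the rules in this shape, a bird's-eye view becomes a matter of ordinary JSON tooling: grouping rules by `meta.author`, listing every rule whose strings lack the `ascii` modifier, or diffing two ruleset versions field by field.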
Hello Yara lovers!
We have been very busy lately working on ways to improve the YaraRules project and the online YaraRules Analyzer.
The first of the changes and improvements is the redesigned website that you are seeing right now. We have moved from WordPress to Hugo in an effort to simplify the website and its management.
But that is not the only thing we are working on. We are also working on the YaraRules Analyzer and the YaraRules ruleset, and we have planned some improvements that you will surely enjoy.
NOTE: The YaraRules Analyzer project is no longer maintained.
At the YaraRules Project we want to offer the Community a new online service: "YaraRules Analyzer". It lets you analyze your files in the cloud using the full YaraRules ruleset, so you do not need to install Yara on your local computer, and you are sure to analyze your files against the latest YaraRules ruleset.
This service is still in an alpha stage and is available at https://analysis.
If you're interested in sharing your Yara rules with us and the Security Community, you can join our Telegram group, send a message to our Twitter account @YaraRules, or submit a pull request on our GitHub repository.
We have divided our ruleset into five categories, each represented by a file: AntiDebug, Crypto, Malicious Document, Packer and Malware. The Malware category is further split on a per-family basis.
This project arises out of the need for a repository that compiles different Yara signatures, classified and kept as up to date as possible.
Yara is an increasingly used tool, but knowledge about it is dispersed, so one of the main objectives of the Yara Rules project is to offer a Yara ruleset as complete as possible, providing a quick way to get and update existing rules.
We hope it is useful for the Security Community, and we look forward to your feedback.
If you're interested in sharing your Yara rules with us and the Security Community, you can contact us in several ways:
Sending a message to our Twitter account @YaraRules
Submitting an issue or a pull request on our GitHub repository.
The YaraRules team.
If you're interested in sharing your Yara rules with us and the Security Community, you can join our Telegram group, send a message to our Twitter account @YaraRules, or submit a pull request on our GitHub repository.
We have divided our ruleset into nine main categories, each represented by a file: AntiDebug, CVE, Crypto, Exploit Kits, Malicious Document, Malware, Mobile Malware, Packer and Webshells. Most categories are further split on a per-family basis.
This project covers the need of a group of IT security researchers for a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and it began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU GPLv2 license and open to any user or organization, as long as you use it under this license.
Yara is being increasingly used, but knowledge about the tool and its usage is dispersed in many different places.