YARA Cheat Sheet
YARA is a powerful tool used to identify and classify malware by defining rules based on textual or binary patterns. It is widely used in malware research, DFIR, and threat hunting.
Basic Rule Structure
rule ExampleRule
{
    meta:
        author = "analyst"
        description = "Example YARA rule"
    strings:
        $a = "malware"
        $b = { 6A 40 68 00 30 00 00 }
    condition:
        any of them
}
Strings
Text Strings
$a = "cmd.exe"
$b = "powershell" nocase
Hex Strings
$c = { 4D 5A }
Regular Expressions
$d = /http:\/\/[a-z0-9\.]+/ nocase
Conditions
condition:
    all of ($a,$b)

condition:
    filesize < 2MB and $c
Meta Section
meta:
    author = "SOC"
    version = "1.0"
    reference = "internal"
Common Keywords
- any of them
- all of them
- n of them
- uint16(0) == 0x5A4D (PE header, the "MZ" magic)
Modules
PE Module
import "pe"
condition:
    pe.is_pe and pe.number_of_sections > 5
ELF Module
import "elf"
condition:
    elf.entry_point == 0x8048000
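Putting the sections above together, the following is an added example rule (not from the original cheat sheet) that combines a text string, a hex string and a regular expression with a header check, a filesize bound and pe module fields; the indicator strings, rule name and metadata are constructed for illustration.

```yara
import "pe"

rule Suspicious_PE_Downloader_Example
{
    meta:
        author      = "analyst"   // constructed example metadata
        description = "PE containing a PowerShell reference, a VirtualAlloc-style prologue and a hard-coded HTTP URL"
        version     = "1.0"

    strings:
        // Text string, case-insensitive, in both ASCII and UTF-16 (wide) encodings
        $ps  = "powershell" nocase ascii wide
        // Hex string: push 0x40 (PAGE_EXECUTE_READWRITE) ; push 0x3000 (MEM_COMMIT | MEM_RESERVE),
        // the argument setup typically seen before a call to VirtualAlloc
        $va  = { 6A 40 68 00 30 00 00 }
        // Regex for a plain-HTTP URL with a path; nocase also matches "HTTP://"
        $url = /http:\/\/[a-z0-9\.\-]+\/[a-z0-9\/\.\-_]*/ nocase

    condition:
        uint16(0) == 0x5A4D            // "MZ" magic first: cheap check that skips non-PE files early
        and pe.is_pe                   // the pe module confirms the file parses as a PE
        and filesize < 2MB             // size bound lowers false positives and scan cost
        and pe.number_of_sections > 2
        and 2 of ($ps, $va, $url)      // require two of the three indicators, not just one
}
```

The condition is ordered so the inexpensive header and size checks run before the module lookups and string matches, which is the usual way to keep rules fast on large file sets.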
Scan Files
yara rules.yar sample.exe
Recursive scan:
yara -r rules.yar /path/to/files/
Scan Memory (Linux)
yara rules.yar 1234
Pass the PID of the running process (here 1234) as the target; yara then scans that process's memory regions. Passing /proc/1234/mem as a file does not work, because that pseudo-file cannot be read like an ordinary file.
Compile Rules
yarac rules.yar rules.compiled
yara -C rules.compiled sample.exe
Scanning with a compiled rule set requires -C (--compiled-rules); without it yara tries to parse the file as rule source.
Debug Rules
yara -s -m rules.yar sample.exe
-s prints each matching string with its offset and -m prints the rule's meta section. Note that -d is --define (sets an external variable for the rules), not a debug switch.
Typical Workflow
Write YARA rules
Test against samples
Refine conditions
Deploy to SOC / EDR
Common Issues
Too many false positives
Narrow conditions and add filesize or module checks.
Rule does not trigger
Verify the string's encoding (ASCII vs. UTF-16, which needs the wide modifier) and that the string type (text, hex, regex) matches the data.
Related Tools
- ClamAV
- VirusTotal
- radare2
- Ghidra
Use Cases
- Malware detection
- Threat hunting
- Incident response
- File classification
Legal Notice
Danger
Use YARA only on files and systems you are authorized to analyze.