Understanding YARA Rules

Use Cases for YARA Rules

All PhishER rules must follow Yet Another Recursive or Ridiculous Acronym (YARA) rule logic to disposition messages. You can use YARA rules to disposition messages based on included attachments, potential CEO fraud, and more. This guide provides a list of common use cases for YARA rules. You can create these rules to use in your PhishER platform. For general information about writing YARA rules, see our How to Write YARA Rules article or YARA Rules video.

Tip:You can click the text editor image for each YARA rule example to view a text file of the example in a new tab.

Attachments Rule

If you would like to create a YARA rule that detects if any type of attachment is included in an email, you can use the example rule in the screenshot and code block below:

rule Attachments
{
  strings:
    $Attachment = "X-Attachment-Id"

  condition:
    $Attachment
}

This rule does not detect specific attachment types. If you would like to write a rule that detects specific attachment types, you can use the example rules in the screenshot and code block below:

Tip:Depending on what information you want to detect, you can customize this rule by adding or removing different attachment types.
rule Attachments {
  strings:
    $doc = ".doc"
    $htm = ".htm"
    $exe = ".exe"
    $pdf = ".pdf"
    $excel = ".xlsx"
    $ics = ".ics"
    $png = ".png"
    $jpg = ".jpg"
    $gif = ".gif"
  condition:
    any of them
}

Automated Software Emails Rule

If you would like to create a YARA rule that detects automated software emails, you can use the example rule in the screenshot and code block below:

Important:This rule can flag legitimate emails because it looks for the text in brackets in the from email address or the subject line of an email.
rule Automated_SoftwareEmails
{
  strings:
    $ = /(\n|\r)From:.{0,200}[Salesforce].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[Salesforce]/ nocase

    $ = /(\n|\r)From:.{0,200}[HubSpot].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[HubSpot]/ nocase

  condition:
    any of them
}

For this rule to work, you'll need to replace the text in brackets with the name of a software application. We recommend that you use the name of a software application that your organization uses or would likely receive an email from.

CEO Fraud Rule

If you would like to create a YARA rule that identifies potential CEO fraud attempts, you can use the example rule in the screenshot and code block below:

rule CEO_Fraud
{
  strings:
    $FromEmail        = /From:.{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
    $FromName	        = /From:.{0,20}[yourCEO].{0,20}<.{5,100}>/ nocase
    $FromNameEmail    = /From:.{0,20}[yourCEO].{0,20}\<[yourCEO@yourDomain.com]\>/ nocase

    $Reply            = /Reply-To:.{0,20}/ nocase
    $ReplyEmail       = /Reply-To:.{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
    $ReplyName	      = /Reply-To:.{0,20}[yourCEO].{0,20}\</ nocase
    $ReplyNameEmail   = /Reply-To:.{0,20}[yourCEO].{0,20}\<[yourCEO@yourDomain.com]\>/ nocase

  condition:
    ($Reply and $FromNameEmail and not $ReplyNameEmail)
    or ($Reply and not $FromNameEmail and $ReplyNameEmail)
    or ($Reply and $FromEmail and not $ReplyEmail)
    or ($Reply and not $FromEmail and $ReplyEmail)
    or ($FromName and not $FromEmail)
    or ($ReplyName and not $ReplyNameEmail)
}

If you use this rule, you'll need to replace each instance of the [yourCEO@yourDomain.com] placeholder with your CEO's email address. You'll also need to replace each instance of the [yourCEO] placeholder with your CEO's name.

Internal Sender Rule

If you would like to create a YARA rule that identifies any email coming from your domain that is not a spoofed email, you can use the example rule in the screenshot and code block below:

rule InternalSender
{
  strings:
	$a = /from:.{0,60}@domain.com/ nocase
	$b = /Return-Path:.{0,60}@domain.com/ nocase
	$c = "header.from=domain.com"
	$d = /Authentication-Results:.{0,20}spf=pass/ nocase
	
  condition:
    all of them
}
Tip:If you use this rule, the email will need a matching sender domain in the headers and will need to pass your Sender Policy Framework (SPF) checks. This rule will not tag emails sent from your domain that do not require or pass your SPF checks. If you would like to tag the types of emails mentioned, remove the $d string. You can also remove the $c string.

KnowBe4 Training Emails Rule

If you would like to create a YARA rule that detects all training notification emails from your KSAT console, you can use the example rule in the screenshot and code block below:

rule KnowBe4_TrainingEmails
{
  strings:
  $ = /Return-Path:.{0,50}psm.knowbe4.com>/ nocase
  $ = /Received:.{0,50}(147.160.167.\d{1,3})/ nocase
  $ = /Received:.{0,50}(23.21.109.197)/ nocase
  $ = /Received:.{0,50}(23.21.109.212)/ nocase
  $ = /Received:.{0,50}psm.knowbe4.com/ nocase

  condition:
    any of them
}

Not Present Rule

You can create a YARA rule that detects if a value is not present in a selected PhishER target. To create this rule, you can use the example rule in the screenshot and code block below:

rule notPresent
{
  strings:
    $a = "KnowBe4" nocase

  condition:
    (not $a) and (filesize > 0)
}

To use this rule, you'll need to include the special variable filesize in your rule's condition. The filesize variable checks if the target you selected is empty. This process is helpful if you receive an email with a plain text body and an HTML body since one type of body could be empty but the other body could contain your string. Without the filesize variable, the email could falsely match your notPresent rule.

Most Common Regular Expressions Table

A regular expression, or regex, is a sequence of characters that is used to identify a pattern in text strings. To learn about regular expressions that are often used in YARA rules for PhishER, see the table below. For more information about regular expressions, see YARA's Writing YARA rules documentation.

Operators and Modifiers Description
\n

This regex is an escape sequence that looks for a new line. 

. This regex is a metacharacter that matches any character or symbol.
{n, m}

This regex is a quantifier that looks for a range of matches between a number of characters represented by n and m. This regex is used to identify matching segments of a string.

Note: You can use the {n,m} regex following any character. See the examples below:
  • 9{2,3}: This regex will match 99 or 999.
  • .{2,3}: This regex will match any two-character or three-character string.
| This regex is a metacharacter that indicates an alternation operator, similar to an OR operator. This regex looks for a match among multiple possible regular expressions.
* This regex is a quantifier that looks for zero or more matches.
? This regex is a quantifier that looks for zero or one match.

Can't find what you're looking for?

Contact Support