YARA Rules
Below is a list of common use cases for YARA rules. Each rule can be customized and used in your PhishER platform. For more information about writing YARA rules, please visit our How to Write YARA Rules article or YARA Rules video.
Note:
If you would like to download a text file of the YARA rule examples, click on the text editor image displayed for each rule. This will open a text file in a new tab.
Jump to:
- NOT Present Rule
- CEO Fraud Rule
- Attachments Rule
- Automated Software Emails Rule
- KnowBe4 Training Emails Rule
- Regular Expressions Table
NOT Present Rule
If you would like to create a YARA rule that detects whether a string is not present in a selected target, it's important to include the special variable filesize in your rule's condition. See the example below:
[The example rule is shown as an image on the original page and is not reproduced here; its text is available in the YARA_Rules.txt download.]
By adding the filesize variable to your condition, you're checking whether the target you selected to scan is empty. This matters when an email has both a plain text body and an HTML body: one part may be empty while the other contains your string. In that scenario, the empty part would falsely match the rule if the filesize variable is not included.
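To make the point concrete, here is an added example (not the article's own rule, which is only available as the image and text download above) showing the unguarded and guarded forms side by side. The footer string is a constructed sample, and the rule assumes the scan target is a single email body part, as described above.

```yara
// Added example, not from the PhishER article. $footer is a constructed sample string.

// Unguarded: on an empty MIME part (for example an empty plain-text body
// beside a populated HTML body) $footer cannot match, so "not $footer" is
// true and the empty part alone makes the rule fire.
rule missing_footer_unguarded
{
    strings:
        $footer = "This message was sent from an internal system" nocase
    condition:
        not $footer
}

// Guarded: filesize > 0 requires the target to contain data, so an empty
// part is skipped and only a populated part that lacks the string matches.
rule missing_footer_guarded
{
    meta:
        description = "Body part is non-empty but lacks the expected footer"
    strings:
        $footer = "This message was sent from an internal system" nocase
    condition:
        filesize > 0 and not $footer
}
```

Scanning an empty body part with the first rule produces a match; with the second it does not, which is the false positive the filesize check removes.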
CEO Fraud Rule
If you would like to create a YARA rule that helps identify potential CEO Fraud attempts, you can use the example rule below:
[The example rule is shown as an image on the original page and is not reproduced here; its text is available in the YARA_Rules.txt download.]
If you decide to use this rule, be sure to replace the placeholder text (yourCEO and yourCEO@yourDomain.com, shown highlighted in the image) with your CEO's information:
- From Email Address
/From:.{0,20}\<yourCEO@yourDomain.com\>/
- From Name
/From:.{0,20}yourCEO.{0,20}<.{5,100}>/
- From Name AND From Email Address
/From:.{0,20}yourCEO.{0,20}\<yourCEO@yourDomain.com\>/
- Reply-To Email Address
/Reply-To:.{0,20}\<yourCEO@yourDomain.com\>/
- Reply-To Name
/Reply-To:.{0,20}yourCEO.{0,20}\</
- Reply-To Name AND Reply-To Email Address
/Reply-To:.{0,20}yourCEO.{0,20}\<yourCEO@yourDomain.com\>/
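The patterns above can be combined so that the rule fires only when the CEO's name appears without the CEO's genuine address, which is the display-name mismatch that marks a typical CEO fraud message. The rule below is an added example, not the article's rule; it reuses the page's yourCEO and yourCEO@yourDomain.com placeholders and assumes the scan target is the raw message headers.

```yara
// Added example, not from the PhishER article. Replace yourCEO and
// yourCEO@yourDomain.com with your own CEO's display name and address.
rule ceo_display_name_spoof
{
    meta:
        description = "Display name claims to be the CEO but the address is not the CEO's"
    strings:
        // From name with any address (the page's "From Name" pattern)
        $from_name = /From:.{0,20}yourCEO.{0,20}<.{5,100}>/ nocase
        // From name together with the genuine address (the page's combined pattern)
        $from_genuine = /From:.{0,20}yourCEO.{0,20}\<yourCEO@yourDomain.com\>/ nocase
        // Reply-To name with any address, and Reply-To with the genuine address
        $reply_name = /Reply-To:.{0,20}yourCEO.{0,20}\</ nocase
        $reply_genuine = /Reply-To:.{0,20}\<yourCEO@yourDomain.com\>/ nocase
    condition:
        ($from_name and not $from_genuine) or
        ($reply_name and not $reply_genuine)
}
```

Because $from_name also matches a legitimate message from the CEO, the "and not $from_genuine" clause is what turns the pattern into a mismatch check; the same structure is applied to the Reply-To header.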
Attachments Rule
If you would like to create a YARA rule that detects if any type of attachment is included in an email, you can use the example rule below:
[The example rule is shown as an image on the original page and is not reproduced here; its text is available in the YARA_Rules.txt download.]
Keep in mind, this rule does not detect specific attachment types. If you would like to write an attachment-type-specific rule, you can follow the format of the rule below:
[The attachment-type-specific rule is shown as an image on the original page and is not reproduced here.]
Depending on what you want to detect, you can customize this rule by adding or removing different attachment types.
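As an added example (not the article's rules), the pair below shows a generic attachment rule next to a type-specific one. Both assume the scan target is the raw MIME message with its headers, so the Content-Disposition lines are visible to YARA; the extension lists are constructed starting points to adjust for your environment.

```yara
// Added example, not from the PhishER article. Assumes the scan target is the
// raw MIME message (headers included).

// Any attachment at all, regardless of type.
rule any_attachment
{
    strings:
        $disp = /Content-Disposition:\s*attachment/ nocase
    condition:
        $disp
}

// Attachment-type-specific: each alternation group is one family of types.
// The lists are constructed examples; add or remove extensions as needed.
rule attachment_by_type
{
    meta:
        description = "Attachment filename ends in an executable or archive extension"
    strings:
        $executable = /filename=.{0,200}\.(exe|scr|js|vbs|hta)/ nocase
        $archive    = /filename=.{0,200}\.(zip|7z|rar|iso)/ nocase
    condition:
        any of them
}
```

Splitting the types into separate strings keeps the alternation groups readable and lets you later tighten the condition (for example, requiring $executable alone) without rewriting the regexes.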
Automated Software Emails Rule
If you would like to create a YARA rule that detects automated software emails, you can use the example rule below:
[The example rule is shown as an image on the original page and is not reproduced here; its text is available in the YARA_Rules.txt download.]
If you decide to use this rule, be sure to replace the placeholder text (highlighted in the image) with the name of a software application your organization uses or is likely to receive email from. Be aware, this rule may flag legitimate emails because it looks for the highlighted words in the From address or the Subject line of an email.
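An added example (not the article's rule) of the shape such a rule takes: one regex per header, each carrying the same alternation of product names. The product names are constructed placeholders to replace with the software your organization actually receives mail from.

```yara
// Added example, not from the PhishER article. The names in the alternation
// are constructed placeholders; the rule assumes the scan target is the raw
// message headers.
rule automated_software_email
{
    meta:
        description = "From address or Subject line mentions a known software product"
    strings:
        $from = /From:.{0,100}(YourTicketingTool|YourBuildServer|YourMonitoringTool)/ nocase
        $subj = /Subject:.{0,100}(YourTicketingTool|YourBuildServer|YourMonitoringTool)/ nocase
    condition:
        any of them
}
```

As the article notes, a match on either header is enough to fire, so any human-written message that mentions one of these products in its subject will also be flagged; narrowing $from to the products' actual sending domains reduces that.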
KnowBe4 Training Emails Rule
If you would like to create a YARA rule that detects all KnowBe4 Training emails, you can use the example rule below:
[The example rule is shown as an image on the original page and is not reproduced here; its text is available in the YARA_Rules.txt download.]
Regular Expressions Table
Below is a condensed list of commonly used regular expression operators that are recognized by the YARA compiler. For more information about regular expressions, see the YARA documentation.
Operator/Modifier | Meaning
--- | ---
\n | An escape sequence that matches a new line.
. | A metacharacter that matches any character or symbol.
{n,m} | A quantifier that looks for a range of matches, n to m times. This is used to capture the unnecessary segments of a line. Keep in mind, {n,m} can be used following any character; the CEO Fraud Rule patterns above use it as .{0,20}.
\| | A metacharacter that indicates an alternation (this is similar to an OR option).
* | A quantifier that looks for 0 or more matches.
? | A quantifier that looks for 0 or 1 matches.