YARA Rule Use Cases
All PhishER rules must follow Yet Another Recursive or Ridiculous Acronym (YARA) rule logic to disposition messages. You can use YARA rules to disposition messages based on included attachments, potential CEO fraud, and more. This guide provides a list of common use cases for YARA rules. You can create these rules to use in your PhishER platform. For general information about writing YARA rules, see our How to Write YARA Rules article or YARA Rules video.
For YARA rule use cases, see the sections below.
Jump to:
Attachments Rule
Automated Software Emails Rule
CEO Fraud Rule
Internal Sender Rule
KnowBe4 Training Emails Rule
Not Present Rule
Most Common Regular Expressions Table
Attachments Rule
If you would like to create a YARA rule that detects if any type of attachment is included in an email, you can use the example rule in the screenshot and code block below:
rule Attachments
{
strings:
$Attachment = "X-Attachment-Id"
condition:
$Attachment
}
This rule does not detect specific attachment types. If you would like to write a rule that detects specific attachment types, you can use the example rules in the screenshot and code block below:
rule Attachments
{ strings: $doc = ".doc" $htm = ".htm" $exe = ".exe" $pdf = ".pdf" $excel = ".xlsx" $ics = ".ics" $png = ".png" $jpg = ".jpg" $gif = ".gif" condition: any of them }
Automated Software Emails Rule
If you would like to create a YARA rule that detects automated software emails, you can use the example rule in the screenshot and code block below:
rule Automated_SoftwareEmails
{
strings:
$ = /(\n|\r)From:.{0,200}[Salesforce].{0,200}</ nocase
$ = /(\n|\r)Subject:.{0,200}[Salesforce]/ nocase
$ = /(\n|\r)From:.{0,200}[HubSpot].{0,200}</ nocase
$ = /(\n|\r)Subject:.{0,200}[HubSpot]/ nocase
condition:
any of them
}
For this rule to work, you'll need to replace the text in brackets with the name of a software application. We recommend that you use the name of a software application that your organization uses or would likely receive an email from.
CEO Fraud Rule
If you would like to create a YARA rule that identifies potential CEO fraud attempts, you can use the example rule in the screenshot and code block below:
rule CEO_Fraud
{
strings:
$FromEmail = /From:.{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
$FromName = /From:.{0,20}[yourCEO].{0,20}<.{5,100}>/ nocase
$FromNameEmail = /From:.{0,20}[yourCEO].{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
$Reply = /Reply-To:.{0,20}/ nocase
$ReplyEmail = /Reply-To:.{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
$ReplyName = /Reply-To:.{0,20}[yourCEO].{0,20}\</ nocase
$ReplyNameEmail = /Reply-To:.{0,20}[yourCEO].{0,20}\<[yourCEO@yourDomain.com]\>/ nocase
condition:
($Reply and $FromNameEmail and not $ReplyNameEmail)
or ($Reply and not $FromNameEmail and $ReplyNameEmail)
or ($Reply and $FromEmail and not $ReplyEmail)
or ($Reply and not $FromEmail and $ReplyEmail)
or ($FromName and not $FromEmail)
or ($ReplyName and not $ReplyNameEmail)
}
If you use this rule, you'll need to replace each instance of the [yourCEO@yourDomain.com] placeholder with your CEO's email address. You'll also need to replace each instance of the [yourCEO] placeholder with your CEO's name.
Internal Sender Rule
If you would like to create a YARA rule that identifies any email coming from your domain that is not a spoofed email, you can use the example rule in the screenshot and code block below:
rule InternalSender
{
strings:
$a = /from:.{0,60}@domain.com/ nocase
$b = /Return-Path:.{0,60}@domain.com/ nocase
$c = "header.from=domain.com"
$d = /Authentication-Results:.{0,20}spf=pass/ nocase
condition:
all of them
}
KnowBe4 Training Emails Rule
If you would like to create a YARA rule that detects all training notification emails from your KMSAT console, you can use the example rule in the screenshot and code block below:
rule KnowBe4_TrainingEmails
{
strings:
$ = /Return-Path:.{0,50}psm.knowbe4.com>/ nocase
$ = /Received:.{0,50}(147.160.167.\d{1,3})/ nocase
$ = /Received:.{0,50}(23.21.109.197)/ nocase
$ = /Received:.{0,50}(23.21.109.212)/ nocase
$ = /Received:.{0,50}psm.knowbe4.com/ nocase
condition:
any of them
}
Not Present Rule
You can create a YARA rule that detects if a value is not present in a selected PhishER target (click to view). To create this rule, you can use the example rule in the screenshot and code block below:
Choose Target Drop-down
rule notPresent
{
strings:
$a = "KnowBe4" nocase
condition:
(not $a) and (filesize > 0)
}
To use this rule, you'll need to include the special variable filesize in your rule's condition. The filesize variable checks if the target you selected is empty. This process is helpful if you receive an email with a plain text body and an HTML body since one type of body could be empty but the other body could contain your string. Without the filesize variable, the email could falsely match your notPresent rule.
Most Common Regular Expressions Table
A regular expression, or regex, is a sequence of characters that is used to identify a pattern in text strings. To learn about regular expressions that are often used in YARA rules for PhishER, see the table below. For more information about regular expressions, see YARA's Writing YARA rules documentation.
| Operators and Modifiers | Description |
| \n |
This regex is an escape sequence that looks for a new line. |
| . | This regex is a metacharacter that matches any character or symbol. |
| {n, m} |
This regex is a quantifier that looks for a range of matches between a number of characters represented by n and m. This regex is used to identify matching segments of a string. Note: You can use the {n,m} regex following any character. See the examples below:
|
| | | This regex is a metacharacter that indicates an alternation operator, similar to an OR operator. This regex looks for a match among multiple possible regular expressions. |
| * | This regex is a quantifier that looks for zero or more matches. |
| ? | This regex is a quantifier that looks for zero or one match. |
Comments
0 comments
Article is closed for comments.