#100DaysofYARA 2024 – Day 4 – Signed PE files

This rule introduces the YARA PE module, which allows more fine-grained examination of Portable Executable files by exposing attributes of the PE format (headers, sections, imports, signatures and so on) as fields the condition can test directly.

Today's rule matches PE files that carry at least one Authenticode signature. That isn't malicious in itself, but it is often interesting depending on the context of the binary. The PE module only populates its fields for files that actually parse as PE, so the magic-byte check isn't strictly required here, but I've included it for completeness anyway. Two caveats worth knowing: `pe.number_of_signatures` counts the signatures present in the file's certificate table and says nothing about whether they verify (YARA 4.3 and later expose a per-signature `pe.signatures[i].verified` field for that), and YARA only parses Authenticode data when it was built with OpenSSL support; without it the signature fields are unavailable and this rule will not match.

import "pe"

rule file_pe_signed {
    meta:
        description = "Finds signed Windows executables"
        last_modified = "2024-01-04"
        author = "@petermstewart"
        DaysofYara = "4/100"

    condition:
        // "MZ" DOS header magic, read as little-endian uint16 at offset 0
        uint16(0) == 0x5a4d and
        // at least one Authenticode signature in the security directory
        pe.number_of_signatures >= 1
}
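To make concrete what `pe.number_of_signatures` is looking at, here is an added example (my own code, not part of the original post or of YARA) that walks the same structure by hand: the Security data directory (index 4 in the optional header) gives a raw file offset and size for a table of 8-byte-aligned `WIN_CERTIFICATE` blobs, and the Authenticode ones have type `0x0002` (PKCS#7 SignedData) and revision `0x0200`. The sample PE bytes are constructed inline for the demonstration; the `build_sample_pe` helper is an assumption of this example, not a real tool. YARA goes further and parses the PKCS#7 content itself, so its count can differ from this one (for example with nested signatures), but the table walk below is where it starts.

```python
"""Count Authenticode WIN_CERTIFICATE entries in a PE file.

Added example; not from the original post or from YARA itself.
The sample PE produced by build_sample_pe() is constructed for the demo.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def count_authenticode_entries(data: bytes) -> int:
    """Return the number of PKCS#7 WIN_CERTIFICATE entries in a PE image.

    Raises ValueError if `data` is not a PE image.  A truncated or corrupt
    certificate table stops the walk instead of raising, mirroring the
    "parse what you can" behaviour a scanner needs on hostile input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":          # same check as uint16(0) == 0x5a4d
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")

    opt_hdr = e_lfanew + 4 + 20                         # skip "PE\0\0" + COFF file header
    if opt_hdr + 2 > len(data):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt_hdr)
    if magic == 0x10B:                                  # PE32
        dir_base = opt_hdr + 96
    elif magic == 0x20B:                                # PE32+
        dir_base = opt_hdr + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # Security directory: unlike every other directory, its "VirtualAddress"
    # is a raw file offset, because the certificate table is not mapped.
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > len(data):
        raise ValueError("optional header truncated")
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return 0                                        # unsigned binary

    count = 0
    end = min(cert_off + cert_size, len(data))          # never read past EOF
    pos = cert_off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            break                                       # corrupt or truncated entry
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and revision == WIN_CERT_REVISION_2_0:
            count += 1
        pos += (length + 7) & ~7                        # entries are 8-byte aligned
    return count


def build_sample_pe(certs) -> bytes:
    """Construct a minimal PE32 (no sections) carrying a certificate table.

    `certs` is a list of (revision, cert_type, payload) tuples; the payloads
    are placeholder bytes, not real PKCS#7 data.  Constructed for the demo.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    table_off = 0x200
    table = b""
    for revision, cert_type, payload in certs:
        length = 8 + len(payload)
        table += struct.pack("<IHH", length, revision, cert_type) + payload
        table += b"\0" * ((-length) % 8)                # pad to 8-byte boundary
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     table_off if table else 0, len(table))
    headers = dos + b"PE\0\0" + coff + bytes(opt)
    return headers + b"\0" * (table_off - len(headers)) + table


if __name__ == "__main__":
    signed = build_sample_pe([(0x0200, 0x0002, b"A" * 13), (0x0200, 0x0002, b"B" * 40)])
    print("signed sample:", count_authenticode_entries(signed))
    print("unsigned sample:", count_authenticode_entries(build_sample_pe([])))
```

Note the truncation handling: a file whose certificate table runs past end-of-file (a common trick for breaking naive parsers, and a common artefact of sloppy re-signing) yields the entries that are fully present and stops, rather than throwing. The x509-only case (`cert_type == 0x0001`) is counted as zero because it is not an Authenticode signature, which is the same distinction a YARA rule on `pe.number_of_signatures` relies on.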

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
