#100DaysofYARA 2024 – Day 1 – Windows PE Files

Starting off with some simple utility rules.

There are multiple ways to determine what file format we are dealing with, but one of the simplest is to check the “magic bytes” at the beginning of the file. For Windows PEs these are the ASCII characters “MZ”, i.e. the bytes 0x4D 0x5A. YARA’s uint16() reads an integer in little-endian byte order (uint16be() exists for big-endian), so those two bytes read as a uint16 give 0x5A4D, which is the value the rule compares against. Note that an MZ header only tells you the file starts with a DOS header; a stricter check would also verify that the offset stored at 0x3C (e_lfanew) points to the “PE\0\0” signature.

rule file_pe_header {
    meta:
        description = "Finds PE file MZ header as uint16"
        last_modified = "2024-01-01"
        author = "@petermstewart"
        DaysofYara = "1/100"

    condition:
        uint16(0) == 0x5a4d
}
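The following Python is an added example, not a rule from the original post or from the author’s repository. It reimplements the uint16(0) == 0x5a4d check in code so the endianness is visible, and goes a step beyond the rule above by also following e_lfanew at offset 0x3C to the “PE\0\0” signature (0x00004550 little-endian), which is the stricter check a triage script would want. The sample inputs are constructed inline, not real files.

```python
import struct
from typing import Optional

# Constructed sample inputs (not real samples).
# A minimal PE-like header: 64-byte DOS header, e_lfanew pointing at a "PE\0\0" signature.
_buf = bytearray(0x40)
_buf[0:2] = b"MZ"
struct.pack_into("<I", _buf, 0x3C, 0x40)   # e_lfanew = 0x40 (offset of the PE signature)
_buf += b"PE\0\0"                          # PE signature: bytes 50 45 00 00 -> 0x00004550 LE
PE_LIKE = bytes(_buf)

DOS_ONLY = b"MZ" + bytes(62)               # MZ header but e_lfanew = 0, so no PE signature
NOT_PE = b"\x7fELF" + bytes(60)            # ELF magic, should not match


def uint16(data: bytes, offset: int) -> Optional[int]:
    """Little-endian 16-bit read, like YARA's uint16(offset).
    Returns None when the read would run past the end of the data (YARA
    treats such reads as undefined, so the condition evaluates to false)."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> Optional[int]:
    """Little-endian 32-bit read, like YARA's uint32(offset)."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def file_pe_header(data: bytes) -> bool:
    """Mirror of the rule condition: uint16(0) == 0x5a4d.
    The bytes 4D 5A ("MZ") read little-endian are the integer 0x5A4D."""
    return uint16(data, 0) == 0x5A4D


def file_pe_signature(data: bytes) -> bool:
    """Stricter check (assumption beyond the rule above): the MZ header must be
    present AND the e_lfanew value at 0x3C must point at "PE\0\0"."""
    if not file_pe_header(data):
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew is None:
        return False
    return uint32(data, e_lfanew) == 0x00004550


if __name__ == "__main__":
    for name, blob in (("PE_LIKE", PE_LIKE), ("DOS_ONLY", DOS_ONLY), ("NOT_PE", NOT_PE)):
        print(f"{name:9} mz={file_pe_header(blob)!s:5} pe={file_pe_signature(blob)}")
```

Running the script shows that DOS_ONLY satisfies the MZ check but not the signature check, which is the gap the caveat above refers to; in YARA the equivalent stricter condition is uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x00004550.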

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.

#100DaysofYARA 2024 – Day 0

Since switching my focus from incident response to threat hunting I have been using YARA more and more often to identify new samples and track the threat actors using them. During 2023 I was able to complete Steve Miller’s excellent “YARA for Security Analysts” course from Applied Network Defense, and wanted to challenge myself to write even more YARA rules, so I am joining in the 2024 edition of #100DaysofYARA.

I am mostly focusing on specific malware families and tools that I encounter during my day-job, but also have plans for some more generic hunting rules that might catch something interesting.

I plan to add new rules each day, posting them on this blog and uploading them to GitHub where hopefully someone else will find them useful.

Unless otherwise stated, all of the samples I will be triaging will be acquired from public repositories such as those on Lenny Zeltser’s list of malware sources, or based on analysis of public reports and blogs.

#100DaysofYARA 2024 starts on the 1st of January. Let’s go!