Post 87 - Message in a bottle(s)

26 Dec 2025

Day 13 YARA Rules YARA mean one!

When to use YARA

• Post-incident analysis: when needing to verify whether traces of malware found on one compromised host still exist elsewhere in the environment
• Threat hunting: searching through systems and endoints for signs of known or related malware families
• Intelligence-based scans: applying shared rules from other defenders or kingdoms to detect ne indicators of compromise
• Memory analysis: examining active processes in a mempry dump for malicious code fragments

YARA Values

• Speed: quickly scans large sets of files or systems to identify suspicious ones
• Flexibility: detects everythingfrom text strings to binary patterns and complex logic
• Control: lets analysts define exactly what they consider malicious
• Shareability: rules can be reused and improved by other defenders across kingdoms
• Visibility: helps connect scattered clues into a clear picture of the attack

YARA Rules

Built from several key elements:

• Metedata: info about the rule itself: who created it, when, and for what purpose
• Strings: the clues YARA searches for: text, byte sequences, or regex that mark suspicious content
• Conditions: the logic that decides when the rule triggers, combining multiple strings or parameters into a single decision

Text strings

Simplest and most common type of string in YARA rules. represents words or short fragments within a file, script, or memory. Default treatment is case-sensitive ASCII but can use modifiers after the definition. Example:

rule text_string_sample
{
    strings:
        $string1 = "Word"

    condition:
        $string1
}

Modifiers can be used to counter uncertainty and attacker use of encoding, case tricks, and even encryption as obfuscation methods.

• Case-insensitive: nocase will match characters in string no matter the case
• Wide-character: wide used to look for two-byte Unicode characters as used by many Windows executables. ascii can be used along side to enforce for single-byte search
• XOR: xor checks all possible sinngle-byte XOR variations of a string
• Base64: base64 and base64wide decodes the content and searches for the iriginal pattern even if encoded

Hexadecimal strings

YARA can search for specific byte patterns in hex notation, useful for detecting malware fragments like file headers, shellcode, or binary signatures that can’t be plain text. Example:

rule hex_string_sample
{
    strings:
        $mz = { 4D 5A 90 00 } // MZ header of a windows exe
        $hex_string = { E3 41 ?? C8 G? VB }
    
    condition:
        $mz and $hex_string
}

Regex strings

Allows flexible search patterns that can match multiple variations of the same malicious string. Especially useful for URLs, encoded commands, and filenames that share a structure but are slightly different. Very powerful but should be used carefully because too broad a definition can match a wide range of data and slow down scans. Example:

rule regex_string_sample
{
    strings:
        $url = /http:\/\/.*malware.*/ nocase
        $cmd = /powershell/*-enc\s+[A-Za-z0-9+/+]+/ nocase
    
    condition:
        $url and $cmd
}

Conditions

• Single string - $<stringname>
• Any string - any of them
• All strings - all of them
• Logical - ($s1 or $s2) and not $s3
• Comparisons (filesize, entrypoint, or hash) - any of them and (filesize < 700KB)

The Task

Create a rule based on the playbook to find a secret message from McSkidy. Would have been much easier if I had entered the one character I thought I had. No recommended stuff with the room.