YARA

VirusTotal / Community

Pattern-matching engine for classifying and identifying malware samples.

Malware Analysis & Sandboxing Free & Open Source CLI Learning Cross-platform

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

YARA ("Yet Another Recursive Acronym") is the de facto standard for writing signatures that describe families of malware. A YARA rule declares a set of strings (plain text, hexadecimal byte patterns with wildcards, or regular expressions) and a Boolean condition over those strings and file properties; the rule fires when the condition holds for the scanned sample.

Analysts use YARA in three main contexts:

  • Triage of large file sets (a SOC pipeline scans every email attachment with hundreds of rules).
  • Threat hunting in memory captures (Volatility's yarascan plugin, loki, THOR).
  • IOC sharing — vendors and CERTs publish YARA rules alongside CVE / IOC reports.

Use cases

  • Triaging incoming files at the email gateway
  • Hunting for known malware families across a fleet
  • Validating sandbox verdicts with offline rules

Example

rule SuspiciousMimikatz {
    meta:
        author = "soc-team"
        description = "Heuristic for Mimikatz-like strings"
    strings:
        $s1 = "sekurlsa::logonpasswords" ascii wide
        $s2 = "privilege::debug" ascii wide
    condition:
        any of them
}
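As an added example that is not part of the original page, the rule below extends the one above to show all three string kinds the description mentions (text, hex bytes, regex) together with file-property checks that keep a heuristic rule from firing on every file in a mailbox. Every string, the byte pattern and the example.com domain are constructed placeholders, not indicators from any real sample.

```yara
// Added example (not from the original page): a stricter heuristic rule that
// combines text, hex and regex strings with file-property constraints.
// All strings, the byte pattern and the domain are constructed placeholders.
rule Example_Dropper_Heuristic
{
    meta:
        author      = "example-soc"   // placeholder
        description = "Illustrative rule: text, hex and regex strings with a tighter condition"
        reference   = "constructed example, no real sample behind it"
    strings:
        // Plain text strings; 'wide' also matches UTF-16LE copies, 'nocase' ignores case
        $txt1 = "cmd.exe /c" ascii wide nocase
        $txt2 = "schtasks /create" ascii wide nocase
        // Hex pattern with ?? wildcards for bytes that vary between builds
        $hex1 = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }
        // Regex for a beacon-style URL; example.com is a reserved placeholder domain
        $url  = /https?:\/\/[a-z0-9.-]+\.example\.com\/[a-z0-9\/]+/ ascii
    condition:
        uint16(0) == 0x5A4D      // 'MZ' header: only evaluate PE files
        and filesize < 2MB       // skip large installers to cut scan time and noise
        and 2 of ($txt*)         // require both text strings, not just one
        and ($hex1 or $url)      // plus corroborating code or network evidence
}
```

Compared with `any of them`, the `2 of ($txt*)` plus a corroborating `$hex1` or `$url` hit trades recall for precision, which is usually the right choice for a gateway pipeline scanning every attachment; the `uint16(0)` and `filesize` checks are evaluated first and let YARA discard non-PE and oversized files cheaply. Run it recursively over a directory with `yara -r rules.yar /path/to/samples`.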