Back to CTI Guides
TECHNICAL GUIDEOPEN SOURCE

Master YARA

The complete guide to creating malware detection signatures, identifying malicious patterns and automating threat analysis

30 min read
Level: Intermediate to Expert
4 advanced examples

What is YARA?

YARA (Yet Another Ridiculous Acronym) is a reference open-source tool in the cybersecurity field, developed by Victor Alvarez at VirusTotal. It allows identifying and classifying malicious files by creating descriptions based on textual, binary or structural patterns.

Massively used in threat intelligence, malware analysisand incident response, YARA is the tool of choice for detecting malware families, identifying APTs and automating suspicious file analysis.

Main Capabilities

What can YARA do?

Malware Detection

Identify malware families based on their unique signatures and behavioral patterns

APT detectionRansomware familiesTrojansRootkits

File Analysis

Scan files to identify suspicious patterns, encoded strings and malicious structures

PE analysisDocument macrosScriptsArchives

Threat Hunting

Proactively search for threats in your infrastructure with custom rules

Memory scanningDisk forensicsNetwork capturesLogs analysis

Process Analysis

Examine memory of running processes to detect malicious behaviors

Process injectionCode cavesPacked malwareRootkit detection
Rule Anatomy

Structure of a YARA rule

Understand the 3 essential components of a rule: meta, strings and condition

meta

Rule descriptive metadata

author

Name of the rule author

descriptionREQUIRED

Detection description

date

Creation date

reference

Reference URL

hash

Sample hash

version

Rule version

strings

Patterns to search for in files

Text strings

$str = "text"

ASCII/Unicode strings

Hex strings

$hex = { 4D 5A 90 }

Byte sequences

Regex

$re = /pattern/

Regular expressions

Modifiers

nocase, wide, ascii

Matching options

condition

Boolean logic defining when the rule matches

and, or, not

Logical operators

all of them

All strings must match

any of them

At least one string must match

filesize

File size

uint16(0) == 0x5A4D

Reading values

for..of

Loops and quantifiers

Basic Example

rule Malware_Example
{
    meta:
        author = "CTI Analyst"
        description = "Detects a specific malware"
        date = "2025-10-29"
        reference = "https://example.com/analysis"
        hash = "abc123..."
        severity = "high"
        
    strings:
        $str1 = "malicious_string" nocase wide
        $str2 = "suspicious_function" ascii
        $hex1 = { 4D 5A 90 00 03 }  // PE header
        $regex1 = /https?:\/\/[a-z0-9]{8,}\.com/
        
    condition:
        uint16(0) == 0x5A4D and  // MZ signature
        filesize < 1MB and
        (
            all of ($str*) or
            (#hex1 > 2 and $regex1)
        )
}
Advanced Examples

Advanced Detection Rules

Discover real examples used in production to detect sophisticated threats

IntermediateWindows Malware

Malicious PE Detection

rule Suspicious_PE_File
{
    meta:
        author = "CTI Analyst"
        description = "Detects PE with suspicious sections"
        date = "2025-10-29"
        severity = "high"
        
    strings:
        $mz = "MZ"
        $pe = "PE\x00\x00"
        $suspicious1 = "WinExec" nocase
        $suspicious2 = "URLDownloadToFileA" nocase
        $suspicious3 = "ShellExecuteA" nocase
        
    condition:
        $mz at 0 and
        $pe and
        2 of ($suspicious*) and
        filesize < 500KB
}

💡 Explanation

This rule detects Windows PE files containing suspicious APIs used for code execution and file downloads.

AdvancedRansomware

Ransomware Detection

rule Ransomware_Generic
{
    meta:
        description = "Generic ransomware detection"
        author = "Threat Intel Team"
        tlp = "white"
        
    strings:
        $ransom1 = "encrypted" nocase
        $ransom2 = "bitcoin" nocase
        $ransom3 = "decrypt" nocase
        $crypto1 = "CryptEncrypt"
        $crypto2 = "CryptGenKey"
        $file_ext1 = ".locked"
        $file_ext2 = ".encrypted"
        
    condition:
        uint16(0) == 0x5A4D and
        filesize < 2MB and
        (
            (2 of ($ransom*) and 1 of ($crypto*)) or
            (3 of ($ransom*) and any of ($file_ext*))
        )
}

💡 Explanation

Rule to identify ransomware based on characteristic strings and cryptographic functions.

ExpertCode Analysis

Obfuscation Detection

rule Obfuscated_Code
{
    meta:
        description = "Detects heavily obfuscated code"
        
    strings:
        $base64_pattern = /[A-Za-z0-9+\/]{200,}/
        $high_entropy = { ( [A-F0-9]{2} ){100,} }
        
    condition:
        for any section in pe.sections : (
            section.name matches /^\.[a-z]{4,8}$/ and
            math.entropy(section.raw_data_offset, 
                        section.raw_data_size) > 7.0
        ) or
        #base64_pattern > 5 or
        #high_entropy > 3
}

💡 Explanation

Detects obfuscated code by analyzing PE section entropy and presence of encoded patterns.

ExpertAdvanced Persistent Threat

APT Detection

import "pe"
import "hash"

rule APT_Backdoor_Custom
{
    meta:
        description = "Detects a specific APT backdoor"
        threat_actor = "APT29"
        mitre_attack = "T1071.001"
        
    strings:
        $c2_pattern = /https?:\/\/[a-z0-9]{16}\.com\/[a-z]{4}/
        $mutex = "Global\\{8F6F0AC4-B9A1-45FD-A8CF-72F04E6BDE8F}"
        $pdb = /[A-Z]:\\Projects\\[a-z]+\\Release\\[a-z]+\.pdb/ nocase
        
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_sections > 3 and
        pe.timestamp > 1609459200 and // After 2021
        (
            hash.md5(0, filesize) != 
            hash.md5(pe.sections[0].raw_data_offset, 
                    pe.sections[0].raw_data_size) and
            ($c2_pattern or $mutex or $pdb)
        )
}

💡 Explanation

Advanced rule using modules to detect APT backdoor with PE structural analysis.

Available Modules

YARA Modules for Advanced Analysis

pe

Analysis of Portable Executable files (Windows)

pe.machinepe.timestamppe.sectionspe.importspe.exportspe.resources
Usage example:
pe.number_of_sections > 5
elf

Analysis of ELF files (Linux)

elf.typeelf.machineelf.sectionself.segments
Usage example:
elf.type == elf.ET_EXEC
math

Mathematical and statistical functions

math.entropymath.meanmath.deviationmath.monte_carlo_pi
Usage example:
math.entropy(0, filesize) > 7.5
hash

Cryptographic hash calculation

hash.md5hash.sha1hash.sha256hash.checksum32
Usage example:
hash.md5(0, filesize) == "abc123..."
Use Cases

Practical Applications of YARA

Endpoint Detection

Scan endpoints to detect known malware

YARA + EDR
osquery
Velociraptor

Network Forensics

Analyze network traffic and PCAP captures

Suricata + YARA
Zeek
NetworkMiner

Sandbox Analysis

Integrate YARA into your analysis sandboxes

Cuckoo
CAPE
ANY.RUN

Threat Intelligence

Generate IOCs and share rules

MISP
OpenCTI
TheHive
Best Practices

What to do & Avoid

Do

Test on varied datasets

Validate your rules on benign and malware samples

Use complete metadata

Author, date, description, references

Optimize performance

Avoid complex regex, limit wildcards

Version your rules

Use Git to track modifications

Document the logic

Comment on complex conditions

Use YARA modules

pe, elf, math, hash for advanced analysis

Avoid

Too generic rules

Avoid massive false positives

Strings too short

Minimum 8-10 characters to avoid random matches

Ignore performance tests

Test on large file volumes

Forget modifiers

nocase, wide, fullword depending on context

Neglect maintenance

Regularly update your rules

Share without context

Always add metadata and references

Installation

Installation on Different Platforms

Ubuntu/Debian

Update packages
sudo apt-get update
Install YARA
sudo apt-get install yara
Verify installation
yara --version

CentOS/RHEL

Enable EPEL
sudo yum install epel-release
Install YARA
sudo yum install yara
Verify
yara --version

Windows

https://github.com/VirusTotal/yara/releases
Download from GitHub releases
To C:\Program Files\YARA
Extract yara64.exe
System environment variables
Add to PATH

Python (yara-python)

Install Python binding
pip install yara-python
Import in your scripts
import yara
Programmatic usage
rules.match(data)
Resources

Additional Resources

Official YARA Documentation
docs
YARAify - Online Scanner
tool
Awesome YARA
collection
YARA Rules Repository
rules
Florian Roth's Signature Base
rules
YARA-CI
tool

Ready to Create Your First YARA Rules?

Put your knowledge into practice with our malware detection use cases and threat analysis

Discover Practical CasesBack to CTI Guides