performing-threat-hunting-with-yara-rules
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
What this skill does
# Performing Threat Hunting with YARA Rules
Scan files, directories, and memory dumps using YARA rules to identify
malware families, suspicious patterns, and IOC matches.
## When to Use
- Proactively hunting for unknown malware variants across network shares, endpoints, and email attachments
- Scanning quarantine directories or sandbox outputs for malware family classification
- Searching process memory dumps for injected code or in-memory-only payloads
- Validating threat intelligence IOCs against a large corpus of collected samples
- Triaging incident response artifacts to identify known malware families quickly
- Building automated detection pipelines that scan new files on ingestion
**Do not use** for real-time endpoint protection (use EDR agents instead); YARA scanning is best suited for batch hunting, triage, and post-collection analysis where scan latency is acceptable.
## Prerequisites
- YARA 4.x installed (`apt install yara` on Debian/Ubuntu, `brew install yara` on macOS)
- Python 3.8+ with `yara-python` (`pip install yara-python`)
- `yarGen` for automated rule generation (`git clone https://github.com/Neo23x0/yarGen`)
- Sample malware corpus or suspicious files for scanning (from malware zoos, VT, or incident artifacts)
- Optional: `pefile` for PE header analysis, `malduck` for memory carving
- Threat intel YARA rule sets (e.g., YARA-Rules community repository, Florian Roth signature-base)
## Workflow
### Step 1: Install YARA and Python Bindings
```bash
# Linux
sudo apt update && sudo apt install -y yara
# Python bindings
pip install yara-python
# Verify installation
yara --version
python3 -c "import yara; print(yara.YARA_VERSION)"
```
### Step 2: Write a Basic YARA Rule
Create rules that match on strings, hex patterns, and file metadata:
```yara
// File: rules/emotet_loader.yar
rule Emotet_Loader_2026 {
meta:
author = "Threat Intel Team"
description = "Detects Emotet first-stage loader DLL"
date = "2026-01-20"
reference = "https://attack.mitre.org/software/S0367/"
mitre_attack = "T1059.001, T1055.001"
severity = "critical"
strings:
// Emotet export function name patterns
$export1 = "DllRegisterServer" ascii
$export2 = "RunDLL" ascii nocase
// Obfuscated string decryption routine
$decrypt_loop = { 8B 45 ?? 33 45 ?? 89 45 ?? 8B 4D ?? 03 4D ?? }
// PowerShell download cradle in embedded script
$ps_cradle = /powershell[^\n]{0,50}-e(nc|ncodedcommand)/i
// Known C2 URI patterns
$uri1 = "/wp-content/uploads/" ascii
$uri2 = "/wp-admin/css/" ascii
$uri3 = "/wp-includes/" ascii
// PE characteristics
$mz = "MZ" at 0
condition:
$mz and
filesize < 2MB and
(
($export1 and $decrypt_loop) or
($ps_cradle and any of ($uri*)) or
(2 of ($uri*) and $decrypt_loop)
)
}
```
### Step 3: Write Advanced Rules with Modules
Use YARA modules for PE header inspection and math-based entropy checks:
```yara
import "pe"
import "math"
rule Suspicious_Packed_Executable {
meta:
author = "Threat Hunting Team"
description = "Detects PE files with high entropy sections indicating packing or encryption"
severity = "medium"
condition:
pe.is_pe and
pe.number_of_sections > 0 and
for any section in pe.sections : (
math.entropy(section.offset, section.size) > 7.2 and
section.size > 1024
) and
pe.imports("kernel32.dll", "VirtualAlloc") and
pe.imports("kernel32.dll", "VirtualProtect")
}
rule Suspicious_UPX_Modified {
meta:
description = "Detects UPX-packed binaries with tampered section names"
severity = "medium"
strings:
$upx_magic = { 55 50 58 21 } // UPX!
condition:
pe.is_pe and
$upx_magic and
not (
pe.sections[0].name == "UPX0" and
pe.sections[1].name == "UPX1"
)
}
```
### Step 4: Scan Files and Directories with yara-python
```python
import yara
import os
import json
from datetime import datetime
from pathlib import Path
def compile_rules(rule_paths):
"""Compile YARA rules from one or more .yar files."""
rule_files = {}
for i, path in enumerate(rule_paths):
namespace = Path(path).stem
rule_files[namespace] = path
return yara.compile(filepaths=rule_files)
def scan_directory(rules, target_dir, recursive=True):
"""Scan a directory for matches and return structured results."""
results = []
scan_count = 0
error_count = 0
for root, dirs, files in os.walk(target_dir):
for filename in files:
filepath = os.path.join(root, filename)
scan_count += 1
try:
matches = rules.match(filepath, timeout=60)
if matches:
for match in matches:
result = {
"file": filepath,
"rule": match.rule,
"namespace": match.namespace,
"tags": match.tags,
"meta": match.meta,
"strings": [],
"scan_time": datetime.utcnow().isoformat()
}
for offset, identifier, data in match.strings:
result["strings"].append({
"offset": hex(offset),
"identifier": identifier,
"data": data.hex() if isinstance(data, bytes) else data
})
results.append(result)
print(f" MATCH: {match.rule} -> {filepath}")
except yara.TimeoutError:
error_count += 1
print(f" TIMEOUT scanning {filepath}")
except yara.Error as e:
error_count += 1
if not recursive:
break
print(f"\nScan complete: {scan_count} files scanned, "
f"{len(results)} matches, {error_count} errors")
return results
# Compile and scan
rules = compile_rules([
"rules/emotet_loader.yar",
"rules/suspicious_packed.yar"
])
matches = scan_directory(rules, "/mnt/evidence/collected_samples/")
# Export results
with open("yara_scan_results.json", "w") as f:
json.dump(matches, f, indent=2)
```
### Step 5: Scan Process Memory Dumps
Hunt for in-memory indicators that only exist in running processes:
```python
import yara
def scan_memory_dump(rules, dump_path):
"""Scan a process memory dump for YARA matches."""
matches = rules.match(dump_path, timeout=120)
for match in matches:
print(f"Rule: {match.rule}")
print(f" Severity: {match.meta.get('severity', 'unknown')}")
for offset, identifier, data in match.strings:
# Show context around the match
print(f" String {identifier} at offset {hex(offset)}")
if len(data) <= 64:
print(f" Data: {data.hex()}")
return matches
# Rules targeting in-memory artifacts
memory_rules = yara.compile(source="""
rule Cobalt_Strike_Beacon_Memory {
meta:
description = "Detects Cobalt Strike beacon in process memory"
severity = "critical"
strings:
$config_start = { 2E 2F 2E 2F 2E 2C }
$sleep_mask = { 48 8B 44 24 ?? 48 89 44 24 ?? 48 8B 44 24 }
$named_pipe = "\\\\\\\\.\\\\pipe\\\\msagent_" ascii
$watermark = { 00 00 00 00 00 00 ?? ?? 00 00 }
condition:
2 of them
}
""")
scan_memory_dump(memory_rules, "/mnt/evidence/lsass_dump.dmp")
```
### Step 6: Generate Rules Automatically with yarGen
Use yarGen to create rules from malware samples by extracting unique strings:
```bash
# Clone and set up yarGen
git clone https://github.com/Neo23x0Related in Security
mac-ops
IncludedComprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.
a11y-audit
IncludedRun accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).
erpclaw
IncludedAI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.
assess
IncludedAssesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.
spring-boot-security-jwt
IncludedProvides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.
code-hardcode-audit
IncludedDetect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.