https://github.com/VirusTotal/yara

Basics

yara myRule.yar /some/file
Run a YARA rule against a file: search the file for the patterns the rule defines.

Flags

-m
Prints metadata of the rules that were satisfied during the analysis.

-c
Prints the number of matches.

-s
Prints satisfied rules.

-n
Prints not satisfied rules.

Rules

Cheat Sheet: https://twitter.com/fr0gger_/status/1516570364775907328/photo/1

Keywords: and, not, or, >, >=, !=, any of them

Example:

rule myRule {
	/* Info */
	meta:
		author = "myAuthor"
		description = "myRule Description"
		created = "12/12/2012 12:12"

	/* Match one string */
	strings:
		$myString = "Hello myString"
	condition:
		$myString
}

/* A rule has only one strings section and one condition section,
   so the multi-string variant is a separate rule. */
rule myRuleMulti {
	/* Match multiple strings */
	strings:
		$myStringLow = "hello mystring"
		$myStringHigh = "HELLO MYSTRING"
	condition:
		any of them
}
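
The keywords listed above, combined in a single condition. This is an added example, not part of the original cheat sheet; the rule name, strings and thresholds are constructed for illustration.

```yara
/* Added example: every name and value below is constructed. */
rule keywordDemo {
	meta:
		description = "Constructed example combining and, or, not, >, >=, != and 'of'"

	strings:
		// nocase covers "hello mystring", "HELLO MYSTRING" and "Hello myString"
		// with one string instead of one string per casing
		$greeting = "hello mystring" nocase
		$marker1  = "myMarkerOne"
		$marker2  = "myMarkerTwo"
		// a string that should suppress the match when present
		$benign   = "myKnownGoodString"

	condition:
		// #greeting is the number of occurrences of $greeting in the file;
		// ($marker*) is the set of all strings whose name starts with $marker
		(#greeting >= 2 or any of ($marker*))
		and not $benign
		// ignore very small files
		and filesize > 16
		// first two bytes are not "MZ" (0x4D 0x5A, read little-endian),
		// i.e. the file is not a DOS/PE executable
		and uint16(0) != 0x5A4D
}
```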

Valhalla Rules Database: https://valhalla.nextron-systems.com/

YarGen

https://github.com/Neo23x0/yarGen

python3 yarGen.py --update
Update yarGen's local databases.

python3 yarGen.py -m mySuspiciousFile --excludegood -o myNewRule.yar
Create a Yara rule from mySuspiciousFile.

-m
Path to the files you want to generate rules for.

--excludegood
Force the exclusion of all goodware strings.

-o
Output Yara rule file.