
YARA Templates

Find by Name

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_name
{
meta:
description = "Find files by name."
condition:
// file_name is not a YARA builtin: it is an external variable that the scanning
// host supplies. With the standalone yara CLI it must be defined up front,
// e.g. -d file_name=some-name.exe, or the rule fails to compile.
// == is an exact, case-sensitive comparison: "Some-Name.exe" would not match.
file_name == "some-name.exe"
}

Find by Extension

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_extension
{
meta:
description = "Find files by extension."
condition:
// file_extension is an external variable supplied by the scanning host, not a
// YARA builtin (standalone yara needs -d file_extension=xyz).
// NOTE(review): whether the value carries a leading dot ("xyz" vs ".xyz") and
// whether it is lower-cased depends on the host -- confirm before relying on ==.
file_extension == "xyz"
}

Find by Content

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_content
{
meta:
description = "Find files containing specific strings."
strings:
// Match the literal in both 8-bit (ascii) and UTF-16LE (wide) form, ignoring case.
// Replace the placeholder with the text you are looking for.
$needle = "password" wide ascii nocase
condition:
// True as soon as the (single) string matches anywhere in the scanned data.
any of them
}

Find by Hash

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
// The hash module is not loaded by default; every rule using hash.* needs this import.
import "hash"
rule find_by_hash
{
meta:
description = "Find files by hash."
condition:
// hash.sha256(offset, size) hashes the given span of the scanned data; (0, filesize)
// covers the whole file. The result is a lowercase hex string, so the literal on
// the right must be lowercase too or the comparison can never be true.
// Hashing runs for every scanned file, which is expensive; the
// "Find by Hash with Size filter" template shows how to gate it on filesize.
hash.sha256(0, filesize) == "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}

Find by Size

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size
{
meta:
description = "Find files by size."
condition:
// filesize is the size of the scanned file in bytes. The KB/MB suffixes are
// binary multipliers (1KB = 1024, 1MB = 1024 * 1024), so this is < 1048576 bytes.
// For a process-memory scan filesize is the size of the scanned block, not a file.
filesize < 1MB
}

Find by Size range

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_by_size_range
{
meta:
description = "Find files in size range."
condition:
// Both bounds are exclusive: a file of exactly 100KB or exactly 500KB is rejected.
// KB is a binary multiplier (1KB = 1024 bytes).
filesize < 500KB and filesize > 100KB
}

Find by Location

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
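rule find_by_location
{
meta:
description = "Find files in specific location."
condition:
// file_path is an external variable supplied by the scanning host, not a YARA
// builtin (standalone yara needs e.g. -d file_path="C:\\Users\\u\\Downloads\\a.exe").
// Windows paths are case-insensitive, so the substring test uses icontains;
// plain `contains` silently misses "downloads" or "DOWNLOADS".
file_path icontains "Downloads"
or
// Exact, case-sensitive path match. Backslashes must be doubled inside YARA strings.
// (YARA 4.3+ also provides `iequals` for a case-insensitive exact comparison.)
file_path == "C:\\Windows\\Temp\\svchost.exe"
}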

Find PE (portable executable) files only

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule IsPE
{
meta:
description = "Identifies PE files only based on the header."
condition:
// uintN(offset) reads little-endian integers from the scanned data.
// 0x5A4D is the bytes "MZ" at offset 0 (the DOS header magic) and ...
uint16(0) == 0x5A4D and
// ... 0x00004550 is "PE\0\0", read at e_lfanew, the 32-bit offset stored at 0x3C.
// If either read falls outside the data (file shorter than 0x40 bytes, bogus
// e_lfanew) the read is undefined and the whole condition evaluates to false,
// so no explicit bounds check is needed here.
uint32(uint32(0x3C)) == 0x00004550
}

Find PKZIP files only

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
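rule IsZIP
{
meta:
description = "Identifies ZIP files only based on the header."
condition:
// Every PKZIP record starts with the two bytes "PK" (little-endian 0x4B50) ...
uint16(0) == 0x4B50 and
(
// ... followed by 03 04: local file header, the first record of a populated archive
// (the original check, uint32(0) == 0x04034B50, covered only this case),
uint16(2) == 0x0403 or
// 05 06: end-of-central-directory record; an empty archive consists of just this,
uint16(2) == 0x0605 or
// 07 08: spanned / split archive marker.
uint16(2) == 0x0807
)
}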

Find by Hash with Size filter

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
// To make YARA scans faster, it is good practice to put cheap filters before expensive checks.
// Here we assume the sample is known to be smaller than 1MB and we want to search for its hash.
// The hash module is not loaded by default; every rule using hash.* needs this import.
import "hash"
// NOTE: this rule has the same identifier as the plain "Find by Hash" template.
// YARA rejects duplicate rule names, so rename one if both go into a single ruleset.
rule find_by_hash
{
meta:
description = "Find files by hash."
condition:
// Order matters: `and` short-circuits, so the cheap filesize test runs first and
// the SHA-256 is only computed for files under 1MB (1MB = 1024 * 1024 bytes).
filesize < 1MB and
// hash.sha256 returns lowercase hex, so the literal must be lowercase as well.
hash.sha256(0, filesize) == "b6800c2ca4bfec26c8b8553beee774f4ebab741b1a48adcccce79f07062977be"
}

Find Process by Name

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_process_by_name
{
meta:
description = "Find process by name."
condition:
// process_name is an external variable supplied by the scanning host, not a
// YARA builtin (standalone yara needs -d process_name=audiodg.exe).
// == is exact and case-sensitive; "AudioDG.exe" would not match. Use icontains
// (as in the command-line template) when case or a full path may vary.
process_name == "audiodg.exe"
}

Find String in Memory

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string_in_memory
{
meta:
description = "Find process executables containing string."
strings:
// Matched in 8-bit (ascii) and UTF-16LE (wide) encodings, case-insensitively.
$marker = "keylogger started" wide ascii nocase
condition:
// The rule's only string; true when it occurs at least once in the scanned memory.
any of them
}

Find Process by Command line

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_process_by_cmdline
{
meta:
description = "Find string in process command lines."
condition:
// process_command_line is an external variable supplied by the scanning host,
// not a YARA builtin (standalone yara needs -d process_command_line="...").
// icontains is the case-insensitive form of contains, so "PowerShell.EXE" matches too.
// This is a substring test: any command line mentioning powershell.exe matches,
// including a process that merely passes it as an argument.
process_command_line icontains "powershell.exe"
}

Find Malware domain

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
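rule find_malware_domain
{
meta:
description = "Search malware domain in process memory."
strings:
// Search for the bare hostname rather than a full "http://..." URL: this also
// catches https:// URLs, DNS lookups and config blobs that carry the domain alone.
// Hostnames are case-insensitive, so nocase is required to avoid missing
// "Malware-Domain.com". Replace the placeholder with the real indicator.
$domain = "malware-domain.com" wide ascii nocase
condition:
$domain
}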

Find Byte pattern

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_byte_pattern
{
meta:
description = "Search byte pattern process memory."
strings:
// Hex string: an exact byte sequence (placeholder value). Hex strings also accept
// ?? wildcards for unknown bytes and [n-m] jumps for variable-length gaps.
$seq = { AA BB CC DD EE FF }
condition:
any of them
}

Find String

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_string
{
meta:
description = "Find containing string."
strings:
// Case-insensitive, in both 8-bit (ascii) and UTF-16LE (wide) encodings.
$marker = "keylogger started" wide ascii nocase
condition:
// True when the single string above occurs at least once.
any of them
}

Find Malware domain

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
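// NOTE: same identifier as the "Find Malware domain" template above; YARA rejects
// duplicate rule names, so rename one if both are compiled into a single ruleset.
rule find_malware_domain
{
meta:
description = "Search malware domain."
strings:
// Bare hostname instead of a full "http://..." URL, so https:// URLs, DNS lookups
// and config data carrying just the domain are matched as well.
// Hostnames are case-insensitive; nocase prevents missing "Malware-Domain.com".
$domain = "malware-domain.com" wide ascii nocase
condition:
$domain
}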

Find Byte pattern

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
// NOTE: same identifier as the earlier "Find Byte pattern" template; rename one of
// them if both are compiled into a single ruleset (YARA rejects duplicate rule names).
rule find_byte_pattern
{
meta:
description = "Search byte pattern process memory."
strings:
// Placeholder byte sequence. ?? wildcards and [n-m] jumps are allowed in hex strings.
$seq = { AA BB CC DD EE FF }
condition:
any of them
}

Find XOR pattern

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_xor_string
{
meta:
description = "Search xor string pattern."
strings:
// The xor modifier matches the literal encoded with every single-byte key
// 0x00..0xFF. Key 0x00 is the plaintext itself, so unobfuscated copies match too;
// xor(0x01-0xff) restricts the key range if only encoded copies are wanted.
// "This program cannot" is the start of the DOS stub text found in PE files.
$xored_banner = "This program cannot" xor
condition:
any of them
}

Find Base64 pattern

// Auto-Complete Support:
// Type modulename. followed by a CTRL + SPACE
// Yara documentation: https://yara.readthedocs.io/en/stable/writingrules.html
rule find_base64_string
{
meta:
description = "Search Base64 encoded string pattern."
strings:
// base64 matches the three possible Base64 alignments of the 8-bit text;
// base64wide does the same for its UTF-16LE form. ascii/wide keep the plain
// encodings in play as well. The base64 modifiers cannot be combined with
// nocase, xor or fullword, so the match is case-sensitive.
$tool_name = "Mimikatz" ascii wide base64 base64wide
condition:
any of them
}