Module 10: YARA — Malware Detection & Hunting
Write rules that find malware. Hunt across files, endpoints, and memory.
Tools: YARA, Velociraptor, CyberChef
6 Lessons, 6 Hands-on Labs
Operation Shadow Broker Thread
You'll write YARA rules to detect the malware the attacker dropped during Operation Shadow Broker.
Lessons & Labs

YARA Fundamentals: meta, strings, condition
Lab 10.1 — Your First YARA Rule: detect a malicious script with zero false positives.

String Patterns & Matching: wildcards, hex, case-insensitive matching
Lab 10.2 — Hex Pattern Hunting: decode a hex-encoded C2 indicator and write a YARA rule for it.

Conditions & Logic: Boolean operators, file size
Lab 10.3 — Webshell Detection: find 5 webshells in 500 files.

Hunting with YARA: scanning files and directories
Lab 10.4 — Ransomware Indicator Rule: analyze a ransomware sample and write a YARA rule for it.

YARA + Velociraptor: hunt across endpoints at scale
Lab 10.5 — Endpoint-Wide Hunt: run YARA through Velociraptor across all hosts.

Real-World YARA Rules: analysis of 523+ community rules
Lab 10.6 — Community Rules: pick 3 rules, explain them, and test them.