Hunting with YARA

From Writing Rules to Hunting with Them

You can write precise YARA rules with sophisticated strings and airtight conditions. Now it is time to deploy them. Writing a rule is only half the job — the other half is knowing where to point it, how to optimize scanning performance, and how to interpret the results.

In a real SOC, you will scan everything from a single suspicious file to entire disk images seized during incident response. Each scan target has different characteristics, different performance considerations, and different operational contexts.

Click to enlarge

Scan Targets: What Can YARA Scan?

YARA is remarkably flexible in what it can scan. Every target is treated as a sequence of bytes — YARA does not care about file formats, operating systems, or encodings. If it is bytes, YARA can scan it.

Click to enlarge

Single File Scans

The simplest use case: scan one file with one or more rules.

yara rules.yar suspect.exe

When to use: Initial triage of a suspicious file. Someone reports a strange attachment, your email gateway quarantines a binary, or Velociraptor collects a file from an endpoint. You scan it immediately to see if it matches any known indicators.

Pro tip: Always use -s to see which strings matched:

yara -s rules.yar suspect.exe

This shows not just whether the file matches but exactly which patterns triggered and at what byte offsets — essential for understanding what makes this file suspicious.

Directory Scans (Recursive)

Scan every file in a directory and its subdirectories:

yara -r rules.yar /uploads/
yara -r rules.yar /var/www/
yara -r rules.yar /tmp/

The -r flag enables recursive scanning. Without it, YARA only scans files in the specified directory, not subdirectories.

When to use: Hunting for webshells in web directories, scanning upload folders for malicious content, checking temp directories for attacker tools, or sweeping a user's home directory after a compromise is confirmed.

Common scan targets during investigations:

Disk Image Scans

When you receive a forensic disk image (dd, E01, or raw format), mount it and scan:

# Mount the forensic image (read-only)
sudo mount -o ro,loop evidence.dd /mnt/evidence/

# Scan the mounted image
yara -r rules.yar /mnt/evidence/

When to use: Digital forensics and incident response. Law enforcement or your IR team provides a disk image from a seized or compromised system. You scan the entire filesystem to find every instance of known malware, attacker tools, and suspicious files without booting the compromised OS.

The advantage of scanning a mounted image over a live system is safety — the compromised OS is not running, so the attacker cannot detect your investigation, modify evidence, or trigger anti-forensics mechanisms.

Memory Dump Scans

YARA can scan raw memory dumps captured from running systems:

yara rules.yar memdump.raw
yara rules.yar process_memory.dmp

When to use: Detecting fileless malware, process injection, and packed/encrypted payloads that only exist in memory. A malware sample might be packed on disk (no recognizable strings) but unpacked in memory (all strings visible). YARA scanning the memory dump catches what disk scanning misses.

Memory dumps also capture:

• Decrypted C2 configurations
• Injected shellcode in legitimate process memory
• Unpacked malware after runtime deobfuscation
• Encryption keys that exist only in memory

Network Capture (Extracted Files)

Extract files from network captures (PCAP) and scan them:

# Extract files from PCAP using tshark or NetworkMiner
tshark -r capture.pcap --export-objects http,/extracted/

# Scan extracted files
yara -r rules.yar /extracted/

When to use: When you have network traffic captures and want to identify malicious files that were transferred. HTTP downloads, email attachments, SMB file transfers — any file that traversed the network can be extracted and scanned.

Live Process Memory (Linux)

On Linux, you can scan the memory of running processes:

# Scan all running process memory
sudo yara -r rules.yar /proc/*/

# Scan a specific process
sudo yara rules.yar /proc/1234/mem

When to use: When you suspect fileless malware or process injection on a live system. The attacker's code may exist only in the memory space of a legitimate process (like svchost.exe or apache2) with no file on disk to scan. Scanning /proc/ catches these in-memory threats.

Performance Optimization

When you move from scanning a single file to scanning thousands of files with hundreds of rules, performance becomes critical. A poorly optimized scan can take hours instead of minutes.

Parallel Scanning (-p)

yara -r -p 8 rules.yar /target/

The -p N flag uses N parallel threads. Set N to the number of CPU cores available. On an 8-core system, -p 8 provides near-linear speedup for directory scans.

Timeout (--timeout)

yara -r --timeout=60 rules.yar /target/

The --timeout=N flag skips files that take longer than N seconds to scan. Some files (highly compressed archives, files with patterns that trigger regex backtracking) can cause YARA to hang. A 60-second timeout prevents any single file from blocking the entire scan.

Compiled Rules

# Compile rules (one-time operation)
yarac all_rules.yar compiled_rules.yarc

# Use compiled rules (faster loading)
yara -r compiled_rules.yarc /target/

Compiling rules converts them from text format to a binary format that loads significantly faster. If you have 500+ rules, compiling them saves several seconds of parsing time on every scan invocation. Compile once, scan many times.

Performance Best Practices

Interpreting YARA Output

Understanding scan output is as important as writing the rules. YARA's output format varies based on the flags you use.

Default Output

$ yara malware_rules.yar /samples/
LockBit3_Ransomware /samples/ransom.exe
CobaltStrike_Beacon /samples/beacon.dll

Format: rule_name matched_file_path

With String Details (-s)

$ yara -s malware_rules.yar /samples/ransom.exe
LockBit3_Ransomware /samples/ransom.exe
0x1a3:$note1: your data are stolen and encrypted
0x2f1:$ext: .lockbit
0x445:$shadow: vssadmin delete shadows
0x89a:$mutex: Global\lockbit

Each matching string shows:

• Byte offset (0x1a3) — where in the file the string was found
• Variable name ($note1) — which string from the rule matched
• Matched content — the actual text that was found

Negated Output (-n)

yara -rn clean_file_rules.yar /uploads/

The -n flag shows files that do NOT match. This is useful for finding files that are not recognized by any of your rules — potential unknown threats.

Count Output (-c)

$ yara -rc malware_rules.yar /samples/
LockBit3_Ransomware /samples/: 3
CobaltStrike_Beacon /samples/: 1
Webshell_PHP /samples/: 7

Shows only the count of files matching each rule. Useful for getting a quick overview of a scan without detailed output.

Organizing Rules for Real Operations

In production, you will not run a single rule against a single file. You will maintain a library of hundreds of rules and need to organize them effectively.

Rule Files and Include Directives

// master_rules.yar
include "malware/ransomware.yar"
include "malware/trojans.yar"
include "webshells/php_shells.yar"
include "webshells/jsp_shells.yar"
include "tools/hacktool_indicators.yar"
include "apt/apt29.yar"
include "apt/apt28.yar"

Use include to compose a master rule file from categorized sub-files. This keeps individual rule files focused and manageable.

Tag Filtering (-t)

YARA rules can have tags:

rule Webshell_PHP : webshell php
{
    // ...
}

Scan for only rules with a specific tag:

yara -r -t webshell all_rules.yar /var/www/

This runs only rules tagged webshell, skipping malware, APT, and other rules. Tag filtering reduces scan time and keeps output focused.

CyberBlueSOC Rule Organization

CyberBlueSOC ships with 523+ YARA rules at /opt/yara-rules/, organized by category:

/opt/yara-rules/
├── malware/          # Commodity malware families
├── webshell/         # PHP, ASP, JSP web shells
├── cve_rules/        # Exploit and vulnerability indicators
├── packers/          # Packer and protector detection
├── email/            # Malicious email attachment patterns
├── crypto/           # Cryptocurrency miner indicators
├── apt/              # Advanced persistent threat rules
└── index.yar         # Master include file for all rules

You can scan with all rules at once:

yara -r /opt/yara-rules/index.yar /target/

Or scan with a specific category:

yara -r /opt/yara-rules/webshell/*.yar /var/www/

Real-World Scanning Workflow

Here is how an experienced analyst uses YARA during an incident:

Phase 1 — Quick triage. A single suspicious file arrives. Scan with all rules:

yara -s /opt/yara-rules/index.yar suspect_file.exe

Phase 2 — Scope assessment. The file matched a known ransomware family. Now scan the entire affected host for related indicators:

yara -r -p 4 --timeout=60 ransomware_rules.yar /mnt/affected_host/

Phase 3 — Fleet hunting. Deploy the rule across all endpoints using Velociraptor (covered in Lesson 7.5). Hunt at scale to determine if any other systems are infected.

Phase 4 — Retroactive analysis. Scan historical email quarantine, file upload archives, and network capture extractions to determine when the malware first entered the environment:

yara -r -p 8 ransomware_rules.yar /archive/email_quarantine/
yara -r -p 8 ransomware_rules.yar /archive/uploads/2026/

#!/bin/bash
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
yara -r -s -p 8 --timeout=60 "$1" "$2" | tee "scan_${TIMESTAMP}.log"
echo "Scan complete. Results in scan_${TIMESTAMP}.log"

./yara_scan.sh /opt/yara-rules/index.yar /var/www/

What's Next

You can now write rules, optimize conditions, and deploy scans at scale on individual systems. But what about scanning across your entire fleet — every endpoint in your organization? In Lesson 7.5, you will learn how to deploy YARA rules through Velociraptor to hunt across all connected endpoints simultaneously, turning a single rule into an enterprise-wide detection capability.