100 Days of YARA is a challenge created by Greg Lesnewich. The goal is to write one YARA rule every day for 100 days in a row.
Each day, I will update this repo by:
- uploading one YARA rule
- updating this README to track my progression
My journey into malware analysis really started last year, focused mainly on static and dynamic analysis. I'm therefore a beginner at writing YARA rules and want to get better at it, both for my personal knowledge and for the professional value it has. My goal is to write quality YARA rules so I can contribute to the Unprotect.it project, which I find awesome. :)
Below, you will find the current state of my progression.
- Day 1: YARA rule for WannaCry detection. The sample I used is from the PMAT (Practical Malware Analysis & Triage) course. You can find it here.
- Day 2: YARA rule for process hollowing detection. This rule is based on the sub-technique T1055.012 (Process Injection: Process Hollowing) from MITRE ATT&CK.
- Day 3: YARA rule for detecting potential keylogging Windows malware. The rule is based on both the sub-technique T1056.001 (Input Capture: Keylogging) and the API information on MalAPI.io.
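To show the shape such rules take, here is an added illustration of the Day 2 and Day 3 ideas (API-combination rules for process hollowing and keylogging). These are not the rules committed in this repo; they are example rules written for this README, and the rule names, thresholds and the 5MB filesize cap are arbitrary choices. The Windows API names are the ones the techniques typically rely on (CreateProcess in a suspended state, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread for hollowing; SetWindowsHookEx, GetAsyncKeyState and the raw-input APIs for keylogging). Following the YARA performance guidelines, the cheap checks (MZ magic, filesize) come first in each condition.

```yara
import "pe"

// Example rules added to this README for illustration; not the Day 2 / Day 3 rules of the repo.
// Rule names, the filesize cap and the "at least N" thresholds are arbitrary assumptions.

rule SUSP_ProcessHollowing_API_Chain
{
    meta:
        description = "PE file that imports or embeds the API chain typically used for process hollowing"
        technique   = "T1055.012"
        reference   = "https://attack.mitre.org/techniques/T1055/012/"
    strings:
        // Many samples resolve these at runtime via GetProcAddress rather than importing
        // them statically, so the names are also checked as plain strings.
        $unmap1 = "NtUnmapViewOfSection" ascii
        $unmap2 = "ZwUnmapViewOfSection" ascii
        $ctx1   = "GetThreadContext" ascii
        $ctx2   = "SetThreadContext" ascii
        $wpm    = "WriteProcessMemory" ascii
        $resume = "ResumeThread" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        (
            // Statically imported chain: create a suspended process, unmap its image,
            // write a new one, fix up the thread context and resume it.
            (
                ( pe.imports("kernel32.dll", "CreateProcessA") or pe.imports("kernel32.dll", "CreateProcessW") ) and
                pe.imports("kernel32.dll", "WriteProcessMemory") and
                pe.imports("kernel32.dll", "SetThreadContext") and
                pe.imports("kernel32.dll", "ResumeThread") and
                ( pe.imports("ntdll.dll", "NtUnmapViewOfSection") or pe.imports("ntdll.dll", "ZwUnmapViewOfSection") )
            )
            or
            // Same chain present only as strings (dynamically resolved imports).
            ( 1 of ($unmap*) and 1 of ($ctx*) and $wpm and $resume )
        )
}

rule SUSP_Keylogging_API_Combo
{
    meta:
        description = "PE file combining keyboard-capture APIs with window-title enumeration, a common keylogger pattern"
        technique   = "T1056.001"
        reference   = "https://attack.mitre.org/techniques/T1056/001/"
    strings:
        // Hook-based capture (WH_KEYBOARD_LL hooks are installed with SetWindowsHookEx)
        $hook1 = "SetWindowsHookExA" ascii
        $hook2 = "SetWindowsHookExW" ascii
        // Polling-based capture
        $poll1 = "GetAsyncKeyState" ascii
        $poll2 = "GetKeyState" ascii
        $poll3 = "GetKeyboardState" ascii
        // Raw-input based capture
        $raw1  = "RegisterRawInputDevices" ascii
        $raw2  = "GetRawInputData" ascii
        // Keyloggers usually record which window the keystrokes went to
        $win1  = "GetForegroundWindow" ascii
        $win2  = "GetWindowTextA" ascii
        $win3  = "GetWindowTextW" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        ( 1 of ($hook*) or 1 of ($poll*) or all of ($raw*) ) and
        1 of ($win*)
}
```

Both rules are hunting rules rather than high-confidence detections: debuggers, accessibility tools, game launchers and some installers legitimately use the same API combinations, so expect false positives and test against a clean-software corpus before deploying. To see which strings fired on a sample, run `yara -s rules.yar sample.exe`.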
Here are all the resources I used during this challenge. I will try to update the list regularly.
- YARA's official documentation
- YARA Performance Guidelines by Florian Roth
- Thomas Roccia's Blog (SecurityBreak) - #100DaysOfYara challenge: https://blog.securitybreak.io/100daysofyara-challenge-04c966eab1ae
- MalAPI.io by mrd0x
- MITRE ATT&CK (for TTPs)