For this lab, you’ll want an Ubuntu 22.04 machine.
- I’ll connect to my machine using PuTTY for CLI access.
What is Yara? What are Yara Rules?
- Yara is a signature-based detection technology. (Key Sec+ Term)
- Yara can be very helpful in the CyberPatriot competition.
- YARA is a tool used for identifying and classifying malware based on specific patterns. It's like a "grep" for binaries, tailored for malware research. "YARA rules" are the definitions that describe these patterns. Each rule contains strings (patterns to search for) and a condition (when to consider it a match). By scanning files with these rules, analysts can quickly detect known threats or suspicious behaviors.
- YARA rules are widely integrated into many cybersecurity tools and platforms. Their precise pattern matching makes them ideal for malware detection. Many threat intelligence platforms, intrusion detection systems, and endpoint security solutions now support YARA rules. Additionally, digital forensics tools use YARA for memory analysis and artifact scanning. This broad adoption highlights YARA's significance in modern cybersecurity.
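To make the "strings plus a condition" structure concrete, here is a small YARA-style matcher written for this lesson. It is an added illustration, not YARA's own code or its full grammar: it parses a subset of the rule syntax (plain text strings, hex strings with `??` wildcards, and boolean conditions using `and`, `or`, `not`, parentheses, `any of them`, `all of them`), scans a byte buffer for each string, and then evaluates the condition. The rule `demo_marker` and the two sample buffers are constructed for the example; real scanning should use the yara binary we build later in the lab.

```python
"""Minimal YARA-style rule matcher (added illustration, not YARA itself).

Supported subset: rule <name> { strings: ... condition: ... } with text
strings, hex strings using '??' wildcards, and boolean conditions.
Not supported: meta:, modifiers (nocase, wide), counts/offsets (#a, @a).
"""
import re

_RULE_RE = re.compile(
    r"rule\s+(?P<name>\w+)\s*\{(?:\s*strings:\s*(?P<strings>.*?))?"
    r"\s*condition:\s*(?P<cond>.*?)\s*\}", re.S)
# $id = "text"   or   $id = { 4D 5A ?? 00 }
_STR_RE = re.compile(r'(\$\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|\{([^}]*)\})')
_TOK_RE = re.compile(r"any of them|all of them|\$\w+|[()]|\b(?:and|or|not)\b|\S+")


def _compile_string(text, hexstr):
    """Turn one strings: entry into a compiled bytes regex so we get offsets."""
    if text is not None:
        # Resolve escapes such as \x4d, \n; keep the result as raw bytes.
        raw = text.encode("utf-8").decode("unicode_escape").encode("latin-1")
        return re.compile(re.escape(raw), re.S)
    parts = []
    for tok in hexstr.split():
        if tok == "??":
            parts.append(b".")                      # one-byte wildcard
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad hex token {tok!r}")
    return re.compile(b"".join(parts), re.S)


def parse_rule(source):
    """Parse one rule into {"name", "strings": {id: regex}, "condition"}."""
    source = re.sub(r"//[^\n]*", "", source)        # drop // line comments
    m = _RULE_RE.search(source)
    if not m:
        raise ValueError("not a rule in the supported subset")
    strings = {}
    for sm in _STR_RE.finditer(m.group("strings") or ""):
        strings[sm.group(1)] = _compile_string(sm.group(2), sm.group(3))
    return {"name": m.group("name"), "strings": strings,
            "condition": " ".join(m.group("cond").split())}


def eval_condition(cond, hits):
    """Evaluate a condition over hits {id: [offsets]} with a tiny
    recursive-descent parser (no eval): or-expr > and-expr > not/parens/atoms."""
    toks, pos = _TOK_RE.findall(cond), 0

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of condition")
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def or_expr():
        v = and_expr()
        while peek() == "or":
            take()
            w = and_expr()          # always evaluated, so syntax errors surface
            v = v or w
        return v

    def and_expr():
        v = unary()
        while peek() == "and":
            take()
            w = unary()
            v = v and w
        return v

    def unary():
        t = take()
        if t == "not":
            return not unary()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        if t == "any of them":
            return any(bool(h) for h in hits.values())
        if t == "all of them":
            return all(bool(h) for h in hits.values())
        if t.startswith("$") and t in hits:
            return bool(hits[t])
        raise ValueError(f"unsupported or undefined token {t!r}")

    result = or_expr()
    if pos != len(toks):
        raise ValueError(f"trailing tokens: {toks[pos:]}")
    return result


def scan(rule, data):
    """Find every string's offsets in the buffer, then evaluate the condition."""
    hits = {sid: [m.start() for m in pat.finditer(data)]
            for sid, pat in rule["strings"].items()}
    return {"rule": rule["name"], "strings": hits,
            "matched": eval_condition(rule["condition"], hits)}


# Constructed demo rule: a DOS header plus either a wildcarded hex blob or a marker text.
DEMO_RULE = r"""
rule demo_marker
{
    strings:
        $mz   = { 4D 5A }             // "MZ" DOS header
        $hex  = { DE AD ?? BE EF }    // hex string with a one-byte wildcard
        $text = "demo-lab-marker"
    condition:
        $mz and ($hex or $text)
}
"""
# Constructed buffers standing in for files on disk.
SAMPLE_PE_LIKE = b"MZ\x90\x00\x03\x00" + b"\x00" * 10 + b"\xde\xad\x42\xbe\xef" + b" tail"
SAMPLE_TEXT = b"just a text file containing demo-lab-marker\n"

if __name__ == "__main__":
    rule = parse_rule(DEMO_RULE)
    for label, buf in (("pe-like", SAMPLE_PE_LIKE), ("text", SAMPLE_TEXT)):
        res = scan(rule, buf)
        print(f"{label:8s} matched={res['matched']} offsets={res['strings']}")
```

Running it shows the point of the two-part design: the text buffer contains the `$text` marker, yet the rule does not fire because the condition also requires the `$mz` header, while the PE-like buffer matches through the wildcarded hex string alone. Real YARA adds a much richer condition language (string counts, offsets, file size, module data), but every rule still reduces to this same strings-then-condition evaluation.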
We’ll learn to work with Yara directly using the CLI.
- Keep in mind that the rules and signature patterns we’ll learn about are integrated into many industry-standard malware detection and alerting tools. An understanding of this technology is key to getting started as a Tier 1 cybersecurity analyst.
Yara can be run on both Windows and Linux. Because we are going to use Linux this time, we’ll need to download the source code and compile it before we can run it.
Go to the Yara release page and download the most recent zip file. (At the time of this lesson, the most recent release is v4.3.2.)
- Right-click on the .zip file and copy the link address.
- We’ll use wget on Ubuntu to fetch this file.

On your Ubuntu machine, create a folder called yara and wget the .zip file.
mkdir yara
cd yara
wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.3.2.zip
When you type ls, you should see a single .zip file in your yara directory.

Unzip the file:
unzip <yara_zip_filename>