It's all about the structure! Creating YARA rules by clicking
#1
Quote:

Since we made our (extended) vt module available for LiveHunt YARA rules we understand it is not easy for analysts to keep in mind all the new potential possibilities - too many of them! Our goal is to make YARA rule creation as easy as possible while providing security experts everything they need to make even more powerful rules.

Our recently published new YARA editor, which incorporates full syntax coloring and auto-complete while you develop your rule, is a first step.

However, we wanted to go further. We already discussed how you can use predefined templates (additionally you can check our Threat Hunting with VirusTotal - Episode 4 for further examples and ideas), but in this post we want to focus on a terrific new feature when creating rules using the “Structure” of any given object (file, URL, domain or IP).

“Structure” provides the full JSON containing all details VirusTotal knows for any given indicator. For instance, you can paste a file hash and you will get full details about its behaviour and metadata. What is better, you can simply click on any field you are interested in, and it will automatically be included in a fresh new YARA rule in the editor - no need to remember how to get that particular field in the VT module anymore.

In case you are wondering, this also deals with all kinds of loops. If any of the selected fields needs to be iterated, the correct syntax will automatically be added to your rule. Let’s check the different object types.

Files

For a file object you will find two different branches in the resulting JSON - behaviour and metadata. The behaviour key is based on the sample execution in the sandbox. For example, you can create rules based on files written by the malware, files dropped, mutexes created, processes created, sigma results or ATT&CK MITRE results, among others.
...
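As an added illustration, not part of the quoted VirusTotal post, here is the kind of LiveHunt rule the “Structure” view produces when you click a scalar metadata field and two behaviour arrays. It shows the point the post makes about loops: a scalar such as `vt.metadata.new_file` is referenced directly, while array fields such as `vt.behaviour.files_dropped` (an array of structures with a `path` member) and `vt.behaviour.mutexes_created` (an array of strings) need a `for any ... : ( ... )` loop. The field names are taken from the vt module as I understand it and are assumptions here, not something the post lists; the mutex marker string is a constructed placeholder.

```yara
import "vt"

// Added example rule (not from the quoted post). Field names assume the
// VirusTotal vt module: vt.metadata.* and vt.behaviour.* as exposed to LiveHunt.
rule example_startup_drop_with_marker_mutex
{
  meta:
    description = "Illustration: new PE that drops a file into a Startup folder and creates a marker mutex"
    author = "added example, not VirusTotal's"

  condition:
    // Scalar fields: referenced directly, no loop required.
    vt.metadata.new_file and
    vt.metadata.file_type == vt.FileType.PE_EXE and

    // Array of structures: iterate, then test a member of each element.
    for any dropped in vt.behaviour.files_dropped : (
      dropped.path icontains "\\Start Menu\\Programs\\Startup\\"
    ) and

    // Array of strings: iterate over the strings themselves.
    // "EXAMPLE_MUTEX_MARKER" is a constructed placeholder, not a real IoC.
    for any mutex in vt.behaviour.mutexes_created : (
      mutex icontains "EXAMPLE_MUTEX_MARKER"
    )
}
```

The same `for any ... in <array> : ( ... )` shape applies to the other behaviour arrays the post mentions (processes created, sigma and ATT&CK results); the editor chooses between a direct reference and a loop based on whether the clicked JSON key sits inside an array.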

