This article covers text patterns in YARA rules and the modifiers (nocase, wide, ascii, xor) that change which byte sequences a quoted string is matched against, with example rules for each form: case-insensitive matching, two-byte-per-character (UTF-16LE style) encodings, and strings obfuscated by XOR with a single-byte key. Affected Platform: YARA
Keypoints :
- Text patterns (quoted strings in the strings section) are the most common type of pattern in YARA rules.
- Modifiers appended after the string change how YARA derives the bytes it searches for.
- The nocase modifier makes the match case-insensitive, so "foobar" also matches "FooBar" and "FOOBAR".
- The wide modifier matches the string encoded with two bytes per character, i.e. each ASCII byte followed by 0x00 (UTF-16LE for ASCII text); wide on its own does not match the plain one-byte form.
- The ascii modifier selects the plain one-byte form; it is implied when no encoding modifier is given, so it only needs to be written next to wide when both forms should match.
- The xor modifier matches the string XORed with any single-byte key; bare xor is equivalent to xor(0x00-0xff), so the unobfuscated string (key 0x00) still matches. xor cannot be combined with nocase.
- Covering every XOR variant with a separate rule or string per key is possible but impractical; the xor modifier expresses the whole key set in one string.
- The key range can be narrowed, e.g. xor(0x01-0xff) to exclude the plaintext or xor(0x20) for a single key.
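A worked model of these modifiers, added here as an example (it is not code from the article and does not use YARA itself): a plain-Python re-implementation of the byte forms YARA derives from a text string under nocase, wide, ascii and xor, run over constructed sample buffers. Rule names, sample data and the `scan` helper are assumptions made for the demonstration; the YARA source string shows the equivalent syntax. It also surfaces a caveat worth knowing: because 0x20 is the ASCII case bit, a bare xor modifier on an alphabetic string matches its case-flipped form as key 0x20.

```python
"""Model of YARA text-pattern modifiers (nocase, wide, ascii, xor).

Added example, not code from the article: a plain-Python re-implementation
of how YARA derives the byte sequences it searches for from a text string
and its modifiers, run over constructed sample buffers.  Rule names and
sample data below are assumptions made for the demonstration.
"""

# YARA equivalents of the six modifier combinations modelled below
# (assumed rule names; the bodies show the modifier syntax discussed above).
YARA_SOURCE = r"""
rule PlainText      { strings: $a = "foobar"                condition: $a }
rule NoCase         { strings: $a = "foobar" nocase         condition: $a }
rule WideOnly       { strings: $a = "foobar" wide           condition: $a }
rule WideAndAscii   { strings: $a = "foobar" wide ascii     condition: $a }
rule XorAnyKey      { strings: $a = "foobar" xor            condition: $a }
rule XorNonZeroKey  { strings: $a = "foobar" xor(0x01-0xff) condition: $a }
"""

# Modifier sets matching the rules above, keyed by rule name.
RULES = {
    "PlainText":     {},
    "NoCase":        {"nocase": True},
    "WideOnly":      {"wide": True},
    "WideAndAscii":  {"wide": True, "ascii": True},
    "XorAnyKey":     {"xor": (0x00, 0xFF)},   # bare `xor` == xor(0x00-0xff)
    "XorNonZeroKey": {"xor": (0x01, 0xFF)},
}

PATTERN = "foobar"


def encoded_forms(pattern: bytes, wide: bool, ascii: bool) -> list:
    """Byte forms YARA searches for: the plain ASCII form and/or the 'wide'
    form (each byte followed by 0x00, i.e. UTF-16LE for ASCII text)."""
    forms = []
    if ascii:
        forms.append(("ascii", pattern))
    if wide:
        forms.append(("wide", b"".join(bytes([c, 0x00]) for c in pattern)))
    return forms


def scan(data: bytes, pattern: str, *, nocase=False, wide=False,
         ascii=None, xor=None) -> list:
    """Return every (offset, form, xor_key) at which `pattern` matches `data`
    under the given modifiers.  Mirrors YARA semantics: ascii is implied only
    when wide is absent; xor tries every single-byte key in the inclusive
    range; nocase and xor are mutually exclusive (YARA rejects the pair)."""
    if nocase and xor is not None:
        raise ValueError("YARA does not allow nocase together with xor")
    if ascii is None:
        ascii = not wide
    keys = [0] if xor is None else range(xor[0], xor[1] + 1)
    hits = []
    for form, needle in encoded_forms(pattern.encode("ascii"), wide, ascii):
        n = len(needle)
        for key in keys:
            xored = bytes(b ^ key for b in needle)
            for off in range(len(data) - n + 1):
                window = data[off:off + n]
                # bytes.lower() folds only ASCII letters, which is what nocase does
                same = window.lower() == xored.lower() if nocase else window == xored
                if same:
                    hits.append((off, form, key))
    return hits


# Constructed sample buffers (not taken from the article).
SAMPLES = {
    "plain":    b"\x00\x00foobar\n",
    "upper":    b"\x00\x00FOOBAR\n",
    "wide":     "foobar".encode("utf-16-le"),
    "xor_0x5a": b"\x90\x90" + bytes(b ^ 0x5A for b in b"foobar") + b"\x90",
}


def match_matrix() -> dict:
    """Which sample buffers each modelled rule would match."""
    return {
        rule: sorted(name for name, data in SAMPLES.items()
                     if scan(data, PATTERN, **mods))
        for rule, mods in RULES.items()
    }


if __name__ == "__main__":
    for rule, matched in match_matrix().items():
        print(f"{rule:14s} -> {', '.join(matched) or '(nothing)'}")
    # "foobar" ^ 0x20 == "FOOBAR", so the xor rules also hit the upper-case sample.
    print("upper under XorAnyKey:", scan(SAMPLES["upper"], PATTERN, xor=(0x00, 0xFF)))
```

Two results from the matrix are the ones that trip people up in practice: WideOnly misses the plain buffer entirely (add ascii if both encodings matter), and XorAnyKey still fires on the unobfuscated string because key 0x00 is in the default range, which is why xor(0x01-0xff) is the usual choice when the plaintext form already has its own string.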
MITRE Techniques :
- None. The article is a tutorial on YARA rule syntax and describes no adversary behaviour. TA0001, TA0002 and TA0003 are ATT&CK tactic identifiers (Initial Access, Execution, Persistence), not technique identifiers, and nothing in the article supports mapping it to them.
Indicator of Compromise :
- None. TextExample, CaseInsensitiveTextExample, WideCharTextExample1, XorExample1 and XorExample5 are the identifiers of the example YARA rules in the article, not file names or indicators of compromise.
Full Research: https://medium.com/@kaankaya9321/day-3-text-patterns-i-d5e219785250?source=rss——cybersecurity-5