401 Reading 31 - marsecguy/reading-notes-cyberops GitHub Wiki

YARA Rules

  1. What is the main goal of Threat Hunting and how is it different from traditional threat monitoring?

    • Threat hunting is a method of searching for malicious code that is already in your system or network. It is a proactive approach that seeks to find existing threats, rather than a passive approach, such as threat monitoring, which "listens" for potential threats coming in.
  2. What are the four types of YARA rules and what does each one of them use to identify and classify malicious software?

    • String-based rules look for strings known to appear in the malware.
    • File-metadata rules look for information within the metadata of the files.
    • Hash-based rules use cryptographic hashes to search for files that have been altered, possibly by injection of malware.
    • Network-based rules look at traffic data, such as searching for a piece of malware known to target specific ports.
  3. How are YARA rules similar to how Anti-Virus programs detect malicious software?

    • YARA and antivirus software both use pattern matching to try to detect malware.
    • They both search for viruses, trojans, worms, and other types of malware.
    • They both inspect files and their attributes in their search.
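As an added illustration of the rule types listed under question 2 (this is example code written for these notes, not taken from Archer or Geeks for Geeks), the following three YARA rules cover the string-based, file-metadata and hash-based approaches. Every string, threshold and hash value in them is a constructed placeholder, not a real indicator.

```yara
import "hash"
import "pe"

// String-based rule: matches on text or byte patterns known to appear in the malware.
// The strings below are constructed placeholders for illustration only.
rule Example_StringBased
{
    meta:
        description = "Constructed example: flags executables carrying suspicious command strings"
    strings:
        $cmd = "cmd.exe /c" ascii nocase
        $ps  = "powershell -enc" ascii nocase
    condition:
        uint16(0) == 0x5A4D and ($cmd or $ps)   // "MZ" header plus at least one string
}

// File-metadata rule: looks at file attributes (size, PE section count) rather than content.
// The thresholds are constructed placeholders, not tuned detection values.
rule Example_FileMetadata
{
    condition:
        uint16(0) == 0x5A4D and
        filesize < 200KB and
        pe.number_of_sections > 6
}

// Hash-based rule: compares the digest of the whole file to a known-bad value.
// Any change to a single byte of the file produces a different digest, so this
// only matches the exact sample the hash was taken from.
rule Example_HashBased
{
    condition:
        hash.md5(0, filesize) == "PLACEHOLDER_KNOWN_BAD_MD5"   // replace with a real lowercase MD5
}
```

Run the rules with `yara -r rules.yar <directory>`; the string and metadata rules can fire on new variants, while the hash rule only confirms an already-known file.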

Sources: Archer, Geeks for Geeks