Hi!
Our Symantec reports the latest threat. I would like to create a YARA rule to search for it in my backups. How can I create my own custom YARA rule? I have this information:
SHA256 file hash: bd0195d83580dde47e2ce077efb17680a48dd7370f1129aa7f84d4b8b5633136
Description: Trojanized utility, Cobalt Strike Beacon
File name(s): python311.dll
Last seen: 2024-05-14
I would like to check the backup files with a YARA rule which contains the hash and file name. Can anybody help me create my first YARA rule?
Thanks.
Re: Create YARA rule
Hi Adam,
As YARA is an open standard, I would advise following the official documentation on how to create a rule, which you can find here: https://yara.readthedocs.io/en/stable/writingrules.html
There is also a blog post on our page about this topic: https://www.veeam.com/blog/yara-rules-m ... lysis.html
As soon as the YARA rule is created, you can add it to your Veeam installation and scan your relevant instance backup.
The path by default is: C:\Program Files\Veeam\Backup and Replication\Backup\YaraRules
Thanks
Stefan Renner
Veeam PMA
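
A rule built from the details in the question, as an added example that is not part of the original thread and not Veeam's own code: it matches the reported SHA256 with YARA's `hash` module and records the file name in `meta`, because YARA conditions evaluate file content rather than file names. The rule name is hypothetical, and it assumes the YARA engine used for the scan includes the `hash` module.

```yara
import "hash"

// Hypothetical rule name; all meta values are taken from the question above.
rule Trojanized_python311_dll_CobaltStrike_Beacon
{
    meta:
        description = "Trojanized utility, Cobalt Strike Beacon (reported by Symantec)"
        file_name   = "python311.dll"
        last_seen   = "2024-05-14"
        sha256      = "bd0195d83580dde47e2ce077efb17680a48dd7370f1129aa7f84d4b8b5633136"

    condition:
        // Cheap check placed before the hash comparison: the file must start
        // with the PE "MZ" magic, as a DLL does.
        uint16(0) == 0x5A4D and
        // Exact match on the SHA256 of the whole file. hash.sha256() returns
        // a lowercase hex string, so the literal must be lowercase too.
        hash.sha256(0, filesize) == "bd0195d83580dde47e2ce077efb17680a48dd7370f1129aa7f84d4b8b5633136"
}
```

Saved as a rule file in the YaraRules folder given above, this finds only byte-identical copies of the reported file, whatever name they carry in the backup. A variant with even one changed byte has a different hash and will not match.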