This repository contains the lab files for the Udemy class, Hidden Secrets of Files with YARA Part I. This class introduces YARA rule creation to the student, showing them how to use a variety of techniques to build rules and identify files of interest. With each lesson, students learn how to match different file types as well as how to employ the basic tools required to investigate files, e.g., hex editors, the command line, and so on. Additionally, investigative and hunting techniques and strategies are discussed within each lesson to help students match file detections to malicious or suspicious activity.
In the Part I version of the class, students learn to use YARA to match on around 100 different file types. This is done primarily via text strings and byte strings; regex is saved for a different class, primarily because it is the least efficient detection strategy.
In crafting rules, a student will leverage unique or rare strings for detection, as well as File Magic, the structure and format of files. Students will also employ built-in YARA keywords for both the strings section and the condition line. Lastly, students will employ modular, organized logic in the rules they craft to understand how rulesets can further and simplify detection.
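As an added illustration of the three building blocks named above (a file-magic check, rare strings, and built-in keywords in the condition), here is a small rule that flags PDF files carrying JavaScript action names. It is example code written for this README, not one of the course's lab rules, and the string and rule names are chosen for illustration only:

```yara
// Added example, not part of the course lab files.
// Identifies a PDF by its magic bytes and then looks for strings that
// are rare in ordinary documents but common in PDFs worth a closer look.
rule Example_PDF_With_JavaScript_Action
{
    meta:
        description = "PDF (by file magic) that contains JavaScript action keywords"
        author      = "added example, not from the course materials"

    strings:
        // File Magic: every PDF begins with "%PDF-" followed by the version.
        $magic = "%PDF-"

        // Rare / interesting strings: PDF dictionary keys that attach scripts
        // or auto-run an action when the document is opened.
        $js1  = "/JavaScript" ascii
        $js2  = "/JS"         ascii
        $open = "/OpenAction" ascii

    condition:
        // Built-in keywords: "at" pins the magic to offset 0, "filesize"
        // bounds the file, and "#" counts how many times a string occurs.
        // uint32be(0) == 0x25504446 ("%PDF") would be an equivalent magic check.
        $magic at 0 and
        filesize < 5MB and
        (#js1 > 0 or #js2 > 0) and
        $open
}
```

Run it with `yara -s Example_PDF_With_JavaScript_Action.yar <directory>`; the `-s` flag prints the matched strings and offsets, which is the same information you would confirm in a hex editor when triaging a hit.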
Passwords to access all archived files are found in the class curriculum for each assignment and lab. If one is not present or there are issues unarchiving the necessary files, please contact your instructor through the Udemy portal.