Detecting potential threats using YARA rules
To start using YARA, you can download the most recent version from https://github.com/VirusTotal/yara/releases:
- In this case, we will use YARA v4.2.0, which can be downloaded directly from here: https://github.com/VirusTotal/yara/releases/download/v4.2.0/yara-v4.2.0-1885-win64.zip.
- Once you have downloaded the tool, unzip the .zip file into a new directory called yara, as shown in the C:\Users\Investigator\Workspace\Tools\yara path.
Note
You can add this directory to the Windows environment variables (PATH) so that you do not have to specify the full path to YARA every time you run a search with yara.
Once you have downloaded YARA, you are ready to create your first detection rule.
Open VS Code, click on the File menu, and select New File.
Now, click again on the File menu and select Save As….
- When the dialog box appears, change the save path to the C:\Users\Investigator\Workspace\Labs\Chapter_13 directory. ...
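The setup steps above (download the release, unzip it into the tools directory, add that directory to PATH, save a first rule under the chapter lab directory, and run a scan) collected into one PowerShell script. This is an added example and is not code from the book: it assumes the release zip contains yara64.exe, as the official win64 builds do, and the rule it writes and the sample file it scans are constructed for the demonstration only.

```powershell
# Added example (not from the book): automate the YARA setup steps and run a first scan.
# Assumptions: the win64 release zip contains yara64.exe; the rule and the
# sample file below are constructed for illustration.
$ErrorActionPreference = 'Stop'

$toolsDir = 'C:\Users\Investigator\Workspace\Tools\yara'
$labDir   = 'C:\Users\Investigator\Workspace\Labs\Chapter_13'
$zipUrl   = 'https://github.com/VirusTotal/yara/releases/download/v4.2.0/yara-v4.2.0-1885-win64.zip'
$zipPath  = Join-Path $env:TEMP 'yara-v4.2.0-win64.zip'

# 1. Download the release and unzip it into the yara tools directory
New-Item -ItemType Directory -Force -Path $toolsDir, $labDir | Out-Null
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $toolsDir -Force

# 2. Add the directory to the user PATH (persisted) and to the current session,
#    so "yara64.exe" can be called without its full path
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if (($userPath -split ';') -notcontains $toolsDir) {
    [Environment]::SetEnvironmentVariable('Path', "$userPath;$toolsDir", 'User')
}
if (($env:Path -split ';') -notcontains $toolsDir) { $env:Path += ";$toolsDir" }

# 3. Write a first (constructed) rule into the chapter lab directory.
#    It shows the usual rule layout: meta, text and hex strings, and a condition
#    that combines string matches with a file-size bound.
$rulePath = Join-Path $labDir 'first_rule.yar'
@'
rule Chapter13_First_Rule
{
    meta:
        description = "Constructed lab rule: matches a marker string and a hex pattern"
        author      = "investigator"
    strings:
        $marker = "CHAPTER13-YARA-LAB-MARKER" ascii wide
        $hex    = { 4C 41 42 2D 48 45 58 }   // bytes of "LAB-HEX"
    condition:
        filesize < 1MB and ($marker or $hex)
}
'@ | Set-Content -Path $rulePath -Encoding ASCII

# 4. Create a constructed sample file that the rule should match, then scan the lab
#    directory recursively (-r) and print the matched strings (-s)
$samplePath = Join-Path $labDir 'sample.txt'
'benign text ... CHAPTER13-YARA-LAB-MARKER ... more text' | Set-Content -Path $samplePath -Encoding ASCII
& (Join-Path $toolsDir 'yara64.exe') -r -s $rulePath $labDir
```

On a match, yara64.exe prints one line per hit in the form "Chapter13_First_Rule C:\...\sample.txt", followed (because of -s) by the offset and content of each matched string; a non-zero exit code from yara64.exe indicates a rule compilation or scanning error rather than "no match", which is why the script keeps $ErrorActionPreference set to Stop.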