Cyber Defenses Academy

Commanding YARA

Course Objectives

Through hands-on interactive labs, the student will learn:

  • File classification
  • YARA rule creation
  • Fuzzy (approximate) matching: wildcards, hex jumps and regular expressions
  • Rule organization and strategy

Target Student

Who should attend?

  • Individuals new to YARA, or wanting a better understanding of how to use it.
  • Professionals who deal with technical issues but feel they lack the background to use YARA successfully.
  • Technical professionals who need greater knowledge of incident response and threat intelligence, and of their role in resolving incidents.


CDI Academy
1205 Sam Bass Road, Suite 300
Round Rock, TX 78681
(512) 255-3700

Course Outline



YARA fundamentals

  • Lab 0 – YARA introduction
  • Strategies (direct, indirect, inverse)
  • Logic (Declarative, Connective, Cause & Effect)
  • Lab 1 – strings, hex & regex

File Magic

  • File types and file magic
  • Lab 2 – file magic (PE, PDF, Zip)

Structure and Format

  • Files and data organization
  • Lab 3 – Email (a & b)

Data and Content

  • Beginning-of-file (BOF) and end-of-file (EOF) markers
  • Lab 4 – BOF/EOF markers (PDF, JPG)

Structural Detection

  • Lab 5 – Detection by Format (PDF)

YARA Keywords

  • Keywords
  • Rule organization basics
  • Lab 6 – Keyword modifications (PE/malware)
  • Lab (a-c) – Hex Jumps & Regexes (PE/malware)

Global Rules & Organization

  • Lab 7 – Classifying Emails
  • Negative space (inverse matching)
  • Lab 7a – Inverse matching email
  • Detection strategy & logic (one more time)
  • Classifying Malware Families
  • Core identification
  • Lab 8 – Malware classification (core)

Variations and derivatives

  • Lab 9 – Malware Family Classification

YARA Online

  • Basics to using YARA integrations online
  • Lab 10 – YARA on AlienVault OTX
  • Lab 11 – Sandboxes


Tricks & Tips

Your Instructor

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents he teaches classes in Threat Intelligence, Incident Response and Digital Forensics.


Certification of Completion

Additional Information

YARA is a powerful, free and open-source sleuthing tool that belongs in the toolkit of every threat intelligence, incident response or SOC team. It runs on Windows, Linux and macOS and is small enough to be an easy addition to any trusted tool set. Its ability to sift through data and identify files by rule logic, not just exact byte comparison but also approximate matching with wildcards, hex jumps and regular expressions, makes YARA hard to beat. It can be used simply, for insight into an isolated event, or in a sophisticated manner as part of an incident response or research laboratory. Teams not using YARA are missing out on a key intelligence capability. Its ease of use and rapid deployment mean you can get started with YARA quickly, but that same ease can just as easily lead to missing its more sophisticated and powerful uses.
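The techniques the course outline lists (file magic at offset 0, beginning- and end-of-file markers, hex wildcards and jumps, regular expressions, and inverse or negative-space matching) can be seen working together in one small rule set. The following is an added example written for this page; it is not course material or CyberDefenses code, and every rule name, string and byte pattern in it is constructed for illustration rather than taken from a real malware family. The private rules act as reusable file-type classifiers that the public rules build on.

```yara
// Added example for this page, not course material or CyberDefenses code.
// All rule names, strings and byte patterns are constructed for illustration.

private rule is_pdf
{
    condition:
        // "%PDF" read as a little-endian uint32 at offset 0 (file magic)
        uint32(0) == 0x46445025
}

private rule is_pe
{
    condition:
        // "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset stored at 0x3C
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}

private rule is_zip
{
    condition:
        // "PK\x03\x04" local file header signature
        uint32(0) == 0x04034B50
}

rule pdf_with_javascript : pdf suspicious
{
    meta:
        description = "PDF that embeds JavaScript and an OpenAction trigger"
        author = "constructed example"
    strings:
        $js  = "/JavaScript" ascii
        $oa  = "/OpenAction" ascii
        $eof = "%%EOF" ascii
    condition:
        is_pdf and
        // EOF anchoring: the trailer marker must sit within the last 1 KiB
        filesize > 1024 and $eof in (filesize - 1024 .. filesize) and
        $js and $oa
}

rule pdf_missing_eof : pdf malformed
{
    meta:
        description = "Inverse match: PDF magic present but no %%EOF trailer anywhere"
    strings:
        $eof = "%%EOF" ascii
    condition:
        // negative space: classify by what is absent, not present
        is_pdf and not $eof
}

rule pe_api_resolver_stub : pe malware
{
    meta:
        description = "push/call sequence with a wildcarded immediate and a 4-8 byte jump"
    strings:
        // 6A ?? = push imm8 (any value); 68 = push imm32 whose operand is
        // covered by the [4-8] jump; E8 = call rel32; 85 C0 = test eax, eax
        $stub = { 6A ?? 68 [4-8] E8 ?? ?? ?? ?? 85 C0 }
        $ll   = "LoadLibraryA" ascii
        $gpa  = "GetProcAddress" ascii
    condition:
        is_pe and $stub and all of ($ll, $gpa)
}

rule zip_with_disguised_executable : zip phishing
{
    meta:
        description = "Zip member name with a double extension such as .pdf.exe"
    strings:
        // member filenames live in the local file headers; the regex tolerates any base name
        $dbl = /\.(pdf|doc|xls|jpg)\.(exe|scr|js|vbs)/ nocase
    condition:
        is_zip and $dbl
}

rule email_claims_pdf_but_not : email inverse
{
    meta:
        description = "Email naming a .pdf attachment whose body carries no base64 PDF magic"
    strings:
        $name   = /filename="?[^"\s]{1,80}\.pdf"?/ nocase
        // "JVBERi" is the base64 encoding of "%PDF-" when the encoded data
        // starts at a 3-byte boundary (assumed here for the attachment body)
        $b64pdf = "JVBERi" ascii
    condition:
        $name and not $b64pdf
}
```

Run it with `yara rules.yar <file>` against a sample; the private rules never appear in the output on their own, only through the public rules that reference them, which keeps the file-type logic in one place and the detection logic in another. `pdf_missing_eof` and `email_claims_pdf_but_not` are the inverse-matching cases: they fire on what the file should contain but does not.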