Commanding YARA

CyberDefenses Academy



Available Upon Request

Delivery Method

Classroom & Online


Certification of Completion

Audience / Level

Intro Threat Intelligence or Intro Reverse Engineering

Laptop required

Course Details

Program Introduction

YARA is a powerful and free sleuthing tool that belongs in every threat, incident response or SOC team. It runs on any platform, is open source and is small enough to be an easy inclusion in any trusted tool set. Its ability to sift through data and identify files based on logic (not just by simple comparison, but also via fuzzy logic) makes YARA pretty unbeatable. It can be used simply, for insight into an isolated event, or in a sophisticated manner as part of an incident response or research laboratory. Those not using YARA are missing out on a key intelligence capability. Its ease of use and rapid deployment mean you can get into YARA quickly, but you can just as easily miss the sophisticated and powerful ways to use it.

  • Employ detection fragment strategies for identification and classification of elements of a file
  • Identify files by signature and by structure and organization
  • Classify single files and groups of files
  • Employ logical structures to stack, cluster, and iterate through data in a file for detection or classification
  • Use negation and inverse detection tricks
  • Write condition-only detections
  • Use complex rules

Course Objectives

  • The course is designed for those with an interest in using YARA to classify, categorize, and detect files.
  • It conveys the concepts, principles and terms necessary to lay down a solid foundation.

Target Student

  • Individuals new to YARA or desiring a better understanding of it
  • Professionals who deal with technical issues but feel they do not have enough background to use YARA successfully
  • Technical professionals who need to be armed with greater knowledge of incident response, threat intelligence and their role in resolving incidents


Monty St John
Monty St John is a computer science and information security expert, U.S. Navy and U.S. Air Force veteran, certified instructor, and author of dozens of classes for CyberDefenses. He has helped numerous companies build and accredit laboratories, threat teams, and security operations centers. He is also a prolific writer with two technical volumes due in 2018, a game designer and a speaker.

Additional Information

  • Laptop required
  • Requires basic knowledge of computers, technology and the command line interface (CLI)
    • Open and operate browsers
    • Find and use the command line
    • Execute scripts
  • Requires knowledge of Linux
  • No prior knowledge of YARA required
  • Understanding of virtual machines (VMs) and how to use one
    • Understand how to import and power on a VM

Follow up this course with another one of CDI’s offerings:
  • Intro to Threat Intelligence
  • Introduction to Reverse Engineering
  • File Interrogation
  • Python for Threat Intelligence

Course Outline

  • Introduction
  • YARA fundamentals
    • Lab 0 – YARA introduction
    • Strategies (direct, indirect, inverse)
    • Logic (declarative, connective, cause & effect)
    • Lab 1 – strings, hex & regex
  • File Magic
    • File types and file magic
    • Lab 2 – file magic (PE, PDF, Zip)
  • Structure & Format
    • Files and data organization
    • Lab 3 – Email (a & b)
  • Data & Content
    • BOF & EOF
    • Lab 4 – B/EOF (PDF, JPG)
  • Structural Detection
    • Lab 5 – Detection by Format (PDF)
  • YARA Keywords
    • Keywords
    • Rule organization basics
    • Lab 6 – Keyword modifications (PE/malware)
    • Lab (a-c) – Hex Jumps & Regexes (PE/malware)
  • Global Rules & Organization
    • Lab 7 – Classifying Emails
    • Negative Space (inverse matching) topic
    • Lab 7a – Inverse matching email
    • Detection strategy & logic (one more time)
    • Classifying Malware Families
    • Core Identification
    • Lab 8 – Malware Classification (core)
  • Variations & Derivatives
    • Lab 9 – Malware Family Classification
  • YARA in Action
    • Lab 10-12 – Interrogate a file & use YARA to provide boilerplate for reporting.
    • Lab 13-16 – Dissect a file to understand its functions, composition, communication and protections.