
YARA rules did not detect reverse TCP payload

Open Evacch opened this issue 3 years ago • 3 comments

I created a malicious file using Metasploit; however, YARA did not detect anything. I downloaded the YARA rules from the official GitHub repo and after that ran yara rules/index.yar malicious.bin and, to be specific, yara rules/malware/RAT_Meterpreter_Reverse_Tcp.yar malicious.bin; nothing was shown. Is there anything I missed here?

Evacch avatar Jun 24 '22 01:06 Evacch

Well, the first thing is to manually check that malicious.bin actually matches the rule. Can you paste the content of the rule here? I've searched for RAT_Meterpreter_Reverse_Tcp.yar on GitHub and found multiple repositories that contain that file, but in all of them it is an empty file.

plusvic avatar Jun 24 '22 12:06 plusvic

> Well, the first thing is to manually check that malicious.bin actually matches the rule. Can you paste the content of the rule here? I've searched for RAT_Meterpreter_Reverse_Tcp.yar on GitHub and found multiple repositories that contain that file, but in all of them it is an empty file.

I am using this rule from https://github.com/Yara-Rules/rules/blob/master/malware/RAT_Meterpreter_Reverse_Tcp.yar and it is not empty

Evacch avatar Jun 27 '22 01:06 Evacch

The rule is very straightforward; have you confirmed that malicious.bin contains those strings?

plusvic avatar Jun 27 '22 08:06 plusvic
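The manual check plusvic suggests, as an added example that is not part of the thread: pull the text and hex strings out of a simple YARA rule and report which of them are actually present in a sample, so the reader sees exactly which string keeps the rule from firing. The rule text and the two sample files below are constructed for illustration and are not the content of RAT_Meterpreter_Reverse_Tcp.yar or of any real payload.

```python
import re

# Constructed rule for illustration only; NOT the real RAT_Meterpreter_Reverse_Tcp.yar.
RULE_TEXT = r'''
rule Example_Reverse_Tcp_Strings
{
    strings:
        $s1 = "example_module.dll" ascii
        $s2 = "example_reverse_tcp" ascii
        $h1 = { 4D 5A 90 00 }
    condition:
        all of them
}
'''

# Constructed samples: one carrying every string, one missing $s2 (the
# situation where yara prints nothing and you want to know why).
SAMPLE_MATCH = b"MZ\x90\x00" + b"\x00" * 16 + b"example_module.dll\x00example_reverse_tcp\x00"
SAMPLE_MISS = b"MZ\x90\x00" + b"\x00" * 16 + b"example_module.dll\x00"


def parse_strings(rule_text):
    """Return {identifier: bytes} for the plain text and fixed hex strings in a rule.

    Wildcards, jumps, regexes and modifiers such as wide/nocase/xor are not
    handled; for those, rely on yara itself. This is enough to sanity-check
    a straightforward string-based rule like the one in the thread."""
    found = {}
    for m in re.finditer(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', rule_text):
        text = m.group(2).encode('utf-8').decode('unicode_escape')  # resolve \" and \\
        found[m.group(1)] = text.encode('latin-1')
    for m in re.finditer(r'(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}', rule_text):
        found[m.group(1)] = bytes.fromhex(m.group(2).strip())
    return found


def check_sample(rule_text, data):
    """Return (per-string hit map, rule-would-match) for 'all of them' / 'any of them' rules."""
    hits = {name: (pat in data) for name, pat in parse_strings(rule_text).items()}
    cond = re.search(r'condition:\s*(.+?)\s*\}', rule_text, re.S)
    agg = any if cond and cond.group(1).strip() == 'any of them' else all
    return hits, agg(hits.values())


if __name__ == "__main__":
    for label, data in (("match", SAMPLE_MATCH), ("miss", SAMPLE_MISS)):
        hits, ok = check_sample(RULE_TEXT, data)
        missing = [n for n, h in hits.items() if not h]
        print(f"{label}: rule matches={ok}, missing strings={missing}")
```

When a rule does fire, yara -s prints the matched strings and offsets; this script covers the opposite case, listing which individual strings are absent when yara stays silent.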