100 Days of YARA – Day 24: Run Keys

On By DanielIn 100 days of Yara, incident response, malware, persistence, windows

This is a simple YARA rule that matches samples that contain strings related to Windows registry run keys. Malware commonly employs these keys to achieve persistence on a victim host.

This rule can definitely be improved upon, as there are different registry paths that do the same sort of thing.

rule runkeys
{
	meta:
		description = "run key strings"

	strings:
		$ = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide ascii nocase

	condition:
		any of them
}

YARA Rules Index

One thought on “100 Days of YARA – Day 24: Run Keys

  1. Pingback: Week 03 – 2022 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s