explaingit

yara-rules/rules

4,789 · YARA · Audience · researcher · Complexity · 3/5 · License · GPL v2 · Setup · moderate

TLDR

Community-maintained collection of YARA rules for identifying malware, malicious documents, exploit kits, packers, web shells, and CVE-linked threats. Requires YARA 3.0+ with PE module support.

Mindmap

mindmap
  root((yara-rules))
    Malware Detection
      Known malware families
      Cryptographic signatures
    Malicious Documents
      PDF exploits
      Office file threats
    Exploit Kits
      Browser attack frameworks
      Delivery mechanisms
    Evasion Techniques
      Anti-debug tricks
      Anti-VM methods
    Packers and Shells
      Software packers
      Web shells
    CVE Rules
      Vulnerability signatures
      Named CVE entries

Things people build with this

USE CASE 1

Scan files or directories for known malware families using prebuilt YARA rules

USE CASE 2

Detect malicious PDFs and Office documents before opening them

USE CASE 3

Identify exploit kit artifacts in network captures or disk images

USE CASE 4

Flag anti-analysis evasion techniques in suspicious binaries

Tech stack

YARA, PE module

Getting it running

Difficulty · moderate · Time to first run · 30 min

Requires YARA 3.0+ for PE module support. Distro packages may be outdated, so install from source or from a maintained package repository. Clone the repo and point yara at any rule file to start scanning.

GNU GPL version 2: open source, but any derivative work must also be released under GPL v2.

In plain English

This repository is a community-maintained collection of YARA rules for security researchers and malware analysts. YARA is a tool used in the security field to identify and classify files by matching them against patterns, so a YARA rule is essentially a description of what a suspicious or malicious file looks like. This project gathers many such rules in one place and tries to keep them organized and up to date.

The rules are grouped into categories based on what they detect. The malware category targets known malicious programs by name. The malicious documents category covers files like PDFs or Office documents that have been crafted to run malicious code when opened. The exploit kits category identifies specific attack frameworks that criminals use to deliver malware through browsers. Other categories cover anti-debugging and anti-virtual-machine tricks that malware uses to avoid analysis, software packers that hide malware inside legitimate-looking wrappers, web shells that attackers plant on compromised servers, and cryptographic algorithm signatures. There is also a section for rules tied to specific known software vulnerabilities identified by CVE numbers.

Using the rules requires YARA version 3.0 or newer, primarily because several rules rely on a module that parses Windows PE executable files, which was introduced in that version. Older Linux distribution packages may ship a version that is too old, so the README suggests installing from source or from a maintained package repository.

The project is open source under the GNU GPL version 2 license. Security researchers who want to contribute their own rules can submit a pull request or contact the project through its mailing list or Twitter account.
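The setup steps from "Getting it running" and the rule description above, as an added example script that is not part of the yara-rules/rules project: it compares the installed yara version against 3.0, compiles a minimal rule that imports the pe module to confirm the module is really available (the probe rule also shows the shape of a YARA rule: an import, a meta block and a condition), and then runs a recursive scan with whatever rule file and directory you pass in. The function names, the probe rule name and the argument layout are this example's own, not the project's.

```shell
#!/usr/bin/env bash
# Added example for the yara-rules/rules setup steps; not part of the project.
# Checks the yara version, probes the pe module, then scans a directory.

# version_ge A B: return 0 when dotted version A >= B (major.minor.patch).
# A suffix such as "-rc1" on a component is ignored; a missing component is 0.
version_ge() {
  local have="$1" want="$2" i=0 x y
  while [ "$i" -lt 3 ]; do
    x=${have%%.*}; have=${have#"$x"}; have=${have#.}
    y=${want%%.*}; want=${want#"$y"}; want=${want#.}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # keep leading digits only
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# write_pe_probe_rule FILE: write the smallest rule that needs the pe module.
# It compiles only on YARA 3.0+ built with pe support and matches any PE file
# (MZ magic plus at least one section). Rule name/meta are this example's own.
write_pe_probe_rule() {
  cat > "$1" <<'EOF'
import "pe"

rule pe_module_probe
{
  meta:
    description = "Compiles only when the pe module is available; matches any PE"
    author = "added example, not from yara-rules/rules"
  condition:
    uint16(0) == 0x5A4D and pe.number_of_sections > 0
}
EOF
}

# pe_module_ok: compile the probe rule and scan it against itself. A zero exit
# means the rule compiled, i.e. the pe module is present; a match is not needed.
pe_module_ok() {
  local rule status
  rule=$(mktemp) || return 1
  write_pe_probe_rule "$rule"
  if yara -w "$rule" "$rule" >/dev/null 2>&1; then status=0; else status=1; fi
  rm -f "$rule"
  return "$status"
}

# scan_dir RULES_FILE DIR: recursive scan; -s prints matched strings with
# offsets, -m prints each matching rule's meta block, -w suppresses warnings.
scan_dir() {
  yara -r -s -m -w "$1" "$2"
}

main() {
  local v
  if ! command -v yara >/dev/null 2>&1; then
    echo "yara not found; install 3.0+ from source or a maintained repo" >&2
    return 0
  fi
  v=$(yara --version)            # yara prints only the version, e.g. 4.5.0
  if ! version_ge "$v" 3.0.0; then
    echo "yara $v is too old; the PE-module rules need 3.0+" >&2
    return 1
  fi
  if ! pe_module_ok; then
    echo "yara $v was built without the pe module" >&2
    return 1
  fi
  echo "yara $v with pe module: ok"
  # Usage: ./check_and_scan.sh <rule file from the clone> <directory to scan>
  [ $# -eq 2 ] && scan_dir "$1" "$2"
  return 0
}

main "$@"
```

Run it with no arguments to get only the version and module check; with a rule file from the clone and a directory as the two arguments it performs the scan. The version comparison is done component by component rather than by string comparison so that 3.11 is correctly treated as newer than 3.9.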

Copy-paste prompts

Prompt 1
I have the yara-rules/rules repo cloned. Write a bash command to run all malware category rules against a directory of suspicious files using YARA 3.0+.
Prompt 2
Using the yara-rules/rules exploit kit rules, how do I scan a PCAP or extracted browser cache for known exploit kit signatures? Show me the yara command and flags I need.
Prompt 3
I want to contribute a new YARA rule for a malware family to yara-rules/rules. Show me the correct rule syntax with a PE module condition and metadata fields this project expects.
Prompt 4
Which rules in yara-rules/rules require the PE module, and how do I check if my installed YARA version supports it? Give me a test command.
Prompt 5
Help me write a YARA rule to detect a web shell that uses base64-encoded eval calls, following the style conventions used in the yara-rules/rules webshells category.

Verify against the repo before relying on details.