This room was released on day thirteen of the event and focuses on YARA rules used for detecting malicious behaviour.
Task 1 Introduction
Read some background information on why we are doing this.
Spin up the Virtual Machine.
Flag
There is no question or answer for this section.
Task 2 Yara Rules
Read about YARA rules. They are used to describe behaviours so that detection rules can be shared with other people.
Navigate to the /home/ubuntu/Downloads/easter directory to begin searching.
cd ~/Downloads/easter
Create a YARA rule to look for the keyword ‘TBFC:’.
nano TBFC_rule
rule TBFC_rule
{
    meta:
        author = "sleepyblinky"
        description = "Custom Rule for TBFC"
        date = "2025-12-29"
        confidence = "low"
    strings:
        $str = "TBFC:" ascii
    condition:
        all of them
}
Run the YARA rule.
yara TBFC_rule .
Flag
5
Adjust the rule to search for the ASCII characters that follow TBFC: by replacing the plain string assigned to $str under strings: with a regular expression.
Flag
/TBFC:[a-zA-Z0-9]+/
Run the updated YARA rule to find the message from McSkidy.
yara -s TBFC_rule .
The -s option prints each matching string together with its offset, under the name of the file it was found in. Order the matched fragments by file name to reconstruct the message.
Flag
Find me in HopSec Island
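The following Python script is an added example, not part of the room or of this walkthrough: it replays both rule variants (the plain "TBFC:" string and the /TBFC:[a-zA-Z0-9]+/ regex) with the re module over a constructed directory of sample files, prints hits in the offset:$str: form that yara -s uses, and orders the fragments by file name to recover the message. The egg*.txt names, their contents and the decoy file are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# The two rule variants from the walkthrough as byte regexes (YARA's "ascii"
# modifier means single-byte matching, which a bytes pattern reproduces).
RULES = {
    "plain": re.compile(rb"TBFC:"),              # $str = "TBFC:" ascii
    "regex": re.compile(rb"TBFC:[a-zA-Z0-9]+"),  # $str = /TBFC:[a-zA-Z0-9]+/
}

def natural_key(name):
    """Sort egg2 before egg10: split digit runs out and compare them as integers."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]

def scan_dir(directory, rule="regex"):
    """Scan every regular file; return (filename, offset, matched bytes) triples, like `yara -s`."""
    hits = []
    for path in Path(directory).iterdir():
        if path.is_file():
            data = path.read_bytes()
            for m in RULES[rule].finditer(data):
                hits.append((path.name, m.start(), m.group(0)))
    return hits

def matching_files(hits):
    """Distinct files with at least one hit: what `yara TBFC_rule .` lists, one line per file."""
    return sorted({name for name, _, _ in hits}, key=natural_key)

def assemble_message(hits):
    """Order the matches by file name and drop the 'TBFC:' tag to recover the hidden message."""
    ordered = sorted(hits, key=lambda h: natural_key(h[0]))
    return " ".join(h[2][len(b"TBFC:"):].decode("ascii") for h in ordered)

def make_sample_dir():
    """Constructed sample data (assumed, not the room's files): one word per file plus a decoy."""
    d = Path(tempfile.mkdtemp())
    for i, word in enumerate(["Find", "me", "in", "HopSec", "Island"], 1):
        (d / f"egg{i}.txt").write_bytes(b"\x89PNG junk\x00TBFC:" + word.encode() + b"\n more junk")
    (d / "decoy.txt").write_bytes(b"no tag in this one, only TB FC noise\n")
    return d

if __name__ == "__main__":
    sample = make_sample_dir()
    print("files matched by plain rule:", matching_files(scan_dir(sample, "plain")))
    for name, off, s in sorted(scan_dir(sample), key=lambda h: natural_key(h[0])):
        print(f"{name}  0x{off:x}:$str: {s.decode('ascii')}")
    print("message:", assemble_message(scan_dir(sample)))
```

The natural_key sort matters once a directory holds more than nine numbered files, since plain string ordering would place egg10 before egg2 and scramble the message.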
