KnowBe4 PhishER uses rules with Yet Another Recursive/Ridiculous Acronym (YARA) logic to disposition and tag the messages that are forwarded to your PhishER InboxYARA is a tool used to identify and classify malware samples. You can write custom rules using YARA logic. For general information about creating rules in PhishER, see our How to Create and Manage PhishER Rules article. 

All PhishER rules must follow Yet Another Recursive or Ridiculous Acronym (YARA) rule logic to disposition messages. We can use YARA rules to disposition messages based on included attachments, potential CEO fraud, and more. 

This guide provides a list of common use cases for YARA rules. You can create these rules to use in your PhishER platform. For general information about writing YARA rules, see our How to Write YARA Rules article or YARA Rules video.



Attachments Rule

detects if any type of attachment is included in an email
rule Attachments
{
  strings:
    $Attachment = "X-Attachment-Id"

  condition:
    $Attachment
}
a rule that detects specific attachment types
rule Attachments 
{ strings: $doc = ".doc" $htm = ".htm" $exe = ".exe" $pdf = ".pdf" $excel = ".xlsx" $ics = ".ics" $png = ".png" $jpg = ".jpg" $gif = ".gif" condition: any of them }

Automated Software Emails Rule

 a YARA rule that detects automated software emails,
rule Automated_SoftwareEmails
{
  strings:
    $ = /(\n|\r)From:.{0,200}[Salesforce].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[Salesforce]/ nocase

    $ = /(\n|\r)From:.{0,200}[HubSpot].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[HubSpot]/ nocase

  condition:
    any of them
}
For this rule to work, you’ll need to replace the text in brackets (?? with brackets?? ) with the name of a software application.

CEO Fraud Rule

 a YARA rule that identifies potential CEO fraud attempts, 

rule CEO_Fraud
{
  strings:
    $FromEmail        = /From:.{0,20}\<[[email protected]]\>/ nocase
    $FromName	        = /From:.{0,20}[yourCEO].{0,20}<.{5,100}>/ nocase
    $FromNameEmail    = /From:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase

    $Reply            = /Reply-To:.{0,20}/ nocase
    $ReplyEmail       = /Reply-To:.{0,20}\<[[email protected]]\>/ nocase
    $ReplyName	      = /Reply-To:.{0,20}[yourCEO].{0,20}\</ nocase
    $ReplyNameEmail   = /Reply-To:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase

  condition:
    ($Reply and $FromNameEmail and not $ReplyNameEmail)
    or ($Reply and not $FromNameEmail and $ReplyNameEmail)
    or ($Reply and $FromEmail and not $ReplyEmail)
    or ($Reply and not $FromEmail and $ReplyEmail)
    or ($FromName and not $FromEmail)
    or ($ReplyName and not $ReplyNameEmail)
}

If you use this rule, you’ll need to replace each instance of the [[email protected]] placeholder with your CEO’s email address. You’ll also need to replace each instance of the [yourCEO] placeholder with your CEO’s name.

Internal Sender Rule

a YARA rule that identifies any email coming from your domain that is not a spoofed email

rule InternalSender
{
  strings:
	$a = /from:.{0,60}@domain.com/ nocase
	$b = /Return-Path:.{0,60}@domain.com/ nocase
	$c = "header.from=domain.com"
	$d = /Authentication-Results:.{0,20}spf=pass/ nocase
	
  condition:
    all of them
}
Note: If you use this rule, the email will need a matching sender domain in the headers and will need to pass your Sender Policy Framework (SPF) checks. This rule will not tag emails sent from your domain that do not require or pass your SPF checks. If you would like to tag the types of emails mentioned, remove the $d string. You can also remove the $c string.

KnowBe4 Training Emails Rule

  a YARA rule that detects all training notification emails from your KMSAT console

rule KnowBe4_TrainingEmails
{
  strings:
  $ = /Return-Path:.{0,50}psm.knowbe4.com>/ nocase
  $ = /Received:.{0,50}(147.160.167.\d{1,3})/ nocase
  $ = /Received:.{0,50}(23.21.109.197)/ nocase
  $ = /Received:.{0,50}(23.21.109.212)/ nocase
  $ = /Received:.{0,50}psm.knowbe4.com/ nocase

  condition:
    any of them
}

KnowBe4 Training Emails Rule

 a YARA rule that detects if a value is not present in a selected PhishER target (click to view)

rule notPresent
{
  strings:
    $a = "KnowBe4" nocase

  condition:
    (not $a) and (filesize > 0)
}

To use this rule, you’ll need to include the special variable filesize in your rule’s condition. The filesize variable checks if the target you selected is empty. This process is helpful if you receive an email with a plain text body and an HTML body since one type of body could be empty but the other body could contain your string. Without the filesize variable, the email could falsely match your notPresent rule.

Most Common Regular Expressions Table

A regular expression, or regex, is a sequence of characters that is used to identify a pattern in text strings. To learn about regular expressions that are often used in YARA rules for PhishER, see the table below. For more information about regular expressions, see YARA’s Writing YARA rules documentation.

Operators and Modifiers Description
\n

This regex is an escape sequence that looks for a new line. 

. This regex is a metacharacter that matches any character or symbol.
{n, m}

This regex is a quantifier that looks for a range of matches between a number of characters represented by n and m. This regex is used to identify matching segments of a string.

Note: You can use the {n,m} regex following any character. See the examples below:

  • 9{2,3}: This regex will match 99 or 999.
  • .{2,3}: This regex will match any two-character or three-character string.
| This regex is a metacharacter that indicates an alternation operator, similar to an OR operator. This regex looks for a match among multiple possible regular expressions.
* This regex is a quantifier that looks for zero or more matches.
? This regex is a quantifier that looks for zero or one match.

Escape Sequences

Escape Sequence Represents
\a Bell (alert)
\b Backspace
\f Form feed
\n New line
\r Carriage return
\t Horizontal tab
\v Vertical tab
\’ Single quotation mark
\” Double quotation mark
\\ Backslash
\? Literal question mark
\ ooo ASCII character in octal notation
\x hh ASCII character in hexadecimal notation
\x hhhh Unicode character in hexadecimal notation if this escape sequence is used in a wide-character constant or a Unicode string literal.

For example, WCHAR f = L'\x4e00' or WCHAR b[] = L"The Chinese character for one is \x4e00".
Metacharacter Description
^ Matches the starting position within the string. In line-based tools, it matches the starting position of any line.
. Matches any single character (many applications exclude newlines, and exactly which characters are considered newlines is flavor-, character-encoding-, and platform-specific, but it is safe to assume that the line feed character is included). Within POSIX bracket expressions, the dot character matches a literal dot. For example, a.c matches “abc”, etc., but [a.c] matches only “a”, “.”, or “c”.
[ ] A bracket expression. Matches a single character that is contained within the brackets. For example, [abc] matches “a”, “b”, or “c”. [a-z] specifies a range which matches any lowercase letter from “a” to “z”. These forms can be mixed: [abcx-z] matches “a”, “b”, “c”, “x”, “y”, or “z”, as does [a-cx-z].

The - character is treated as a literal character if it is the last or the first (after the ^, if present) character within the brackets: [abc-][-abc]. Backslash escapes are not allowed. The ] character can be included in a bracket expression if it is the first (after the ^) character: []abc].

[^ ] Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than “a”, “b”, or “c”. [^a-z] matches any single character that is not a lowercase letter from “a” to “z”. Likewise, literal characters and ranges can be mixed.
$ Matches the ending position of the string or the position just before a string-ending newline. In line-based tools, it matches the ending position of any line.
( ) Defines a marked subexpression. The string matched within the parentheses can be recalled later (see the next entry, \n). A marked subexpression is also called a block or capturing group. BRE mode requires \( \).
\n Matches what the nth marked subexpression matched, where n is a digit from 1 to 9. This construct is vaguely defined in the POSIX.2 standard. Some tools allow referencing more than nine capturing groups. Also known as a backreference. backreferences are only supported in BRE mode
* Matches the preceding element zero or more times. For example, ab*c matches “ac”, “abc”, “abbbc”, etc. [xyz]* matches “”, “x”, “y”, “z”, “zx”, “zyx”, “xyzzy”, and so on. (ab)* matches “”, “ab”, “abab”, “ababab”, and so on.
{m,n} Matches the preceding element at least m and not more than n times. For example, a{3,5} matches only “aaa”, “aaaa”, and “aaaaa”. This is not found in a few older instances of regexes. BRE mode requires \{m,n\}.

Examples:

  • .at matches any three-character string ending with “at”, including “hat”, “cat”, “bat”, “4at”, “#at” and ” at” (starting with a space).
  • [hc]at matches “hat” and “cat”.
  • [^b]at matches all strings matched by .at except “bat”.
  • [^hc]at matches all strings matched by .at other than “hat” and “cat”.
  • ^[hc]at matches “hat” and “cat”, but only at the beginning of the string or line.
  • [hc]at$ matches “hat” and “cat”, but only at the end of the string or line.
  • \[.\] matches any single character surrounded by “[” and “]” since the brackets are escaped, for example: “[a]”, “[b]”, “[7]”, “[@]”, “[]]”, and “[ ]” (bracket space bracket).
  • s.* matches s followed by zero or more characters, for example: “s”, “saw”, “seed”, “s3w96.7”, and “s6#h%(>>>m n mQ”.

POSIX extended[edit]

The meaning of metacharacters escaped with a backslash is reversed for some characters in the POSIX Extended Regular Expression (ERE) syntax. With this syntax, a backslash causes the metacharacter to be treated as a literal character. So, for example, \( \) is now ( ) and \{ \} is now { }. Additionally, support is removed for \n backreferences and the following metacharacters are added:

Metacharacter Description
? Matches the preceding element zero or one time. For example, ab?c matches only “ac” or “abc”.
+ Matches the preceding element one or more times. For example, ab+c matches “abc”, “abbc”, “abbbc”, and so on, but not “ac”.
| The choice (also known as alternation or set union) operator matches either the expression before or the expression after the operator. For example, abc|def matches “abc” or “def”.

Examples:

  • [hc]?at matches “at”, “hat”, and “cat”.
  • [hc]*at matches “at”, “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on.
  • [hc]+at matches “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on, but not “at”.
  • cat|dog matches “cat” or “dog”.

By netsec

Leave a Reply