Guide: YARA Detection for Sliced Strings

YARA shines as an invaluable tool. Yet, it lacks direct support for detecting split strings across different addresses in a binary file. This guide outlines an approach to overcome this limitation and design a YARA rule that improves the chance of detecting a specific split string.

Be aware, though, this method may not be perfect and could lead to false positives.

Take this YARA rule as your blueprint:

rule DetectSlicedBase64String 
        author = "YourName" 
        description = "Detects the split base64 encoded string Z2l0aHViLmNvbQ== ("

        $part1 = "Z2l0"
        $part2 = "aHVi"
        $part3 = "LmNv"
        $part4 = "bQ=="

        (2 of ($part1, $part2, $part3, $part4))

This rule triggers a match if any two out of four string segments appear in the file. Although this improves the likelihood of detecting the sliced string, it’s susceptible to false positives, since it neither ensures the presence of all parts nor checks their order. Still, within YARA’s current constraints for handling sliced strings, this remains one of the finest approximations.

Nonetheless, what if the binary file slices the string as “Z2l” then “0aHV” then “iL” and so forth? For detecting such variants, unfortunately, YARA doesn’t offer a failproof solution. Hence, finding the entire string, no matter its slicing, poses a significant challenge.

A suggestion might be to concatenate the slices:

condition: $part1 + $part2 + $part3 + $part4

Although an intriguing idea, this won’t reliably work with YARA’s string detection.

In scenarios where the string permutations continue to evolve, it’s advisable to explore alternative methods for file detection. Attackers can readily modify the string build or implement an XOR or a secondary base64 decoding call, rendering the YARA rule ineffective.

Another approach exploits YARA’s wildcard feature. Convert the string characters to ASCII, and then create an expression accommodating spaces of zero to five bytes in between. For instance, the string ‘abcd’ translates to ’61 62 63 64′ in hexadecimal. If the string can split and contain spaces up to five bytes, you can use the expression:

$str0 = { 61 [0-5] 62 [0-5] 63 [0-5] 64 }

Keep in mind, this strategy could yield false positives, especially with shorter strings. Also, the performance of your rules might take a hit. Yet, if detecting a split string is essential, this approach might offer some value. As always, consider your unique situation and weigh the trade-offs before implementing a solution.

Done reading? Continue with our list of 25 open source cyber security tools.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.