YARA — Detection (defender)

OSS (BSD-3-Clause) · VirusTotal · VirusTotal/yara · Docs · Active-development successor: YARA-X (Rust rewrite, ISC) · Rule libraries: Yara-Rules, Neo23x0/signature-base

What YARA does

YARA matches files (or memory regions) against pattern rules — byte sequences, ASCII or UTF-16 strings, regex, and conditions that combine them. It’s used by endpoint tooling, file-upload scanners, and incident responders to identify known malware families, webshells, exploit payloads, and second-stage tooling.

In vulnerability management YARA is the defender’s mirror image of Nuclei. Where Nuclei probes a target to confirm the exploit works, YARA inspects files at rest to catch what an attacker would drop after exploiting the vulnerability — the dropped binary, the webshell, the payload encoded in an uploaded image. A YARA rule deployed to your endpoint or upload pipeline is evidence that you can detect exploitation activity, which supports an OpenVEX affected with workaround_available while a patch is being prepared.

YARA rules are detections, not component-level fixes, so the attestation is always OpenVEX.

Rule structure

Writing a detection rule

rule CVE_XXXX_XXXX_exploit_payload {
  meta:
    description = "Detects CVE-XXXX-XXXX exploit payload in uploaded files"
    cve         = "CVE-XXXX-XXXX"
    author      = "vuln-coordinator"
    date        = "2026-05-14"

  strings:
    $magic  = { 4D 5A }                      // PE header
    $marker = "CVE-XXXX-XXXX-exploit" ascii

  condition:
    $magic at 0 and $marker
}
rule CVE_XXXX_XXXX_webshell {
  meta:
    description = "Detects webshell variant used with CVE-XXXX-XXXX"
    cve         = "CVE-XXXX-XXXX"

  strings:
    $cmd = /eval\(base64_decode\(['"]/

  condition:
    $cmd
}

Testing the rule

OpenVEX outcome

See also