KnowBe4 PhishER uses rules with Yet Another Recursive/Ridiculous Acronym (YARA) logic to disposition and tag the messages that are forwarded to your PhishER Inbox. YARA is a tool used to identify and classify malware samples. You can write custom rules using YARA logic. For general information about creating rules in PhishER, see our How to Create and Manage PhishER Rules article.
All PhishER rules must follow Yet Another Recursive or Ridiculous Acronym (YARA) rule logic to disposition messages. We can use YARA rules to disposition messages based on included attachments, potential CEO fraud, and more.
This guide provides a list of common use cases for YARA rules. You can create these rules to use in your PhishER platform. For general information about writing YARA rules, see our How to Write YARA Rules article or YARA Rules video.
Table of Contents
Attachments Rule
rule Attachments
{
strings:
$Attachment = "X-Attachment-Id"
condition:
$Attachment
}
rule Attachments
{ strings: $doc = ".doc" $htm = ".htm" $exe = ".exe" $pdf = ".pdf" $excel = ".xlsx" $ics = ".ics" $png = ".png" $jpg = ".jpg" $gif = ".gif" condition: any of them }
Automated Software Emails Rule
rule Automated_SoftwareEmails { strings: $ = /(\n|\r)From:.{0,200}[Salesforce].{0,200}</ nocase $ = /(\n|\r)Subject:.{0,200}[Salesforce]/ nocase $ = /(\n|\r)From:.{0,200}[HubSpot].{0,200}</ nocase $ = /(\n|\r)Subject:.{0,200}[HubSpot]/ nocase condition: any of them }
CEO Fraud Rule
a YARA rule that identifies potential CEO fraud attempts,
rule CEO_Fraud
{
strings:
$FromEmail = /From:.{0,20}\<[[email protected]]\>/ nocase
$FromName = /From:.{0,20}[yourCEO].{0,20}<.{5,100}>/ nocase
$FromNameEmail = /From:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase
$Reply = /Reply-To:.{0,20}/ nocase
$ReplyEmail = /Reply-To:.{0,20}\<[[email protected]]\>/ nocase
$ReplyName = /Reply-To:.{0,20}[yourCEO].{0,20}\</ nocase
$ReplyNameEmail = /Reply-To:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase
condition:
($Reply and $FromNameEmail and not $ReplyNameEmail)
or ($Reply and not $FromNameEmail and $ReplyNameEmail)
or ($Reply and $FromEmail and not $ReplyEmail)
or ($Reply and not $FromEmail and $ReplyEmail)
or ($FromName and not $FromEmail)
or ($ReplyName and not $ReplyNameEmail)
}
If you use this rule, you’ll need to replace each instance of the [[email protected]] placeholder with your CEO’s email address. You’ll also need to replace each instance of the [yourCEO] placeholder with your CEO’s name.
Internal Sender Rule
a YARA rule that identifies any email coming from your domain that is not a spoofed email
rule InternalSender
{
strings:
$a = /from:.{0,60}@domain.com/ nocase
$b = /Return-Path:.{0,60}@domain.com/ nocase
$c = "header.from=domain.com"
$d = /Authentication-Results:.{0,20}spf=pass/ nocase
condition:
all of them
}
KnowBe4 Training Emails Rule
a YARA rule that detects all training notification emails from your KMSAT console
rule KnowBe4_TrainingEmails
{
strings:
$ = /Return-Path:.{0,50}psm.knowbe4.com>/ nocase
$ = /Received:.{0,50}(147.160.167.\d{1,3})/ nocase
$ = /Received:.{0,50}(23.21.109.197)/ nocase
$ = /Received:.{0,50}(23.21.109.212)/ nocase
$ = /Received:.{0,50}psm.knowbe4.com/ nocase
condition:
any of them
}
KnowBe4 Training Emails Rule
a YARA rule that detects if a value is not present in a selected PhishER target (click to view)
rule notPresent
{
strings:
$a = "KnowBe4" nocase
condition:
(not $a) and (filesize > 0)
}
To use this rule, you’ll need to include the special variable filesize in your rule’s condition. The filesize variable checks if the target you selected is empty. This process is helpful if you receive an email with a plain text body and an HTML body since one type of body could be empty but the other body could contain your string. Without the filesize variable, the email could falsely match your notPresent rule.
Most Common Regular Expressions Table
A regular expression, or regex, is a sequence of characters that is used to identify a pattern in text strings. To learn about regular expressions that are often used in YARA rules for PhishER, see the table below. For more information about regular expressions, see YARA’s Writing YARA rules documentation.
| Operators and Modifiers | Description |
| \n |
This regex is an escape sequence that looks for a new line. |
| . | This regex is a metacharacter that matches any character or symbol. |
| {n, m} |
This regex is a quantifier that looks for a range of matches between a number of characters represented by n and m. This regex is used to identify matching segments of a string. Note: You can use the {n,m} regex following any character. See the examples below:
|
| | | This regex is a metacharacter that indicates an alternation operator, similar to an OR operator. This regex looks for a match among multiple possible regular expressions. |
| * | This regex is a quantifier that looks for zero or more matches. |
| ? | This regex is a quantifier that looks for zero or one match. |
Escape Sequences
| Escape Sequence | Represents |
|---|---|
| \a | Bell (alert) |
| \b | Backspace |
| \f | Form feed |
| \n | New line |
| \r | Carriage return |
| \t | Horizontal tab |
| \v | Vertical tab |
| \’ | Single quotation mark |
| \” | Double quotation mark |
| \\ | Backslash |
| \? | Literal question mark |
| \ ooo | ASCII character in octal notation |
| \x hh | ASCII character in hexadecimal notation |
| \x hhhh | Unicode character in hexadecimal notation if this escape sequence is used in a wide-character constant or a Unicode string literal. For example, WCHAR f = L'\x4e00' or WCHAR b[] = L"The Chinese character for one is \x4e00". |
| Metacharacter | Description |
|---|---|
^ |
Matches the starting position within the string. In line-based tools, it matches the starting position of any line. |
. |
Matches any single character (many applications exclude newlines, and exactly which characters are considered newlines is flavor-, character-encoding-, and platform-specific, but it is safe to assume that the line feed character is included). Within POSIX bracket expressions, the dot character matches a literal dot. For example, a.c matches “abc”, etc., but [a.c] matches only “a”, “.”, or “c”. |
[ ] |
A bracket expression. Matches a single character that is contained within the brackets. For example, [abc] matches “a”, “b”, or “c”. [a-z] specifies a range which matches any lowercase letter from “a” to “z”. These forms can be mixed: [abcx-z] matches “a”, “b”, “c”, “x”, “y”, or “z”, as does [a-cx-z].
The |
[^ ] |
Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than “a”, “b”, or “c”. [^a-z] matches any single character that is not a lowercase letter from “a” to “z”. Likewise, literal characters and ranges can be mixed. |
$ |
Matches the ending position of the string or the position just before a string-ending newline. In line-based tools, it matches the ending position of any line. |
( ) |
Defines a marked subexpression. The string matched within the parentheses can be recalled later (see the next entry, \n). A marked subexpression is also called a block or capturing group. BRE mode requires \( \). |
\n |
Matches what the nth marked subexpression matched, where n is a digit from 1 to 9. This construct is vaguely defined in the POSIX.2 standard. Some tools allow referencing more than nine capturing groups. Also known as a backreference. backreferences are only supported in BRE mode |
* |
Matches the preceding element zero or more times. For example, ab*c matches “ac”, “abc”, “abbbc”, etc. [xyz]* matches “”, “x”, “y”, “z”, “zx”, “zyx”, “xyzzy”, and so on. (ab)* matches “”, “ab”, “abab”, “ababab”, and so on. |
{m,n} |
Matches the preceding element at least m and not more than n times. For example, a{3,5} matches only “aaa”, “aaaa”, and “aaaaa”. This is not found in a few older instances of regexes. BRE mode requires \{m,n\}. |
Examples:
.atmatches any three-character string ending with “at”, including “hat”, “cat”, “bat”, “4at”, “#at” and ” at” (starting with a space).[hc]atmatches “hat” and “cat”.[^b]atmatches all strings matched by.atexcept “bat”.[^hc]atmatches all strings matched by.atother than “hat” and “cat”.^[hc]atmatches “hat” and “cat”, but only at the beginning of the string or line.[hc]at$matches “hat” and “cat”, but only at the end of the string or line.\[.\]matches any single character surrounded by “[” and “]” since the brackets are escaped, for example: “[a]”, “[b]”, “[7]”, “[@]”, “[]]”, and “[ ]” (bracket space bracket).s.*matches s followed by zero or more characters, for example: “s”, “saw”, “seed”, “s3w96.7”, and “s6#h%(>>>m n mQ”.
POSIX extended[edit]
The meaning of metacharacters escaped with a backslash is reversed for some characters in the POSIX Extended Regular Expression (ERE) syntax. With this syntax, a backslash causes the metacharacter to be treated as a literal character. So, for example, \( \) is now ( ) and \{ \} is now { }. Additionally, support is removed for \n backreferences and the following metacharacters are added:
| Metacharacter | Description |
|---|---|
? |
Matches the preceding element zero or one time. For example, ab?c matches only “ac” or “abc”. |
+ |
Matches the preceding element one or more times. For example, ab+c matches “abc”, “abbc”, “abbbc”, and so on, but not “ac”. |
| |
The choice (also known as alternation or set union) operator matches either the expression before or the expression after the operator. For example, abc|def matches “abc” or “def”. |
Examples:
[hc]?atmatches “at”, “hat”, and “cat”.[hc]*atmatches “at”, “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on.[hc]+atmatches “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on, but not “at”.cat|dogmatches “cat” or “dog”.
