top of page

Using YARA For Adversary Simulation

  • Writer: Markus Vervier
    Markus Vervier
  • Mar 21
  • 4 min read

Updated: Mar 26

In today’s evolving threat landscape, ensuring that your security controls are both robust and responsive is paramount. At Persistent Security, we recognize that simply having security tools isn’t enough—these tools must be rigorously tested against simulated, real-world attack scenarios.


One of the key challenges in modern security is ensuring that detection is consistent across all areas of your environment. Whether it’s storage devices, network communications, or endpoint systems, your security controls must be capable of applying matching suspicious data effectively. To address this, we’ve developed reverseyara, a specialized tool that leverages YARA—a powerful framework used for pattern matching against known threat indicators. How reverseyara Works:


  1. Parsing YARA Rules: Our atomic parses a given YARA rule to extract the Indicators of Compromise (IOCs), such as specific strings or binary patterns.

  2. Generating IOCs: The extracted IOCs serve as a simulated signature of malicious behavior.

  3. Injecting IOCs: These IOCs are then written to disk or transmitted over various communication channels. This deliberate distribution mimics the spread of threat indicators in real-world scenarios, ensuring your detection mechanisms are tested in every possible environment.


The Motivation Behind Our Approach

Nemesis is designed to check the effectiveness of your detection mechanisms across multiple vectors. By simulating malicious behavior, Nemesis helps you verify if your Endpoint Detection and Response (EDR) systems and other security controls can successfully identify and react to potential threats.


Such simulations can be very complex, for example when they involve multiple TTPs that together form an attack chain. But that's not the only thing you can do. Often the task of securing your environment boils down to two things:


  • Detection and response

  • Working security controls


In a perfect world, the right set of security controls would save the day, theoretically! But as we all know, practice is different from theory. Complex IT environments will always have gaps, and sometimes security controls might not be practical to implement correctly. This is where detection and response come into play! If something bad happens, you want to know about it and do the right thing.


At the heart of our breach and attack simulation lies our concept of Atomics. These are lightweight payloads or scripts engineered to mimic the actions of a real attacker. Unlike conventional testing methods, Atomics allow you to simulate a variety of malicious actions without causing harm to your actual infrastructure. They execute controlled behaviors that can trigger security alerts, providing invaluable insight into the performance of your detection systems.


Turning YARA Rules on Their Head

Applying Yara is a powerful way to match signatures in data, but can we use it as a generator and why would we want to do that?


A simple example for such a file looks like this:

It matches the string "hello" in any file that the rule is applied to. Such rules can be much more complex.


Now let's take these matching strings and put them into a file we generate. This is more complex than it might appear since Yara supports wildcard byte patterns, conditions how often and where a signature should appear, and much more. We have to start somewhere, so focus for now on generating strings, transforming regexp patterns into matching strings and finding examples for wildcards.

reverseyara is a proof-of-concept tool designed to process YARA rule files to extract signatures and generate various output formats. It parses YARA rules, extracts strings (whether plain, byte, or regex), and converts them into binary data enriched with random padding. This allows the creation of minimal yet structurally (mostly) valid files such as PDFs, Windows executables, HTML, PowerShell scripts, or Batch scripts. Additionally, it can send these signatures over a network connection.


How It Works


  • Parsing YARA Rules:

    The tool uses the plyara parser to read YARA rule files. It extracts the strings and processes them based on their type (e.g., byte strings are converted into binary sequences).

  • Processing and Padding:

    To make the binary output less predictable, reverseyara adds random padding between extracted segments. This randomness is especially noticeable in generated executable or PDF formats.

  • File Generation:

    Based on the specified output extension (such as `.pdf`, `.exe`, `.html`, `.ps1`, or `.bat`), reverseyara creates a file with the corresponding minimal valid structure. If no file extension is recognized, it produces a raw file with just the concatenated strings.

  • Network Mode:

    Instead of saving to a file, reverseyara can send the generated signatures over a TCP connection when run in `net` mode.


Examples


Here are some examples how to create "malicious" files:

They match the rules they are based on:




In network mode, the tool connects to the specified host and port, transmitting the signatures with random padding:




Is this recreating exploits or real malware? Not really, unless your Yara rule file has the exact payloads defined. We also obviously cannot reverse matching hashes or anything like that. But things such as packer signatures, shellcode, C2 beacon traffic signatures, and many other things can be replicated. And all without running the real thing!

Testing Detection Across Multiple Channels

The primary goal of our breach and attack simulation is to ensure that every facet of your security architecture can identify and act upon malicious indicators. By generating and dispersing IOCs across different channels, Nemesis verifies that:


  • Security controls are effectively matching IOCs in both storage and network communications.

  • Detection systems are responsive and robust, capable of flagging even subtle or dispersed threats.

  • Your overall security posture is continuously validated against the latest tactics used by adversaries.


The technique shown here is simple but effective for generating all kinds of malicious signatures that Nemesis can create at any place where they should be detected. Examples include:


  • Local Files

  • Network traffic

  • Memory contents


By automatically measuring detection events, for example via the Defender XDR integration, we can show that threats are monitored correctly and in time.


Conclusion

Incorporating Nemesis into your security strategy means stepping up your game in breach and attack simulation. With our Atomics and innovative use of YARA rules, you gain a comprehensive toolset to challenge your security controls, validate your detection rules, and ultimately strengthen your organization’s defense mechanisms.


Download reverseyara from our GitHub-Repository: https://github.com/persistent-security/reverseyara/


Are you ready to take your security testing to the next level? Contact us today to learn how Nemesis can help you stay ahead of emerging threats.



Comments

Want to learn more about how Nemesis can help you?

Fill in the form and we will contact you shortly or you can always reach us out via: info@persistent-security.net

Fill in the form with any question you have, so we can get in contact.

bottom of page