====== Create a file on vulnerable Server ======

Count the sequences of printable characters with a minimum length of 7 bytes:

<code bash>
strings --bytes=7 sample.exe | wc -l
</code>

====== Rule to detect cmd.exe ======

offset.yar:

<code yara>
rule cmd_rule
{
    strings:
        $s = "cmd.exe /c \"%s\""
    condition:
        $s
}
</code>

Run the rule against the current directory; ''-s'' prints each matching string together with its offset:

<code bash>
sudo yara /home/student/Desktop/rules/offset.yar . -s
</code>

====== Rule to identify PE file type ======

pe.yar checks for the DOS header magic ''MZ'' at offset 0 and for the ''PE\0\0'' signature at the offset stored in the ''e_lfanew'' field at 0x3C:

<code yara>
rule IsPeFile
{
    strings:
        $mz = "MZ"
    condition:
        $mz at 0 and uint32(uint32(0x3C)) == 0x4550
}
</code>

====== Rule to detect malware in PE Files ======

===== Generate Rule from Strings =====

generate_rule.sh reads one string per line on stdin (for example the output of ''strings --bytes=7 sample.exe'') and writes one string definition per input line into malware.yar:

<code bash>
#!/bin/bash
# Generate a YARA rule from a list of strings read on stdin, one per line.
# Usage: strings --bytes=7 sample.exe | ./generate_rule.sh
out=/home/student/Desktop/rules/malware.yar
echo "rule mw_rule" > "$out"
echo "{" >> "$out"
echo "    strings:" >> "$out"
count=1
while IFS= read -r s; do
    p=${s//\\/\\\\}       # escape backslashes first, they are YARA escape characters
    p=${p//\"/\\\"}       # then escape double quotes
    echo "        \$s$count = \"$p\" fullword ascii" >> "$out"
    count=$((count+1))
done
echo "    condition:" >> "$out"
echo "        any of them and" >> "$out"
echo "        uint16(0) == 0x5A4D and" >> "$out"
echo "        uint32(uint32(0x3C)) == 0x4550" >> "$out"
echo "}" >> "$out"
</code>

===== Final Rule =====

malware.yar was generated by the script above but trimmed to the single relevant string, since ''any of them'' over every string in the binary would also match benign PE files:

<code yara>
rule mw_rule
{
    strings:
        $s176 = "cmd.exe /c \"%s\"" fullword ascii
    condition:
        $s176 and uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550
}
</code>

<code bash>
yara /home/student/Desktop/rules/malware.yar /home/student/Desktop/suspicious -s
</code>
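To make explicit what the final rule actually tests, here is an added Python equivalent of ''mw_rule'' (example code written for this page, not part of the original notes and not YARA itself). It evaluates the same three conditions: the ''MZ'' magic read as a little-endian ''uint16'' at offset 0, the ''PE\0\0'' signature read as a ''uint32'' at the ''e_lfanew'' offset stored at 0x3C, and a ''fullword ascii'' match of the ''cmd.exe'' string, which YARA only counts when the hit is not directly preceded or followed by an alphanumeric byte. The sample buffers are constructed stand-ins for a PE file, not real binaries.

```python
import struct

MZ_MAGIC = 0x5A4D          # "MZ" read as little-endian uint16 at offset 0
PE_SIGNATURE = 0x4550      # "PE\0\0" read as little-endian uint32 at e_lfanew
CMD_STRING = b'cmd.exe /c "%s"'   # the $s176 string from the final rule


def is_pe(data: bytes) -> bool:
    """Same test as the YARA condition
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550."""
    if len(data) < 0x40:                       # too short to even hold e_lfanew
        return False
    if struct.unpack_from("<H", data, 0)[0] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):               # out-of-range read: YARA's uint32() is undefined, no match
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == PE_SIGNATURE


def fullword_ascii_matches(data: bytes, pattern: bytes) -> list:
    """Offsets where `pattern` occurs as a YARA 'fullword ascii' string:
    an occurrence counts only if the byte before and the byte after
    are not alphanumeric (start/end of data also count as boundaries)."""
    offsets = []
    start = 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            break
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(pattern):i + len(pattern) + 1]
        if not (before.isalnum() or after.isalnum()):
            offsets.append(i)
        start = i + 1
    return offsets


def mw_rule(data: bytes) -> bool:
    """Python equivalent of the page's final rule mw_rule."""
    return bool(fullword_ascii_matches(data, CMD_STRING)) and is_pe(data)


def build_sample(payload: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew at 0x3C,
    the PE signature at e_lfanew, a little padding, then the payload bytes."""
    buf = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf += b"PE\x00\x00" + b"\x00" * 20 + payload
    return bytes(buf)


# Constructed samples (assumed inputs, not files from the original page)
SUSPICIOUS = build_sample(b"\x00" + CMD_STRING + b"\x00")   # PE with the string as a full word
CLEAN_PE = build_sample(b"\x00nothing to see here\x00")      # PE without the string
TEXT_ONLY = b"notes: " + CMD_STRING + b"\n"                  # string present, but not a PE
EMBEDDED = build_sample(b"x" + CMD_STRING + b"y")           # string glued to letters: not fullword


if __name__ == "__main__":
    for name, blob in [("suspicious", SUSPICIOUS), ("clean_pe", CLEAN_PE),
                       ("text_only", TEXT_ONLY), ("embedded", EMBEDDED)]:
        hits = fullword_ascii_matches(blob, CMD_STRING)
        print(f"{name:11s} is_pe={is_pe(blob)!s:5s} fullword_hits={hits} mw_rule={mw_rule(blob)}")
```

Only the first sample fires: the text file carries the string but fails the header check, the clean PE passes the header check but has no string, and the sample with the string wedged between letters is rejected by the ''fullword'' boundary rule exactly as YARA would reject it.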