{"id":7055,"date":"2015-10-17T16:53:11","date_gmt":"2015-10-17T16:53:11","guid":{"rendered":"https:\/\/www.bsk-consulting.de\/?p=1343"},"modified":"2023-02-02T16:52:19","modified_gmt":"2023-02-02T15:52:19","slug":"how-to-write-simple-but-sound-yara-rules-part-2","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/","title":{"rendered":"How to Write Simple but Sound Yara Rules &#8211; Part 2"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; admin_label=&#8221;section&#8221; _builder_version=&#8221;4.16&#8243; da_disable_devices=&#8221;off|off|off&#8221; global_colors_info=&#8221;{}&#8221; da_is_popup=&#8221;off&#8221; da_exit_intent=&#8221;off&#8221; da_has_close=&#8221;on&#8221; da_alt_close=&#8221;off&#8221; da_dark_close=&#8221;off&#8221; da_not_modal=&#8221;on&#8221; da_is_singular=&#8221;off&#8221; da_with_loader=&#8221;off&#8221; da_has_shadow=&#8221;on&#8221;][et_pb_row admin_label=&#8221;row&#8221; _builder_version=&#8221;4.16&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.16&#8243; custom_padding=&#8221;|||&#8221; global_colors_info=&#8221;{}&#8221; custom_padding__hover=&#8221;|||&#8221;][et_pb_text admin_label=&#8221;Text&#8221; _builder_version=&#8221;4.19.5&#8243; background_size=&#8221;initial&#8221; background_position=&#8221;top_left&#8221; background_repeat=&#8221;repeat&#8221; hover_enabled=&#8221;0&#8243; global_colors_info=&#8221;{}&#8221; sticky_enabled=&#8221;0&#8243;]Months ago I wrote a blog article on &#8220;<a href=\"\/2015\/02\/16\/write-simple-sound-yara-rules\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to write simple but sound Yara rules<\/a>&#8220;. Since then the mentioned techniques and tools have improved. 
I&#8217;d like to give you a brief update on certain Yara features that I frequently use and on the tools I use to generate and test my rules.<\/p>\n<h2>Handle Very Specific Strings Differently<\/h2>\n<p>In the past I was glad to see very specific strings in samples and sometimes used such a string as the only indicator for detection. E.g. whenever I found a certain typo in the PE version info fields like &#8220;Micorsoft Corportation&#8221; I cheered and thought that this would make a great signature. But, and I have to admit that now, this only makes a nice signature. A great signature not only matches a certain sample in the most condensed way but also aims to match similar samples created by the same author or group, and a single typo that the author can fix in the next build does not guarantee that.<br \/>\nLook at the following rule:<\/p>\n<pre>rule Enfal_Malware_Backdoor {\n\tmeta:\n\t\tdescription = &quot;Generic Rule to detect the Enfal Malware&quot;\n\t\tauthor = &quot;Florian Roth&quot;\n\t\tdate = &quot;2015\/02\/10&quot;\n\t\tsuper_rule = 1\n\t\thash0 = &quot;6d484daba3927fc0744b1bbd7981a56ebef95790&quot;\n\t\thash1 = &quot;d4071272cc1bf944e3867db299b3f5dce126f82b&quot;\n\t\thash2 = &quot;6c7c8b804cc76e2c208c6e3b6453cb134d01fa41&quot;\n\t\tscore = 60\n\tstrings:\n\t\t\/\/ $x: very specific strings (typos), one of them is enough\n\t\t$x1 = &quot;Micorsoft Corportation&quot; fullword wide\n\t\t$x2 = &quot;IM Monnitor Service&quot; fullword wide\n\t\t\/\/ $a: specific strings that could also appear in goodware\n\t\t$a1 = &quot;imemonsvc.dll&quot; fullword wide\n\t\t$a2 = &quot;iphlpsvc.tmp&quot; fullword\n\t\t$a3 = &quot;{53A4988C-F91F-4054-9076-220AC5EC03F3}&quot; fullword\n\t\t\/\/ $s: common strings that only count in combination\n\t\t$s1 = &quot;urlmon&quot; fullword\n\t\t$s2 = &quot;Registered trademarks and service marks are the property of their&quot; wide\n\t\t$s3 = &quot;XpsUnregisterServer&quot; fullword\n\t\t$s4 = &quot;XpsRegisterServer&quot; fullword\n\tcondition:\n\t\tuint16(0) == 0x5A4D and\n\t\t(\n\t\t\t( 1 of ($x*) ) or\n\t\t\t( 2 of ($a*) and all of ($s*) )\n\t\t)\n}\n<\/pre>\n<p>What I do when I review the 20 strings generated by yarGen is to sort the 
extracted strings into three groups:<\/p>\n<ul>\n<li><strong>Very specific strings<\/strong> ($x; one of them is sufficient for detection, e.g. IP addresses, payload URLs, PDB paths, user profile directories)<\/li>\n<li><strong>Specific strings<\/strong> ($a; strings that look good but may appear in goodware as well, e.g. &#8220;wwwlib.dll&#8221;)<\/li>\n<li><strong>Other strings<\/strong> ($s; ordinary strings that also appear in goodware, e.g. &#8220;ModuleStart&#8221;; random garbage from compressed or encrypted data does not belong here, because it changes with every build)<\/li>\n<\/ul>\n<p>Then I create a condition that requires:<\/p>\n<ul>\n<li>a certain magic header (drop it for ASCII text like scripts or webshells)<\/li>\n<li>one of the very specific strings, OR<\/li>\n<li>some of the specific strings combined with many (but not all) of the common strings, so that the rule survives minor changes in the next sample<\/li>\n<\/ul>\n<p>Here is another example that has only very specific strings ($x) and common strings ($s):<\/p>\n<pre>rule Cobra_Trojan_Stage1 {\n\tmeta:\n\t\tdescription = &quot;Cobra Trojan - Stage 1&quot;\n\t\tauthor = &quot;Florian Roth&quot;\n\t\treference = &quot;https:\/\/blog.gdatasoftware.com\/blog\/article\/analysis-of-project-cobra.html&quot;\n\t\tdate = &quot;2015\/02\/18&quot;\n\t\thash = &quot;a28164de29e51f154be12d163ce5818fceb69233&quot;\n\tstrings:\n\t\t$x1 = &quot;KmSvc.DLL&quot; fullword wide\n\t\t$x2 = &quot;SVCHostServiceDll_W2K3.dll&quot; fullword ascii\n\t\t$s1 = &quot;Microsoft Corporation. 
All rights reserved.&quot; fullword wide\n\t\t$s2 = &quot;srservice&quot; fullword wide\n\t\t$s3 = &quot;Key Management Service&quot; fullword wide\n\t\t$s4 = &quot;msimghlp.dll&quot; fullword wide\n\t\t$s5 = &quot;_ServiceCtrlHandler@16&quot; fullword ascii\n\t\t$s6 = &quot;ModuleStart&quot; fullword ascii\n\t\t$s7 = &quot;ModuleStop&quot; fullword ascii\n\t\t$s8 = &quot;5.2.3790.3959 (srv03.sp2.070216-1710)&quot; fullword wide\n\tcondition:\n\t\tuint16(0) == 0x5A4D and filesize &lt; 50000 and 1 of ($x*) and 6 of ($s*)\n}\n<\/pre>\n<p>If you can&#8217;t create a rule that is sufficiently specific, I recommend the following methods to restrict the rule:<\/p>\n<ul>\n<li><strong>Magic Header<\/strong> (use it as the first element of the condition, see the performance guidelines, e.g. &#8220;uint16(0) == 0x5A4D&#8221;)<\/li>\n<li><strong>File Size<\/strong> (malware that mimics valid system files, drivers or legitimate software often differs significantly in size; try to find the valid files online and set a size range in your rule, e.g. &#8220;filesize &gt; 200KB and filesize &lt; 600KB&#8221;)<\/li>\n<li><strong>String Location<\/strong> (see the &#8220;Location is Everything&#8221; section)<\/li>\n<li><strong>Exclude strings<\/strong> that occur in false positives (e.g. $fp1 = &#8220;McAfeeSig&#8221;, combined with &#8220;and not $fp1&#8221; in the condition)<\/li>\n<\/ul>\n<h2>Location is Everything<\/h2>\n<p>One of the most underestimated features of Yara is the possibility to define a range in which a string must occur in order to match. I used this technique to create a rule that detects Metasploit Meterpreter payloads quite reliably even if they are encoded or cloaked. How does that work?<br \/>\nIf you see malware code hidden in an overlay at the end of a valid executable (e.g. 
&#8220;ab.exe&#8221;) and the only strings you see are typical function exports or strings that mimic a well-known executable, ask the following questions:<\/p>\n<ul>\n<li>Is it normal that these strings are located at this location in the file?<\/li>\n<li>Is it normal that these strings occur more than once in that file?<\/li>\n<li>Is the distance between two strings somehow specific?<\/li>\n<\/ul>\n<div id=\"attachment_1352\" style=\"width: 596px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1352\" src=\"\/wp-content\/uploads\/2015\/10\/Screen_strings.png\" alt=\"Malware Strings\" width=\"586\" height=\"580\" class=\"size-full wp-image-1352\" srcset=\"\/wp-content\/uploads\/2015\/10\/Screen_strings.png 586w, \/wp-content\/uploads\/2015\/10\/Screen_strings-480x475.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 586px, 100vw\" \/><p id=\"caption-attachment-1352\" class=\"wp-caption-text\">Malware Strings<\/p><\/div>\n<p>For unspecific malware code in a PE overlay, try a rule that requires a certain file size (e.g. filesize &gt; 800KB) and matches the malware strings relative to the end of the file (e.g. $s1 in (filesize-500..filesize)). A legitimate export name that shows up a second time in the last bytes of the file is suspicious even though the string itself is not.<br \/>\nThe following example shows a nondescript webshell containing strings that an attacker may modify in future versions deployed in a victim&#8217;s network. 
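<\/p>\n<p>To make the two location checks concrete, here is an added example in Python (my own code, not code from the original post, from yarGen or from Yara itself). It computes where the PE overlay begins from the section table, extracts ASCII and wide strings with their offsets, flags the strings that live in the overlay, and evaluates the two range conditions used on this page: a string that starts at or beyond the overlay offset, and a string that starts within the last 50 bytes as in $s1 in (filesize-50..filesize). The function names (pe_overlay_offset, extract_strings, overlay_strings, range_checks, build_sample_pe) are mine; the minimal PE and the two PHP snippets are constructed test inputs, not real samples, and only the export name XpsRegisterServer and the @eval(gzinflate(base64_decode( call are taken from the rules on this page.<\/p>\n

```python
"""Added example: locate strings in a PE overlay and in a file's tail, the two
range checks this post uses in YARA conditions. All inputs are constructed."""
import re
import struct
from typing import List, Optional, Tuple


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset where the overlay starts: the end of the last section's raw data.

    Parsed from the DOS/COFF headers and the section table directly, so the
    check works without YARA's pe module. Returns None for non-PE input or for
    a PE that carries no overlay.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff = e_lfanew + 4                                   # COFF file header
    if coff + 20 > len(data):
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # first section header
    end = 0
    for i in range(num_sections):
        hdr = table + i * 40                              # 40-byte section header
        if hdr + 40 > len(data):
            return None
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end if 0 < end < len(data) else None


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """(offset, 'A'|'W', text) for printable ASCII and UTF-16LE runs, the same
    information the strings -td / strings -el one-liner later in the post prints."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "W", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def overlay_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Strings located past the last section, i.e. in the overlay: the answer to
    'is it normal that these strings are located at this location?'"""
    start = pe_overlay_offset(data)
    if start is None:
        return []
    return [s for s in extract_strings(data) if s[0] >= start]


def range_checks(data: bytes, needle: bytes, tail: int = 50) -> dict:
    """Where `needle` occurs and which YARA range conditions it would satisfy.
    YARA's `$s in (a..b)` is true when a match *starts* at an offset in a..b."""
    offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
    size, overlay = len(data), pe_overlay_offset(data)
    return {
        "offsets": offsets,
        "count": len(offsets),                                     # '#s' in YARA
        "in_tail": any(o >= size - tail for o in offsets),         # $s in (filesize-tail..filesize)
        "in_overlay": overlay is not None and any(o >= overlay for o in offsets),
        "overlay_offset": overlay,
    }


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, COFF/optional headers, one .text
    section of 0x200 bytes at file offset 0x200, then `overlay` appended."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    size_opt = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)   # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)            # PE32 magic
    section = (b".text\x00\x00\x00"
               + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200)      # VSize, VAddr, RawSize, RawPtr
               + b"\x00" * 16)
    headers = (dos + b"PE\x00\x00" + coff + opt + section).ljust(0x200, b"\x00")
    text = b"XpsRegisterServer\x00".ljust(0x200, b"\x00")               # the legitimate copy
    return headers + text + overlay


# Constructed inputs: an overlay that repeats a legitimate export name and adds a
# wide service name, a tiny webshell-style PHP file, and a benign-looking PHP
# file in which the same call sits far away from the end of the file.
SAMPLE_PE = build_sample_pe(b"\x90" * 200 + b"XpsRegisterServer\x00\x00"
                            + "srservice".encode("utf-16-le") + b"\x00\x00")
WEBSHELL = b"<?php\n$code = 'AAAA';\n@eval(gzinflate(base64_decode($code)));\n?>\n"
BENIGN_PHP = b"<?php\n@eval(gzinflate(base64_decode($c)));\n" + b"function helper() { return 1; }\n" * 4

if __name__ == "__main__":
    for off, kind, text in extract_strings(SAMPLE_PE):
        print(f"{off:>8} {kind} {text}")
    print("overlay starts at", pe_overlay_offset(SAMPLE_PE))
    print("overlay strings:", overlay_strings(SAMPLE_PE))
    print("XpsRegisterServer:", range_checks(SAMPLE_PE, b"XpsRegisterServer"))
    print("webshell tail:", range_checks(WEBSHELL, b"@eval(gzinflate(base64_decode("))
    print("benign tail:", range_checks(BENIGN_PHP, b"@eval(gzinflate(base64_decode("))
```

<p>Run it as a script to print the report. The overlay_offset value is what you would otherwise have to approximate with a filesize-relative range, the second occurrence of a legitimate export name past that offset is exactly the kind of hit the three questions above are after, and the two PHP inputs show why the tail window separates the webshell from a file that merely contains the same call. 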
Always try to extract strings that are less likely to change.<\/p>\n<div id=\"attachment_1344\" style=\"width: 442px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1344\" class=\"size-full wp-image-1344\" src=\"\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-08.10.41.png\" alt=\"Webshell Code PHP\" width=\"432\" height=\"184\" \/><p id=\"caption-attachment-1344\" class=\"wp-caption-text\">Webshell Code PHP<\/p><\/div>\n<p>The variable name &#8220;$code&#8221; is more likely to change than the function combination &#8220;@eval(gzinflate(base64_decode(&#8221; at the end of the file. Valid PHP code may contain &#8220;eval(gzinflate(base64_decode(&#8221; somewhere, but it is much less likely to occur in the last 50 bytes of a file smaller than 20KB.<br \/>\nI therefore wrote the following rule:<\/p>\n<pre>rule Webshell_b374k_related_1 {\n\tmeta:\n\t\tdescription = &quot;Detects b374k related webshell&quot;\n\t\tauthor = &quot;Florian Roth&quot;\n\t\treference = &quot;https:\/\/goo.gl\/ZuzV2S&quot;\n\t\tscore = 65\n\t\thash = &quot;d5696b32d32177cf70eaaa5a28d1c5823526d87e20d3c62b747517c6d41656f7&quot;\n\t\tdate = &quot;2015-10-17&quot;\n\tstrings:\n\t\t$m1 = &quot;&lt;?php&quot;\n\t\t$s1 = &quot;@eval(gzinflate(base64_decode(&quot; ascii\n\tcondition:\n\t\t\/\/ PHP tag at offset 0, eval chain starting within the last 50 bytes, small file\n\t\t$m1 at 0 and $s1 in (filesize-50..filesize) and filesize &lt; 20KB\n}\n<\/pre>\n<p>Two things to keep in mind with this construct: &#8220;$m1 at 0&#8221; is strict, so a UTF-8 BOM or leading whitespace before &#8220;&lt;?php&#8221; prevents the match, and the range applies to the offset at which $s1 starts, so the window must be at least as wide as the string itself (30 bytes here).<\/p>\n<h2>Performance Guidelines<\/h2>\n<p>I collected many ideas by Wesley Shields and Victor M. Alvarez and composed a gist called &#8220;Yara Performance Guidelines&#8221;. 
This guide shows you how to write Yara rules that use fewer CPU cycles by avoiding CPU-intensive checks and by using the condition evaluation shortcuts introduced in Yara version 3.4.<br \/>\n<a href=\"https:\/\/gist.github.com\/Neo23x0\/e3d4e316d7441d9143c7\" target=\"_blank\" rel=\"noopener noreferrer\">Yara Performance Guidelines<\/a><\/p>\n<h2>PE Module<\/h2>\n<p>People sometimes ask why I don&#8217;t use the PE module. The reason is simple: I avoid using modules that are rather new and would like to see them thoroughly tested prior to using them in my scanners running in production environments. It is a great module and a lot of effort went into it. I would always recommend using the PE module in lab environments or sandboxes. In scanners that walk huge directory trees a minor memory leak in one of the modules could lead to severe memory shortages. I&#8217;ll give it another year to prove its stability and then start using it in my rules.<\/p>\n<h2>yarGen<\/h2>\n<p>yarGen has had an opcode feature since the last minor version. It is active by default but only useful in cases in which not enough strings could be extracted.<br \/>\nI currently use the following parameters to create my rules (-a sets the author, -r the reference, and --noop disables the opcode feature):<\/p>\n<pre>python yarGen.py --noop -z 0 -a \"Florian Roth\" -r \"http:\/\/link-to-sample\" \/mal\/malware\n<\/pre>\n<p>The problem with the opcode feature is that it requires about 2.5 GB more main memory during rule creation. I&#8217;ll change it to an optional parameter in the next version.<\/p>\n<h2>yarAnalyzer<\/h2>\n<p>yarAnalyzer is a rather new tool that focuses on rule coverage. 
After creating a bigger rule set or a generic rule that should match several samples, you want to check the coverage of your rules in order to spot overlapping rules (which is often fine) and gaps.<br \/>\nyarAnalyzer helps you to get an overview of:<\/p>\n<ul>\n<li>rules that match on more than one sample<\/li>\n<li>samples that show hits from more than one rule<\/li>\n<li>rules without hits<\/li>\n<li>samples without hits<\/li>\n<\/ul>\n<div id=\"attachment_1347\" style=\"width: 630px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1347\" src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/screen2.png\" alt=\"Yara Rule Analyzer\" width=\"620\" height=\"360\" class=\"size-large wp-image-1347\" srcset=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/screen2.png 620w, https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/screen2-480x279.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 620px, 100vw\" \/><p id=\"caption-attachment-1347\" class=\"wp-caption-text\">yarAnalyzer Screenshot<\/p><\/div>\n<p><a href=\"https:\/\/github.com\/Neo23x0\/yarAnalyzer\" target=\"_blank\" rel=\"noopener noreferrer\">yarAnalyzer Github Repository<\/a><\/p>\n<h2>String Extraction and Colorization<\/h2>\n<p>To review the strings in a sample I use a simple shell one-liner that a good friend sent me once.<br \/>\n&#8220;strings&#8221; version for Linux<\/p>\n<pre>#!\/bin\/bash\n# -a: scan the whole file, -td: print decimal offsets, -el: 16-bit little-endian (wide) strings\n# tag each line with A (ascii) or W (wide), then merge both lists by offset\n(strings -a -td \"$@\" | sed 's\/^\\(\\s*[0-9][0-9]*\\) \\(.*\\)$\/\\1 A \\2\/' ; strings -a -td -el \"$@\" | sed 's\/^\\(\\s*[0-9][0-9]*\\) \\(.*\\)$\/\\1 W \\2\/') | sort -n\n<\/pre>\n<p>&#8220;gstrings&#8221; version for OS X (sudo port install binutils)<\/p>\n<pre>#!\/bin\/bash\n# same as above with the GNU binutils and GNU sed from MacPorts\n(gstrings -a -td \"$@\" | gsed 's\/^\\(\\s*[0-9][0-9]*\\) \\(.*\\)$\/\\1 A \\2\/' ; gstrings -a -td -el \"$@\" | gsed 's\/^\\(\\s*[0-9][0-9]*\\) \\(.*\\)$\/\\1 W \\2\/') | sort 
-n\n<\/pre>\n<p>It produces output like the &#8220;Malware Strings&#8221; screenshot above (green text): the decimal offset, A for ascii or W for wide, and the string found at that offset.<br \/>\nFor colorized output, check my new tool &#8220;<a href=\"https:\/\/github.com\/Neo23x0\/prisma\" target=\"_blank\" rel=\"noopener noreferrer\">prisma<\/a>&#8221;, which colorizes arbitrary standard output.<\/p>\n<div id=\"attachment_1366\" style=\"width: 536px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1366\" src=\"\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-12.31.52.png\" alt=\"Prisma STDOUT colorization\" width=\"526\" height=\"598\" class=\"size-full wp-image-1366\" srcset=\"\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-12.31.52.png 526w, \/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-12.31.52-480x546.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) 526px, 100vw\" \/><p id=\"caption-attachment-1366\" class=\"wp-caption-text\">Prisma STDOUT colorization<\/p><\/div>\n<h2>Contact<\/h2>\n<p>Follow me on Twitter: <a href=\"https:\/\/twitter.com\/Cyb3rOps\" target=\"_blank\" rel=\"noopener noreferrer\">@Cyb3rOps<\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Months ago I wrote a blog article on &#8220;How to write simple but sound Yara rules&#8221;. Since then the mentioned techniques and tools have improved. I&#8217;d like to give you a brief update on certain Yara features that I frequently use and tools that I use to generate and test my rules. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1359,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[264,269,47],"tags":[90,517,13,187,518,124,519,520,502,62,55,101,48],"class_list":["post-7055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tool","category-tutorial","category-yara","tag-analysis","tag-better","tag-detection","tag-features","tag-improve","tag-malware","tag-overlay","tag-performance","tag-rule","tag-rules","tag-signature","tag-signatures","tag-yara"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Write Simple but Sound Yara Rules - Part 2 - Nextron Systems<\/title>\n<meta name=\"description\" content=\"A guide on how to write simple but sound Yara rules - Part 2\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"How to Write Simple but Sound Yara Rules &#8211; Part 2\",\"datePublished\":\"2015-10-17T16:53:11+00:00\",\"dateModified\":\"2023-02-02T15:52:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\"},\"wordCount\":1252,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-10.58.33.png\",\"keywords\":[\"analysis\",\"better\",\"detection\",\"features\",\"improve\",\"malware\",\"overlay\",\"performance\",\"rule\",\"Rules\",\"signature\",\"signatures\",\"YARA\"],\"articleSection\":[\"Tool\",\"Tutorial\",\"YARA\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\",\"name\":\"How to Write Simple but Sound Yara Rules - Part 2 - Nextron 
Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-10.58.33.png\",\"datePublished\":\"2015-10-17T16:53:11+00:00\",\"dateModified\":\"2023-02-02T15:52:19+00:00\",\"description\":\"A guide on how to write simple but sound Yara rules - Part 2\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/2015\/10\/17\/how-to-write-simple-but-sound-yara-rules-part-2\/#primaryimage\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-10.58.33.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2015\/10\/Screen-Shot-2015-10-17-at-10.58.33.png\",\"width\":709,\"height\":529,\"caption\":\"Yara Rule\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect 
Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. 
He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}