This article explains how to use YARA in ATTK for Linux.
To use YARA in ATTK for Linux:
- Prepare your own YARA Rule and rename it to "hcyara.ptext.ptn".
- Place the file in the Pattern folder.
- Run ATTK for Linux.
- Consider the Scan Type to use when hunting files using YARA. Take note of the Scan Profiles for ATTK for Linux on this page.
- Start the scan.
The results should be displayed, and the files should be marked as Suspicious.
- To confirm that the Suspicious Detections are from your YARA Rule, you can verify the information in detectreport.xml from the ATTK Logs. From there, the YARA Rule name should be the one shown in <Detection>.
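To automate the check in the last step, the following added example (not part of the original article or of ATTK) collects the rule names declared in your rule file and reports which `<Detection>` entries in the report match them. The report layout is an assumption: only the `<Detection>` element is named in the article, and the sample rule file and report below are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Rule declarations at the start of a line; "// rule ..." comment lines do not match.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)

# Constructed sample rule file (the content you would save as hcyara.ptext.ptn).
SAMPLE_RULES = """
rule Hunt_Constructed_Marker
{
    strings:
        $a = "constructed-marker-string"
    condition:
        $a
}
// rule Disabled_Rule { condition: false }
private rule Helper_ELF { condition: uint32(0) == 0x464c457f }
"""

# Constructed report: only the <Detection> element name comes from the article;
# the <Report>/<File> wrapper and the path attribute are assumptions.
SAMPLE_REPORT = """<Report>
  <File path="/tmp/sample1"><Detection>Hunt_Constructed_Marker</Detection></File>
  <File path="/tmp/sample2"><Detection>SOME_OTHER_PATTERN</Detection></File>
</Report>"""

def rule_names(yara_text):
    """Return the set of rule names declared in a YARA source file."""
    return set(RULE_DECL.findall(yara_text))

def classify_detections(report_xml, names):
    """Split <Detection> entries into those naming one of our rules and the rest."""
    ours, other = [], []
    for det in ET.fromstring(report_xml).iter("Detection"):
        # Assumption: the rule name is the element text or one of its attribute values.
        values = [(det.text or "").strip(), *det.attrib.values()]
        hit = next((v for v in values if v in names), None)
        (ours if hit else other).append(hit or values[0])
    return ours, other

if __name__ == "__main__":
    ours, other = classify_detections(SAMPLE_REPORT, rule_names(SAMPLE_RULES))
    print("From your YARA rules:", ours)
    print("From other patterns: ", other)
```

To use it on real data, read hcyara.ptext.ptn and detectreport.xml from disk and pass their contents to the two functions.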