Recorded Future Sandbox - API - Yara

The Yara API endpoint allows yara rules to be uploaded, updated and deleted. Keep in mind that uploaded rules are still compiled to check compatibility. For more information about compatibility, refer to the custom yara documentation.

GET /yara

Returns a listing of yara rules that are accessible by the user.

  • name: specify the current rule name in the query (/v0/yara/bazar.yara) to retrieve a detailed listing of a rule.

Retrieve all yara rules

curl --request GET \
  --url https://sandbox.recordedfuture.com/api/v0/yara \
  --header 'Authorization: Bearer <YOUR_ACCESS_KEY>'

Result:

{"rules":[{"name":"msrule.yara"},{"name":"bzrule.yara"}]}

Retrieve specific yara rule

curl --request GET \
  --url https://sandbox.recordedfuture.com/api/v0/yara/arkei.yara \
  --header 'Authorization: Bearer <YOUR_ACCESS_KEY>'

Result:

{"warnings":["info: rule family_arkei: has no triage_score metadata","info: rule family_arkei: has no triage_description metadata"],"rule":"rule family_arkei {\n    meta:\n        author = \"Nikos 'n0t' Totosis\"\n        description = \"Arkei Stealer Payload\"\n        triage_family = \"arkei\"\n        triage_tags = \"stealer\"\n\n    strings:\n        $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n        $c2 = \"BCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\" ascii\n\n        $s1 = \"%dx%d\" ascii\n        $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n        $s3 = \"%s / %s\" ascii\n        $s4 = \"%d MB\" ascii\n        $s5 = \"UTC%d\" ascii\n        $s6 = \"JohnDoe\" ascii\n        $s7 = \"HAL9TH\" ascii\n\n    condition:\n        1 of ($c*) and 4 of ($s*)\n}\n","name":"arkei.yara"}

Non-existing rule:

{"error":"NOT_FOUND","message":"could not get yara rule: file not found"}

POST /yara

Create a new yara rule

curl --request POST \
  --url https://sandbox.recordedfuture.com/api/v0/yara \
  --header 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "arkei.yara",
    "rule": "rule family_arkei {\n    meta:\n        author = \"Nikos '\''n0t'\'' Totosis\"\n        description = \"Arkei Stealer Payload\"\n        triage_family = \"arkei\"\n        triage_tags = \"stealer\"\n\n    strings:\n        $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n        $c2 = \"BCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\" ascii\n\n        $s1 = \"%dx%d\" ascii\n        $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n        $s3 = \"%s / %s\" ascii\n        $s4 = \"%d MB\" ascii\n        $s5 = \"UTC%d\" ascii\n        $s6 = \"JohnDoe\" ascii\n        $s7 = \"HAL9TH\" ascii\n\n    condition:\n        1 of ($c*) and 4 of ($s*)\n}"
  }'

Result:

success:

{}

Existing rule with that name:

{"error":"ERRONEOUS_FILENAME","message":"filename is invalid"}

Compilation error:

{"error":"COMPILE_ERROR","message":"Compile Source failed to compile: duplicated identifier \"family_arkei\""}

PUT /yara

Update an existing yara rule

Notes:

  • When updating a yara rule, compilation can fail. If that is the case, the rule name is updated but the old rule content remains.
  • Both name and rule are always required, even when changing only one of the attributes.

Query Parameters

  • name: specify the current rule name in the query (/v0/yara/bazar.yara)

Update name and file content:

curl --request PUT \
  --url https://sandbox.recordedfuture.com/api/v0/yara/arkei.yara \
  --header 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "arkei_new.yara",
    "rule": "rule family_arkei {\n    meta:\n        author = \"Nikos '\''n0t'\'' Totosis\"\n        description = \"Arkei Stealer Payload\"\n        triage_family = \"arkei\"\n        triage_tags = \"stealer\"\n\n    strings:\n        $c1 = \"/c timeout /t 5 & del /f /q \\\"%s\\\" & exit\" ascii\n        $c2 = \"BCDEFGHIJKLMNOPQRSTUVWXYZ1234567890\" ascii\n\n        $s1 = \"%dx%d\" ascii\n        $s2 = \"%d/%d/%d %d:%d:%d\" ascii\n        $s3 = \"%s / %s\" ascii\n        $s4 = \"%d MB\" ascii\n        $s5 = \"UTC%d\" ascii\n        $s6 = \"JohnDoe\" ascii\n        $s7 = \"HAL9TH\" ascii\n\n    condition:\n        1 of ($c*) and 4 of ($s*)\n}"
  }'

Result:

success:

{}

Existing rule with that name:

{"error":"ERRONEOUS_FILENAME","message":"filename is invalid"}

Compilation error:

{"error":"COMPILE_ERROR","message":"Compile Source failed to compile: duplicated identifier \"family_arkei\""}

Non-existing rule:

{"error":"NOT_FOUND","message":"could not get yara rule: file not found"}

DELETE /yara

Delete an existing yara rule

curl --request DELETE \
  --url https://sandbox.recordedfuture.com/api/v0/yara/arkei.yara \
  --header 'Authorization: Bearer <YOUR_ACCESS_KEY>'

success:

{}

Non-existing rule:

{"error":"NOT_FOUND","message":"could not get yara rule: file not found"}
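
The rule lifecycle documented above, as an added example that is not part of the Recorded Future documentation or SDK: a small Python client for the GET, POST, PUT and DELETE endpoints whose update step reads the rule back after the PUT, because, as the notes above say, a failed compile still renames the rule while the old content remains, so a COMPILE_ERROR response alone does not tell you what is now stored. It runs offline against FakeSandbox, a constructed in-memory stand-in that reproduces the response bodies shown on this page; the stand-in only models GET, POST and PUT, and its HTTP status codes for errors, the cut-down RULE text, the <YOUR_ACCESS_KEY> placeholder and the urllib-based transport are assumptions. To talk to the live API, construct YaraClient with a real access key and leave the default transport in place.

```python
import json
import re
import urllib.error
import urllib.request

BASE_URL = "https://sandbox.recordedfuture.com/api/v0"  # base of the URLs in the curl examples above


class YaraApiError(Exception):  # raised for any response body with an "error" field
    def __init__(self, error, message):
        super().__init__(f"{error}: {message}")
        self.error, self.message = error, message


def urllib_transport(method, url, headers, body):  # live transport -> (status, body text)
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:  # hand error bodies back instead of raising so _call can parse them
        return exc.code, exc.read().decode()


class YaraClient:
    def __init__(self, access_key, transport=urllib_transport, base_url=BASE_URL):
        self.access_key, self.transport, self.base_url = access_key, transport, base_url

    def _call(self, method, path, payload=None):
        headers = {"Authorization": f"Bearer {self.access_key}"}
        body = None if payload is None else json.dumps(payload)  # json.dumps does the escaping curl needs by hand
        if body is not None:
            headers["Content-Type"] = "application/json"
        _status, text = self.transport(method, self.base_url + path, headers, body)
        doc = json.loads(text) if text.strip() else {}
        if "error" in doc:  # the page documents error bodies but not status codes, so key on the body
            raise YaraApiError(doc["error"], doc.get("message", ""))
        return doc

    def get_rule(self, name):
        return self._call("GET", f"/yara/{name}")

    def create_rule(self, name, rule):
        self._call("POST", "/yara", {"name": name, "rule": rule})

    def delete_rule(self, name):
        self._call("DELETE", f"/yara/{name}")

    def update_rule(self, name, new_name, rule):
        """PUT, then read back: the notes above say a failed compile still renames the rule but keeps the
        old content, so report (stored_name, content_matches, compile_error) from what is actually stored."""
        compile_err = None
        try:
            self._call("PUT", f"/yara/{name}", {"name": new_name, "rule": rule})
        except YaraApiError as exc:
            if exc.error != "COMPILE_ERROR":
                raise
            compile_err = exc.message
        stored = self.get_rule(new_name)  # NOT_FOUND here would mean the rename did not happen after all
        return stored["name"], stored["rule"] == rule, compile_err


class FakeSandbox:  # constructed in-memory stand-in; models GET/POST/PUT with the response bodies shown above
    def __init__(self):
        self.rules = {}

    def __call__(self, method, url, headers, body):
        payload = json.loads(body) if body else {}
        name = url.rsplit("/", 1)[1]  # rule name from the path; the status codes used for errors are assumed
        if method == "POST":
            self.rules[payload["name"]] = payload["rule"]
            return 200, "{}"
        if name not in self.rules:
            return 404, json.dumps({"error": "NOT_FOUND", "message": "could not get yara rule: file not found"})
        if method == "GET":
            return 200, json.dumps({"warnings": [], "rule": self.rules[name], "name": name})
        self.rules[payload["name"]] = self.rules.pop(name)  # PUT: rename first, then compile (the documented quirk)
        idents = re.findall(r"^\s*rule\s+(\w+)", payload["rule"], re.M)  # crude stand-in for the compiler
        if len(set(idents)) < len(idents):
            msg = f'Compile Source failed to compile: duplicated identifier "{idents[-1]}"'
            return 400, json.dumps({"error": "COMPILE_ERROR", "message": msg})
        self.rules[payload["name"]] = payload["rule"]
        return 200, "{}"


RULE = ('rule family_arkei {\n    meta:\n        triage_family = "arkei"\n    strings:\n'
        '        $s6 = "JohnDoe" ascii\n    condition:\n        $s6\n}\n')  # constructed, cut down from the page's rule


def demo():
    """Run the documented create/update flow against the fake; returns what each update observed."""
    client = YaraClient("<YOUR_ACCESS_KEY>", transport=FakeSandbox())
    client.create_rule("arkei.yara", RULE)
    # a broken edit: the identifier appears twice so it cannot compile, yet the rename still goes through
    broken = client.update_rule("arkei.yara", "arkei_new.yara", RULE + RULE)
    fixed = client.update_rule("arkei_new.yara", "arkei_new.yara", RULE.replace("JohnDoe", "HAL9TH"))
    return broken, fixed


if __name__ == "__main__":
    print(demo())
```

The first update returns the new name together with content_matches False and the compile message, which is the state the notes warn about: the rule now lives under arkei_new.yara but still holds the old content. The second update against that name succeeds and reads back as matching. Because the client keys on the "error" field rather than on HTTP status, it behaves the same whichever status the service attaches to the documented error bodies.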