Yara Toolkit

Transcript

1. YARA TOOLKIT

2. None

3. DEMO DEMO

4. 👀

5. Analysis similar binaries Identify unique patterns strings, code... Build the

   rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything

6. Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule

   Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd

7. memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =

   0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }

8. CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows

   10, exploited in the wild by the Bitter APT.
9. None
10. None
11. None
12. None
13. None
14. None
15. None

16. Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the

    data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨‍⚕️ Retrieval Augmented Generation
17. None
18. None
19. None