Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
88
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.4k
Prompt Engineering for Threat Intelligence
fr0gger
1
530
State-Sponsored Financially Motivated Attacks
fr0gger
0
680
Binary Instrumentation for Malware Analysis
fr0gger
2
1.6k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
1.9k
Code Graphology
fr0gger
0
770
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
980
AISA - Practical Threat Intelligence
fr0gger
0
1.4k
Other Decks in Programming
See All in Programming
Boost Performance and Developer Productivity with Jakarta EE 11
ivargrimstad
0
730
未経験でSRE、はじめました! 組織を支える役割と軌跡
curekoshimizu
1
130
AIの力でお手軽Chrome拡張機能作り
taiseiue
0
190
ML.NETで始める機械学習
ymd65536
0
230
Amazon Q Developer Proで効率化するAPI開発入門
seike460
PRO
0
120
推しメソッドsource_locationのしくみを探る - はじめてRubyのコードを読んでみた
nobu09
2
140
Rails アプリ地図考 Flush Cut
makicamel
1
130
たのしいSocketのしくみ / Socket Under a Microscope
coe401_
8
1.1k
Honoをフロントエンドで使う 3つのやり方
yusukebe
7
3.5k
sappoRo.R #12 初心者セッション
kosugitti
0
270
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
880
Honoのおもしろいミドルウェアをみてみよう
yusukebe
1
220
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.2k
Side Projects
sachag
452
42k
Building an army of robots
kneath
303
45k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Agile that works and the tools we love
rasmusluckow
328
21k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.5k
RailsConf 2023
tenderlove
29
1k
Optimising Largest Contentful Paint
csswizardry
34
3.1k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.1k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None