Thomas Roccia
December 16, 2024
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Transcript
YARA TOOLKIT
DEMO
👀
Analyse similar binaries
Identify unique patterns: strings, code...
Build the rule with your findings
Test on a clean dataset
Deploy to the service of your choice
Monitor everything
Import module: pe, elf, hash, math, cuckoo, dotnet, time
Rule name: global rules, private rules, rule tags
Metadata: author, date, description, etc.
Strings: text strings, hexadecimal strings, regex
Text strings: nocase, wide, fullword, xor(0x01-0xff), base64
Hexadecimal strings: wild-cards { 00 ?2 A? }, jumps { 3B [2-4] B4 }, alternatives { F4 (B4 | 56) }
Regex
Conditions: boolean operators, arithmetic operators, bitwise operators, counting strings, string offsets
https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
// Decompiler pseudocode of the sample's RC4 key-scheduling routine, as shown on the slide
memset(key, fillValue, sizeof(key));
memset(permutedArray, fillValue_1, sizeof(permutedArray));
for ( i = 0i64; i != 256; ++i )
{
    permutedArray[i] = i;
    key[i] = RC4key[(int)i % 12];   // '3jB(2bsG#@c7'
}
index1 = 0i64;
index2 = 0;
do
{
    currentValue = permutedArray[index1];
    index2 += key[index1] + currentValue;
    swapValue = permutedArray[index2];
    permutedArray[index2] = currentValue;
    permutedArray[index1++] = swapValue;
}
// loop condition not captured in the slide transcript
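The rule anatomy from the earlier slide and the hard-coded RC4 key from the decompiled routine, combined into one worked YARA rule. This is an added example, not from the talk: the key string is the one on the slide, the `$ksa_init` byte pattern is a constructed illustration of wildcard, jump and alternative syntax rather than a signature of the real sample, and the size and count thresholds are assumptions.

```yara
import "pe"
import "math"

// Private rule: usable from other rules' conditions, never reported on its own
private rule is_pe_executable
{
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

rule rc4_hardcoded_key_loader : rc4 loader
{
    meta:
        author      = "example (constructed rule)"
        date        = "2024-12-16"
        description = "Hard-coded 12-byte RC4 key from the decompiled KSA, plus a generic KSA loop shape"

    strings:
        // Key from the slide: key[i] = RC4key[i % 12] -> '3jB(2bsG#@c7'
        $key_ascii = "3jB(2bsG#@c7" ascii wide
        // Same key under single-byte XOR, in case it is stored obfuscated
        $key_xor   = "3jB(2bsG#@c7" xor(0x01-0xff)
        // Same key base64-encoded (all three alignments are generated)
        $key_b64   = "3jB(2bsG#@c7" base64

        // Constructed illustration of a KSA-style loop tail on x86-64 (assumption):
        // mov byte ptr [..], reg ; inc r64/r32 ; <up to 8 bytes> ; cmp reg, 0x100
        // '??' = nibble/byte wild-card, '[0-8]' = jump, '( .. | .. )' = alternatives
        $ksa_init = { 88 ?? ?? ( 48 | 49 ) FF C? [0-8] 81 F? 00 01 00 00 }

    condition:
        is_pe_executable
        and filesize < 5MB                         // assumption: loaders are small
        and ( $key_ascii or $key_xor or $key_b64 ) // any encoding of the key
        and #key_ascii < 10                        // counting: a wordlist file would match hundreds of times
        and ( not $key_ascii or @key_ascii[1] > 0x400 ) // offset: key lives in a section, not in the headers
        and ( $ksa_init or math.entropy(0, filesize) > 6.0 ) // loop shape, or packed/encrypted payload
        and not pe.is_dll()
}
```

Before deploying, run the rule over a clean corpus first, since the `$key_*` strings alone are the only sample-specific evidence and the remaining conditions are deliberately generic.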
CVE-2021-1732 is a Local Privilege Escalation (LPE) vulnerability in Windows 10 that was exploited in the wild by the Bitter APT.
Retrieval Augmented Generation (RAG)
Knowledge base: Yara documentation, useful resources
Embedding: putting the data in a multi-dimensional vector
Retriever: retrieve information from the database based on similarity
DocYara 👨‍⚕️: helps you understand how to use Yara, helps you create your rule, helps you refine your rule