Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
210
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
Generative AI Breaches: Threats, Investigations, and Response
fr0gger
0
670
The XZ Backdoor Story
fr0gger
0
4.7k
Prompt Engineering for Threat Intelligence
fr0gger
1
700
State-Sponsored Financially Motivated Attacks
fr0gger
0
730
Binary Instrumentation for Malware Analysis
fr0gger
2
1.7k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2.1k
Code Graphology
fr0gger
0
860
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1.1k
Other Decks in Programming
See All in Programming
モテるデスク環境
mozumasu
3
480
SODA - FACT BOOK(JP)
sodainc
1
8.6k
3年ぶりにコードを書いた元CTOが Claude Codeと30分でMVPを作った話
maikokojima
0
610
他言語経験者が Golangci-lint を最初のコーディングメンターにした話 / How Golangci-lint Became My First Coding Mentor: A Story from a Polyglot Programmer
uma31
0
320
Flutterで分数(Fraction)を表示する方法
koukimiura
0
140
Leading Effective Engineering Teams in the AI Era
addyosmani
7
550
Devoxx BE - Local Development in the AI Era
kdubois
0
130
iOSでSVG画像を扱う
kishikawakatsumi
0
150
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
370
Range on Rails ―「多重範囲型」という新たな選択肢が、複雑ロジックを劇的にシンプルにしたワケ
rizap_tech
0
6.7k
One Enishi After Another
snoozer05
PRO
0
140
アメ車でサンノゼを走ってきたよ!
s_shimotori
0
230
Featured
See All Featured
Build your cross-platform service in a week with App Engine
jlugia
232
18k
Git: the NoSQL Database
bkeepers
PRO
431
66k
We Have a Design System, Now What?
morganepeng
53
7.8k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.5k
Leading Effective Engineering Teams in the AI Era
addyosmani
7
550
The Straight Up "How To Draw Better" Workshop
denniskardys
238
140k
Bash Introduction
62gerente
615
210k
Rails Girls Zürich Keynote
gr2m
95
14k
Practical Orchestrator
shlominoach
190
11k
Designing for Performance
lara
610
69k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None