Yara Toolkit
Thomas Roccia
December 16, 2024
This talk was presented at Hack Sydney and Bsides Gold Coast.
Transcript
YARA TOOLKIT
DEMO
👀
Workflow:
1. Analyse similar binaries
2. Identify unique patterns (strings, code...)
3. Build the rule with your findings
4. Test on a cleaned dataset
5. Deploy to the service of choice
6. Monitor everything
Rule anatomy:
Import: Module pe, elf, hash, math, cuckoo, dotnet, time
Rule name: Global rules, Private rules, Rule tags
Metadata: Author, Date, Description, Etc.
Strings: Text strings, Hexadecimal strings, Regex
  Text strings: nocase, wide, fullword, xor(0x01-0xff), base64
  Hexadecimal: Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }, Alternatives: { F4 (B4 | 56) }
  Regex
Conditions: Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings offset
https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
```c
/* RC4 key-scheduling algorithm (KSA) as recovered from the decompiled sample.
   The 12-byte hard-coded key is repeated to fill the 256-byte key buffer. */
const char RC4key[] = "3jB(2bsG#@c7";
unsigned char key[256];
unsigned char permutedArray[256];
unsigned char index2, currentValue, swapValue;   /* 8-bit, so index2 wraps mod 256 */
int i, index1;

memset(key, fillValue, sizeof(key));               /* fill values come from the decompiler and are overwritten below */
memset(permutedArray, fillValue_1, sizeof(permutedArray));
for (i = 0; i != 256; ++i) {
    permutedArray[i] = i;
    key[i] = RC4key[(int)i % 12];                  /* '3jB(2bsG#@c7' */
}
index1 = 0;
index2 = 0;
do {
    currentValue = permutedArray[index1];
    index2 += key[index1] + currentValue;
    swapValue = permutedArray[index2];
    permutedArray[index2] = currentValue;
    permutedArray[index1++] = swapValue;
} while (index1 != 256);   /* loop condition is cut off on the slide; the standard KSA runs over all 256 entries */
```
CVE-2021-1732 was a Local Privilege Escalation (LPE) vulnerability in Windows 10, exploited in the wild by the Bitter APT.
Retrieval Augmented Generation pipeline:
Yara Documentation, Useful resources -> Knowledge Base -> Embedding (putting the data in a multi-dimensional vector) -> Retriever (retrieve information from the database based on similarity) -> RAG
DocYara 👨‍⚕️
- Help you understand how to use Yara
- Help you create your rule
- Help you refine your rule