Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
150
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.6k
Prompt Engineering for Threat Intelligence
fr0gger
1
610
State-Sponsored Financially Motivated Attacks
fr0gger
0
710
Binary Instrumentation for Malware Analysis
fr0gger
2
1.6k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2k
Code Graphology
fr0gger
0
820
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1k
AISA - Practical Threat Intelligence
fr0gger
0
1.4k
Other Decks in Programming
See All in Programming
統一感のある Go コードを生成 AI の力で手にいれる
otakakot
0
3k
Datadog RUM 本番導入までの道
shinter61
1
260
RubyKaigiで得られる10の価値 〜Ruby話を聞くことだけが RubyKaigiじゃない〜
tomohiko9090
0
140
実はすごいスピードで進化しているCSS
hayato_yokoyama
0
110
Create a website using Spatial Web
akkeylab
0
280
Rails産でないDBを Railsに引っ越すHACK - Omotesando.rb #110
lnit
1
160
人には人それぞれのサービス層がある
shimabox
3
670
コードに語らせよう――自己ドキュメント化が内包する楽しさについて / Let the Code Speak
nrslib
6
1.4k
事業戦略を理解してソフトウェアを設計する
masuda220
PRO
22
6k
F#で自在につくる静的ブログサイト - 関数型まつり2025
pizzacat83
0
290
生成AIで日々のエラー調査を進めたい
yuyaabo
0
530
Webからモバイルへ Vue.js × Capacitor 活用事例
naokihaba
0
550
Featured
See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
81
9k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Being A Developer After 40
akosma
90
590k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Automating Front-end Workflow
addyosmani
1370
200k
Building an army of robots
kneath
306
45k
KATA
mclloyd
29
14k
Docker and Python
trallard
44
3.4k
Writing Fast Ruby
sferik
628
61k
Faster Mobile Websites
deanohume
307
31k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None
fr0gger
otakakot
shinter61
tomohiko9090
hayato_yokoyama
akkeylab
lnit
shimabox
nrslib
masuda220
pizzacat83
yuyaabo
naokihaba
samanthasiow
garrettdimon
akosma
panda_program
lynnandtonic
addyosmani
kneath
mclloyd
trallard
sferik
deanohume
kastner
