Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Transcript
YARA TOOLKIT
DEMO
The rule-writing workflow: analyse similar binaries; identify unique patterns (strings, code, ...); build the rule from your findings; test it on a clean dataset; deploy it to the service of your choice; monitor everything.
Anatomy of a YARA rule:
Import module: pe, elf, hash, math, cuckoo, dotnet, time
Rule name: global rules, private rules, rule tags
Metadata: author, date, description, etc.
Strings: text strings, hexadecimal strings, regular expressions
  Text string modifiers: nocase, wide, fullword, xor(0x01-0xff), base64
  Hexadecimal strings: wild-cards { 00 ?2 A? }, jumps { 3B [2-4] B4 }, alternatives { F4 (B4 | 56) }
  Regex
Condition: boolean operators, arithmetic operators, bitwise operators, counting strings, string offsets
Reference: https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
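The three hexadecimal-string constructs listed above (nibble wild-cards, jumps, alternatives) can be tried on raw bytes with the small translator below, which turns a YARA hex string into an equivalent Python bytes regex. This is an added example, not code from the talk or from the YARA project; it covers only that subset of the syntax, and the helper names and the sample buffer are constructed.

```python
import re

# Added example: translate YARA hex-string syntax (wild-cards, jumps,
# alternatives) into a bytes regex. Covers a subset only; not yara-python.
_TOKEN = re.compile(r"\[\s*(\d*)\s*(-?)\s*(\d*)\s*\]|[0-9A-Fa-f?]{2}|[()|]")


def hex_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as '{ 3B [2-4] B4 }' to a bytes regex."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts, pos = [], 0
    for m in _TOKEN.finditer(body):
        if body[pos:m.start()].strip():
            raise ValueError(f"unexpected text {body[pos:m.start()]!r}")
        pos, tok = m.end(), m.group(0)
        if tok.startswith("["):                 # jump: [n], [n-m] or [n-]
            lo, dash, hi = m.group(1) or "0", m.group(2), m.group(3)
            parts.append((".{%s}" % lo if not dash else ".{%s,%s}" % (lo, hi)).encode())
        elif tok == "(":                        # start of an alternatives group
            parts.append(b"(?:")
        elif tok in "|)":
            parts.append(tok.encode())
        elif tok == "??":                       # fully wild byte
            parts.append(b".")
        elif "?" in tok:                        # one nibble fixed, one wild: ?2 or A?
            vals = [v for v in range(256)
                    if (tok[0] == "?" or v >> 4 == int(tok[0], 16))
                    and (tok[1] == "?" or v & 0xF == int(tok[1], 16))]
            parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in vals) + b"]")
        else:                                   # literal byte
            parts.append(re.escape(bytes([int(tok, 16)])))
    if body[pos:].strip():
        raise ValueError(f"unexpected text {body[pos:]!r}")
    # DOTALL so '.' (wild-cards and jumps) also matches the 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(pattern: str, data: bytes) -> list:
    """Return (offset, matched_bytes) per non-overlapping hit, like YARA's string offsets."""
    return [(m.start(), m.group(0)) for m in hex_to_regex(pattern).finditer(data)]


# Constructed sample buffer exercising the three patterns from the slide.
SAMPLE = bytes.fromhex("00 12 A7 3B 11 22 B4 F4 56 00 C2 AF 3B 11 22 33 44 55 B4")

if __name__ == "__main__":
    for pat in ("{ 00 ?2 A? }", "{ 3B [2-4] B4 }", "{ F4 (B4 | 56) }"):
        print(pat, "->", find_matches(pat, SAMPLE))
```

The second 3B in the sample is followed by five bytes before B4, so the `[2-4]` jump correctly rejects it.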
Decompiled RC4 key-scheduling routine (KSA) shown on the slide, with its hard-coded 12-byte key:

    memset(key, fillValue, sizeof(key));
    memset(permutedArray, fillValue_1, sizeof(permutedArray));
    for (i = 0; i != 256; ++i) {
        permutedArray[i] = i;                 // identity permutation S[i] = i
        key[i] = RC4key[(int)i % 12];         // key repeated to 256 bytes: '3jB(2bsG#@c7'
    }
    index1 = 0;
    index2 = 0;
    do {                                      // j = (j + S[i] + K[i]) mod 256, then swap S[i] and S[j]
        currentValue = permutedArray[index1];
        index2 += key[index1] + currentValue; // index2 is a single byte, so the sum wraps mod 256
        swapValue = permutedArray[index2];
        permutedArray[index2] = currentValue;
        permutedArray[index1++] = swapValue;
    } while (index1 != 256);                  // loop bound is cut off on the slide; a full KSA pass covers all 256 entries
CVE-2021-1732 was a Local Privilege Escalation (LPE) vulnerability in Windows 10, exploited in the wild by the Bitter APT.
DocYara, a Retrieval Augmented Generation (RAG) assistant for YARA:
Knowledge base: the YARA documentation and other useful resources.
Embedding: the data is placed in a multi-dimensional vector space.
Retriever: information is retrieved from the database based on similarity.
RAG: DocYara helps you understand how to use YARA, create your rule, and refine your rule.