Yara Toolkit
Thomas Roccia
December 16, 2024
Programming

This talk was presented at Hack Sydney and Bsides Gold Coast.
Transcript
YARA TOOLKIT
DEMO
Rule-building workflow:
1. Analyze similar binaries
2. Identify unique patterns: strings, code...
3. Build the rule with your findings
4. Test on a clean dataset of known-good files (to catch false positives)
5. Deploy to the service of your choice
6. Monitor everything
Anatomy of a YARA rule:
Import module: pe, elf, hash, math, cuckoo, dotnet, time
Rule name: global rules, private rules, rule tags
Metadata: author, date, description, etc.
Strings: text strings, hexadecimal strings, regex
  Text string modifiers: nocase, wide, fullword, xor(0x01-0xff), base64
  Hexadecimal strings: wild-cards { 00 ?2 A? }, jumps { 3B [2-4] B4 }, alternatives { F4 (B4 | 56) }
  Regex
Conditions: boolean operators, arithmetic operators, bitwise operators, counting strings, string offsets
https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
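The hexadecimal-string syntax above (nibble wild-cards, jumps, alternatives) is easy to get subtly wrong when you hand-write a pattern. The following is an added example, not code from the talk or from YARA itself: a small Python matcher that compiles that subset of the hex-string grammar into a bytes regex and reports match offsets, so a candidate pattern can be checked against a sample buffer before it goes into a rule. The buffer `SAMPLE` is constructed for the demo and every name below is an assumption of this example; it covers only the constructs listed on the slide, not the full YARA grammar, and it reports non-overlapping matches.

```python
from __future__ import annotations
import re


def _byte_class(tok: str) -> bytes:
    """Regex fragment for one YARA byte token: 'A7', '??', 'A?' or '?2'."""
    hi, lo = tok[0], tok[1]
    if hi == "?" and lo == "?":
        return b"."                                   # any byte
    if hi != "?" and lo != "?":
        return re.escape(bytes([int(tok, 16)]))       # literal byte
    if lo == "?":                                     # A? -> contiguous range 0xA0..0xAF
        base = int(hi, 16) << 4
        return (b"[" + re.escape(bytes([base])) + b"-"
                + re.escape(bytes([base | 0x0F])) + b"]")
    low = int(lo, 16)                                 # ?2 -> every byte whose low nibble is 2
    return b"[" + b"".join(re.escape(bytes([(h << 4) | low])) for h in range(16)) + b"]"


# Tokens: a jump like [2-4], grouping/alternation symbols, or a two-character byte token.
_TOKEN = re.compile(r"\[\d*-?\d*\]|[()|]|[0-9A-Fa-f?]{2}")


def hex_pattern_to_regex(pattern: str) -> re.Pattern[bytes]:
    """Compile a YARA hex string such as '{ 3B [2-4] B4 }' into a bytes regex."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts = []
    for tok in _TOKEN.findall(body):
        if tok in ("(", ")", "|"):
            parts.append(tok.encode())                # alternatives map 1:1 onto regex groups
        elif tok.startswith("["):
            lo, sep, hi = tok[1:-1].partition("-")
            lo = lo or "0"
            if not sep:                               # [n] is an exact jump of n bytes
                hi = lo
            parts.append(f".{{{lo},{hi}}}".encode())  # [2-4] -> .{2,4}, [2-] -> .{2,}
        else:
            parts.append(_byte_class(tok))
    return re.compile(b"".join(parts), re.DOTALL)     # DOTALL: '.' must match 0x0A too


def scan(pattern: str, data: bytes) -> list[int]:
    """Offsets of non-overlapping matches of a YARA hex string in data."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


# Constructed test buffer (not a real sample): each slide pattern has a planted hit.
SAMPLE = bytes.fromhex(
    "90 00 12 A7 FF "      # { 00 ?2 A? } at offset 1
    "3B 11 22 33 B4 "      # { 3B [2-4] B4 } at offset 5, jump of 3 bytes
    "F4 56 00 F4 B4 "      # { F4 (B4 | 56) } at offsets 10 and 13
    "3B 00 B4 "            # 3B ... B4 with a 1-byte gap: outside [2-4], must not match
)

if __name__ == "__main__":
    for pat in ("{ 00 ?2 A? }", "{ 3B [2-4] B4 }", "{ F4 (B4 | 56) }"):
        print(pat, "->", scan(pat, SAMPLE))
```

The last three bytes of `SAMPLE` are the check a practitioner wants: a gap of one byte sits outside `[2-4]`, so the jump pattern must not fire there. If it does, the jump bounds were translated wrongly.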
Decompiled RC4 key-scheduling algorithm (KSA) from the sample, tidied into compilable C. The hard-coded 12-byte key '3jB(2bsG#@c7' is the kind of unique pattern the workflow above turns into a YARA string.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hard-coded RC4 key recovered from the decompiled sample */
static const char RC4key[] = "3jB(2bsG#@c7";

/* permutedArray is the 256-byte S-box, key the key expanded to 256 bytes */
void rc4_ksa(uint8_t permutedArray[256], uint8_t key[256], uint8_t fillValue)
{
    size_t index1, i;
    uint8_t index2, currentValue, swapValue;

    memset(key, fillValue, 256);
    memset(permutedArray, fillValue, 256);

    /* S = identity permutation; the 12-byte key is repeated to fill 256 bytes */
    for (i = 0; i != 256; ++i) {
        permutedArray[i] = (uint8_t)i;
        key[i] = (uint8_t)RC4key[i % 12];   /* '3jB(2bsG#@c7' */
    }

    /* Swap loop; index2 is 8-bit, so the addition wraps modulo 256.
     * The slide cuts off the do-while condition; 256 iterations is the
     * standard KSA bound and is assumed here. */
    index1 = 0;
    index2 = 0;
    do {
        currentValue = permutedArray[index1];
        index2 += key[index1] + currentValue;
        swapValue = permutedArray[index2];
        permutedArray[index2] = currentValue;
        permutedArray[index1++] = swapValue;
    } while (index1 != 256);
}
```
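To confirm that the decompiled routine really is plain RC4 (and not a tweaked variant that would break a decryptor), it helps to re-implement the key schedule exactly as decompiled and run it against a known RC4 test vector. The following is an added example, not code from the talk or from the sample: a Python RC4 built from the loop above, checked against the public "Key"/"Plaintext" test vector, then used to decrypt a constructed config blob. `SAMPLE_CONFIG` and `ENCRYPTED_CONFIG` are constructed for the demo; `RC4_KEY` is the key from the slide; all other names are assumptions of this example.

```python
from __future__ import annotations

RC4_KEY = b"3jB(2bsG#@c7"          # hard-coded key from the decompiled sample


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm, mirroring the decompiled loop:
    key[i] = RC4key[i % len(key)], then the swap loop with an 8-bit index2."""
    expanded = [key[i % len(key)] for i in range(256)]
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + expanded[i] + s[i]) & 0xFF      # index2 wraps modulo 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA; RC4 is symmetric, so the same call encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def yara_hex_string(data: bytes) -> str:
    """Render bytes as a YARA hex string, e.g. { 33 6A 42 ... }, for the rule."""
    return "{ " + " ".join(f"{b:02X}" for b in data) + " }"


def matches_reference_vector() -> bool:
    """Sanity check against the well-known RC4 vector: Key 'Key', text 'Plaintext'."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Constructed sample: a fake C2 config encrypted with the sample's key (not real data).
SAMPLE_CONFIG = b'{"c2":"203.0.113.10:443","sleep":60}'
ENCRYPTED_CONFIG = rc4_crypt(RC4_KEY, SAMPLE_CONFIG)


def decrypt_config(blob: bytes) -> bytes:
    """Decrypt an embedded config with the recovered key."""
    return rc4_crypt(RC4_KEY, blob)


if __name__ == "__main__":
    print("reference vector ok:", matches_reference_vector())
    print("YARA string for the key:", yara_hex_string(RC4_KEY))
    print("decrypted config:", decrypt_config(ENCRYPTED_CONFIG))
```

If the reference vector fails, the decompiled loop differs from standard RC4 (a modified KSA is a common obfuscation), and that difference itself becomes a signature candidate alongside the key bytes.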
CVE-2021-1732 was a Local Privilege Escalation (LPE) vulnerability in Windows 10, exploited in the wild by the Bitter APT.
DocYara: Retrieval Augmented Generation (RAG)
Knowledge base: Yara documentation, useful resources
Embedding: putting the data in a multi-dimensional vector
Retriever: retrieve information from the database based on similarity
DocYara helps you understand how to use Yara, create your rule, and refine your rule.
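The retrieval step of that pipeline (embed the knowledge base, embed the question the same way, rank by similarity, hand the top chunks to the model) can be shown without any model at all. The following is an added example and is not DocYara's code or part of the talk: a Python retriever with a deliberately simple term-frequency embedding and cosine similarity. `KNOWLEDGE_BASE` holds constructed paraphrases of YARA documentation, not the real knowledge base; every function name is an assumption of this example, and a production system would swap `embed` for a dense embedding model and a vector store.

```python
from __future__ import annotations
import math
import re
from collections import Counter

# Constructed knowledge base: short paraphrases of YARA documentation, one chunk each.
KNOWLEDGE_BASE = [
    "The xor modifier matches strings xored with a single byte; a range such as "
    "xor(0x01-0xff) limits the keys tried.",
    "The pe module exposes imports, exports, sections and the imphash of a PE file "
    "for use in conditions.",
    "Hexadecimal strings accept wild-cards like ?? and jumps like [2-4] to skip a "
    "variable number of bytes.",
    "The fullword modifier requires the string to be delimited by non-alphanumeric "
    "characters.",
    "Private rules are not reported but can be referenced from other rules' conditions.",
]


def tokenize(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def embed(text: str) -> Counter:
    """Term-frequency vector; the 'multi-dimensional vector' of the slide, one
    dimension per distinct token. A real system uses a dense embedding model."""
    return Counter(tokenize(text))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse vectors (0.0 when either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


# Index built once: every chunk stored next to its vector.
INDEX = [(chunk, embed(chunk)) for chunk in KNOWLEDGE_BASE]


def retrieve(query: str, k: int = 2) -> list[str]:
    """Return the k chunks most similar to the query, best first."""
    q = embed(query)
    ranked = sorted(INDEX, key=lambda item: cosine(q, item[1]), reverse=True)
    return [chunk for chunk, _ in ranked[:k]]


def build_prompt(query: str, k: int = 2) -> str:
    """Augment the question with the retrieved context before it goes to the model."""
    context = "\n".join(f"- {chunk}" for chunk in retrieve(query, k))
    return f"Use only the YARA documentation below to answer.\n{context}\n\nQuestion: {query}"


if __name__ == "__main__":
    print(build_prompt("how do I match a string xored with a key?"))
```

Note the limitation a practitioner should expect from a bag-of-words embedding: "string" does not match "strings" and "key" does not match "keys", so the ranking rests on the few exact overlaps. That is the gap a dense embedding model closes, and why the retriever, not the LLM, usually decides whether a RAG assistant answers well.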