Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
160
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.6k
Prompt Engineering for Threat Intelligence
fr0gger
1
620
State-Sponsored Financially Motivated Attacks
fr0gger
0
710
Binary Instrumentation for Malware Analysis
fr0gger
2
1.6k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2k
Code Graphology
fr0gger
0
830
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1k
AISA - Practical Threat Intelligence
fr0gger
0
1.4k
Other Decks in Programming
See All in Programming
データの民主化を支える、透明性のあるデータ利活用への挑戦 2025-06-25 Database Engineering Meetup#7
y_ken
0
340
関数型まつりレポート for JuliaTokai #22
antimon2
0
160
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
270
dbt民主化とLLMによる開発ブースト ~ AI Readyな分析サイクルを目指して ~
yoshyum
3
760
A2A プロトコルを試してみる
azukiazusa1
2
1.3k
猫と暮らす Google Nest Cam生活🐈 / WebRTC with Google Nest Cam
yutailang0119
0
100
新メンバーも今日から大活躍!SREが支えるスケールし続ける組織のオンボーディング
honmarkhunt
3
5.9k
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
yodakeisuke
0
120
PHP 8.4の新機能「プロパティフック」から学ぶオブジェクト指向設計とリスコフの置換原則
kentaroutakeda
2
740
#QiitaBash MCPのセキュリティ
ryosukedtomita
0
960
童醫院敏捷轉型的實踐經驗
cclai999
0
210
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
s4yuba
16
10k
Featured
See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2.1k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Adopting Sorbet at Scale
ufuk
77
9.4k
Building a Modern Day E-commerce SEO Strategy
aleyda
42
7.4k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.5k
Music & Morning Musume
bryan
46
6.6k
Gamification - CAS2011
davidbonilla
81
5.3k
Balancing Empowerment & Direction
lara
1
410
Building an army of robots
kneath
306
45k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
How GitHub (no longer) Works
holman
314
140k
Bash Introduction
62gerente
614
210k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None