Yara Toolkit
Thomas Roccia
December 16, 2024
This talk was presented at Hack Sydney and Bsides Gold Coast.
Transcript
YARA TOOLKIT
DEMO
Workflow for building a rule:
1. Analyse similar binaries
2. Identify unique patterns (strings, code, ...)
3. Build the rule with your findings
4. Test on a cleaned dataset
5. Deploy to the service of choice
6. Monitor everything
Anatomy of a YARA rule (infographic: https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd):

Import: modules pe, elf, hash, math, cuckoo, dotnet, time
Rule name: global rules, private rules, rule tags
Metadata: author, date, description, etc.
Strings: text strings, hexadecimal strings, regex
    Text strings: modifiers nocase, wide, fullword, xor(0x01-0xff), base64
    Hexadecimal strings: wild-cards { 00 ?2 A? }, jumps { 3B [2-4] B4 }, alternatives { F4 (B4 | 56) }
    Regex
Conditions: boolean operators, arithmetic operators, bitwise operators, counting strings, string references, offsets
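The hex-string syntax above is easiest to understand by watching it match bytes. The following is an added example, not code from the talk or from YARA itself: a small Python matcher that compiles YARA-style hex patterns (nibble wild-cards, jumps, alternatives) into byte regular expressions, plus a text-string search with the nocase and wide modifiers. The sample buffer and its offsets are constructed for the example; YARA's real engine is a different implementation, so this only illustrates the semantics of the syntax.

```python
import re

# Added example (not from the talk): a minimal matcher for the YARA hex-string
# syntax, so the semantics of wild-cards, jumps and alternatives can be checked
# against real bytes without a YARA build.  It compiles the pattern to a
# byte-level regular expression; YARA itself uses its own matcher.

_TOKEN = re.compile(r"\[[^\]]*\]|[()|]|[0-9A-Fa-f?]{2}")


def _nibble_class(tok: str) -> bytes:
    """One hex byte, where either nibble may be the wild-card '?'."""
    hi, lo = tok[0], tok[1]
    members = [b for b in range(256)
               if (hi == "?" or (b >> 4) == int(hi, 16))
               and (lo == "?" or (b & 0x0F) == int(lo, 16))]
    if len(members) == 256:            # '??' matches any byte
        return b"."
    if len(members) == 1:              # plain literal byte
        return re.escape(bytes(members))
    return b"[" + b"".join(re.escape(bytes([b])) for b in members) + b"]"


def _jump(tok: str) -> bytes:
    """[n], [n-m], [n-] or [-]: skip a bounded or unbounded number of bytes."""
    inner = tok[1:-1]
    if "-" in inner:
        lo, hi = inner.split("-", 1)
        lo = int(lo) if lo else 0
        return f".{{{lo},{hi}}}".encode() if hi else f".{{{lo},}}".encode()
    return f".{{{int(inner)}}}".encode()


def yara_hex_to_regex(pattern: str) -> bytes:
    """Translate '{ 3B [2-4] B4 }' style text into a bytes regex."""
    body = pattern.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = _TOKEN.findall(body)
    if "".join(tokens) != re.sub(r"\s+", "", body):
        raise ValueError(f"unsupported hex pattern: {pattern!r}")
    parts = []
    for tok in tokens:
        if tok.startswith("["):
            parts.append(_jump(tok))
        elif tok == "(":
            parts.append(b"(?:")          # alternatives group
        elif tok in (")", "|"):
            parts.append(tok.encode())
        else:
            parts.append(_nibble_class(tok))
    return b"".join(parts)


def find_hex_pattern(data: bytes, pattern: str) -> list:
    """Offsets at which the YARA hex pattern matches inside data."""
    rx = re.compile(yara_hex_to_regex(pattern), re.DOTALL)
    return [m.start() for m in rx.finditer(data)]


def find_text(data: bytes, text: str, nocase: bool = False, wide: bool = False) -> list:
    """Text string search with the nocase / wide modifiers from the slide."""
    needle = text.encode("utf-16-le") if wide else text.encode()
    flags = re.DOTALL | (re.IGNORECASE if nocase else 0)
    return [m.start() for m in re.finditer(re.escape(needle), data, flags)]


# Constructed sample buffer: the three hex examples from the slide back to back,
# a near miss for the first one (00 13 AB), and the RC4 key from the decompiled code.
SAMPLE = (bytes.fromhex("00 12 ab 3b 01 02 b4 f4 56 ff 00 13 ab")
          + b"3jB(2bsG#@c7")

if __name__ == "__main__":
    for pat in ("{ 00 ?2 A? }", "{ 3B [2-4] B4 }", "{ F4 (B4 | 56) }"):
        print(pat, "->", find_hex_pattern(SAMPLE, pat))
    print("key nocase ->", find_text(SAMPLE, "3JB(2BSG#@C7", nocase=True))
```

The jump `[2-4]` is a bounded gap, so a pattern written with it will not match when the gap is 1 or 5 bytes; the test cases below exercise exactly that boundary, which is the usual source of a rule that silently stops matching after a recompile shifts the code.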
Decompiled RC4 key-scheduling loop from the slide; the hard-coded 12-byte key '3jB(2bsG#@c7' is the kind of unique string a rule can anchor on:

    memset(key, fillValue, sizeof(key));
    memset(permutedArray, fillValue_1, sizeof(permutedArray));
    for ( i = 0i64; i != 256; ++i )
    {
        permutedArray[i] = i;
        key[i] = RC4key[(int)i % 12];   // '3jB(2bsG#@c7'
    }
    index1 = 0i64;
    index2 = 0;                          // byte-sized: wraps modulo 256
    do
    {
        currentValue = permutedArray[index1];
        index2 += key[index1] + currentValue;
        swapValue = permutedArray[index2];
        permutedArray[index2] = currentValue;
        permutedArray[index1++] = swapValue;
    }
    while ( index1 != 256 );             // loop bound cut off on the slide; restored from the RC4 KSA
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows 10, exploited in the wild by the Bitter APT.
DocYara, Retrieval Augmented Generation (RAG):
Knowledge base: YARA documentation, useful resources
Embedding: putting the data in a multi-dimensional vector
Retriever: retrieve information from the database based on similarity
DocYara helps you understand how to use YARA, create your rule, and refine your rule
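The retriever half of that pipeline, as an added example that is not DocYara's code: documents and queries are turned into vectors and the closest document is returned as context for the model. A production system would use a neural embedding model; here a bag-of-words count vector with cosine similarity stands in for it so the mechanics run offline. The knowledge base is a constructed set of short paraphrases, not the YARA documentation itself.

```python
import math
import re
from collections import Counter

# Added example (not DocYara's code): the retriever stage of a RAG pipeline
# reduced to its mechanics.  Assumption: a bag-of-words count vector replaces
# the neural embedding a real system would use.

# Constructed knowledge base: short paraphrases of YARA documentation topics.
KNOWLEDGE_BASE = {
    "text-modifiers": "Text string modifiers: nocase makes the match case "
                      "insensitive, wide matches UTF-16 two byte characters, "
                      "fullword requires word boundaries, xor tries every "
                      "single byte key.",
    "hex-strings": "Hexadecimal strings support wild-cards with ? for a nibble, "
                   "jumps like [2-4] for a variable number of bytes, and "
                   "alternatives such as (B4 | 56).",
    "conditions": "The condition section combines strings with boolean "
                  "operators and, or, not, counting with #a, offsets with @a, "
                  "and filesize checks.",
    "modules": "Import the pe module to inspect imports, sections and the "
               "entry point of Windows executables; the elf module does the "
               "same for Linux binaries.",
}


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def embed(text: str) -> Counter:
    """Bag-of-words vector: one dimension per distinct token."""
    return Counter(tokenize(text))


def cosine(a: Counter, b: Counter) -> float:
    """Similarity in [0, 1]; 0 when the texts share no token."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class Retriever:
    def __init__(self, docs: dict):
        # Embed once at index time; every query is compared against these.
        self.docs = docs
        self.index = {doc_id: embed(text) for doc_id, text in docs.items()}

    def search(self, query: str, k: int = 2) -> list:
        """Top-k (doc_id, score) pairs, most similar first."""
        q = embed(query)
        scored = sorted(((doc_id, cosine(q, vec)) for doc_id, vec in self.index.items()),
                        key=lambda item: item[1], reverse=True)
        return scored[:k]

    def context_for(self, query: str) -> str:
        """The text that would be prepended to the LLM prompt (the 'augmented' part)."""
        return self.docs[self.search(query, k=1)[0][0]]


def top_doc(query: str) -> str:
    return Retriever(KNOWLEDGE_BASE).search(query, k=1)[0][0]


if __name__ == "__main__":
    r = Retriever(KNOWLEDGE_BASE)
    for q in ("which modifier makes a string match case insensitive",
              "how do jumps and wild-cards work in hex strings"):
        print(q, "->", r.search(q))
```

Because the vectors are plain token counts, a query phrased with words absent from every document scores zero everywhere; that failure mode is what a learned embedding removes, and it is the reason a retriever's output should be checked against a held-out set of questions before the generated answers are trusted.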