Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
130
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.5k
Prompt Engineering for Threat Intelligence
fr0gger
1
580
State-Sponsored Financially Motivated Attacks
fr0gger
0
700
Binary Instrumentation for Malware Analysis
fr0gger
2
1.6k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2k
Code Graphology
fr0gger
0
810
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1k
AISA - Practical Threat Intelligence
fr0gger
0
1.4k
Other Decks in Programming
See All in Programming
Feature Flag 自動お掃除のための TypeScript プログラム変換
azrsh
PRO
4
560
JVM の仕組みを理解して PHP で実装してみよう
m3m0r7
PRO
1
240
AIエージェントによるテストフレームワーク Arbigent
takahirom
0
180
2025年のz-index設計を考える
tak_dcxi
13
5.1k
CRUD から CQRS へ ~ 分離が可能にする柔軟性
tkawae
0
210
Duke on CRaC with Jakarta EE
ivargrimstad
1
590
CQRS/ESのクラスとシステムフロー ~ RailsでフルスクラッチでCQRSESを組んで みたことから得た学び~
suzukimar
0
180
AI Coding Agent Enablement in TypeScript
yukukotani
15
6k
イベントソーシングとAIの親和性ー物語とLLMに理解できるデータ
tomohisa
1
150
External SecretsのさくらProvider初期実装を担当しています
logica0419
0
190
MLOps Japan 勉強会 #52 - 特徴量を言語を越えて一貫して管理する, 『特徴量ドリブン』な MLOps の実現への試み
taniiicom
2
350
ドメイン駆動設計とXPで支える子どもの未来 / Domain-Driven Design and XP Supporting Children's Future
nrslib
0
350
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
Become a Pro
speakerdeck
PRO
28
5.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Speed Design
sergeychernyshev
30
960
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.3k
How to Think Like a Performance Engineer
csswizardry
23
1.6k
Being A Developer After 40
akosma
91
590k
Faster Mobile Websites
deanohume
307
31k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.2k
Optimising Largest Contentful Paint
csswizardry
37
3.2k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
830
Writing Fast Ruby
sferik
628
61k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None