Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
180
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
Generative AI Breaches: Threats, Investigations, and Response
fr0gger
0
490
The XZ Backdoor Story
fr0gger
0
4.6k
Prompt Engineering for Threat Intelligence
fr0gger
1
660
State-Sponsored Financially Motivated Attacks
fr0gger
0
720
Binary Instrumentation for Malware Analysis
fr0gger
2
1.7k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2k
Code Graphology
fr0gger
0
840
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1k
Other Decks in Programming
See All in Programming
物語を動かす行動"量" #エンジニアニメ
konifar
14
5.4k
Infer入門
riru
4
1.6k
サイトを作ったらNFCタグキーホルダーを爆速で作れ!
yuukis
0
480
kiroでゲームを作ってみた
iriikeita
0
180
State of CSS 2025
benjaminkott
1
120
TanStack DB ~状態管理の新しい考え方~
bmthd
2
320
The state patternの実践 個人開発で培ったpractice集
miyanokomiya
0
150
Portapad紹介プレゼンテーション
gotoumakakeru
1
130
LLMOpsのパフォーマンスを支える技術と現場で実践した改善
po3rin
8
980
Dart 参戦!!静的型付き言語界の隠れた実力者
kno3a87
0
210
ライブ配信サービスの インフラのジレンマ -マルチクラウドに至ったワケ-
mirrativ
2
260
Claude Codeで実装以外の開発フロー、どこまで自動化できるか?失敗と成功
ndadayo
2
1.3k
Featured
See All Featured
Facilitating Awesome Meetings
lara
55
6.5k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
The World Runs on Bad Software
bkeepers
PRO
70
11k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
570
Fireside Chat
paigeccino
39
3.6k
Site-Speed That Sticks
csswizardry
10
780
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Designing Experiences People Love
moore
142
24k
4 Signs Your Business is Dying
shpigford
184
22k
Optimizing for Happiness
mojombo
379
70k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None