Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Yara Toolkit
Search
Thomas Roccia
December 16, 2024
Programming
0
210
Yara Toolkit
This talk was presented at Hack Sydney and Bsides Gold Coast.
Thomas Roccia
December 16, 2024
Tweet
Share
More Decks by Thomas Roccia
See All by Thomas Roccia
Generative AI Breaches: Threats, Investigations, and Response
fr0gger
0
660
The XZ Backdoor Story
fr0gger
0
4.7k
Prompt Engineering for Threat Intelligence
fr0gger
1
700
State-Sponsored Financially Motivated Attacks
fr0gger
0
730
Binary Instrumentation for Malware Analysis
fr0gger
2
1.7k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
1k
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
2k
Code Graphology
fr0gger
0
860
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
1.1k
Other Decks in Programming
See All in Programming
Go言語はstack overflowの夢を見るか?
logica0419
0
370
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
210
NixOS + Kubernetesで構築する自宅サーバーのすべて
ichi_h3
0
1k
bootcamp2025_バックエンド研修_WebAPIサーバ作成.pdf
geniee_inc
0
110
AI駆動で0→1をやって見えた光と伸びしろ
passion0102
1
280
Introduce Hono CLI
yusukebe
6
2.7k
Claude Agent SDK を使ってみよう
hyshu
0
1.1k
非同期jobをtransaction内で 呼ぶなよ!絶対に呼ぶなよ!
alstrocrack
0
980
uniqueパッケージの内部実装を支えるweak pointerの話
magavel
0
1k
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
takehaya
9
1.7k
Range on Rails ―「多重範囲型」という新たな選択肢が、複雑ロジックを劇的にシンプルにしたワケ
rizap_tech
0
6.7k
AIと人間の共創開発!OSSで試行錯誤した開発スタイル
mae616
1
650
Featured
See All Featured
It's Worth the Effort
3n
187
28k
Making the Leap to Tech Lead
cromwellryan
135
9.6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
Raft: Consensus for Rubyists
vanstee
140
7.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
115
20k
Building Better People: How to give real-time feedback that sticks.
wjessup
369
20k
Context Engineering - Making Every Token Count
addyosmani
7
260
The Cost Of JavaScript in 2023
addyosmani
55
9k
KATA
mclloyd
32
15k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
253
22k
What's in a price? How to price your products and services
michaelherold
246
12k
We Have a Design System, Now What?
morganepeng
53
7.8k
Transcript
YARA TOOLKIT
None
DEMO DEMO
👀
Analysis similar binaries Identify unique patterns strings, code... Build the
rule with your findings Test on a cleaned dataset Deploy to the service of choice Monitor everything
Import Module pe, elf, hash, math, cuckoo, dotnet, time Rule
Name Global rules, Private rules, Rule tags Metadata Author, Date, Description, Etc… Strings Text strings, Hexadecimal string, Regex Text Strings nocase, wide, fullword, xor(0x01-0xff), base64 Hexadecimal Wild-cards: { 00 ?2 A? }, Jump: { 3B [2-4] B4 }Alternatives: { F4 (B4 | 56) } REGEX Conditions Boolean operators, Arithmetic operators, Bitwise operators, Counting strings, Strings, offset https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd
memset(key, fillValue, sizeof(key)); memset(permutedArray, fillValue_1, sizeof(permutedArray)); for ( i =
0i64; i != 256; ++i ) { permutedArray[i] = i; key[i] = RC4key[(int)i % 12]; // '3jB(2bsG#@c7' } index1 = 0i64; index2 = 0; do { currentValue = permutedArray[index1]; index2 += key[index1] + currentValue; swapValue = permutedArray[index2]; permutedArray[index2] = currentValue; permutedArray[index1++] = swapValue; }
CVE-2021-1732 was a Local Privilege Escalation (LPE) exploit on Windows
10, exploited in the wild by the Bitter APT.
None
None
None
None
None
None
None
Yara Documentation, Useful resources. Knowledge Base Embedding Retriever Putting the
data in a multi dimensional vector Retrieve information from the database based on similarity RAG DocYara Help you understand how to use Yara Help you create your rule Help you refine your rule 👨⚕️ Retrieval Augmented Generation
None
None
None