Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we'll pull back the curtain and give you an introduction to how you can use this powerful tool.
In this short time, we'll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We will walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how to organize rules for best effect.
Outline:
I. Introduction
1. Intro: John Laycock
2. Intro: Monty St John
II. What is YARA?
A. Basic layout and types
1. Rule Name
2. Meta
3. Strings
4. Filter
5. External Variables
B. Rule Organization
1. Private versus Public
2. Monolithic versus Modular
III. Ransomware Example
IV. QBot Example
V. Tools / Resources
A. yarGen
B. PEID
C. Yara Exchange
D. ATX Yara-Python Scripts
VI. Conclusion
VII. References
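The rule below is an added example, not material from the presentation or its speakers. It puts the parts named in the outline into one file: a rule name, a meta section, a strings section, the condition section (taken here to be what the outline calls the "Filter"), an external variable supplied at scan time, and a private helper rule reused by a public rule. Every string, hex pattern and meta value is constructed for illustration.

```yara
// Added example for the outline above, not from the talk. All patterns are constructed.

// Private rule: usable by other rules in this file, but never reported as a
// match on its own. Keeping shared checks here is the "modular" approach.
private rule is_pe_file
{
    condition:
        // "MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew (0x3C)
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

// Public rule: this is the one the scanner reports.
rule Example_Ransom_Note_Dropper
{
    meta:
        author      = "placeholder author"
        description = "Constructed example: PE that embeds a ransom-note template"
        date        = "2016-01-01"
        reference   = "placeholder reference"
        severity    = "high"

    strings:
        // Text strings, matched in both ASCII and UTF-16LE, ignoring case
        $note1 = "Your files have been encrypted" nocase ascii wide
        $note2 = "bitcoin" nocase ascii wide
        // Hex pattern with two wildcard bytes and a 4-6 byte jump (constructed)
        $hex1  = { 6A 00 68 ?? ?? 40 00 E8 [4-6] 85 C0 }
        // Regular expression for a constructed ransom-note file name
        $fname = /DECRYPT_(INSTRUCTIONS|YOUR_FILES)\.(txt|html)/ nocase

    condition:
        // Reuse the private rule instead of repeating the header check
        is_pe_file
        and filesize < 2MB
        // External variable, given at scan time: yara -d loose_mode=1 rules.yar <target>
        // loose_mode = 1 accepts a single note string; otherwise two are required
        and ((loose_mode == 1 and 1 of ($note*)) or 2 of ($note*))
        and ($hex1 or $fname)
}
```

Because `loose_mode` is external, the rule will not compile unless the variable is defined on the command line or through the API, which is the usual way such a switch is handled.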
Mr. Laycock has been involved with forensics for over 17 years, starting out in the world of video forensics before moving over to computer forensics for the Department of Defense. He now works on the Threat Research Team for Fidelis Cybersecurity. Mr. Laycock lives in Maryland, where he is a happily married father of 3 children. As a life-long suffering Cubs fan, he keeps hoping that this is the year.
Monty St John is a partner at ATX Forensics and a frequent contributor to community and industry events. His previous contributions have focused on research and interests in banking and healthcare security topics. His current research focuses on harvesting DNS for threat intelligence. His latest contributions are to a book on the network side of malware analysis and to an open malware analysis book.