YAYA (Yet Another YARA Allocution)

Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we'll pull back the curtain and give you an introduction to how you can use this powerful tool.

In this short time, we'll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We will walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how to organize rules for best effect.
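As an added illustration (not part of the presentation) of the rule parts the talk covers, namely rule name, meta, strings, condition/filter, external variables and private versus public rules: every string, rule name and the scan_scope external variable below is a constructed placeholder, not an indicator of any real family.

```yara
// A private rule never reports a match on its own; it exists to be reused
// by other rules (the "modular" style of organization).
private rule is_pe_file
{
    meta:
        description = "Helper: MZ header and a plausible PE signature"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
}

// A public rule: this is what the scanner actually reports.
rule Constructed_Example_Rule
{
    meta:
        author      = "example"
        description = "Shows rule anatomy; strings are constructed placeholders"
        reference   = "PLACEHOLDER-URL"

    strings:
        // text string: ascii and UTF-16LE variants, case-insensitive
        $note_txt = "YOUR FILES HAVE BEEN ENCRYPTED" ascii wide nocase
        // regular expression
        $ext_re   = /\.(locked|crypt)\b/
        // hex pattern with a wildcard byte
        $hex_stub = { 55 8B EC 83 EC ?? 53 56 57 }

    condition:
        // cheap tests first so the engine can short-circuit early
        is_pe_file
        and filesize < 2MB
        and (#note_txt > 0 or $ext_re)
        and $hex_stub
        // external variable, supplied at scan time; the rule fails to
        // compile if it is not defined, e.g.:
        //   yara -d scan_scope=email rules.yar sample.bin
        and scan_scope == "email"
}
```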

Outline:

I. Introduction
   1. Intro: John Laycock
   2. Intro: Monty St John

II. What is YARA?
   A. Basic layout and types
      1. Rule Name
      2. Meta
      3. Strings
      4. Filter
      5. External Variables
   B. Rule Organization
      1. Private versus Public
      2. Monolithic versus Modular

III. Ransomware Example

IV. QBot Example

V. Tools / Resources
   A. yarGen
   B. PEID
   C. Yara Exchange
   D. ATX Yara-Python Scripts

VI. Conclusion

VII. References

Presented by