Detecting Malicious Files with YARA Rules as They Traverse the Network

Black Hat USA 2019

Presented by: David Bernal
Date: Wednesday August 07, 2019
Time: 17:05 - 17:30
Location: Islander FG

YARA, the pattern matching swiss knife for malware researchers, has been extremely useful at detecting suspicious files on the endpoint. However, little or no information is publicly available on how to leverage this useful tool to scan for files as they are traversing the network.

In this presentation, I will show how you can open source Zeek IDS (formerly bro) and how some custom developed scripts can be used to extract files from the network and identify attacks on an early stage before it causes more damage. Scanning for YARA files on the network has the benefit of increased performance, as compared to scanning several gigabytes or terabytes on the endpoint, as well as target specific mime types, used for malware delivery. Additionally, Zeek IDS can provide additional context whenever a YARA rule is triggered, that will provide defenders with more information to act more rapidly.

David Bernal

David Bernal Michelena has 10 years of experience in information security and holds a bachelor's degree in Computer Engineering from the National Autonomous University of Mexico (UNAM). Since June 2015, he has served as a cyber security researcher in a Cyber Security Team in Scitum, a large consultant company in Mexico and Latin America. David's main activities are malware analysis, cyber threat intelligence, digital forensics, validation of security technologies and writing and testing various detection rules to better protect the customers. David holds the following industry certifications: GREM, GCFA, GCFE, GCTI, GCIA, GASF, GXPN. In his free time, he likes to swim and play the piano


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats