YAYA (Yet Another YARA Allocution)

BSidesDC 2016

Presented by: Monty St John, John Laycock
Date: Sunday October 23, 2016
Time: 09:00 - 09:50
Location: Grand Central
Track: Track 2

Are you a security professional looking for ways to identify and classify malware families? While most commonly associated with malware, YARA can actually be used against any file. In this presentation, we'll pull back the curtain and give you an introduction to how you can use this powerful tool.

In this short time, we'll discuss the basic format and structure of a YARA rule and introduce a few tricks to increase efficiency and performance. We'll walk you through a few examples and show you some automated tools and how they can help. Lastly, we'll tie things up with some pointers on how to organize rules for best effect.

Outline:

I. Introduction
   1. Intro: John Laycock
   2. Intro: Monty St John

II. What is YARA?
   A. Basic layout and types
      1. Rule Name
      2. Meta
      3. Strings
      4. Filter
      5. External Variables
   B. Rule Organization
      1. Private versus Public
      2. Monolithic versus Modular

III. Ransomware Example

IV. QBot Example

V. Tools / Resources
   A. yarGen
   B. PEID
   C. Yara Exchange
   D. ATX Yara-Python Scripts

VI. Conclusion

VII. References
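The following rule set is an added example to accompany section II of the outline; it is not a rule from the talk and does not describe any real malware family. It shows each element the outline names in one place: a rule name, a meta block, the three string types (text, hex, regular expression), a condition (the outline's "Filter"), an external variable, and a private helper rule referenced by a public rule. The rule names, the hex bytes, and the external variable name max_size are all hypothetical.

```yara
// Added example, not part of the talk. Every pattern below is constructed
// for illustration and is not taken from any real sample.

// Private rule: evaluated like any other rule, but never reported on its
// own. Public rules may reference it by name in their condition.
// In a modular layout this helper would live in its own file and be
// pulled in with:  include "helpers.yar"
private rule Is_PE_File
{
    meta:
        description = "Helper: file starts with the DOS 'MZ' magic"
    condition:
        uint16(0) == 0x5A4D
}

// Public rule: this is what shows up in yara's output on a match.
rule Example_Ransom_Note_Dropper
{
    meta:
        author      = "added example, not from the talk"
        description = "Illustrative rule: PE that carries ransom-note style text"
        date        = "2016-10-23"
        reference   = "hypothetical; no specific sample"

    strings:
        // Text strings; nocase ignores case, wide/ascii match UTF-16 and 8-bit forms
        $note1 = "your files have been encrypted" nocase wide ascii
        $note2 = "decrypt" nocase wide ascii
        // Hex string; ?? is a one-byte wildcard (bytes are hypothetical)
        $hex1  = { 48 8B ?? 48 33 C9 E8 }
        // Regular expressions: a Bitcoin-address-shaped token and a .onion host
        $btc   = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/
        $onion = /[a-z2-7]{16}\.onion/ nocase

    condition:
        // filesize is built in; max_size is an external variable that must be
        // supplied at scan time (see usage below) or the rule will not compile
        Is_PE_File
        and filesize < max_size
        and ($note1 or $note2)
        and 1 of ($hex1, $btc, $onion)
}
```

Because the condition uses the external variable max_size, it has to be defined on the command line, e.g. `yara -d max_size=2000000 example.yar sample.exe`; only Example_Ransom_Note_Dropper is printed on a hit, since Is_PE_File is private. Keeping the cheap checks (header magic, filesize) first in the condition lets YARA short-circuit before the string scan on files that cannot match, which is the kind of performance trick the abstract refers to.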

John Laycock

Mr. Laycock has been involved with forensics for over 17 years. He started out in video forensics before moving to computer forensics for the Department of Defense. He now works on the Threat Research Team at Fidelis Cybersecurity. Mr. Laycock lives in Maryland, where he is a happily married father of three children. As a lifelong, long-suffering Cubs fan, he keeps hoping that this is the year.

Monty St John

Monty St John is a partner at ATX Forensics and a frequent contributor to community and industry events. His previous contributions have focused on research and interests in banking and healthcare security. His current research focuses on harvesting DNS for threat intelligence. His latest contributions are to a book on the network side of malware analysis and to an open malware analysis book.

