An Introduction to YARA

by Matt Brooks

YARA is a pattern-matching tool for identifying and classifying malware by the strings and byte sequences a file contains, and it is widely used in malware analysis and incident response. This workshop is geared towards beginners who have heard of the tool and would like to learn more. Exercises range from writing the first signature as a group to getting creative and "solving puzzles" over a large malware repository.

Requirements
Participants should be comfortable looking at the strings or hex dump of a file but do not need experience with disassemblers or debuggers. As this is hands-on, participants will need to bring their own laptop meeting the following requirements:

  • An isolated machine or VM that is safe for handling Windows malware samples (we will work with live Windows malware, not crackme files)
  • Access to a *nix command line
  • The following tools installed:
    • YARA
    • radare2 (r2)
    • Python, with the following libraries installed from pip:
      • pefile
      • oletools
  • The following scripts downloaded:
    • rtfdump.py and oledump.py by Didier Stevens

The instructor will be working locally on macOS, outside a VM.
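A pre-flight check for the requirements above, so you can confirm your laptop is ready before the session rather than during it. This is an added example for this page, not part of the workshop materials. It assumes the tool binaries are on PATH under their usual names ("yara" for YARA, "r2" for radare2), that the pip packages are importable under the names pefile and oletools, and that Didier Stevens' scripts are either on PATH or in a directory you name on the command line (an assumption; the page does not say where they should live).

```python
#!/usr/bin/env python3
"""Pre-flight check for the workshop prerequisites.

Added example for this page, not part of the workshop materials. It
assumes the tool binaries are on PATH under their usual names ("yara"
for YARA, "r2" for radare2) and that Didier Stevens' scripts are either
on PATH or in a directory given on the command line (an assumption;
the workshop does not prescribe where they live).
"""
import importlib.util
import os
import shutil
import sys

REQUIRED_COMMANDS = ("yara", "r2")           # CLI tools from the list
REQUIRED_MODULES = ("pefile", "oletools")    # pip packages; import names match
REQUIRED_SCRIPTS = ("rtfdump.py", "oledump.py")


def check_command(name):
    """Return the resolved path of an executable on PATH, or None if absent."""
    return shutil.which(name)


def check_module(name):
    """Return True if this interpreter can import the top-level module `name`."""
    return importlib.util.find_spec(name) is not None


def check_script(name, search_dirs):
    """Return the path of a helper script, looking in search_dirs first, then PATH."""
    for directory in search_dirs:
        candidate = os.path.join(os.path.expanduser(directory), name)
        if os.path.isfile(candidate):
            return candidate
    return shutil.which(name)


def missing_prerequisites(commands=REQUIRED_COMMANDS,
                          modules=REQUIRED_MODULES,
                          scripts=REQUIRED_SCRIPTS,
                          script_dirs=()):
    """Return a list of 'kind: name' strings for every prerequisite not found.

    An empty list means the environment satisfies the workshop requirements.
    """
    missing = []
    for name in commands:
        if check_command(name) is None:
            missing.append("command: " + name)
    for name in modules:
        if not check_module(name):
            missing.append("python module: " + name)
    for name in scripts:
        if check_script(name, script_dirs) is None:
            missing.append("script: " + name)
    return missing


def main(argv):
    """Usage: preflight.py [DIR ...]  (extra directories to search for the scripts)."""
    missing = missing_prerequisites(script_dirs=argv[1:])
    if not missing:
        print("All workshop prerequisites found.")
        return 0
    print("Missing prerequisites:")
    for item in missing:
        print("  - " + item)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the directory holding the Didier Stevens scripts as an argument (for example `python3 preflight.py ~/DidierStevensSuite`); a non-zero exit code with a list of what is missing tells you what still needs installing. The module check uses `importlib.util.find_spec` rather than importing the packages, so it does not run any package code during the check.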

Materials
Please also download the materials from the link below and place the extracted directory in your home directory:

https://bit.ly/2GyL4SR

The password for the materials will be given out at the start of the workshop. If you want it early, reach out to me via Twitter (@cmatthewbrooks).

Infosec in the City. Copyright © 2017-2019
IIC Productions (Pte. Ltd.). All rights reserved.