Title: (Beginner) Leveraging the critical YARA skills for Blue Teamers
Description:
YARA rules have become one of the de facto industry standards for threat detection on files. It is important that blue teamers know what YARA rules are and have the basic skills to leverage them correctly on file systems, memory dumps and network traffic. This is useful for multiple blue team roles, mainly malware researchers, security analysts, threat hunters and intelligence analysts.
• Writing YARA rules
• Reading YARA rules
• Enhancing YARA rules
I will prepare a Linux virtual machine, loaded with malware samples, memory dumps and pcaps, that will be given to the attendees. They will work through various exercises to learn the basic YARA skills. In this training, the attendees will learn:
• How to install YARA on Linux and Windows
• How to develop YARA rules for several malware samples
• How to do targeted scans with YARA on the file system
• How to do YARA scans of memory dumps with Volatility and Rekall
• How to scan files carved from network traffic with YARA
• A video showing YARA detection of malicious files in a pcap
• A tool created by the author (YARAZeek) for automatically extracting files from network traffic and analyzing them with YARA rules
• Getting open-source YARA rules from well-known security researchers and other reputable sources
• Using VirusTotal Retrohunt
Speaker(s): David Bernal Michelena
Location: Blue Team Vlg / Blue Team Vlg - Workshop Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-08 09:00 (09:00 AM) PDT (UTC -07:00)
Event ends: 2020-08-08 10:30 (10:30 AM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-03T00:14 (UTC).
