
Introduction to YARA — by Matt Brooks


Updated: Jun 19, 2020

#IICSG2018 Conference Workshop Track


Day 2 (25 May 2018)

11.30am—3.15pm

@ Bras Basah Room



Abstract

YARA is a tool used for malware analysis and incident response. This workshop is geared towards beginners who have heard of the tool and would like to learn more. Exercises range from writing the first signature as a group to getting creative and "solving puzzles" over a large malware repository.

Requirements

Participants should be comfortable looking at the strings or hex dump of a file but do not need experience using disassemblers or debuggers. As this is hands-on, participants will need to bring their own laptop meeting the following requirements:
  • Safe to handle Windows malware samples (we will work with live Windows malware, not crackme files).

  • Access to a *nix command line.

  • The following tools installed:
    - YARA
    - radare2 (r2)
    - Python, with the pefile and oletools libraries (from pip)

  • The following scripts included:
    - rtfdump.py and oledump.py by Didier Stevens

The instructor will be working from macOS locally, outside a VM.

Materials

Please also download the materials from the following link and place the extracted directory in your home directory: https://bit.ly/2GyL4SR

The password will be given out at the start of the Workshop. If you want it early, reach out to me via Twitter (@cmatthewbrooks).


About Matt Brooks

Matt Brooks is a malware researcher with an interest in malware used to target civil society. In addition to private malware research, he has experience in intelligence and incident response in the US government and private sectors.
