Abstract

Introduction:
This hands-on session covers the basics of YARA rules using the yara tool and highlights the importance of YARA rules for detecting indicators of compromise (IoCs) during incident response. The yara tool identifies malware patterns (expressed as hexadecimal strings, text strings and regular expressions) in files and processes to help classify them into user-defined malware families. The practical part of the session starts with writing basic rules and extends to writing advanced YARA rules for files, memory dumps and process dumps.

Agenda:
• Intelligence-driven Incident Response
• Cyber threat indicators
• Introduction to YARA – the pattern matching Swiss knife
• Setting up the YARA platform
• Anatomy of YARA
• Writing basic YARA rules
• Writing YARA rules to scan malicious files (PEs) and processes
• YARA in memory forensics (Volatility)
• YARA modules – the PE module at a glance
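As an added illustration of the "anatomy of YARA" and "PE module" agenda items (example rules written for this page, not material from the workshop or the YARA project), the rule set below shows the three string types the introduction mentions (text, hex and regular expression), the modifiers that control how they match, a condition that combines them, and a second rule that relies on the pe module instead of raw byte patterns. All rule names, meta values, byte patterns and import names are constructed placeholders, not real indicators.

```yara
// Added example, not part of the workshop page. Rule names, meta values and
// the strings below are constructed for illustration, not real IoCs.
import "pe"

rule Example_Basic_Strings
{
    meta:
        description = "Demonstrates the three string types and a condition"
        author      = "workshop example (constructed)"
    strings:
        // text string; 'wide' also matches the UTF-16 form common in process
        // memory, 'ascii' keeps the 8-bit form, 'nocase' ignores case
        $txt = "cmd.exe /c" ascii wide nocase
        // hex string with wildcard bytes (??) and a jump of 2 to 4 bytes
        $hex = { 6A 00 68 ?? ?? 40 00 [2-4] E8 }
        // regular expression: a dotted IPv4 literal embedded in the file
        $re  = /\b(?:\d{1,3}\.){3}\d{1,3}\b/
    condition:
        // MZ header at offset 0 and at least two of the three strings
        uint16(0) == 0x5A4D and 2 of ($txt, $hex, $re)
}

rule Example_PE_Module
{
    meta:
        description = "Uses the pe module instead of raw byte patterns"
    condition:
        pe.machine == pe.MACHINE_I386 and
        pe.number_of_sections > 2 and
        pe.imports("kernel32.dll", "VirtualAlloc") and
        pe.imports("kernel32.dll", "WriteProcessMemory") and
        // entry point lying outside the .text section is a common packer hint
        not for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name == ".text" and
            pe.entry_point >= pe.sections[i].raw_data_offset and
            pe.entry_point <  pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size
        )
}
```

Run it against a directory with `yara -r rules.yar samples/`, or list the matching strings with `-s` while tuning. Two caveats worth keeping in mind for the memory-forensics part of the agenda: string-only rules such as the first one work as-is in Volatility's yarascan, where `wide` matters because many strings in process memory are UTF-16; rules that use the pe module need a parseable PE image, so they are meant for files and for executables carved out of memory (for example with dlldump or procdump) rather than for raw memory regions.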

Prerequisites:
• Basic understanding of C and Python (regular expressions)
• Basic knowledge of Windows PE files and processes
• Hands-on experience with tools such as strings, hexdump, PE tools and Sysinternals
• Exposure to memory forensics (memdump, dlldump, handles, mutantscan, yarascan etc.)
• Willingness to learn new things

Come with the following:
• VMware Workstation 8 or above
• Download REMnux 6.0 at http://sourceforge.net/projects/remnux/files/version6/remnux-6.0-ova-public.ova/download
• Windows 7 VM with YARA installed. YARA is available at https://goo.gl/PQjmsf; dependencies are Python 2.7 or above and the Microsoft Visual C++ 2010 Redistributable Package (x86) (x64).

Speaker

D.M.Reddy

Security / Forensic Consultant

Timing

Starts on Saturday, August 22 2015, at 11:00 AM. The session runs for about 6 hours.

Resources