Commanding YARA

$495.00

YARA is a powerful and free sleuthing tool that belongs in every threat intelligence, incident response or SOC team's toolkit. It runs on any platform, is open source and is small enough to fit easily into any trusted tool set. Its ability to sift through data and identify files based on logic, not just by simple comparison but also via fuzzy logic, makes YARA hard to beat. It can be used simply, for insight into an isolated event, or in a sophisticated manner as part of an incident response or research laboratory. Teams not using YARA are missing out on a key intelligence capability. Its ease of use and rapid deployment mean you can get started with YARA quickly, but that same ease can just as easily lead to missing the sophisticated and powerful ways to use it.

Course Unavailable

This class is not currently available at a scheduled time; instead, it is scheduled in response to customer interest. If you are interested in taking this class, please provide your contact information and we will reach out to you with the dates currently under consideration.

Course Objectives

Through interactive labs, the student will learn:

  • File classification
  • YARA rule creation
  • Fuzzy logic
  • Rule organization and strategy

Target Student

Who should attend?

  • Individuals new to or desiring a better understanding of how to use YARA.
  • Professionals who deal with technical issues but feel they lack the background to use YARA successfully.
  • Technical professionals who need a deeper knowledge of incident response and threat intelligence, and of their own role in resolving incidents.

Location

CDI Academy
1205 Sam Bass Road, Suite 300
Round Rock, TX 78681
(512) 255-3700

Course Outline

Introduction

Setup

YARA fundamentals

  • Lab 0 – YARA introduction
  • Strategies (direct, indirect, inverse)
  • Logic (Declarative, Connective, Cause & Effect)
  • Lab 1 – strings, hex & regex

File Magic

  • File types and file magic
  • Lab 2 – file magic (PE, PDF, Zip)

Structure and Format

  • Files and data organization
  • Lab 3 – Email (a & b)

Data and Content

  • BOF & EOF
  • Lab 4 – B/EOF (PDF, JPG)

Structural Detection

  • Lab 5 – Detection by Format (PDF)

YARA Keywords

  • Keywords
  • Rule organization basics
  • Lab 6 – Keyword modifications (PE/malware)
  • Lab (a-c) – Hex Jumps & Regexes (PE/malware)

Global Rules & Organization

  • Lab 7 – Classifying Emails
  • Negative space (inverse matching)
  • Lab 7a – Inverse matching email
  • Detection strategy & logic (one more time)
  • Classifying Malware Families
  • Core identification
  • Lab 8 – Malware classification (core)

Variations and derivatives

  • Lab 9 – Malware Family Classification

YARA Online

  • Basics of using YARA integrations online
  • Lab 10 – YARA on Alienvault OTX
  • Lab 11 – Sandboxes

YARA QA/QC

Tricks & Tips

Your Instructor

Monty St John

Monty St John has been in the security world for more than two decades. When he is not responding to incidents, he teaches classes in Threat Intelligence, Incident Response and Digital Forensics.

Certification

Certificate of Completion

Date(s)

(Online) Oct 25
(Online) Sept 15
(Round Rock) Oct 17