Classify Malware with YARA
ฝัง
- เผยแพร่เมื่อ 26 มิ.ย. 2024
- jh.live/soc || Join me for the SOC Analyst Appreciation Day! A completely FREE event on October 18th by DEVO! jh.live/soc
00:00 - YARA
00:47 - Setting Up
03:10 - Using YARA
04:02 - Writing rules
10:44 - Rule Resources
12:39 - Another Rule Resource
17:23 - YARA Integration
20:09 - Final Resources
🔥 TH-cam ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
The experience that he has speaks volumes with respect to how detailed he explains, yet it is so simple to understand.
Growing with JH's content is such a beautiful experience,, I love it ,, Keep it up, John.
John could you possibly make a video for beginners on how to store and safely manage malware in a virtual environment? ❤
John's content is really inspiring and his prowess in the field is something to behold. Quick question: How do I identify a malicious thread located in a memory dump file using memory forensics tools like volatility
This is awesome. Thanks.
Sounds like a cool tool... Only heard of it now. Shot Bro.
Growing ❤
ThankYou so much john
Nowdays, I'm study about malware analysis, at the right time you dropped the video 🤩🤩
why do you remove the subtitles?
Nice vide John! Quick question, how to do Yara rule scan for multiple hosts? for an example if we are looking for an signature in all the users endpoint then what will be the easier way to run it and pull that report? Thank you.
You can do this in a few ways-- if you want to scan hosts directly, something like Ansible is really going to prop up your SOC to distribute and establish any sort of scanning. We locally host our ruleset in a single location, and then pull that ruleset every time we perform a scan so we're operating on the most recent version.
Ultimately, it's typically a matter of simply pulling a ruleset from a single consolidated location to ensure you're operating on an updated ruleset, and then invoking it across each machine.
@@sudo-rem sorry didn't get all of it. Could you please share any link if this is something explained in detail? Thank you.
I ran into problem when importing all rules recursively and detecting using python rules downloaded from same repo but I solved it by removing certain yar files that listed and acted like index to every other actual rule files
Cool
I think Yara is a good tool to build an own antivirus client if you absolutely don't trust any existing AV solution or want a lightweight, dumbed-down, and customized AV.
@@newwindserver YARA can effectively detect certain types of variable obfuscation based on pattern occurrences or certain strings/operations/data surrounding certain functions. But in general, we levy different tools for this. YARA can and does support a large portion of antivirus solutions, but they're combined with other tools to perform the task.
❤❤
How much info do you have with Linux for people who absolutely hate "wind blows" Windows?
I know a lot of beta tests are run on Linux, but most people with desktops dual boot their computer.
Anything other than doing what I just did, post disparaging remarks, sorry, would help
Thanks 👍
Even if all of your machines are Linux machines, Windows still has the biggest market share, so you still need to know how it works. You would be severely limiting yourself, otherwise.
You didn’t say the acronym for YARA. But it’s absolutely hilarious 😆
what is it ?
Yet Another Ridiculous Acronym.
Please do video on how to create computer warm
Fire up any modern AAA video game!
Do you help recover google accounts?
Wow
2nd comment leggo
14 min ago 4th
5th
Pegasus ? 🤣