Detection of malicious capabilities using YARA - Brian Bell (BSides Augusta 2016) (Hacking Illustrated Series InfoSec Tutorial Videos)

Detection of malicious capabilities using YARA
Brian Bell

YARA, a powerful framework for pattern matching, is often used to detect malicious files, but it can also be used to detect specific capabilities within files. These capability signatures can then be aggregated to give a full picture of just how suspicious a given file is. Signatures can be written to detect keylogging, network capability, and many other potentially suspicious activities, as well as to detect packed or encrypted executables or sections.
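As an added illustration (not rules from the talk), the following shows what capability rules of this kind and an aggregating rule can look like using YARA's `pe` and `math` modules; the specific API names, DLLs and the 7.0 entropy threshold are assumptions chosen for the example:

```yara
import "pe"
import "math"

// Assumed for this example: the DLL/API names and the 7.0 entropy threshold
// are illustrative choices, not an exhaustive or authoritative list.
rule cap_keylogging : capability
{
    meta:
        description = "Imports commonly used to capture keystrokes"
    condition:
        uint16(0) == 0x5A4D and
        (
            pe.imports("user32.dll", "GetAsyncKeyState") or
            pe.imports("user32.dll", "SetWindowsHookExA") or
            pe.imports("user32.dll", "SetWindowsHookExW")
        )
}

rule cap_network : capability
{
    meta:
        description = "Imports that give the binary outbound network capability"
    condition:
        uint16(0) == 0x5A4D and
        (
            pe.imports("ws2_32.dll", "connect") or
            pe.imports("wininet.dll", "InternetOpenUrlA") or
            pe.imports("urlmon.dll", "URLDownloadToFileA")
        )
}

rule cap_packed_section : capability
{
    meta:
        description = "A PE section with near-random bytes, typical of packed or encrypted code"
    condition:
        uint16(0) == 0x5A4D and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].raw_data_size > 0 and
            math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) >= 7.0
        )
}

// Aggregation: no single capability is malicious on its own, but combinations
// of them raise the suspicion level of the file.
rule suspicious_capability_combo
{
    condition:
        (cap_keylogging and cap_network) or
        (cap_packed_section and (cap_keylogging or cap_network))
}
```

Run with `yara capabilities.yar sample.exe`: each `cap_*` match reports one capability, and `suspicious_capability_combo` fires only when the combinations above are present.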

Brian Bell is a malware analyst and threat researcher for a major retail organization. He was an IT in the US Navy and an Infantryman in the US Army, and spent a lot of time in the SIGINT forensics field before leaving the military to work as a government contractor. Brian has worked various missions at the US Air Force CERT and has spent time as an instructor at the Joint Cyber Analysis Course. More recently, he has worked as a lead SOC analyst for Charles Schwab and as the malware analysis, threat intelligence, and host and network forensics lead for DataShield Consulting. Brian is currently GREM certified, and held GCIA certification in the past. He is also the holder of a SANS "Lethal Forensicator" coin.

@BiebsMalwareGuy

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast