null Mumbai Humla 17 October 2015 Incident Response with YARA | A pattern matching swiss knife - Part 2 Register

Null offensive hacking hands-on training.

Proposed sessions for this event:

• Incident Response with YARA - Part 2 by D.M.Reddy
• Incident Response with YARA - Part 2 Continued by D.M.Reddy

Incident Response with YARA {A pattern matching swiss knife } Part 2

This is a complete hands on session on volatility (open source memory forensics framework) and yara {A pattern matching swiss knife} to detect Indicators of compromise (IoC) a.k.a cyber threat indicators. Yara tool identifies the malware patterns (using hexadecimal strings, text strings and regular expressions) in various files and processes to help classify them into various user defined malware families. The practical part deals with memory dump analysis using volatility to levarge yara to write up advanced yara rules for various files, memory dumps and process dumps.

Agenda:
* Incident Response
* Cyber threat Indicators (IOC)
* Introduction to Yara – Pattern matching Swiss knife
* Writing yara rules to scan malicious files ( PEs ) and processes
* Yara in Memory Forensics (Volatility )

* Loki - Simple IOC Scanner

Prerequisites:
* Basic understanding of C and Python (regular expressions )
* Basic Knowledge of windows PE and processes
* Hands on using tools like strings, hexdump, PE tools and sysinternals.
* Exposure to memory forensics ( memdump, dlldump, handles, mutantscan, yarascan etc.)
* Willingness to learn new things.

Come with the following:
* VMware Workstation 8 or above
*Download REMnux 6.0 at http://sourceforge.net/projects/remnux/files/version6/remnux-6.0-ova-public.ova/download
* Windows 7 VM with Yara. YARA available at https://goo.gl/PQjmsf
dependenices python 2.7 or above and Microsoft Visual C++ 2010 Redistributable Package (x86) (x64)