Digital Forensics and Incident Response by Gerard Johansen

Yara and Loki

Two tools that work together to bring threat intelligence to bear during an incident are Yara and Loki. Yara is often referred to as the Swiss Army Knife of pattern matching. It was created to help malware researchers identify and classify malware samples (https://github.com/virustotal/yara). A Yara rule pairs a set of strings with a Boolean condition over those strings; a file or memory region matches the rule when the condition is satisfied. For example, the Yara rule for one variant of the PoisonIvy RAT begins like this:

    rule PoisonIvy_Generic_3 {
        meta:
            description = "PoisonIvy RAT Generic Rule"
            author = "Florian Roth"
            date = "2015-05-14"
            hash = "e1cbdf740785f97c93a0a7a01ef2614be792afcd"
        strings:
            $k1 = "Tiger324{" fullword ascii
            $s2 = "WININET.dll" fullword ascii
            $s3 = "mscoree.dll" fullword wide
            $s4 ...
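To make the matching model behind such a rule concrete, the following Python program is an added example (not code from the book, and not Yara itself): it re-implements a small slice of Yara's semantics so the mechanics can be run offline. It parses a `strings:` section with the `ascii`, `wide` and `fullword` modifiers, then evaluates a condition made of string identifiers, `and`/`or`, parentheses and `all|any|N of (...)` quantifiers. The rule `Demo_PoisonIvy_Style` is constructed for this example: its three strings are the ones visible in the excerpt above, but its condition is invented, because the page truncates the real rule before its condition. The sample buffers are constructed byte strings, not real malware. For actual scanning use the `yara` command-line tool or the `yara-python` bindings.

```python
import re
from collections import namedtuple

# Constructed rule in the style of the PoisonIvy_Generic_3 excerpt: the three
# strings are from that excerpt, the condition is invented for this demo.
DEMO_RULE = r'''rule Demo_PoisonIvy_Style {
    strings:
        $k1 = "Tiger324{" fullword ascii
        $s2 = "WININET.dll" fullword ascii
        $s3 = "mscoree.dll" fullword wide
    condition:
        $k1 or all of ($s*)
}'''

# value: bytes as they must appear in the data; width: 1 (ascii) or 2 (wide, UTF-16LE)
YaraString = namedtuple("YaraString", "name value fullword width")
STRING_RE = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)')
TOKEN_RE = re.compile(r"\(|\)|\$\w*\*?|\d+|[a-z]+")

def parse_rule(text):
    """Return ([YaraString, ...], condition_text) for one rule with text strings."""
    strings_part, condition = text.split("strings:", 1)[1].split("condition:", 1)
    condition = condition.strip().rstrip("}").strip()
    patterns = []
    for m in filter(None, (STRING_RE.match(ln.strip()) for ln in strings_part.splitlines())):
        name, literal, mods = m.group(1), m.group(2), set(m.group(3).split())
        raw = literal.encode("latin-1").decode("unicode_escape").encode("latin-1")
        if "ascii" in mods or "wide" not in mods:              # ascii is the default
            patterns.append(YaraString(name, raw, "fullword" in mods, 1))
        if "wide" in mods:                                      # wide = UTF-16LE form
            wide = raw.decode("latin-1").encode("utf-16-le")
            patterns.append(YaraString(name, wide, "fullword" in mods, 2))
    return patterns, condition

def string_matches(pat, data):
    """True if pat occurs in data; fullword also rejects occurrences touching an
    ASCII alphanumeric (checked per code unit, i.e. 2 bytes for wide)."""
    w, start = pat.width, 0
    while (pos := data.find(pat.value, start)) != -1:
        end = pos + len(pat.value)
        before_ok = pos < w or not (bytes([data[pos - w]]).isalnum() and (w == 1 or data[pos - 1] == 0))
        after_ok = end + w > len(data) or not (bytes([data[end]]).isalnum() and (w == 1 or data[end + 1] == 0))
        if not pat.fullword or (before_ok and after_ok):
            return True
        start = pos + 1
    return False

class Condition:
    """Evaluates: $id | X and Y | X or Y | (X) | (all|any|N) of (them | ($prefix*) | ($id))."""
    def __init__(self, text, matched):
        self.toks, self.matched = TOKEN_RE.findall(text), matched   # matched: "$id" -> bool
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        return self.toks.pop(0)
    def evaluate(self):
        result = self.or_expr()
        if self.toks:
            raise ValueError(f"unexpected token {self.toks[0]!r}")
        return result
    def _binary(self, op, sub, combine):
        val = sub()
        while self.peek() == op:
            self.take()
            val = combine(val, sub())   # right operand is parsed even if already decided
        return val
    def or_expr(self):
        return self._binary("or", self.and_expr, lambda a, b: a or b)
    def and_expr(self):
        return self._binary("and", self.primary, lambda a, b: a and b)
    def primary(self):
        tok = self.take()
        if tok == "(":
            val = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok.startswith("$"):
            return self.matched[tok]
        self.take()                                    # tok is all | any | N; skip "of"
        names = self.string_set()
        needed = len(names) if tok == "all" else 1 if tok == "any" else int(tok)
        return sum(self.matched[n] for n in names) >= needed
    def string_set(self):
        if self.take() == "them":                      # otherwise we consumed "("
            return list(self.matched)
        item, _close = self.take(), self.take()        # $prefix* or $id, then ")"
        if item.endswith("*"):
            return [n for n in self.matched if n.startswith(item[:-1])]
        return [item]

def scan(rule_text, data):
    """Evaluate one rule against a byte buffer; returns (hit, {"$id": matched})."""
    patterns, condition = parse_rule(rule_text)
    matched = {}
    for p in patterns:   # ascii and wide forms of one $id share the identifier
        matched[p.name] = matched.get(p.name, False) or string_matches(p, data)
    return Condition(condition, matched).evaluate(), matched

# Constructed sample buffers (not real malware).
SAMPLE_HIT = (b"MZ\x90\x00" + b"\x00" * 12 + b"Tiger324{\x00WININET.dll\x00\x00"
              + "mscoree.dll".encode("utf-16-le") + b"\x00\x00")
SAMPLE_MISS = b"MZ\x90\x00" + b"\x00" * 12 + b"WININET.dll\x00mscoree.dll\x00"  # ascii, not wide
SAMPLE_GLUED = b"\x00xTiger324{\x00"   # fullword fails: 'x' is glued to the key
```

Calling `scan(DEMO_RULE, SAMPLE_HIT)` reports a hit with all three strings present; `SAMPLE_MISS` contains `mscoree.dll` only as ASCII, so the `wide` string `$s3` does not match and `all of ($s*)` fails; `SAMPLE_GLUED` shows why `fullword` matters, since `xTiger324{` is not counted as an occurrence of the key. The real engine adds much that this sketch omits (hex and regex strings, `uint16(0) == 0x5A4D` style file-header checks, module functions), but the core idea is the same: per-string match flags combined by a Boolean condition.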
