Since switching my focus from incident response to threat hunting I have been using YARA more and more often to identify new samples and track the threat actors using them. During 2023 I was able to complete Steve Miller's excellent "YARA for Security Analysts" course from Applied Network Defense, and wanted to challenge myself to write even more YARA rules, so I am joining in the 2024 edition of #100DaysofYARA.
I am mostly focusing on specific malware families and tools that I encounter during my day job, but I also have plans for some more generic hunting rules that might catch something interesting.
I plan to add new rules each day, posting them on this blog and uploading them to GitHub, where hopefully someone else will find them useful.
Unless otherwise stated, all of the samples I will be triaging will be acquired from public repositories such as those on Lenny Zeltser's list of malware sources, or will be based on analysis of public reports and blogs.
#100DaysofYARA 2024 starts on the 1st of January. Let's go!