YAMAGoya: Open Source Threat Hunting Tool using YARA and SIGMA
DAY 2, 15:00-15:40
In recent years, malware analysts and security researchers have actively utilized signature-based formats such as YARA and SIGMA to aid in threat detection and hunting. However, existing endpoint security tools often lack the ability to directly leverage YARA and SIGMA, as they rely on their own proprietary detection engines.
Furthermore, the kernel-mode drivers that endpoint protection products typically install put OS stability at risk: a bug in such a driver brings down the whole system rather than a single process. To address this, we developed YAMAGoya, a new threat hunting tool that runs entirely in userland and requires no kernel driver.
YAMAGoya supports SIGMA signatures and monitors a wide range of events, including file, process, registry, and network activity. It also implements YARA-based memory scanning, which makes it possible to detect malware that is only present in memory and so to detect it more precisely than with file-based signatures alone. Designed for both GUI and command-line operation, it covers use cases ranging from security operations teams to individual researchers.
This session will detail how YAMAGoya achieves threat detection on Windows using YARA and SIGMA signatures. Through a demonstration simulating actual attack scenarios, we will specifically show how YAMAGoya visualizes, detects, and contains threats. We believe that this tool, which allows seamless utilization of the vast number of signatures published by the global security research community, will significantly expand the possibilities for endpoint threat countermeasures.
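To make concrete what "applying SIGMA signatures to endpoint events in userland" means in practice, the following is an added example of a minimal Sigma-style rule matcher evaluated over constructed process-creation events. It is illustrative code written for this page, not YAMAGoya's own code or its rule engine. The rule is given as the parsed (dict) form of a Sigma YAML document with the usual selection / filter / condition layout, the field names (Image, CommandLine, ParentImage) follow the Sigma process_creation log source, and the events are constructed, not real telemetry.

```python
"""Minimal Sigma-style matcher over constructed process-creation events.

Added illustrative example, not YAMAGoya's code. It supports the subset of
Sigma that most endpoint rules use: field maps with the endswith / startswith /
contains / re modifiers, plain values with * and ? wildcards, lists of values
(ORed), and conditions built from identifiers, and, or, not and parentheses.
"""
import re

# Constructed events (not real telemetry). The shape mirrors what a userland
# event monitor would hand to a rule engine for a process-creation event.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Parsed form of an illustrative Sigma rule (hypothetical rule, written here).
RULE = {
    "title": "Office Application Spawning rundll32 (illustrative rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": r"\rundll32.exe",
            "ParentImage|endswith": [r"\WINWORD.EXE", r"\EXCEL.EXE", r"\POWERPNT.EXE"],
        },
        "filter": {"CommandLine|contains": "shell32.dll"},
        "condition": "selection and not filter",
    },
}


def _match_value(value, pattern, modifier):
    """Compare one event field against one rule value (case-insensitive, as in Sigma)."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "re":
        return re.search(str(pattern), str(value)) is not None
    # Plain value: Sigma allows * (any run) and ? (one char) wildcards.
    regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, v) is not None


def _match_selection(event, selection):
    """All fields in a selection map are ANDed; a list of values for one field is ORed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], p, modifier) for p in patterns):
            return False
    return True


def _evaluate_condition(condition, results):
    """Evaluate a condition over per-selection results. Precedence: not > and > or."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        v = parse_and()
        while peek() == "or":
            take()
            r = parse_and()
            v = v or r
        return v

    def parse_and():
        v = parse_not()
        while peek() == "and":
            take()
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            v = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        name = take()
        if name not in results:
            raise ValueError(f"unknown selection in condition: {name}")
        return results[name]

    v = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in condition")
    return v


def match_rule(rule, event):
    """True if the rule's condition holds for this event."""
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return _evaluate_condition(detection["condition"], results)


def hunt(rule, events):
    """Return the events the rule fires on."""
    return [e for e in events if match_rule(rule, e)]


if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print(f"[{RULE['title']}] {hit['ParentImage']} -> {hit['CommandLine']}")
```

Run as-is, only the second constructed event fires: rundll32.exe spawned by WINWORD.EXE with a DLL from a user-writable path. The third event is rundll32.exe too, but its parent is explorer.exe, so the selection fails, and an Office-spawned rundll32.exe loading shell32.dll would be suppressed by the filter. The matching here is deliberately literal; a production engine also has to normalise paths and handle the remaining Sigma modifiers and aggregation syntax.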
Location: Track 3 (Room 3)
Category: Bluebox
Speakers
Shusei Tomonaga
朝長 秀誠
Shusei Tomonaga is a member of the Incident Response Group of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensic investigation. In particular, he spearheads the analysis of targeted attacks affecting critical Japanese industries. In addition, he has written blog posts on malware analysis and technical findings (https://blogs.jpcert.or.jp/en/). He has presented at CODE BLUE, BsidesLV, Botconf, VB Conference, Hitcon, PHDays, PacSec, FIRST Conference, DEF CON, BlackHat USA Arsenal and more.
Tomoya Kamei
亀井 智矢
Tomoya Kamei is a member of the Incident Response Team of JPCERT/CC. Since June 2023, he has been engaged in malware analysis and forensic investigation.