Time Table

In recent years, malware analysts and security researchers have actively utilized signature-based formats such as YARA and SIGMA to aid in threat detection and hunting. However, existing endpoint security tools often lack the ability to directly leverage YARA and SIGMA, as they rely on their own proprietary detection engines.

Furthermore, kernel-level drivers for endpoint protection carry the risk of compromising OS stability. To address this, we developed YAMAGoya, a new Threat Hunting tool that operates solely in userland without requiring kernel drivers.

YAMAGoya supports SIGMA signatures and monitors a wide range of events including files, processes, registries, and network communications. It also implements a memory scanning function using YARA, enabling more precise malware detection. Designed for both GUI and command-line operation, it caters to a wide range of use cases, from security operations teams to individual researchers.

This session will detail how YAMAGoya achieves threat detection on Windows using YARA and SIGMA signatures. Through a demonstration simulating actual attack scenarios, we will specifically show how YAMAGoya visualizes, detects, and contains threats. We believe that this tool, which allows seamless utilization of the vast number of signatures published by the global security research community, will significantly expand the possibilities for endpoint threat countermeasures.