YAMAGoya: Open Source Threat Hunting Tool using YARA and SIGMA
DAY 2, 15:00-15:40
In recent years, malware analysts and security researchers have actively utilized signature-based formats such as YARA and SIGMA to aid in threat detection and hunting. However, existing endpoint security tools often lack the ability to directly leverage YARA and SIGMA, as they rely on their own proprietary detection engines.
Furthermore, kernel-level drivers for endpoint protection carry the risk of compromising OS stability. To address this, we developed YAMAGoya, a new threat hunting tool that operates solely in userland without requiring kernel drivers.
YAMAGoya supports SIGMA signatures and monitors a wide range of events, including file, process, registry, and network activity. It also implements a memory scanning function using YARA, enabling more precise malware detection. Designed for both GUI and command-line operation, it caters to a wide range of use cases, from security operations teams to individual researchers.
This session will detail how YAMAGoya achieves threat detection on Windows using YARA and SIGMA signatures. Through a demonstration simulating actual attack scenarios, we will specifically show how YAMAGoya visualizes, detects, and contains threats. We believe that this tool, which allows seamless utilization of the vast number of signatures published by the global security research community, will significantly expand the possibilities for endpoint threat countermeasures.
Location: Track 3 (Room 3)
Category: Bluebox
Speakers
Shusei Tomonaga
朝長 秀誠
Shusei Tomonaga is a member of the Incident Response Group at JPCERT/CC. He has been engaged in malware analysis and forensic investigation since December 2012. In particular, he leads the analysis of targeted attacks affecting Japan's critical industries. He also writes blog articles on malware analysis and technical insights (https://blogs.jpcert.or.jp/en/). He has spoken at CODE BLUE, BsidesLV, Botconf, VB Conference, Hitcon, PHDays, PacSec, FIRST Conference, DEF CON, BlackHat USA Arsenal, and other conferences.
Tomoya Kamei
亀井 智矢
Tomoya Kamei is a member of the Incident Response Team at JPCERT/CC. He has been engaged in malware analysis and forensic investigation since June 2023.