Detection Engineering

Resources

| Name | Description | URL |
|---|---|---|
| Laurel | Transform Linux audit logs for SIEM usage | https://github.com/threathunters-io/laurel |
| SIGMA | Generic signature format for SIEM systems | https://github.com/SigmaHQ/sigma |
| sysmon-config | Sysmon configuration file template with default high-quality event tracing | https://github.com/SwiftOnSecurity/sysmon-config |
| Uncoder IO | Detection engineering IDE | https://uncoder.io |
| YARA | The pattern matching Swiss Army knife | https://github.com/VirusTotal/yara |
| yarGen | Generator for YARA rules | https://github.com/Neo23x0/yarGen |

YARA

Installation

https://yara.readthedocs.io/en/stable/gettingstarted.html

https://github.com/VirusTotal/yara/releases

```bash
# Build dependencies (Debian/Ubuntu); libmagic-dev is needed for --enable-magic
$ sudo apt-get install automake libtool make gcc pkg-config flex bison libmagic-dev
$ ./bootstrap.sh
# configure once, with the modules you want, before building
$ ./configure --enable-magic
$ make
$ make check
$ sudo make install

# Scan a binary with the rules yarGen wrote (yargen_rules.yar is yarGen's default output).
# Syntax is `yara [OPTIONS] RULES_FILE TARGET`; -s prints the strings that matched.
$ yara -s /PATH/TO/yarGen/yarGen-0.23.4/yargen_rules.yar /PATH/TO/BINARY/<BINARY>
```

yarGen

https://github.com/Neo23x0/yarGen

```bash
$ mkdir yarGen
$ cd yarGen/
$ wget https://github.com/Neo23x0/yarGen/archive/refs/tags/0.23.4.zip
$ unzip 0.23.4.zip
$ cd yarGen-0.23.4/
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt
# --update fetches the goodware string database used to filter common strings
$ python3 yarGen.py --update
# put the sample(s) to build rules from in their own directory
$ mkdir sample
$ cp rusty-recon-bot sample/
# -m: malware directory, -a: author, -r: reference; rules land in ./yargen_rules.yar
$ python3 yarGen.py -a "<AUTHOR>" -r "<NAME>" -m sample/
```
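yarGen builds its rules from the strings of a single sample, so before a generated rule goes anywhere near a SIEM or an EDR it should be scanned against a known-good tree and every rule that fires there dropped. The helpers below do that triage on the plain `yara -r RULES DIR` output (one `<rule> <path>` line per match, without `-s`). This is an added example, not code from the original page, from YARA or from yarGen; it assumes `yara` is installed for the real runs shown in the comments, and the rule file and hit lists it creates in `make_demo` are constructed to let it run offline.

```shell
#!/bin/sh
# Added example: triage yarGen output against a goodware scan.
# Assumed real-world usage (yara must be installed):
#   yara -r yargen_rules.yar sample/  > sample_hits.txt
#   yara -r yargen_rules.yar /usr/bin > goodware_hits.txt
#   fp_rules < goodware_hits.txt > drop.txt
#   drop_rules yargen_rules.yar drop.txt > tuned_rules.yar

# Rule names that matched at least one goodware file (false positives).
fp_rules() {
    awk '{print $1}' | sort -u
}

# Number of distinct goodware files each rule matched, noisiest first.
fp_counts() {
    awk '!seen[$1 FS $2]++ {c[$1]++} END {for (r in c) print c[r], r}' | sort -rn
}

# Rules that hit the sample scan ($1) but nothing in the goodware scan ($2).
clean_rules() {
    s=$(mktemp); g=$(mktemp)
    awk '{print $1}' "$1" | sort -u > "$s"
    awk '{print $1}' "$2" | sort -u > "$g"
    comm -23 "$s" "$g"
    rm -f "$s" "$g"
}

# Copy a .yar file ($1) to stdout, omitting every rule named in $2 (one name
# per line). Relies on yarGen's layout: "rule NAME {" opens, "}" in column 0 closes.
drop_rules() {
    awk -v listfile="$2" '
        BEGIN { while ((getline l < listfile) > 0) drop[l] = 1 }
        /^rule[ \t]/ { name = $2; sub(/[ \t{:].*$/, "", name); skipping = (name in drop) }
        !skipping { print }
        skipping && /^}/ { skipping = 0 }
    ' "$1"
}

# Constructed demo data (not real yarGen output or scan results): a rule set with
# one specific and one over-broad rule, plus the hit lists yara -r would print.
make_demo() {
    d=$(mktemp -d)
    cat > "$d/yargen_rules.yar" <<'EOF'
rule rusty_recon_bot_strings {
   meta:
      description = "sample - file rusty-recon-bot"
   strings:
      $s1 = "recon-bot/0.1 (linux)" fullword ascii
   condition:
      uint16(0) == 0x457f and filesize < 500KB and 1 of them
}
rule generic_elf_strings {
   meta:
      description = "over-broad: a glibc version string"
   strings:
      $s1 = "GLIBC_2.2.5" fullword ascii
   condition:
      uint16(0) == 0x457f and 1 of them
}
EOF
    printf 'rusty_recon_bot_strings %s/sample/rusty-recon-bot\ngeneric_elf_strings %s/sample/rusty-recon-bot\n' \
        "$d" "$d" > "$d/sample_hits.txt"
    printf 'generic_elf_strings /usr/bin/ls\ngeneric_elf_strings /usr/bin/cat\n' > "$d/goodware_hits.txt"
    echo "$d"
}

# Run the whole triage on the demo data: ./triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    echo "goodware hits per rule:"; fp_counts < "$d/goodware_hits.txt"
    echo "rules to keep:"; clean_rules "$d/sample_hits.txt" "$d/goodware_hits.txt"
    fp_rules < "$d/goodware_hits.txt" > "$d/drop.txt"
    echo "tuned rule file:"; drop_rules "$d/yargen_rules.yar" "$d/drop.txt"
    rm -rf "$d"
fi
```

On the constructed data only `rusty_recon_bot_strings` survives; `generic_elf_strings` matched two files under `/usr/bin` and is removed from the tuned rule file. With real samples, scan the broadest clean corpus you have (a stock OS install, your own software repositories) rather than a handful of files, since yarGen's goodware database only covers strings it has already seen.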