Writing Yara Rules for Fun and Profit: Notes from the FireEye Breach Countermeasures, (Thu, Dec 10th)
SANS Internet Storm Center, InfoCON: green 2020-12-11
Summary:
By now, everyone should have seen that FireEye got breached and their red team tools got stolen. What is truly unique about their response is publishing detection rules to detect the use of those tools in the wild. However, the nature of some of those rules is that the detection will be short-lived. This isn't necessarily a fault of FireEye (as I will explain below) but it is useful as an exercise in writing Yara rules (or Snort, HXIOC, STIX, et al).