Practical YARA: Crafting Custom Rules for Targeted Malware Defense

Presented at DEF CON 33 (2025), Aug. 9, 2025, 9 a.m. (240 minutes).

Threat actors skillfully evade automated defenses. Countering them requires more than tools; it demands human insight and the craft of precise detection. In Practical YARA: Crafting Custom Rules for Targeted Malware Defense, you'll move beyond generic signatures and learn to build truly effective YARA rules. This workshop focuses on translating the nuanced understanding gained from malware analysis and threat intelligence into powerful, human-authored detections. Through fast-paced, hands-on labs covering static and behavioral analysis, you will learn to identify unique malicious characteristics and express them efficiently in YARA. You will build high-fidelity rules that accelerate threat hunting, pinpoint emerging threats, and give you confident control, skills that are essential in an era where quality hand-crafted detection logic provides a critical edge. Leave ready to bolster your defensive arsenal with expertise, not just automation.
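To make the contrast between a generic signature and a hand-crafted, high-fidelity rule concrete, here is an added illustration (it is not material from the workshop or its presenters). Every string, opcode pattern and mutex name in it is a constructed placeholder standing in for artifacts you would recover during your own analysis, not an indicator from any real sample. The first rule fires on almost any PE that mentions a common API; the second combines several independent traits (file structure, imports, a decoding-loop byte pattern with wildcards, and configuration artifacts) so that a match requires the specific combination rather than any single common feature.

```yara
import "pe"

// Generic, low-fidelity: any PE that contains a common API name matches.
// This will fire on large amounts of benign software.
rule Generic_Low_Fidelity
{
    strings:
        $api = "VirtualAlloc" ascii
    condition:
        uint16(0) == 0x5A4D and $api
}

// Targeted, high-fidelity: several independent traits must co-occur.
// All artifacts below are illustrative placeholders, not real IOCs.
rule Targeted_High_Fidelity_Example
{
    meta:
        description = "Illustrative loader rule; all indicators are constructed placeholders"
        author      = "added example, not from the workshop"

    strings:
        // Placeholder mutex name, matched in both ASCII and UTF-16 encodings.
        $mutex = "Global\\example_loader_mtx" ascii wide

        // Placeholder config marker: "CFG:" followed by '{' within four bytes.
        $cfg = { 43 46 47 3A [0-4] 7B }

        // Illustrative x86 byte-wise XOR decode loop. Register nibbles and
        // displacement bytes are wildcarded so register reallocation or
        // small layout changes between builds do not break the match.
        //   mov al,[ecx+eax] / xor al,reg / mov [ecx+eax],al / inc reg / cmp / jl
        $xor_loop = { 8A 04 0? 32 C? 88 04 0? 4? 3B ?? 7C ?? }

        // API names that together suggest process hollowing.
        $s1 = "SetThreadContext" ascii
        $s2 = "NtUnmapViewOfSection" ascii

    condition:
        uint16(0) == 0x5A4D
        and filesize < 2MB
        and pe.is_pe
        and pe.number_of_sections >= 3
        and (pe.imports("kernel32.dll", "VirtualAlloc")
             or pe.imports("kernel32.dll", "VirtualAllocEx"))
        and (
            ($mutex and $xor_loop)
            or (2 of ($s*) and $cfg and $xor_loop)
        )
}
```

When iterating on a rule like the second one, run it with string-match output enabled (`yara -s rules.yar sample.bin`) against both the sample set and a corpus of known-benign binaries; a rule that matches nothing benign but still fires on variants with reshuffled registers or a changed mutex is the goal, and each clause you add should be justified by an observation from analysis rather than by a desire to make the rule look specific.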

Presenters:

  • Jae Young Kim - Google
    Jae Young Kim is a Senior Reverse Engineer on Mandiant's FLARE Team, where he reverses malware and contributes to FLARE's automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE's educational content development efforts. He holds a Bachelor's degree in Computer Science from Columbia University.
  • Joshua "jstrosch" Stroschein - Google
    Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.
  • Francisco Perdomo - Google
    Francisco is a skilled security professional with a strong background in detection engineering and threat intelligence. With extensive blue team experience, he currently works as a Security Engineer on Google's VirusTotal Research team, where he leverages his operational expertise to investigate malware trends and create insightful technical content. Francisco's background includes roles as a SecOps Engineer and as a Professor of Computer Security.
