Hello, I'm Didier Stevens. Several of the tools that I make also have support for YARA rules, and I'm going to illustrate this here with my oledump tool. So for example, I have a malicious spreadsheet here, and it contains URLs. With my strings tool I can just search for HTTP in this malicious document, and here you can see the URLs that are embedded in that malicious document. So now we are going to use YARA rules to search for URLs like this. I have a rule here that just looks for the string HTTP, a simple YARA rule. I can run oledump, provide option -y (YARA), provide the rule, and then the document, and then here you see that for every stream that contains the string HTTP, the rule will match. So for every stream for which the rule matches, you have a list here: it's the Workbook stream where we have HTTP. If you want to know exactly where, then you can use option --yarastrings, and then you'll see three positions here in the stream where HTTP was found, and the hexadecimal representation of the string HTTP that was found.

Now the disadvantage that I find with quickly using YARA rules like this is that each time you have to create a text file with a YARA rule like this one here, even if you're just looking for a simple string. And that is why I added some features to several of my tools, like oledump, to have ad hoc YARA rules. Those are YARA rules that are generated by the tool itself, and you just need to provide a small option. So if I say oledump --yara here, and now instead of providing the name of a file with a YARA rule, I'm going to start with a hash and say s for string. So I'm going to generate a YARA rule that searches for a string, and the string is HTTP. Now here on my Mac, I have to escape this, like this, and then you see here: YARA rule "string" matched. So HTTP was found in Workbook.
Now if you want to know exactly which rule was generated, I have the verbose option like this. And then you can see clearly which YARA rule was generated. You see this is a template of a YARA rule: the string HTTP and the condition. Here also, as you can see, it is looking for HTTP as ASCII or Unicode, and the case is not significant. You can do the same for hexadecimal. So x for hexadecimal, and then we can provide here the strings we are looking for. So if I'm not mistaken, it's 69 74 74 70. No, that doesn't match. But you can see here the rule that was generated: 69 74 74 70. Let's try 68, is that the H? Yeah, indeed, so it was 68. That's the representation for HTTP. If I would have used --yarastrings, I would have seen it immediately as 68 74 74 70. That's what I'm looking for. So that's if you want to do a search with hexadecimal, and you know with YARA rules, in hexadecimal you can also use wildcards like this; each one represents a byte, and then you can see you're getting part of the URL already.

Now even better, to match URLs like that, would be to use a regular expression, and that's something you can do too with an ad hoc rule. Let me just start from scratch: oledump, verbose, yara. So r for regular expression, and I am searching for http colon slash slash. Now a slash has a special meaning in a regular expression, so you have to escape this with a backslash, and then we are going to look for a sequence of letters, digits, a dot and a slash, which you also have to escape with a backslash. So we want this one or more times. That's the regular expression here, and I'm going to use my option --yarastrings, and then as you can see here it was a regular expression rule that was generated. Also ASCII, Unicode, no case, and here we have matches. You can see the complete URL. So these are options that you have with the ad hoc YARA rules here. You can also provide a complete rule here.
If you can type it like this, then you just do hash and then you type your complete rule, like rule test. I'm going to have to use double quotes for the string, so here I'm going to use single quotes to escape this. So rule test, strings, string a equals HTTP, and then condition, string a, like this, and then you also get your YARA rule. You can see here the YARA rule, but that's much more to type and not always that convenient. Sometimes also, if you cannot use a double quote, then you can just use a single quote and use option q like this, and this will just do a simple search and replace, replacing a single quote by a double quote. And then what's also possible, but it's something I don't use anymore, is the possibility to provide the YARA rule in base64 encoding or in hexadecimal encoding. So it's not an x rule, but you provide a complete rule encoded in hexadecimal. So these are the options that you have here in my tool oledump, but you also have them in other tools, like my PDF tools, for example, my base64dump tool and other tools like that.
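The ad hoc rule expansion described in the video, as an added example that is not Didier Stevens' own code: a small Python reimplementation of the spec-to-rule step, so you can see exactly what text ends up in front of the YARA compiler for each prefix. The rule names (`string`, `hexadecimal`, `regex`), the exact template layout, the `#b#`/`#h#` prefix letters for base64- and hex-encoded rules, and the space-separated normalisation of hex bytes are assumptions for this example; the video only states that the generated string and regex rules match ASCII and Unicode (wide) text case-insensitively, and that `#q#` swaps single quotes for double quotes. Compiling and scanning is optional and only runs if `yara-python` is installed.

```python
import base64
import binascii

# Templates for the generated rules. Names and layout are assumptions for
# this example; the transcript only says the rules are ascii/wide/nocase.
TEMPLATE_STRING = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}'
TEMPLATE_HEX = 'rule hexadecimal {strings: $a = { %s } condition: $a}'
TEMPLATE_REGEX = 'rule regex {strings: $a = /%s/ ascii wide nocase condition: $a}'


def _normalise_hex(text):
    """Validate a YARA hex string body ('68747470' or '68 ?? 74 70') and
    return it as space-separated byte tokens. Raises ValueError on junk."""
    compact = text.replace(' ', '')
    allowed = set('0123456789abcdefABCDEF?')
    if not compact or len(compact) % 2 or not set(compact) <= allowed:
        raise ValueError('hex spec must be an even number of hex digits or ? wildcards')
    return ' '.join(compact[i:i + 2] for i in range(0, len(compact), 2))


def adhoc_to_yara(spec):
    """Expand an ad hoc rule spec (starts with '#') into YARA rule source.

    #s#text   literal string; the text is inserted as-is, so a double quote
              or backslash in it must already be YARA-escaped by the caller
    #x#hex    hex bytes, YARA wildcards (??) allowed
    #r#regex  regular expression, caller escapes '/' as in the video
    #q#rule   complete rule with every single quote replaced by a double quote
    #b#b64    complete rule, base64 encoded (prefix letter is an assumption)
    #h#hex    complete rule, hex encoded (prefix letter is an assumption)
    #rule..   complete rule typed out after the hash
    """
    if not spec.startswith('#'):
        raise ValueError('not an ad hoc spec; oledump would treat this as a filename')
    if spec.startswith('#s#'):
        return TEMPLATE_STRING % spec[3:]
    if spec.startswith('#x#'):
        return TEMPLATE_HEX % _normalise_hex(spec[3:])
    if spec.startswith('#r#'):
        return TEMPLATE_REGEX % spec[3:]
    if spec.startswith('#q#'):
        return spec[3:].replace("'", '"')
    if spec.startswith('#b#'):
        return base64.b64decode(spec[3:]).decode('latin-1')
    if spec.startswith('#h#'):
        return binascii.unhexlify(spec[3:]).decode('latin-1')
    return spec[1:]


def encode_rule(rule, kind):
    """Build the '#b#...' or '#h#...' spec for a complete rule, which is handy
    when the shell you are in mangles quotes, braces or dollar signs."""
    raw = rule.encode('latin-1')
    if kind == 'b':
        return '#b#' + base64.b64encode(raw).decode('ascii')
    if kind == 'h':
        return '#h#' + binascii.hexlify(raw).decode('ascii')
    raise ValueError('kind must be "b" or "h"')


def scan_with_yara(spec, data):
    """Compile the expanded rule and scan data. Returns the list of matching
    rule names, or None when yara-python is not installed."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=adhoc_to_yara(spec))
    return [m.rule for m in rules.match(data=data)]


if __name__ == '__main__':
    # Constructed sample stream: the same URL once as ASCII and once as
    # UTF-16LE, the way strings appear in OLE/Office streams.
    url = 'http://example.invalid/a.b/c'
    sample = b'\x00' * 8 + url.encode('ascii') + b'\x00' * 8 + url.encode('utf-16-le')
    for spec in ('#s#http', '#x#68 ?? 74 70', r'#r#http:\/\/[a-zA-Z0-9.\/]+',
                 "#q#rule test {strings: $a = 'http' condition: $a}"):
        print(spec, '->', adhoc_to_yara(spec))
        print('   matches:', scan_with_yara(spec, sample))
```

On the command line the whole spec goes in single quotes (`-y '#s#http'`) so the shell does not interpret the hash, the dollar signs or the braces; that is exactly why `#q#` exists: inside single quotes you cannot type a single quote, so you write the rule's string with single quotes and let the tool turn them into the double quotes YARA requires.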