Broken Lens Provides Deep Dive Into Camera Repair

Posted on May 13, 2024 by Dan Maloney

While most of us are probably willing to pick up the tools and void the warranty on just about anything, often just to see what’s inside, many of us draw …read more Continue reading Broken Lens Provides Deep Dive Into Camera Repair→

COM Objects Hijacking

Posted on March 7, 2024 by Joseliyo Sánchez

The COM Hijacking technique is often utilized by threat actors and various malware families to achieve both persistence and privilege escalation in target systems. It relies on manipulating Component Object Model (COM), exploiting the core architecture of Windows that enables communication between software components, by adding a new value on a specific registry key related to the COM object itself.

We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.

Abused COM Objects

We identified the most abused COM objects by samples using MITRE’s T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.

The chart below shows the distribution of how many samples abused different COM objects for persistence:

You can find the most used COM / CLSIDs listed in the Appendix.

Berbew

One of the main malware families we have observed abusing COM for persistence is Padodor/Berbew. This Trojan primarily focuses on stealing credentials and exfiltrating them to remote hosts controlled by attackers. The main COM objects abused by this family are as follows:

{79ECA078-17FF-726B-E811-213280E5C831}
{79FEACFF-FFCE-815E-A900-316290B5B738}
{79FAA099-1BAE-816E-D711-115290CEE717}

The corresponding registry entries point to the malicious DLL. However, multiple samples of this family use a second registry key for persistence, which points to this previous CLSID we described, as in the following example :

In this case, the registry key …CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\(Default) points to the malicious DLL C:\Windows\SysWow64\Iimgdcia.dll. A second registry entry …Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger points to the previous CLSID {79ECA078-17FF-726B-E811-213280E5C831} which loads the malicious DLL.

The ShellServiceObjectDelayLoad registry entry (part of ShellServiceObjectDelayLoad), combined with the Web Event Logger subkey used here by Berbew, has frequently been utilized to initiate the loading of the genuine webcheck.dll. This DLL was tasked with monitoring websites within the Internet Explorer application.

The previously utilized CLSID by WebCheck registry key was {E6FB5E20-DE35-11CF-9C87-00AA005127ED} However, in certain instances today the CLSID {08165EA0-E946-11CF-9C87-00AA005127ED} is used. Both are responsible for loading the webcheck.dll DLL and are abused by malware samples.

RATs

The CLSID {89565275-A714-4a43-912E-978B935EDCCC} seems to be extensively used by various RATs . This CLSID has primarily been associated with families like RemcosRAT and AsyncRAT in our observations. However, we’ve also encountered instances where BitRAT samples have used it. Researchers at Cisco Talos found this CLSID activity associated with the SugarGh0st RAT malware.

In the majority of cases, the DLL used for persistence with this CLSID is dynwrapx.dll. This DLL was found in the wild in a GitHub repository, currently unavailable, however the DLL originates from a project named DynamicWrapperX (first seen in VirusTotal in 2010). It executes shellcode to inject the RAT into a process.

A similar case is CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}. The associated DLL for persistence is dbggame.dll. First uploaded to VirusTotal in 2012, this DLL is deployed by various types of malware, including ransomware such as XiaoBa.

RATs w/ vulnerabilities

To finish with RATs that use this technique, from late December 2023 to February 2024, there were various incidents linked to the CVE-2024-21412 vulnerability uncovered by the Trend Micro Zero Day Initiative team (ZDI). During these events, active campaigns were distributing the Darkme RAT. Throughout the infection process, a primary goal was to evade Microsoft Defender SmartScreen and introduce victims to the DarkMe malware.

The TrendMicro analysis highlights that the Darkme RAT sample utilizes the CLSID {74A94F46-4FC5-4426-857B-FCE9D9286279} to carry out the final load of the RAT. Yet, we’ve noted the utilization of other CLSIDs for persistence, including {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} in this sample.

Furthermore, to guarantee the DLL’s execution, they generate a registry key employing Autorun keys. This key’s objective is to initiate the CLSID using rundll32.exe and /sta parameter, which is used to load a COM object, in this case, the previous malicious COM object created.

EventID:13 
EventType:SetValue
Details:%windir%\SysWOW64\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
TargetObject:HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunDllModule

Why use one when you can use many?

Some samples (like this Sality one) use multiple CLSIDs:

{EBEB87A6-E151-4054-AB45-A6E094C5334B}
{57477331-126E-4FC8-B430-1C6143484AA9}
{241D7F03-9232-4024-8373-149860BE27C0}
{C07DB6A3-34FC-4084-BE2E-76BB9203B049}

The sample drops two different DLLs during execution, three of the registry keys point to one of them, the remaining one to the other. The sample also turns off the Windows firewall and UAC to carry out additional actions while infecting the system.

The Allaple worm family deploys multiple COM objects pointing to the malicious DLL during execution, like in this example:

Adware

Citrio, an adware web browser designed by Catalina Group, uses in its more recent versions a COM object for persistence with CLSID {F4CBF20B-F634-4095-B64A-2EBCDD9E560E}. It drops several harmful DLLs, one masquerades as Google Update (goopdate.dll), also observed as psuser.dll, that possesses the capability to establish services on the system along using a COM object for persistence.

Common folders used to store the payloads

Most malicious DLLs we saw so far are typically stored in the C:\Users\<user>\AppData\Roaming\ directory. It’s also common to create subfolders within this directory, the most frequently found include:

\qmacro
\mymacro
\MacroCommerce
\Plugin
\Microsoft

In addition to these, we also found the following folders being frequently used to hide malicious DLLs:

The C:\Windows\SysWow64 is a folder found in 64-bit versions of Windows, containing legitimate 32-bit system files and
libraries, and is oftenly used to conceal malicious DLLs. Its prevalence makes it an attractive
hiding place, complicating detection efforts. However, permissions are required to create files in
it.
The
C:\Program Files (x86)
folder is another legitimate directory used to store malicious COM hijacking payloads. Similar to
\AppData\Roaming, in this case we have observed that the malicious DLLs are stored under specific
subfolders, such as “\Google”, “\Mozilla Firefox”, “\Microsoft”, “\Common Files” or “\Internet
Download Manager”.
C:\Users\<user>\AppData\Local
is another folder used for storing these payloads, including the “\Temp”, “\Microsoft” and “\Google”
subfolders.

Detection

In order to detect unusual modifications to registry COM objects, there are a couple of crowdsourced Sigma rules to identify this behavior.

Potential
Persistence Via COM Hijacking From Suspicious Locations
(high risk level). Detects suspicious when creating a registry key using COM objects.

Potential
Persistence Via COM Search Order Hijacking
(medium risk level). Similar to the previous rule, it also filters out paths associated with
legitimate behaviors.

These rules will detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve samples triggered by the previous rules, respectively: VTI query for sigma1 and VTI query for sigma2.

You can also identify this behavior using Livehunt rules that target the creation of registry keys utilized for this purpose, for instance with the vt.behaviour.registry_keys_set modifier.

import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )  
}

The rule above might generate some noise, so we suggest considering polishing it by excluding certain common families like Berbew, which as mentioned, heavily relies on this technique:

and not 
    (
        for any engine, signature in vt.metadata.signatures : (  
        signature icontains "berbew"  
        )  
    )

You can also use the paths listed in Appendix to identify suspicious samples using them.

A final idea is including interesting existing Sigma rules into our Livehunt. Given that these rules already cover the targeted registry keys, we don’t need to use vt.behaviour.registry_keys_set in our condition.

import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}

Wrapping up

The T1546.015 – Event Triggered Execution: Component Object Model Hijacking is just one of several techniques employed for persistence. Leveraging COM objects for this task is frequently straightforward for threat actors. The analysis of how malware abuses this technique helps us get a better understanding in how to identify different families and develop protection methods. Although the technique is not the most popular for persistence (that would be T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.

Identifying some of the most abused CLSIDs can help us generate detection rules that identify possible malware abuses in our infrastructure. It can also serve as a good guide for prevalence in order to detect any anomalies for new suspicious activity.

The use of VirusTotal sandbox reports provides a very powerful tool to translate TTPs into actionable queries and monitoring. In this example we used it to better understand how attackers use COM objects, but could be used for any techniques employed by different threat actors.

We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.

APPENDIX

Abused CLSIDs

Next, you’ll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.

CLSID
– COM Objects

79FAA099-1BAE-816E-D711-115290CEE717

EBEB87A6-E151-4054-AB45-A6E094C5334B

241D7F03-9232-4024-8373-149860BE27C0

C07DB6A3-34FC-4084-BE2E-76BB9203B049

79ECA078-17FF-726B-E811-213280E5C831

22C6C651-F6EA-46BE-BC83-54E83314C67F

F4CBF20B-F634-4095-B64A-2EBCDD9E560E

57477331-126E-4FC8-B430-1C6143484AA9

C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9

89565275-A714-4a43-912E-978B935EDCCC

26037A0E-7CBD-4FFF-9C63-56F2D0770214

16426152-126E-4FC8-B430-1C6143484AA9

33414471-126E-4FC8-B430-1C6143484AA9

23716116-126E-4FC8-B430-1C6143484AA9

D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4

79FEACFF-FFCE-815E-A900-316290B5B738

74A94F46-4FC5-4426-857B-FCE9D9286279

Common paths

Below you will find a list with some of the most common paths used during the creation of the COM objects for persistence. The table contains the ‘parent’ paths as well, while the chart includes only the ‘subpaths’.

Common
paths used during COM object persistence

C:\Users\<user>\AppData\Roaming

C:\Users\<user>\AppData\Roaming\qmacro

C:\Users\<user>\AppData\Roaming\mymacro

C:\Users\<user>\AppData\Roaming\MacroCommerce

C:\Users\<user>\AppData\Roaming\Plugin

C:\Users\<user>\AppData\Roaming\Microsoft

C:\Windows\SysWow64

C:\Program
Files (x86)

C:\Program
Files (x86)\Google

C:\Program
Files (x86)\Mozilla Firefox

C:\Program
Files (x86)\Microsoft

C:\Program
Files (x86)\Common Files

C:\Program
Files (x86)\Internet Download Manager

C:\Users\<user>\AppData\Local

C:\Users\<user>\AppData\Local\Temp

C:\Users\<user>\AppData\Local\Microsoft

C:\Users\<user>\AppData\Local\Google

C:\Windows\Temp

Continue reading COM Objects Hijacking→

Sigma rules for Linux and MacOS

Posted on December 20, 2023 by Joseliyo Sánchez

TLDR: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows.

We recently discussed how to maximize the value of Sigma rules by easily converting them to YARA Livehunts. Unfortunately, at that time Sigma rules were only matched against Windows binaries.

Since then, our engineering team worked hard to provide a better experience to Sigma lovers, increasing Crowdsourced Sigma rules value by extending matches to macOS and Linux samples.

Welcome macOS and Linux

Although we are still working to implement Sysmon in our Linux and macOS sandboxes, we implemented new features that allow Sigma rule matching by extracting samples’ runtime behavior.

For example, a process created in our sandbox that ends in “/crontab” and contains the “-l” parameter in the command line would match the following Sigma rule:

logsource:

product: linux

category: process_creation

detection:

selection:

Image|endswith: ‘/crontab’

CommandLine|contains: ‘ -l’

condition: selection

We have mapped all the fields used by Sigma rules with the information offered by our sandboxes, which allowed us to map rules for image_load, process_creation and registry_set, among others.

This approach has limitations. However, about 54% of Crowdsourced Sigma rules for Linux and 96% for macOS are related to process creation, meaning we already have enough information to match all these with our sandboxes’ output. The same happens for rules based on file creation.

Let’s look at some examples!

Linux, MacOS and Windows examples

The following shell script sample matches 11 Crowdsourced Sigma Rule matches.

For every rule, it is possible to check what triggered the match by clicking on “View matches”. In the case of Windows binaries, it would show what Sysmon event matched the behavior described in the Sigma rule, as we can see below:

In the case of the shell script mentioned above, it shows the values that are relevant to the logic of the rule as you can see in the following image:

Interestingly, Sigma rules intended for Linux also produce results in macOS environments, and vice versa. In this case, the shell script can be interpreted by both operating systems. Indeed, one of the matching rules for the sample called Indicator Removal on Host – Clear Mac System Logs was specifically created for macOS:

while a second matching rule, Commands to Clear or Remove the Syslog , was created for Linux:

To get more examples of samples with Sigma rules that match sandboxes’ output instead of Sysmon, you can use the following queries:

(have:sigma) and not have:evtx type:mac

(have:sigma) and not have:evtx type:linux

A second interesting example is a dmg matching 8 Sigma rules, 5 of them originally created for Linux OS under the “process_creation” category and 2 rules created for macOS. The last match… is a Sigma rule created for Windows samples!

The new feature matching Sigma rules with Linux and macOS samples helped us identify some rules that are maybe too generic, which is not necessarily a problem as long as this is the intended behavior.

In this case, the Usage Of Web Request Commands And Cmdlets rule was originally created to detect web request using Windows’ command line:

The rule seems a bit too generic since it only checks for a few strings in the command line, although it can be highly effective for generic detection of suspicious behavior.

To understand why our Macintosh Disk Image sample triggered a detection for this rule, we checked the matches:

As we can see, the use of the string “curl” in the command line was enough to match this sample.

This sigma rule had about 9k hits last year only, with more than 300 of the files being Linux or macOS samples. You can obtain the full list using the following query:

sigma_rule:f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 and (type:linux or type:mac)

Creating Livehunt rules from Sysmon EVTX outputs

So far we have mainly focused on samples that do not have Sysmon (EVTX) logs. Now let’s see how it is possible to create a Livehunt rule based on Sysmon logs. For this, we are going to use the “structure” functionality provided in the Livehunt YARA editor, as we explain in this post.

The sample we will use in this example is associated with CobaltStrike and matches multiple Sigma rules that identify certain behaviors. It is important to note that for every Sigma match, we will see in the file “structure” the context that matched but not the full EVTX logs. These can be downloaded from the sample’s VT report behavior section under “Download Artifacts” or using our API (available for public and privately scanned files).

The following image shows the matching raw EVTX generated by our sample:

From the sample’s JSON Structure, Sigma_analysis_results is an array that contains objects with all the relevant information related to the matching Sigma rules, including details about the rule itself and EVTX logs. From the previous image, the first highlighted section is related to process creation and the second one is a registry event (value set).

As explained in our post, by just clicking on the fields that you are interested in you can start building your Livehunt rule, and adjust values accordingly. In this case, our rule will identify files creating registry keys under \\CurrentVersion\\RunOnce\\ with a .bat or .vbs extension:

import
“vt”

rule
sigma_example_registry_keys {

meta:

target_entity
= “file”

condition:

for
any
vt_behaviour_sigma_analysis_results in
vt.behaviour.sigma_analysis_results: (

for
any
vt_behaviour_sigma_analysis_results_match_context in
vt_behaviour_sigma_analysis_results.match_context: (

vt_behaviour_sigma_analysis_results_match_context.values[“TargetObject”]
icontains
“\\CurrentVersion\\RunOnce\\”
and

(vt_behaviour_sigma_analysis_results_match_context.values[“Details”]
endswith
“.vbs”
or
vt_behaviour_sigma_analysis_results_match_context.values[“Details”]
endswith
“.bat”)

)

}

Running this YARA using a Retrohunt finds multiple files:

daef729493b9061e7048b4df10b71fdba2e11d9147512f48463994a88c834a30
141e87e62c110b86cf7b01a2def60faab6365f6391eb0d4a7cbad8d480dd4706
814b2cab7c5a12ec18f345eb743857e74f5be45c35642dc01330e7a0def6269a
31b0e9b188fe944d58867bbfc827d77c7711c3a690168a417377fe6bf1544408
dd6051509ed8cf3d059b538fa8878f87423c51b297b49a12144d3d2923c89cce
647323f0245da631cef57d9ca1e3327c3242fe1cbbf6582c4d187e9f5fbfb678
40a90dd3b2132a299f725e91a5d0127013b21af24074afb944d8bc5735c1bd53
b44c6d2dd8ad93cecd795cecde83081292ee9949d65b2e98d4a2a3c8a97bd936
710b0cca7e7c17a3dd2a309f5ca417b76429feac1ab5fb60f5502995ebbd1515
50c098119ce41771e7a3b8230a7aa61ebea925e8eda46c33f0dd42b8950b92fe

Here you can see some interesting matches:

The next rule focuses on file creation events related to Sysmon (EVID 11) under the “C:\Windows\System32” directory, with a “.dll” extension and having any “cve” tag (flagging potential CVE exploitation). Remember we can always include any additional details related to the samples we want to hunt, such as positives, metadata, tags, engines, … in addition to EVTX fields:

import
“vt”

rule
sigma_rule_evtx_cve {

meta:

target_entity
= “file”

condition:

for
any
vt_behaviour_sigma_analysis_results in
vt.behaviour.sigma_analysis_results: (

for
any
vt_behaviour_sigma_analysis_results_match_context in
vt_behaviour_sigma_analysis_results.match_context: (

vt_behaviour_sigma_analysis_results_match_context.values[“TargetFilename”]
startswith
“C:\\Windows\\System32\\”
and

vt_behaviour_sigma_analysis_results_match_context.values[“TargetFilename”]
endswith
“.dll”
and

for
any
vt_metadata_tags in
vt.metadata.tags: (

vt_metadata_tags
icontains
“cve-“

)

}

Sysmon EVTX fields – overlaps

Some of the details found in Sysmon EVTX fields (found in the VT JSON samples’ structure) can be redundant with details provided in other more traditional fields that you use for your Livehunt rules through the YARA VT module.

For example, instead of:
vt_behaviour_sigma_analysis_results_match_context.values[“TargetFilename”] from vt.behaviour.sigma_analysis_results

you could use: vt.behaviour.files_written to identify file creation events.

When that’s the case, we recommend using traditional fields found in VT samples’ structure for the following reasons:

Sysmon information is fully stored/indexed only the part matching the Sigma rule, which will limit any YARA hunting.
We mapped most Sysmon fields into YARA VT module for simplicity.
Linux and MacOS samples do not have any Sysmon information related to Sigma rules. Similar details about the match can be found under the “behaviour” JSON structure entry.

The new Sysmon-like details offered in the file “structure” also make VT an excellent platform for researchers and Sigma rule creators, allowing them to leverage this information without the need to create their own lab.

The following table helps mapping VT Intelligence queries, YARA VT module fields, Sigma Categories, and Sigma fields:

VT Intelligence	YARA VT module field	Sigma Category	Sigma Field
behavior_created_processes	vt.behaviour.processes_created	process_creation	Image CommandLine ParentCommandLine ParentImage OriginalFileName
behavior_files	vt.behaviour.files_attribute_changed vt.behaviour.files_deleted vt.behaviour.files_opened vt.behaviour.files_copied vt.behaviour.files_copied[x].destination vt.behaviour.files_copied[x].source vt.behaviour.files_written vt.behaviour.files_dropped vt.behaviour.files_dropped[x].path vt.behaviour.files_dropped[x].sha256 vt.behaviour.files_dropped[x].type	file_access file_change file_delete file_rename file_event	TargetFilename
behavior_injected_processes	vt.behaviour.processes_injected	process_access create_remote_thread process_creation	CallTrace GrantedAccess SourceImage TargetImage StartModule StartFunction TargetImage SourceImage
behavior_processes	vt.behaviour.processes_terminated vt.behaviour.processes_killed vt.behaviour.processes_created vt.behaviour.command_executions vt.behaviour.processes_injected	process_access create_remote_thread process_creation	CallTrace GrantedAccess SourceImage TargetImage StartModule StartFunction TargetImage SourceImage Image CommandLine ParentCommandLine ParentImage OriginalFileName
behavior_registry	vt.behaviour.registry_keys_deleted vt.behaviour.registry_keys_opened vt.behaviour.registry_keys_set vt.behaviour.registry_keys_set[x].key vt.behaviour.registry_keys_set[x].value	registry_add registry_delete registry_event registry_rename registry_set	EventType TargetObject Details
behavior_services	vt.behaviour.services_bound vt.behaviour.services_created vt.behaviour.services_opened vt.behaviour.services_started vt.behaviour.services_stopped vt.behaviour.services_deleted	registry_set process_creation	Image CommandLine ParentCommandLine ParentImage EventType TargetObject Details
behavior_network	vt.behaviour.dns_lookups vt.behaviour.dns_lookups[x].hostname vt.behaviour.dns_lookups[x].resolved_ips vt.behaviour.hosts_file vt.behaviour.ip_traffic vt.behaviour.ip_traffic[x].destination_ip vt.behaviour.ip_traffic[x].destination_port vt.behaviour.ip_traffic[x].transport_layer_protocol vt.behaviour.http_conversations vt.behaviour.http_conversations[x].url vt.behaviour.http_conversations[x].request_method vt.behaviour.http_conversations[x].request_headers vt.behaviour.http_conversations[x].response_headers vt.behaviour.http_conversations[x].response_status_code vt.behaviour.http_conversations[x].response_body_filetype vt.behaviour.smtp_conversations[x].hostname vt.behaviour.smtp_conversations[x].destination_ip vt.behaviour.smtp_conversations[x].destination_port vt.behaviour.smtp_conversations[x].smtp_from vt.behaviour.smtp_conversations[x].smtp_to vt.behaviour.smtp_conversations[x].message_from vt.behaviour.smtp_conversations[x].message_to vt.behaviour.smtp_conversations[x].message_cc vt.behaviour.smtp_conversations[x].message_bcc vt.behaviour.smtp_conversations[x].timestamp vt.behaviour.smtp_conversations[x].subject vt.behaviour.smtp_conversations[x].html_body vt.behaviour.smtp_conversations[x].txt_body vt.behaviour.smtp_conversations[x].x_mailer vt.behaviour.tls	network_connection	DestinationHostname DestinationIp DestinationIsIpv6 DestinationPort DestinationPortName SourceIp SourceIsIpv6 SourcePort SourcePortName
behavior (too generic)	vt.behaviour.modules_loaded	image_load	ImageLoaded Image OriginalFileName

Wrapping up

At VirusTotal, we believe that the Sigma language is a valuable tool for the community to share information about samples’ behavior. Our objective is to make its use on VT as simple as possible. Our addition of MacOS and Linux is just the start of what we are working on, as we aim to add Sysmon for Linux to obtain more robust results, including the ability to download full generated logs.

Remember that here you have a list of all the Crowdsourced Sigma rules that are currently deployed in VirusTotal and that you can use for threat hunting.

We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.

Happy Hunting!

Continue reading Sigma rules for Linux and MacOS→

Threat hunting converting SIGMA to YARA

Posted on June 26, 2023 by Karl Hiramoto

Malware threat hunting is the process of proactively searching for malicious activity. It is a critical part of any organization’s security posture, as it can help to identify and mitigate threats that may have otherwise gone undetected.

… Continue reading Threat hunting converting SIGMA to YARA→

Converting A Sigma Lens To Canon, Digital Functionality Included

Posted on July 1, 2022 by Lewin Day

These days, camera lenses aren’t just simple bits of glass in sliding metal or plastic housings. They’ve often got a whole bunch of electronics built in as well. [Dan K] …read more Continue reading Converting A Sigma Lens To Canon, Digital Functionality Included→

Sigma crams 61-MP full-frame sensor into compact mirrorless camera

Posted on March 25, 2021 by Paul Ridden

Back in 2019, Sigma unveiled a 24.6-megapixel full-frame mirrorless camera claimed to be the world’s smallest and lightest. Now the imaging company has turned the fp into a series with the addition of the fp L, which packs a 61-MP full-frame sensor int… Continue reading Sigma crams 61-MP full-frame sensor into compact mirrorless camera→

Detecting Zerologon (CVE-2020-1472) with Zeek

Posted on September 16, 2020 by Yacin Nadji

By Yacin Nadji, Corelight Security Researcher CVE-2020-1472 aka Zerologon, disclosed by Tom Tervoort of Secura, is an illustrative case study of how a small implementation mistake in cryptographic routines cascades into a privilege escalation vulnerabi… Continue reading Detecting Zerologon (CVE-2020-1472) with Zeek→

Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

Posted on July 28, 2020 by Ben Reardon

By Ben Reardon, Corelight Security Researcher Having a CVE 10 unauthenticated Remote Code Execution vulnerability on a central load balancing device? That’s bad… Not being able to detect when a threat actor attempts and/or succeeds in compr… Continue reading Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)→

Zeek & Sigma: Fully Compatible for Cross-SIEM Detections

Posted on June 25, 2020 by Alex Kirk

By Alex Kirk, Corelight Global Principal for Suricata Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables … Continue reading Zeek & Sigma: Fully Compatible for Cross-SIEM Detections→

Zeek & Sigma: Fully Compatible for Cross-SIEM Detections

Posted on June 25, 2020 by Alex Kirk