Monday, May 20, 2024

YARA is dead, long live YARA-X

For over 15 years, YARA has been growing and evolving until it became an indispensable tool in every malware researcher's toolbox. Throughout this time YARA has seen numerous updates, with new features added and countless bugs fixed. But today, I'm excited to announce the biggest change yet: a full rewrite.

YARA-X is a completely new implementation of YARA in Rust, and it has the following goals:

  • Better user experience: The new command-line interface is more modern and colorful, and error reports are now more explicative. More features aimed at improving the user's experience will be incorporated in the future.

  • Rule-level compatibility: While achieving 100% compatibility is tough, our aim is to make YARA-X 99% compatible with YARA at the rule level. Incompatibilities should be minimal and thoroughly documented.

  • Improved performance: YARA is known for its speed, but certain rules, especially those utilizing regular expressions or complex loops, can slow it down. YARA-X excels with these rules, often delivering significantly faster results. Our ultimate goal is for YARA-X to outperform YARA across the board.

  • Enhanced reliability and security: YARA's complexity in C code can lead to bugs and security vulnerabilities. YARA-X is built with Rust, offering greater reliability and security.

  • Developer-friendly: We're prioritizing ease of integration into other projects and simplified maintenance. Official APIs for Python, Golang, and C are provided to facilitate seamless integration. YARA-X also addresses some of the design flaws that made YARA challenging to maintain and extend.

Why a rewrite?

Was a complete rewrite necessary to achieve such goals? This question lingered in my mind for a long time before I decided to rewrite YARA. Rewriting is risky: it introduces new bugs and backward-compatibility issues, and it doubles the maintenance effort, since legacy code doesn't disappear after launching the new system. In fact, the legacy system may still be in use for years, if not decades.

However, I believe a rewrite was the right decision for multiple reasons:

  • YARA is not a large project; it's a medium-size project that lacks subsystems or components large enough to be migrated in isolation. Incremental migration to Rust was impractical because large portions of the code are interconnected.
  • The improvements I envisioned required significant design changes. Implementing these in the existing C codebase would involve extensive rewrites, carrying the same risks as starting fresh with Rust.
  • After a year of working on the project, I’ve found Rust easier to maintain than C. Rust offers stronger reliability guarantees and simplifies integrating third-party code, especially for multi-platform projects.

Is YARA really dead?

Despite the dramatic title of this post, YARA is not actually dead. I’m aware that many people and organizations rely on YARA to get important work done, and I don’t want to let them down.

YARA is still being maintained, and future releases will include bug fixes and minor features. However, don’t expect new large features or modules. All efforts to enhance YARA, including the addition of new modules, will now focus on YARA-X.

What's the current state of YARA-X?

YARA-X is still in beta, but it is mature and stable enough for use, especially from the command-line interface or in one-shot Python scripts. While the APIs may still undergo minor changes, the foundational aspects are already established.

At VirusTotal, we have been running YARA-X alongside YARA for a while, scanning millions of files with tens of thousands of rules, and addressing discrepancies between the two. This means that YARA-X is already battle-tested. These tests have even uncovered YARA bugs!

Please test YARA-X and don't hesitate to open an issue if you find a bug or some feature that you want to see implemented.

What's next?

My aim is to surpass YARA in every possible aspect with YARA-X. I want it to be so superior that existing YARA users willingly migrate to YARA-X for its undeniable advantages, not because they are forced to do so.

Publishing a beta version is only the first step towards this goal. I'll continue to enhance YARA-X, releasing updates and sharing insights through blog posts like this one.

Stay tuned, because this journey has only just begun.

Wednesday, May 15, 2024

Crowdsourced AI += ByteDefend

We are pleased to announce the integration of a new solution into our Crowdsourced AI initiative. This model, developed by Dr. Ran Dubin from the Department of Computer Science at Ariel University and head of ByteDefend Cyber Lab at the Ariel Cyber Innovation Center, is designed to analyze suspicious macros in Microsoft Office files, including Word, Excel, and PowerPoint.

VirusTotal's Crowdsourced AI initiative leverages various AI models and community contributions to strengthen cyber defense strategies. Like any other security solution, AI-based models are not infallible, but they offer invaluable contributions by complementing other technologies in analyzing and detecting new threats. The integration of ByteDefend enhances VirusTotal's Code Insight capabilities, currently with up to three independent AI engines for Microsoft Office documents.

Here is the most recent example at the time of writing: all three models agree that the analyzed XLS file is malicious, each providing different levels of detail.


Here's another example where the models don't agree. ByteDefend flags a DOC file as malicious, while Hispasec's engine says it's benign. These disagreements are interesting because, even though the final verdict can be subjective depending on the context (what's risky in one situation might not be in another), the models clearly explain how the macros work. This gives the human analyst all the information they need to make the final call.


The AI reports are searchable via VT Intelligence: the "bytedefend_ai_analysis:" modifier searches the text of the AI's output, and "bytedefend_ai_verdict:" searches by verdict (malicious or benign). As an example, below we show the results of searching for ByteDefend reports that mention "telegram" and carry a "malicious" verdict, using the following query: bytedefend_ai_analysis:telegram and bytedefend_ai_verdict:malicious


We extend our thanks to Dr. Ran Dubin and the ByteDefend Cyber Lab for their valuable contribution to VirusTotal's Crowdsourced AI initiative. We are continuously working to expand this effort by welcoming more contributors with diverse skills and expertise. Our goal is to build a collaborative and powerful defense strategy to tackle the constantly evolving landscape of cyber threats. We encourage others in the security community to join us in this effort.

Monday, May 06, 2024

VirusTotal's Mission Continues: Sharing Knowledge, Protecting Together

With the recent announcement of Google Threat Intelligence, I want to take this opportunity, as VirusTotal's founder, to directly address our community and reiterate our unwavering commitment to our core mission.

First and foremost, I want to assure our entire community, from security researchers and industry partners to individual users, that VirusTotal's core mission remains unchanged. We remain deeply dedicated to collective intelligence and collaboration, fostering a platform where everyone can come together to share knowledge, access valuable threat information, and contribute to the fight against cyber threats.

Google Threat Intelligence is a new offering that builds upon the strengths of Google, Mandiant, VirusTotal, and other sources. It will be available as a premium tier, evolving the existing VirusTotal Enterprise platform, as well as the Mandiant Advantage Threat Intelligence one.

Importantly, VirusTotal remains committed to a level playing field, ensuring all partners, including Google Threat Intelligence, have equal access to the crowdsourced data VirusTotal collects. We also want to assure you that the core features and functionalities of VirusTotal will remain free and accessible to everyone, as always.

The strength of VirusTotal lies in its network of contributors and the vast amount of data they provide. This data serves as a valuable resource for the entire security industry, empowering our partners and others to enhance their products and contribute to a more secure digital world. This collaborative approach, based on transparency and equal access, strengthens the industry as a whole, ultimately leading to better protection for everyone.

We understand that change can be unsettling, but we want to assure you that VirusTotal is here to stay. We are excited about the future and the opportunity to continue sharing knowledge and protecting together with all of you, making the digital world a safer place through the power of collective intelligence.

Thank you for your continued support.

Bernardo Quintero
Founder of VirusTotal

Tuesday, April 30, 2024

Analyzing Malware in Binaries and Executables with AI

In a recent post titled "From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis", published on the Google Cloud Security blog, we explore the capabilities of Gemini 1.5 Pro, which enhances malware analysis by processing up to 1 million tokens. This advancement allows the tool to analyze large amounts of disassembled or decompiled code in a single pass, providing a complete view of the malware's logic to produce verdicts and summary reports. The blog post highlights practical applications of this approach, using well-known malware such as WannaCry and also entirely new and previously undetected malware. These examples show that Gemini 1.5 Pro's reports are not based on pre-trained data of those specific samples but on its ability to analyze the code itself. For more details on how Gemini 1.5 Pro operates in malware analysis, we encourage you to read the complete post here.

At VirusTotal, Gemini 1.5 Pro has been effectively utilized in Code Insight to process macros in Office documents that exceed the token limits of traditional models. For instance, "PLEX.xlam" is the most recent file that, at the time of writing this paragraph, required the use of Gemini 1.5 Pro due to its long content. This file was flagged by several antivirus engines and two sandboxes. Code Insight conducted an analysis by extracting 34 macros, which resulted in 138,332 tokens. The detailed report from Code Insight provides a comprehensive understanding of the macros' functionalities. This analysis aids in clarifying the intentions behind these macros, helping to determine whether the security alerts indicate actual threats or potential false positives.


We will continue to deploy Gemini 1.5 Pro's analysis capabilities across various file formats and are actively working on scaling up disassembly and decompilation techniques to begin processing binaries, as demonstrated in the examples described earlier in this post. Our goal is to expand the scope of our automated malware analysis, enhancing our ability to handle increasingly complex threats efficiently.

We invite the community to collaborate in this initiative. If you have unpacking utilities, specialized models, or innovative ideas related to malware analysis, your contributions would be invaluable. Together, we can expand the boundaries of what is achievable in cybersecurity and strengthen our collective defenses against emerging threats.

Thursday, April 25, 2024

Mastering VirusTotal: Certification Course

We are pleased to announce the partnership with The SOC Academy, a new startup dedicated to providing cybersecurity education, debuting with a VirusTotal Certification course. Founded by Laura, a passionate entrepreneur and especially a cybersecurity enthusiast, The SOC Academy aims to enhance the skills and expertise of professionals in the field. Below, we dive into a conversation with Laura, exploring the motivation behind this initiative, what it offers, and her vision for the future of The SOC Academy.

Laura Marta Mantoani
Founder of The SOC Academy


Q1: Laura, could you tell us about your background in cybersecurity and what inspired you to launch The SOC Academy, particularly focusing on the VirusTotal Certification course?
Laura: Sure, I’d love to share more. Firstly, I studied Marketing, Business Communication and Global Markets at the University of Milan, where my passion for entrepreneurship was born. Then, I earned a second degree in engineering at the University of Malaga, where I focused on Software Engineering and Artificial Intelligence, as well as Reverse Engineering and Malware Intelligence. This background experience shaped my entrepreneurial spirit and particularly my enthusiasm for cybersecurity. Some of my Reverse Engineering and Malware Intelligence teachers, who were from the VirusTotal team, really opened my eyes to what you can do with VirusTotal. This experience got me thinking about how I could help others understand and use VirusTotal better, discovering all its tools and maximizing their potential. That’s why I started The SOC Academy and the VirusTotal Certification course to teach and inspire others in cybersecurity.

Q2: Can you explain the difference between the Free course and the VirusTotal Certification course?
Laura: Absolutely! The Free Introduction Course is designed to provide a taste of The SOC Academy's learning experience and offer a foundational understanding of VirusTotal. It is perfect for individuals curious about VirusTotal and cybersecurity who want to explore the platform before committing to a more in-depth program. The VirusTotal Certification course, on the other hand, is a comprehensive deep dive into all aspects of VirusTotal, from basic search functions to advanced hunting techniques. It is ideal for those who want to become true VirusTotal masters and gain a recognized certification.

Q3: The VirusTotal Certification seems to be a flagship course. What are some of the key benefits for those who complete it?
Laura: The VirusTotal Certification is designed not just as a course, but as a comprehensive learning experience. Those who complete the certification receive a badge on their VirusTotal.com profile, signaling their expertise to peers and potential employers, as well as an official VirusTotal certificate, that demonstrates the users' advanced level of proficiency with VirusTotal. Additionally, certified users gain unlimited access to the course with ongoing updates and early access to new features on the platform. This ensures our graduates are always at the cutting edge of cybersecurity practices.

Q4: How does The SOC Academy ensure the courses remain relevant in the rapidly changing field of cybersecurity?
Laura: We continuously update our course content to reflect the latest in cybersecurity threats and defenses. Our close partnership with VirusTotal allows us to integrate the newest features and updates directly into our curriculum, providing our students with relevant and immediate knowledge they can apply in real-world situations.

Q5: Finally, what’s next for The SOC Academy? Any future plans or developments?
Laura: We're always looking to expand our offerings. Future plans include more advanced courses and possibly live events to foster a greater sense of community and collaboration among our students. We also plan to incorporate more interactive and hands-on training methods to enhance learning outcomes.

At VirusTotal, we are proud to support Laura's initiative. Her passion for cybersecurity, entrepreneurial spirit, and dedication to knowledge sharing are truly inspiring. We encourage you to visit The SOC Academy, enroll in the free introductory course, and provide feedback to Laura as she continues to grow and improve this valuable platform. Together, we can foster a stronger and more knowledgeable cybersecurity community.

Tuesday, March 12, 2024

Know your enemies: An approach for CTI teams

VirusTotal’s Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture accordingly. In this post, we will play the role of a CTI analyst working for a Singaporean financial institution.

As a first step, we search for threat actors that have traditionally targeted both the financial industry and Singaporean companies.


TA505 and APT41 both match these requirements. For now, let's focus on TA505, which seems to be the more active of the two.

Understanding TA505:

The Threat Actor card provides details on the actor, which seems to target organizations in the financial, healthcare, retail, and hospitality sectors across Europe, Asia Pacific region, Canada, India and the United States.


According to the description, TA505 seems related to Dridex banking trojan and Locky ransomware activity.

In VirusTotal we can find two categories of TTPs:
- The first are TTPs directly ingested from MISP and MITRE.
- The second (called Toolkit TTPs) are TTPs obtained from sandbox analysis of the IOCs related to a particular actor.

In this case, for TA505 we can find the following Toolkit TTPs:


The T1486 technique ('Data Encrypted for Impact') seems potentially related to this actor's use of ransomware such as Locky. This is a good point for us to retrieve some fresh data and understand the actor's recent activity. For instance, the following query provides fresh samples from the actor (samples submitted after January 1st, 2024) that use data encryption and are tagged as ransom by AVs:



Several of the returned samples belong to the Collection tagged as 'locky', which contains 510 files at the moment.


The Telemetry tab provides information about submissions and lookups, which helps us understand a malware family's distribution and its timeframes of operation.


Tailoring defenses:

In addition, the Collection's Rules panel lists the crowdsourced YARA, Sigma and IDS rules that match files in this collection.


In this case, the "win_locky_auto" YARA rule matches almost all the files in this collection (505/510). This could help enhance detection capabilities for this threat.

A Collection's commonalities are the characteristics, behaviors, or technical attributes shared by a set of indicators, which help to identify patterns. Let's use them to create a new Livehunt rule to track this activity in the future. We will use only recent samples, which we can filter in the IOCs tab ("fs:180d+"):


Based on commonalities results, some useful information to create the livehunt rule may include:

Metadata:
  • File type: EXE and DLL formats.
    (vt.metadata.file_type == vt.FileType.PE_DLL or vt.metadata.file_type == vt.FileType.PE_EXE)
  • File size: Less than 1 MB.
    (vt.metadata.file_size < 1000000)
  • Main icon: Custom and specific icon.
    (vt.metadata.main_icon.dhash == "52c244c9a7a3998b")
  • Imphash: Hash of the PE import table, which matches some Locky samples.
    (vt.metadata.imphash == "31553623c43827d554ad9e1b7dfa6a5a")

Behavior:
  • Sandbox attack techniques: Detect the T1486 Data Encrypted for Impact technique.
    (for any tec in vt.behaviour.mitre_attack_techniques: (tec.id == "T1486"))
  • Command execution: Identification of possible rescue note and background set.
    (for any ce in vt.behaviour.command_executions: (ce icontains "\\Desktop\\*.txt" or ce icontains "\\Desktop\\*.bmp"))
  • Memory patterns: Specific patterns observed in locky samples that could be reused.
    (for any mem in vt.behaviour.memory_pattern_urls: (mem icontains "checkupdate" or mem icontains "userinfo.php"))

Remember that you can always follow Threat Actors and/or Collections and receive fresh IOCs through the IoC Stream.

Wrapping up:

Threat Landscape empowers CTI teams with insights for prioritizing threats, understanding threat actors and tracking their operations by pivoting between Threat Actors <=> Collections <=> IOCs. This provides actionable details based on the technical capabilities of the malware used in these campaigns, including a set of TTPs derived from sandbox detonation that we can use both for hunting and monitoring. Collections also provide "Commonalities" across their indicators, including which crowdsourced rules detect them best. This helps us quickly create effective monitoring and hunting strategies for malware families and threat actors, as well as effective protections adjusted to recent campaigns and malicious activity.

If you have any suggestions or want to share feedback please feel free to reach out here.

Happy Hunting!

Thursday, March 07, 2024


COM Objects Hijacking

The COM Hijacking technique is often used by threat actors and various malware families to achieve both persistence and privilege escalation on target systems. It relies on manipulating the Component Object Model (COM), the core Windows architecture that enables communication between software components, by adding a new value to a registry key associated with the COM object itself.
We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.

Abused COM Objects

We identified the COM objects most abused by samples that exhibited MITRE's T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.
The chart below shows the distribution of how many samples abused different COM objects for persistence:
You can find the most used COM / CLSIDs listed in the Appendix.

Berbew

One of the main malware families we have observed abusing COM for persistence is Padodor/Berbew. This Trojan primarily focuses on stealing credentials and exfiltrating them to remote hosts controlled by attackers. The main COM objects abused by this family are as follows:
  • {79ECA078-17FF-726B-E811-213280E5C831}

  • {79FEACFF-FFCE-815E-A900-316290B5B738}

  • {79FAA099-1BAE-816E-D711-115290CEE717}

The corresponding registry entries point to the malicious DLL. However, multiple samples of this family use a second registry key for persistence, which points to the CLSID we just described, as in the following example:
In this case, the registry key …CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\(Default) points to the malicious DLL C:\Windows\SysWow64\Iimgdcia.dll. A second registry entry …Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger points to the previous CLSID {79ECA078-17FF-726B-E811-213280E5C831} which loads the malicious DLL.
The ShellServiceObjectDelayLoad registry key, combined with the Web Event Logger value used here by Berbew, has historically been used to load the genuine webcheck.dll, the DLL tasked with monitoring websites within Internet Explorer.
The CLSID historically referenced by the WebCheck registry entry was {E6FB5E20-DE35-11CF-9C87-00AA005127ED}; however, in certain instances today the CLSID {08165EA0-E946-11CF-9C87-00AA005127ED} is used instead. Both are responsible for loading webcheck.dll, and both are abused by malware samples.

RATs

The CLSID {89565275-A714-4a43-912E-978B935EDCCC} seems to be extensively used by various RATs. In our observations this CLSID has primarily been associated with families like RemcosRAT and AsyncRAT, but we have also encountered BitRAT samples using it. Researchers at Cisco Talos found this CLSID activity associated with the SugarGh0st RAT malware.
In the majority of cases, the DLL used for persistence with this CLSID is dynwrapx.dll. This DLL was found in the wild in a GitHub repository that is currently unavailable; it originates from a project named DynamicWrapperX (first seen in VirusTotal in 2010). It executes shellcode to inject the RAT into a process.
A similar case is CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}. The associated DLL for persistence is dbggame.dll. First uploaded to VirusTotal in 2012, this DLL is deployed by various types of malware, including ransomware such as XiaoBa.

RATs w/ vulnerabilities

To close the discussion of RATs that use this technique: from late December 2023 to February 2024, there were various incidents linked to the CVE-2024-21412 vulnerability uncovered by the Trend Micro Zero Day Initiative team (ZDI). During these events, active campaigns were distributing the DarkMe RAT. Throughout the infection process, a primary goal was to evade Microsoft Defender SmartScreen and deliver the DarkMe malware to victims.
The Trend Micro analysis highlights that the DarkMe RAT sample uses the CLSID {74A94F46-4FC5-4426-857B-FCE9D9286279} to carry out the final load of the RAT. However, we have noted the use of other CLSIDs for persistence, including {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} in this sample.
Furthermore, to guarantee the DLL's execution, the malware also creates an Autorun registry value. Its purpose is to launch the CLSID with rundll32.exe and the /sta parameter, which loads a COM object, in this case the malicious COM object created previously.
EventID:13 
EventType:SetValue
Details:%windir%\SysWOW64\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
TargetObject:HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunDllModule

Why use one when you can use many?

Some samples (like this Sality one) use multiple CLSIDs:
  • {EBEB87A6-E151-4054-AB45-A6E094C5334B}

  • {57477331-126E-4FC8-B430-1C6143484AA9}

  • {241D7F03-9232-4024-8373-149860BE27C0}

  • {C07DB6A3-34FC-4084-BE2E-76BB9203B049}

The sample drops two different DLLs during execution: three of the registry keys point to one of them, and the remaining key points to the other. The sample also turns off the Windows firewall and UAC to carry out additional actions while infecting the system.
The Allaple worm family deploys multiple COM objects pointing to the malicious DLL during execution, like in this example:

Adware

Citrio, an adware web browser developed by Catalina Group, uses in its more recent versions a COM object for persistence with CLSID {F4CBF20B-F634-4095-B64A-2EBCDD9E560E}. It drops several harmful DLLs; one masquerades as Google Update (goopdate.dll, also observed as psuser.dll) and is capable of creating services on the system in addition to using a COM object for persistence.

Common folders used to store the payloads

Most of the malicious DLLs we have seen so far are stored in the C:\Users\<user>\AppData\Roaming\ directory. It is also common to create subfolders within this directory; the most frequently found include:
  • \qmacro

  • \mymacro

  • \MacroCommerce

  • \Plugin

  • \Microsoft

In addition to these, we also found the following folders being frequently used to hide malicious DLLs:
  • C:\Windows\SysWow64 is a folder found in 64-bit versions of Windows, containing legitimate 32-bit system files and libraries, and is often used to conceal malicious DLLs. Its prevalence makes it an attractive hiding place, complicating detection efforts. However, write access to it requires elevated privileges.

  • The C:\Program Files (x86) folder is another legitimate directory used to store malicious COM hijacking payloads. Similar to \AppData\Roaming, in this case we have observed that the malicious DLLs are stored under specific subfolders, such as “\Google”, “\Mozilla Firefox”, “\Microsoft”, “\Common Files” or “\Internet Download Manager”.

  • C:\Users\<user>\AppData\Local is another folder used for storing these payloads, including the “\Temp”, “\Microsoft” and “\Google” subfolders.

Detection

To detect unusual modifications to COM objects in the registry, there are a couple of crowdsourced Sigma rules that identify this behavior.

These rules will detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve samples triggered by the previous rules, respectively: VTI query for sigma1 and VTI query for sigma2.
You can also identify this behavior using Livehunt rules that target the creation of registry keys utilized for this purpose, for instance with the vt.behaviour.registry_keys_set modifier.
import "vt"

rule CLSID_COM_Hijacking {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    // New files flagged by at least five engines that set the default value of
    // a CLSID's InProcServer32 key (the DLL loaded when the COM object is created)
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )
}
The rule above might generate some noise, so we suggest refining it by excluding common families like Berbew, which, as mentioned, relies heavily on this technique. The following fragment is appended to the condition:
    and not (
      for any engine, signature in vt.metadata.signatures: (
        signature icontains "berbew"
      )
    )
You can also use the paths listed in the Appendix to identify suspicious samples that use them.
A final idea is to include relevant existing Sigma rules in our Livehunt rule. Since those rules already cover the targeted registry keys, we don't need vt.behaviour.registry_keys_set in the condition.
import "vt"

rule CLSID_COM_Hijacking {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    // Match new, widely detected files for which the crowdsourced Sigma rule
    // covering COM hijacking registry keys fired during sandbox execution
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}
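The Livehunt rules above work on sandbox reports; the same registry patterns can also be checked host-side. The following is an added Python example (not part of the original post or its rules) that scans Sysmon-style EventID 13 records for the three writes discussed in this post: the CLSID InProcServer32 (Default) value, a ShellServiceObjectDelayLoad value pointing at a CLSID (the Berbew chain) and a Run value invoking rundll32 /sta {CLSID} (the DarkMe chain), rating DLL paths against the directories in the Appendix. The event records are constructed; the user name, the Plugin DLL name and the vendor DLL are placeholders.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style EventID 13 records, in the same Field:value layout as the
# DarkMe event quoted in the post. CLSIDs and the Berbew/DarkMe values come from the
# post; "victim", usbmodule.dll and the ExampleVendor DLL are placeholders.
SAMPLE_EVENTS = """\
EventID:13
EventType:SetValue
Details:C:\\Windows\\SysWow64\\Iimgdcia.dll
TargetObject:HKLM\\SOFTWARE\\Classes\\CLSID\\{79ECA078-17FF-726B-E811-213280E5C831}\\InProcServer32\\(Default)

EventID:13
EventType:SetValue
Details:{79ECA078-17FF-726B-E811-213280E5C831}
TargetObject:HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\Web Event Logger

EventID:13
EventType:SetValue
Details:C:\\Users\\victim\\AppData\\Roaming\\Plugin\\usbmodule.dll
TargetObject:HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Classes\\CLSID\\{D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4}\\InProcServer32\\(Default)

EventID:13
EventType:SetValue
Details:%windir%\\SysWOW64\\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
TargetObject:HKU\\S-1-5-21-575823232-3065301323-1442773979-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RunDllModule

EventID:13
EventType:SetValue
Details:C:\\Program Files\\ExampleVendor\\shellext.dll
TargetObject:HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InProcServer32\\(Default)

EventID:12
EventType:CreateKey
Details:
TargetObject:HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}
"""

GUID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
# Same key pattern as the post's Livehunt rule, with the CLSID captured.
INPROC_RE = re.compile(r"\\CLSID\\(" + GUID + r")\\InProcServer32\\\(Default\)$", re.I)
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
RUNDLL_STA_RE = re.compile(r"rundll32(?:\.exe)?\s+/sta\s+(" + GUID + ")", re.I)
GUID_RE = re.compile(GUID)

# Payload directories listed in the post's Appendix (lower-cased for matching).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "c:\\windows\\syswow64\\",
                   "c:\\program files (x86)\\", "c:\\windows\\temp\\")


def parse_events(text):
    """Split blank-line separated Field:value records into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            field, _, value = line.partition(":")
            ev[field.strip()] = value.strip()
        events.append(ev)
    return events


def classify(ev):
    """Return (kind, clsid, severity, detail) for a COM-hijack-related write, else None."""
    if ev.get("EventID") != "13":
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    m = INPROC_RE.search(target)
    if m:
        # A DLL dropped in one of the Appendix directories is the strongest signal;
        # other locations are still reported, because legitimate installers write here too.
        in_bad_dir = any(d in details.lower() for d in SUSPICIOUS_DIRS)
        return ("inproc_server32", m.group(1).upper(), "high" if in_bad_dir else "medium", details)
    if SSODL_RE.search(target):
        g = GUID_RE.search(details)
        if g:  # Berbew-style: an SSODL value that loads a CLSID
            return ("ssodl_loads_clsid", g.group(0).upper(), "medium", target)
    if RUN_RE.search(target):
        g = RUNDLL_STA_RE.search(details)
        if g:  # DarkMe-style: a Run value invoking rundll32 /sta {CLSID}
            return ("run_rundll32_sta", g.group(1).upper(), "medium", details)
    return None


def detect(text):
    """Classify every event and report CLSIDs that are both registered and chain-loaded."""
    findings = [f for f in map(classify, parse_events(text)) if f]
    kinds_by_clsid = defaultdict(set)
    for kind, clsid, _, _ in findings:
        kinds_by_clsid[clsid].add(kind)
    chained = {c for c, kinds in kinds_by_clsid.items()
               if "inproc_server32" in kinds and kinds - {"inproc_server32"}}
    return findings, chained


if __name__ == "__main__":
    found, chained_clsids = detect(SAMPLE_EVENTS)
    for kind, clsid, severity, detail in found:
        print(f"[{severity:6}] {kind:18} {clsid} <- {detail}")
    print("chained persistence:", sorted(chained_clsids))
```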

Wrapping up

T1546.015 - Event Triggered Execution: Component Object Model Hijacking is just one of several techniques employed for persistence. Leveraging COM objects for this task is frequently straightforward for threat actors. Analyzing how malware abuses this technique helps us better understand how to identify different families and develop protection methods. Although the technique is not the most popular for persistence (that would be T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.
Identifying some of the most abused CLSIDs can help us generate detection rules that identify possible malware abuse in our infrastructure. It can also serve as a prevalence baseline against which new, anomalous activity stands out.
VirusTotal sandbox reports provide a very powerful tool for translating TTPs into actionable queries and monitoring. In this example we used them to better understand how attackers use COM objects, but the same approach could be applied to any technique employed by different threat actors.
We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.

APPENDIX

Abused CLSIDs

Next, you'll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.

CLSID - COM Objects
  • 79FAA099-1BAE-816E-D711-115290CEE717
  • EBEB87A6-E151-4054-AB45-A6E094C5334B
  • 241D7F03-9232-4024-8373-149860BE27C0
  • C07DB6A3-34FC-4084-BE2E-76BB9203B049
  • 79ECA078-17FF-726B-E811-213280E5C831
  • 22C6C651-F6EA-46BE-BC83-54E83314C67F
  • F4CBF20B-F634-4095-B64A-2EBCDD9E560E
  • 57477331-126E-4FC8-B430-1C6143484AA9
  • C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9
  • 89565275-A714-4a43-912E-978B935EDCCC
  • 26037A0E-7CBD-4FFF-9C63-56F2D0770214
  • 16426152-126E-4FC8-B430-1C6143484AA9
  • 33414471-126E-4FC8-B430-1C6143484AA9
  • 23716116-126E-4FC8-B430-1C6143484AA9
  • D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4
  • 79FEACFF-FFCE-815E-A900-316290B5B738
  • 74A94F46-4FC5-4426-857B-FCE9D9286279

Common paths

Below you will find a list with some of the most common paths used during the creation of the COM objects for persistence. The table contains the 'parent' paths as well, while the chart includes only the 'subpaths'.

Common paths used during COM object persistence
  • C:\Users\<user>\AppData\Roaming
  • C:\Users\<user>\AppData\Roaming\qmacro
  • C:\Users\<user>\AppData\Roaming\mymacro
  • C:\Users\<user>\AppData\Roaming\MacroCommerce
  • C:\Users\<user>\AppData\Roaming\Plugin
  • C:\Users\<user>\AppData\Roaming\Microsoft
  • C:\Windows\SysWow64
  • C:\Program Files (x86)
  • C:\Program Files (x86)\Google
  • C:\Program Files (x86)\Mozilla Firefox
  • C:\Program Files (x86)\Microsoft
  • C:\Program Files (x86)\Common Files
  • C:\Program Files (x86)\Internet Download Manager
  • C:\Users\<user>\AppData\Local
  • C:\Users\<user>\AppData\Local\Temp
  • C:\Users\<user>\AppData\Local\Microsoft
  • C:\Users\<user>\AppData\Local\Google
  • C:\Windows\Temp