📚 Actionable Threat Intel (IV) - YARA beyond files: extending rules to network IoCs


💡 News category: Malware / Trojans / Viruses
🔗 Source: blog.virustotal.com

We are extremely excited to introduce YARA Netloc, a powerful new hunting feature that extends YARA supported entities from traditional files to network infrastructure, including domains, URLs and IP addresses. This opens endless possibilities and brings your hunting to a whole new level. Let’s get started!


Creating Network rules

YARA Netloc is based on extended functionality implemented for the “vt” YARA module. In particular, you will now find a new ".net" attribute specifically for network related entities such as URLs, domains and IP addresses. Here you can find the full documentation. Remember you can use the “vt” YARA module for any of your LiveHunt YARA rules.
Before we start working on a few examples it is important to highlight what resources you have available to get you quickly up to speed. First, our new YARA editor has several templates available that you can use to build your rules. Second, the whole community can benefit from VirusTotal’s community rules in our new crowdsourced YARA GitHub repository. The repository is split into four folders, each containing rules that match a different entity type (file, domain, IP or URL).
Let’s start with a first example rule. The “New Livehunt Ruleset” dropdown in the Livehunt section now allows us to select what kind of YARA rule we want to create, depending on the entity we want to match against.


Let’s select “New ruleset matching against Domains” to deploy a rule that tracks whether any of our domains is serving malware without our knowledge. We will use the “Domain serving malicious files” template available in the YARA editor.


import "vt"

rule malware_distribution {
  meta:
    description = "Detects if my infrastructure is being used to distribute malware or malicious domains are impersonating my legitimate domain with the same purpose."
    category = "infra-monitoring"
    references = "https://www.virustotal.com/gui/search/entity%253Adomain%2520domain%253Atelegram.com%2520downloaded_files_max_detections%253A5%252B/domains"
    creation_date = "2023-07-19"
    last_modified = "2023-07-19"
    target_entity = "domains"
  condition:
    vt.net.domain.raw icontains "telegram.com" and
    vt.net.domain.downloaded_file.analysis_stats.malicious >= 5
}

In this case we can easily see how the new “.net” attribute is used in this rule. First we use “domain.raw” to specify our domain by comparing it to a given string (“telegram.com” in this example; “icontains” is a case-insensitive substring match, so subdomains and differently cased variants also match). Then we simply check whether any newly downloaded file from that domain looks suspicious by having five or more malicious antivirus verdicts. We will keep this rule running as a Livehunt, and will be notified through IoC Stream in case VirusTotal sees our domain serving anything suspicious.

Let’s see another example.
Now we are going to reuse one of the rules available in our repository, in this case to track Cobalt Strike’s infrastructure. The rule tracks IP addresses serving a well-known Cobalt Strike certificate, which we check with the “ip.https_certificate.thumbprint” condition. We could easily create similar rules for all kinds of suspicious infrastructure serving HTTPS certificates identified as malicious.

import "vt"

rule Cobalt_Strike_Default_SSL_Certificate
{
  meta:
    name = "Default CobaltStrike self-signed SSL Certificate"
    description = "Find IP addresses serving the default SSL certificate used out of the box by Cobalt Strike for C2 comms"
    reference = "https://www.mandiant.com/resources/blog/defining-cobalt-strike-components"
    target_entity = "IPs"
  condition:
    vt.net.ip.https_certificate.thumbprint == "6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c"
}

For our final example we will create a rule from scratch.
In this case we are inspired by the Zaraza bot credential stealer, which exfiltrates stolen data using Telegram channels, so we will use VirusTotal to hunt for fresh infrastructure (URLs) used in that way. Our rule will check for known patterns in the URLs for a given domain (“api.telegram.org”), then check whether the last file seen communicating with them (“communicating_file”) seems suspicious (“analysis_stats.malicious” > 5) and has a particular AV verdict (“steal” or “exfilt”), which we find by looping over its “signatures”.

import "vt"

rule telegram_bot_stealer {
  meta:
    description = "Detects Telegram channels that bots potentially use to exfiltrate data to."
    category = "MAL-infra"
    malware = "Stealer"
    reference = "https://www.uptycs.com/blog/zaraza-bot-credential-password-stealer"
    examples = "https://www.virustotal.com/gui/file/2cb42e07dbdfb0227213c50af87b2594ce96889fe623dbd73d228e46572f0125/detection, https://www.virustotal.com/gui/url/f4abd85188b86df95c7f8571f8043d92ad033b6376a113fd0acd8714bd345798/detection"
    creation_date = "2023-07-06"
    last_modified = "2023-07-06"
    target_entity = "url"

  condition:
    vt.net.url.raw icontains "https://api.telegram.org/bot" and
    (
      (
        vt.net.url.raw icontains "/sendMessage?" and
        vt.net.url.query icontains "text="
      ) or
      vt.net.url.raw icontains "/sendDocument?"
    ) and
    vt.net.url.query icontains "chat_id=" and
    vt.net.url.communicating_file.analysis_stats.malicious > 5 and
    for any engine, signature in vt.net.url.communicating_file.signatures : (
      signature icontains "steal" or signature icontains "exfilt"
    )
}
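To sanity-check the logic of the URL rule above and the domain rule from the first example before deploying them as Livehunts, here is an added Python stand-in (not part of the original post and not VirusTotal’s code) that mirrors each condition clause by clause over constructed objects. The field layout of the objects, the treatment of `vt.net.url.query` as everything after the first “?”, and `signatures` as an engine-to-verdict map are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample objects shaped like the vt.net.url / vt.net.domain
# attributes the rules read; the field layout is an assumption.
URL_HIT = {
    "raw": "https://api.telegram.org/bot000:CONSTRUCTED/sendMessage?chat_id=42&text=creds",
    "communicating_file": {
        "analysis_stats": {"malicious": 9},
        "signatures": {"EngineA": "Trojan.PSW.Stealer.gen", "EngineB": "Malicious"},
    },
}
URL_MISS = {
    "raw": "https://api.telegram.org/bot000:CONSTRUCTED/getUpdates?offset=1",
    "communicating_file": {"analysis_stats": {"malicious": 9}, "signatures": {}},
}
DOMAIN_HIT = {"raw": "cdn.TELEGRAM.com",
              "downloaded_file": {"analysis_stats": {"malicious": 5}}}


def icontains(haystack: str, needle: str) -> bool:
    """YARA's icontains: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def url_query(raw: str) -> str:
    """Stand-in for vt.net.url.query: everything after the first '?'."""
    return urlsplit(raw).query


def matches_telegram_bot_stealer(url_obj: dict) -> bool:
    """Mirror of the telegram_bot_stealer condition, clause by clause."""
    raw = url_obj["raw"]
    query = url_query(raw)
    cf = url_obj.get("communicating_file") or {}
    malicious = cf.get("analysis_stats", {}).get("malicious", 0)
    signatures = cf.get("signatures", {})  # engine -> verdict string
    return (
        icontains(raw, "https://api.telegram.org/bot")
        and ((icontains(raw, "/sendMessage?") and icontains(query, "text="))
             or icontains(raw, "/sendDocument?"))
        and icontains(query, "chat_id=")
        and malicious > 5
        # 'for any engine, signature in ... : (...)' over the verdict map
        and any(icontains(s, "steal") or icontains(s, "exfilt")
                for s in signatures.values())
    )


def matches_malware_distribution(domain_obj: dict, my_domain: str = "telegram.com") -> bool:
    """Mirror of the malware_distribution domain rule from the first example."""
    stats = domain_obj.get("downloaded_file", {}).get("analysis_stats", {})
    return icontains(domain_obj["raw"], my_domain) and stats.get("malicious", 0) >= 5
```

Note that `DOMAIN_HIT` matches even though its casing and subdomain differ from “telegram.com”, which is exactly the lookalike behaviour the rule description asks for.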

Wrapping up

YARA rules are no longer limited only to tracking files. The new “.net” attribute in the “vt” YARA module empowers users with the ability to discover suspicious network infrastructure and combine it with VirusTotal’s metadata for a huge range of use cases.
The YARA “vt” module provides a standardized syntax for file and network detection rules and allows combining attributes of different entities into highly customized monitoring rules. Additionally, it replaces the need for periodic lookups (manual, but especially automated ones) by allowing the deployment of Livehunt rules for monitoring.
Although this blog post shows some of the new YARA Netloc capabilities using a few examples, there are infinite possibilities. You can use it to track threat actors’ infrastructure, to monitor your own infrastructure (including IP ranges) or to detect phishing campaigns targeting your company, amongst many other use cases. You can find many more ideas by checking the YARA editor templates, checking the official documentation or the YARA rules GitHub repository.
We will be back soon with more details, use cases and examples for YARA Netloc hunting capabilities, but in the meantime do not hesitate to contact us for anything you need.
Happy hunting!