Actionable Threat Intel (III) - Introducing the definitive YARA editor


News category: Malware / Trojans / Viruses
Source: blog.virustotal.com

One of VirusTotal's biggest strengths is its Hunting capability built on YARA rules. Besides matching every file against a large set of crowdsourced YARA rules, it lets users create their own detection and classification rules.
YARA was originally designed for file-based rules. VirusTotal's "vt" module extends it with file metadata and sandbox behaviour. This lets users write advanced Livehunt and Retrohunt rules and get notified via IoC Stream every time a new or re-scanned file matches one of their rules.
Designing good YARA rules takes expertise and time. That is why we have re-engineered the built-in YARA editor to make it easier to create, test and deploy rules. This post details all of its new capabilities.
Beyond full syntax highlighting and auto-completion, the editor offers a lot more. But first, here is how to find it.
The new YARA editor is reached from the Livehunt or Retrohunt dashboards via the Hunting dropdown in the top-left menu of the landing page. On the Livehunt dashboard, the "New Livehunt Ruleset" dropdown has four options, each linking to the YARA editor for a specific entity type.
This post focuses on file rules; future posts will cover the other options.
Now let's look at the big new features in detail.

Feature #1 - YARA rule templates

The YARA editor provides pre-defined, self-describing rule templates (see the documentation for full details). We will keep adding templates and refreshing the existing ones.
For instance, say you are interested in new samples that AntiVirus engines detect as malicious and that are hosted on a certain domain or URL. You can filter the available templates with keywords such as "URL", "download" and "positive", then pick the one whose description fits best, as shown in the image below.
Building your own rules is now easier: start from a suggested template and replace its placeholders with your specifics. It is also important to rename the predefined rules so that you can tell which rule produced each notification in your IoC Stream. In this case, the placeholders are the target URL and the minimum number of detections for new files.
We will create a new rule based on these templates, with a few extra details: [1] we want PDF files only, [2] we check whether the file was seen hosted on a given domain, and [3] we add a couple of extra domains and check whether the file resolved them when detonated in any of our sandboxes. Here is the resulting rule:
import "vt"

rule malware_hosted_on_strikinglycdn {

    meta:
        description = "Detects malicious files hosted on strikinglycdn.com domain."
        category = "MAL"
        examples = "https://www.virustotal.com/gui/search/p%253A5%252B%2520itw%253Astrikinglycdn.com%2520(behaviour_network%253A%2522oyndr.com%2522%2520or%2520behaviour_network%253A%2522fancli.com%2522)/files"
        creation_date = "2023-07-11"
        last_modified = "2023-07-11"

    condition:
        // combining existing templates: more than 5 detections on a new file
        vt.metadata.analysis_stats.malicious > 5 and
        vt.metadata.new_file and
        // [1] checking filetype
        vt.metadata.file_type == vt.FileType.PDF and
        // [2] check if the file was hosted on this domain
        // (iendswith is case-insensitive, == is case-sensitive)
        (
            vt.metadata.itw.domain.raw iendswith ".strikinglycdn.com" or
            vt.metadata.itw.domain.raw == "strikinglycdn.com"
        ) and
        // [3] check if it resolves these domains during sandbox detonation
        for any dns_lookup in vt.behaviour.dns_lookups : (
            dns_lookup.hostname == "oyndr.com" or
            dns_lookup.hostname == "fancli.com"
        )
}

Feature #2 - YARA playground

When designing a rule it is always hard to strike the right balance between over- and under-fitting. Does the rule match the samples it was written from? How many other samples does it match? Does it match any legitimate samples it should not? Since checking this is the first thing any analyst does, we made it easy to test a fresh rule against a set of IoCs.
At the bottom of the editor you will find three tabs. In the TEST tab you add the set of IoCs you want to test the rule against, as shown below.
Click Run test and the TEST RESULTS tab shows how each tested IoC matched the rule.
If something goes wrong, the PROBLEMS tab gives the details.
Additionally, when you work on multiple rulesets in several browser tabs at once, the YARA editor shows a message in the top-right corner so that the entity type your rules target is always in view.
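To make the over/under-fitting question concrete before touching the editor, here is an added example that is not part of the original post or of VirusTotal's tooling: a small Python script that re-implements the condition of the malware_hosted_on_strikinglycdn rule from Feature #1 and runs it over a constructed, labelled set of VT-style file objects, the way the TEST and TEST RESULTS tabs do. The object layout follows the public VT API v3 file object as far as it goes; the `new_file` flag, the `type_tag` value and the `itw.domain.raw` path are assumptions standing in for vt.metadata.new_file, vt.metadata.file_type and the not-yet-documented ITW field.

```python
"""Offline pre-check for a Livehunt rule, in the spirit of the editor's TEST tab.

Added illustration, not VirusTotal code. The condition of the
malware_hosted_on_strikinglycdn rule is re-implemented in Python and run
over constructed, labelled file objects shaped like a VT API v3 file object
(the data the "vt" YARA module exposes). Assumptions: `new_file` stands in
for vt.metadata.new_file, `type_tag` for vt.metadata.file_type, and the
`itw.domain.raw` layout is taken from the rule itself, since the post says
the ITW fields are not yet documented.
"""

TARGET_DOMAIN = "strikinglycdn.com"
TARGET_LOOKUPS = {"oyndr.com", "fancli.com"}


def make_sample(sha256, expect, *, new_file=True, type_tag="pdf", malicious=12,
                itw_domain="files.strikinglycdn.com", dns=("oyndr.com",)):
    """Build one constructed VT-style file object plus the verdict we expect."""
    return {
        "sha256": sha256,
        "expect": expect,
        "new_file": new_file,
        "type_tag": type_tag,
        "last_analysis_stats": {"malicious": malicious},
        "itw": {"domain": {"raw": itw_domain}},
        "behaviour": {"dns_lookups": [{"hostname": h} for h in dns]},
    }


# Constructed test set: two intended hits plus near-misses that probe each
# clause of the rule, so over- and under-fitting show up before deployment.
SAMPLES = [
    make_sample("a" * 64, True),                                              # the intended hit
    make_sample("b" * 64, True, itw_domain="strikinglycdn.com", dns=("fancli.com",)),  # apex
    make_sample("c" * 64, False, itw_domain="strikinglycdn.com.evil.example"),  # look-alike
    make_sample("d" * 64, False, malicious=5),                                # "> 5" excludes 5
    make_sample("e" * 64, False, type_tag="peexe"),                           # not a PDF
    make_sample("f" * 64, False, new_file=False),                             # re-scan, not new
    make_sample("g" * 64, False, dns=("example.com",)),                       # neither hostname
]


def hosted_on(obj, domain):
    """itw.domain.raw iendswith ".<domain>" or itw.domain.raw == "<domain>".

    YARA's iendswith is case-insensitive but == is not; replicated as-is.
    """
    raw = obj.get("itw", {}).get("domain", {}).get("raw", "")
    return raw.lower().endswith("." + domain) or raw == domain


def resolves_any(obj, hostnames):
    """for any dns_lookup in vt.behaviour.dns_lookups : (hostname == ...)."""
    lookups = obj.get("behaviour", {}).get("dns_lookups", [])
    return any(entry.get("hostname") in hostnames for entry in lookups)


def rule_matches(obj):
    """Python equivalent of the rule's condition block."""
    stats = obj.get("last_analysis_stats", {})
    return (
        stats.get("malicious", 0) > 5
        and bool(obj.get("new_file"))
        and obj.get("type_tag") == "pdf"
        and hosted_on(obj, TARGET_DOMAIN)
        and resolves_any(obj, TARGET_LOOKUPS)
    )


def run_test(samples):
    """What the TEST RESULTS tab shows: which IoCs matched and which did not."""
    matched = [s["sha256"] for s in samples if rule_matches(s)]
    missed = [s["sha256"] for s in samples if not rule_matches(s)]
    return matched, missed


def evaluate(samples):
    """Compare verdicts with labels: false positives mean the rule is too
    loose, false negatives that it is too tight."""
    report = {"true_positives": 0, "false_positives": 0,
              "false_negatives": 0, "true_negatives": 0}
    for s in samples:
        hit, want = rule_matches(s), s["expect"]
        if hit and want:
            report["true_positives"] += 1
        elif hit:
            report["false_positives"] += 1
        elif want:
            report["false_negatives"] += 1
        else:
            report["true_negatives"] += 1
    return report


if __name__ == "__main__":
    matched, missed = run_test(SAMPLES)
    print("matched:", [h[:8] for h in matched])
    print("not matched:", [h[:8] for h in missed])
    print(evaluate(SAMPLES))
```

Run it as a script to get the matched and unmatched lists plus the confusion counts. Sample d shows that the template's `> 5` threshold excludes a file with exactly five detections, which is worth a conscious decision; sample c shows that `iendswith ".strikinglycdn.com"` rejects look-alike suffixes; and the apex-domain clause uses `==`, which is case-sensitive where `iendswith` is not, a mismatch to keep in mind when ITW data arrives in mixed case.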

Wrapping up

The new YARA editor is integrated with both Livehunt and Retrohunt, so it is now the default editor for anything YARA-related in VirusTotal. The goal is to make writing rules easier and faster, with everything you need, from templates to testing, in one place.
You may have noticed that the ITW check is not in the official documentation and that this type of check was not previously possible. It is part of our ongoing improvements to the "vt" module for YARA, which we will introduce very soon.
We hope you find these new features as useful as we do. If you have any questions or requests, please do not hesitate to contact us.
Stay tuned, Netloc Hunting is coming! And as always, happy hunting!