Posts

Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)

Use VirusTotal EVTX files to test / verify Sigma rules (Part 2)

This is the second part of a blog series. In the first part we covered manual and automated ways to use a recently added VirusTotal feature to download EVTX files from sandbox execution. This second part explores ways to use a VirusTotal EVTX file to test a Sigma rule and to adjust the Sigma config in Timesketch so that the rule works. For this we will use a different sample than in part 1, one that matches a rule that would not work out of the box in Timesketch.

Disclaimer

Most of our other blog posts cover open source techniques. The API feature described in this post is part of a commercial offering from VirusTotal and is not available to free tier accounts. Similar files could be created with Cuckoo Sandbox, an open source malware analysis system.

Sigma rule

This article assumes the reader is familiar with basic use of Sigma in Timesketch, which was covered in Sigma in Timesketch - let's rule the sketch. To get started we w

Use EVTX files on VirusTotal with Timesketch and Sigma (Part 1)

TL;DR: VirusTotal added a new feature that allows VirusTotal Enterprise customers to download Windows XML EventLog files (.evtx) from a sandbox execution of submitted samples. This article covers how this feature can help incident responders and digital forensic analysts develop detections, and how to use the new API to test an existing detection pipeline. Over the course of the article, tools like DFTimewolf, Plaso and Timesketch will be used.

Disclaimer

Most of our other blog posts cover open source techniques. The API feature described in this post is part of a commercial offering from VirusTotal and is not available to free tier accounts. Similar files could be created with Cuckoo Sandbox, an open source malware analysis system.

Prerequisite

In order to follow this guide, we will need a running Timesketch server, Docker on our local computer, and DFTimewolf installed. In addition we need access to the private API of VirusTotal.

Context

Windows EventLogs are an important source fo