Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)
Use VirusTotal EVTX files to test / verify Sigma rules (Part 2) This is the second part of a blog series. In the first part we covered manual and automated ways to download a recently added feature of VirusTotal to download EVTX from Sandbox execution. This second part explores ways to use a VirusTotal EVTX file to test a Sigma rule and adjust Sigma config in Timesketch to make the rule work. For this we will use a different sample than in part 1 that matches a rule that would not work out of the box in Timesketch. Disclaimer Most of our other blog posts cover open source techniques. The API feature described in this post is part of a commercial offering from VirusTotal and is not available to free tier accounts. Similar files could be created with Cuckoo Sandbox, an open source malware analysis system. Sigma rule This article assumes the reader is familiar with basic use of Sigma in Timesketch that was covered in Sigma in Timesketch - let's rule the sketch . To get started we w
