STIXv2 Support in SPARK

SPARK Version 1.17.0 adds extensive STIXv2 support.

This lets you extend SPARK’s signature base with IOCs from any sandbox, analysis or threat intel platform that supports STIXv2 export: simply place the exported *.json files in the ./custom-signatures folder.

For now, the supported observable object types are:

  • file:name with = != LIKE and MATCHES
  • file:parent_directory_ref.path with = != LIKE and MATCHES
  • file:hashes.sha-256 / file:hashes.sha256 with = and !=
  • file:hashes.sha-1 / file:hashes.sha1 with = and !=
  • / file:hashes.md5 with = and !=
  • file:size with < <= > >= = !=
  • file:created with < <= > >= = !=
  • file:modified with < <= > >= = !=
  • file:accessed with < <= > >= = !=
  • win-registry-key:key with = != LIKE and MATCHES
  • with = != LIKE and MATCHES
  • with = != LIKE and MATCHES
  • win-registry-key:values.modified_time with < <= > >= = !=

These types are applied in different modules:

  • FileScan: file:*
  • Registry: win-registry-key:* and file:name (applied to data field)

You can find a list of products that support the STIX data exchange format here.

Short Tutorial: How to Create a YARA Rule for a Compromised Certificate

Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware.

I’d like to show you an easy way to create a YARA rule for such a certificate. We will look at a sample that has been marked as malware by many antivirus engines on VirusTotal and whose “Details” tab shows a revoked certificate. That is a good indicator of a compromised certificate that has been, and sometimes still is, used by threat groups to sign their binaries.

Sample: ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4

Let’s look at the details. I recommend creating a YARA rule that uses YARA’s “pe” module and combines the Serial Number and the Issuer of the certificate, which gives an unambiguous rule.

import "pe"

rule MAL_Compromised_Cert_Nov18_1 {
   meta:
      description = "Detects a compromised certificate of CORP 8 LIMITED - identified in November 2018"
      date = "2018-11-01"
      hash = "ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4"
   condition:
      uint16(0) == 0x5a4d and
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].issuer contains "COMODO RSA Code Signing CA" and
         pe.signatures[i].serial == "4c:75:75:69:2c:2d:06:51:03:1a:77:ab:49:22:4c:cc"
      )
}

As you can see, you need to copy two strings from VirusTotal’s web page:

Copy the CA name and use it for the “.issuer” condition, and copy the serial number for the “.serial” condition. Make sure that you convert the serial number to lower-case: the pe module exposes the serial as lower-case hex bytes separated by colons, so a comparison against uppercase characters will never match.
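Since the lower-casing step is the usual mistake, here is an added helper (not part of the original post or of any Nextron tool) that normalizes a serial number copied from a web page into the form YARA’s pe module compares against and renders the rule in the layout shown above; the sample issuer, serial and hash are the ones from this tutorial, and the rule name and description are whatever you pass in.

```python
import re

# Constructed inputs: the issuer and serial from the tutorial, typed the way
# VirusTotal displays them (uppercase hex, colon separated).
SAMPLE_ISSUER = "COMODO RSA Code Signing CA"
SAMPLE_SERIAL = "4C:75:75:69:2C:2D:06:51:03:1A:77:AB:49:22:4C:CC"
SAMPLE_HASH = "ee5340b2391fa7f8d6e22b32dcd48f8bfc1951c35491a1e2b4bb4ab2fcbd5cd4"


def normalize_serial(serial: str) -> str:
    """Convert a serial number copied from a web page into the form YARA's pe
    module uses: lowercase hex bytes joined by colons. Accepts uppercase, a 0x
    prefix, spaces, dashes, or no separators at all; rejects anything else."""
    digits = re.sub(r"^0x", "", serial.strip(), flags=re.IGNORECASE)
    digits = re.sub(r"[\s:\-]", "", digits).lower()
    if not digits or len(digits) % 2 or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not a hex serial number: {serial!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def build_cert_rule(name: str, issuer: str, serial: str, sample_hash: str,
                    description: str, rule_date: str) -> str:
    """Render a pe-module YARA rule in the layout used in the tutorial."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"invalid YARA rule identifier: {name!r}")
    issuer = issuer.replace('"', '\\"')  # keep the YARA string literal valid
    return "\n".join([
        'import "pe"',
        "",
        f"rule {name} {{",
        "   meta:",
        f'      description = "{description}"',
        f'      date = "{rule_date}"',
        f'      hash = "{sample_hash}"',
        "   condition:",
        "      uint16(0) == 0x5a4d and",
        "      for any i in (0 .. pe.number_of_signatures) : (",
        f'         pe.signatures[i].issuer contains "{issuer}" and',
        f'         pe.signatures[i].serial == "{normalize_serial(serial)}"',
        "      )",
        "}",
    ])


if __name__ == "__main__":
    print(build_cert_rule("MAL_Compromised_Cert_Nov18_1", SAMPLE_ISSUER,
                          SAMPLE_SERIAL, SAMPLE_HASH,
                          "Detects a compromised certificate of CORP 8 LIMITED",
                          "2018-11-01"))
```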

VirusTotal Intelligence users can use the following hunting rule to detect newly uploaded malicious samples with revoked certificates:

rule Compromised_Certificate {
   condition:
      // New files, detected by more than 30 engines, carrying a revoked certificate
      new_file and positives > 30 and tags contains "revoked-cert"
}