Private Sigma Rule Feed in Valhalla and Partnership with SOC Prime

We are proud to announce the integration of our private Sigma rule set in Valhalla. This rule set is used in our scanner THOR and endpoint agent Aurora. 

The rule set currently contains more than 250 quality-tested and generic rules written by Nextron’s detection engineering team. 

Valhalla Front Page Now Shows Sigma Rule Information

The Valhalla front page already shows Sigma rule information. The grey bars show the number of new Sigma rules created per day.

Two new tables on the front page list new Sigma rules and the rule categories. The first table contains new rules with rule title, description, creation date, a reference link and an info page.

The second table on the front page shows the types of log source for which the rules have been written.

This can help you decide if the contents of the feed align with the log data your organisation collects.

Feed Characteristics

The feed can be requested as a ZIP archive containing all rules as separate files, or as one large JSON file.

The rules included in the feed share the following features:

  • Each rule went through several stages of internal quality testing
  • Each rule is tagged with the current MITRE ATT&CK® techniques
  • Most rules use generic detection logic that focuses on methods rather than on specific tools

The feed is offered in a form that facilitates filtering of the rules by level, type or keyword.

Future versions of the feed will include usage and false positive statistics based on anonymised data collected through Nextron Systems’ MSP partners. 

Web Access and API

The feed can be retrieved from the web page using the respective form on the Valhalla front page. Using the “demo” key, you can get the rules maintained in the public sigma repository in the streamlined form in which we offer all our rules. 

The Python module “valhallaAPI” has been updated to support the new Sigma rule feed. 

Partnership with SOC Prime

We are also excited to announce that we have entered into a partnership with SOC Prime, a renowned threat intelligence and cybersecurity content platform.

As part of this collaboration, Nextron’s detection rules will be made available in SOC Prime’s threat detection rule marketplace, providing SOC Prime’s customers with access to a wider variety of rules for identifying potential security threats. Nextron will be the first B2B partner to participate in this program, with their feed accessible to SOC Prime’s customers after a subscription update.

We believe that this partnership will provide significant value to both Nextron and SOC Prime’s customers by enhancing their ability to detect and respond to cyber threats.

Pricing

We would like to inform our customers that the subscription to our threat detection rule feed is priced at 15,000 USD per year.

However, we are currently offering the feed at a reduced price of 10,000 USD per year. This offer is only valid for new customers who subscribe within the promotional period which ends at the end of May 2023.

The subscription fee provides access to our constantly updated and comprehensive threat detection rules, which have been carefully curated by our team of cybersecurity experts. We believe that this is a valuable investment for organizations looking to enhance their security posture and mitigate the risks of cyber threats. Don’t miss out on this limited time offer and subscribe today!

Use the “Get Started” button in the upper right corner of this web page to contact our sales team for details.

Sigma Rule Feed in Valhalla

Nextron Systems has always supported the Sigma project, investing hundreds of work hours into creating and maintaining the community rules shared in the public Sigma rule repository. Apart from the community support, we’ve created a set of internal detection rules for our products, THOR and Aurora, that we kept confidential for various reasons and didn’t share publicly.

Today we are glad to announce that we’ve started feeding these rules into the Valhalla service.

As with the YARA feed, we’ve integrated all types of Sigma rules, both publicly shared and private ones.

Using the “demo” API key, you can retrieve all public rules in a structured form from Valhalla.

The private Sigma rule feed contains 190 Sigma rules at the date of this blog post and is expected to grow by 600 rules every year. The following table from the front page of the Valhalla web service shows the different categories and the number of rules per category.

The Sigma rules can be retrieved in plain text or JSON format.

The JSON format allows users to filter or select based on certain values without parsing the rules, e.g., “only select rules that have been modified in the last 7 days”. 

Getting started

We offer the Sigma feed subscription independently of the YARA rule subscription at a much lower price. If you’re interested, please get in touch with your sales representative for pricing information or fill out this form.


VALHALLA API 1.1 Changes

We’ve made some changes to VALHALLA and released version 1.1 and valhallAPI version 0.5 to reflect these changes.

The new modified date shows when this rule has last been modified. 

See this example.

The modified date will also appear in the JSON feed and metadata of the text feed.

Rules now contain a “hash1” value, which is the hash of one of the samples from which the rule has been derived.

The API offers two new endpoints named “keyword” and “keyword-matches” (customers only), which allow two new lookups.

The “keyword” lookup is not very spectacular and simply returns a list of rule metadata based on a certain keyword.

However, the “keyword-matches” endpoint adds a new vector. It combines a keyword lookup on the rules with a lookup on matches created by these rules. 

E.g. by providing the keyword “Turla”, you get a list of sample hashes on which Turla related rules matched in the past.

The new valhallaAPI client and Python module in version 0.5 allow you to use these features.

You can upgrade your current version with

pip3 install valhallaAPI --upgrade

New VALHALLA Web Features

The newest update of our popular YARA rule feed named VALHALLA adds new features to its web interface.

The most awaited new feature is a keyword search that allows you to query the database for certain keywords, rule names, reports, MITRE ATT&CK ids or tags.

The result page shows you if VALHALLA already has related rules in its database. 


Keyword Search

The search results show all rules in our database related to the search keyword.

You can see the rule name, description, the rule date, a reference URL and a set of links.

The new search function helps you to determine if VALHALLA and THOR already contain rules for a given report or threat. 

New Links

We have integrated new links that lead you to:

  1. the reference listed in the rule (report, source)
  2. a Virustotal lookup for that rule / sample
  3. a detailed info page for that specific rule

Rule Info Pages

The rule info page contains all the details of a certain rule. These include all metadata values like score, tags, reference links, required YARA version and modules, the rule date and the average AV detection ratio.

Two additional tables include all antivirus verdicts for samples on which that rule has matched and a list of all observed samples with links to Virustotal. 


Community Rule Info

We’ve also added notes on the 2400+ rules that are available as open source in the signature-base repository on GitHub, e.g. try SUSP_LNK_Big_Link_File.

Category Counts

A new table on the start page informs users about the rules per subscribable category. 

Also note that queries of any type to Valhalla are rate limited. Too many requests in a relatively short time frame, a high number of requests over a longer period, and other suspicious activity will lead to a complete block. Customers can get their source IP addresses whitelisted on request.

The new version will be deployed in the coming days.

New VALHALLA Features That You Might Have Missed

Rule Info Pages

The new rule info pages allow you to get more information on a certain rule. You can find all the meta data, as well as past rule matches and previous antivirus verdicts.

A second tab contains statistics. 

You can also report false positives that you’ve encountered with that rule using the button in the tab bar. 

Note that the rule info lookups in the web GUI are rate limited. If you query rule infos too often, you get blocked.

The rule info pages can be accessed using this URL scheme:

https://valhalla.nextron-systems.com/info/rule/RULE_NAME

For example:

https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1


Rule Info & Hash Info

The rule info and hash info API endpoints are available for customers with valid API key only.

The API is not rate limited.

Customers can find information on how to use these endpoints here.


Automated Tagging

The automated tagging has been extended to include MITRE ATT&CK threat actor group IDs.

Status Includes Version

The status endpoint now includes a version number.

The version number is an integer value generated from the last update timestamp using the format string “%Y%m%d%H”. This way it is not just a version number that you can compare with your local last change (e.g. “>=”) but also an implicit timestamp.

You can access that endpoint via POST request (/api/v1/status) or Python API’s “get_status()” function.


You can find more information on Valhalla on our web page.

Spotlight: Threat Hunting YARA Rule Example

With this post, we would like to demonstrate the YARA rule creation process for the so-called “threat hunting” rule category that we use in VALHALLA.

We noticed that many interested parties thought that “threat hunting” YARA rules are just rules with lower scores indicating a lower certainty. But in fact, they’re our most successful rules. The reason behind this is that they focus on anomalies as they appear in obfuscated samples and we’re not just talking about different forms of encoding.

Looking at the current table named “Successful YARA Rules in Set” on the VALHALLA start page, you’ll see many rule names that start with “SUSP_” for “suspicious”. 

These rules don’t match on a specific threat / malware but detect

  • certain methods (evasion, exploitation, side-loading, LOLBASs, LOLBINs)
  • casing anomalies (like cMd.ExE)
  • many forms of suspicious encodings
  • reversed strings
  • suspicious parameter combinations (e.g. certutil -decode)
  • suspicious packer / PE information combinations (like AutoIt executables from Microsoft)
  • and much more

So, these rules cannot be used for classification, but they’re certainly invaluable for detecting new, unknown threats.

Genesis of a New Threat Hunting YARA Rule

Processing different samples from various threat groups, we often notice patterns in malicious code that look as if they could be used for a generic “threat hunting” rule.

The MuddyWater sample (8f0c6a09d1fca3d0002d3047733b50fe5153a33436d576c5020f0a21761242f1) contains the following base64 encoded block. 

While looking at this code block you can see repeating patterns even before decoding it just by scrolling over it. 

A good analyst asks himself “could this pattern serve as a signature?”.

To answer the question he decodes the base64 encoded chunk and gets a script with the following content:

He’ll notice a block of hex encoded values in a list. The obfuscation of the lower layer (hex) can thus be detected in the upper layer (base64). By combining these two forms of obfuscation, the attackers provide us with a pretty specific pattern to detect malicious, or at least highly suspicious, code.

Next we try to figure out the exact usable patterns and put them to the test with different offsets. We use simple regular expressions in CyberChef to highlight matches. 

For our YARA rules, we don’t want to use regular expressions but byte patterns with place holders. Even for this task we can make use of CyberChef. 

The output can be used in a YARA rule that looks like this:

[code lang="text"]
rule SUSP_Base64_Encoded_Hex_Encoded_Code {
   meta:
      author = "Florian Roth"
      description = "Detects hex encoded code that has been base64 encoded"
      date = "2019-04-29"
      score = 65
      reference = "Internal Research"
   strings:
      // "\x" followed by a hex digit, as it appears at the three possible base64 alignments
      $x1 = { 78 34 4e ?? ?? 63 65 44 ?? ?? 58 48 67 }
      $x2 = { 63 45 44 ?? ?? 58 48 67 ?? ?? ?? 78 34 4e }
   condition:
      1 of them
}
[/code]
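As an added illustration (not code from the original post or from the MuddyWater sample), the following Python script builds a constructed script fragment with a list of "\xHH" escapes, base64-encodes it, reimplements the rule's two hex strings with "??" placeholders as byte regexes, and checks that the rule fires at all three base64 alignments. The sample text and the prefix bytes are constructed for the test.

```python
import base64
import re

# The two hex strings from the rule on this page; "??" is a one-byte wildcard.
PATTERNS = {
    "$x1": "78 34 4e ?? ?? 63 65 44 ?? ?? 58 48 67",
    "$x2": "63 45 44 ?? ?? 58 48 67 ?? ?? ?? 78 34 4e",
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string (fixed bytes and ?? wildcards) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_matches(data: bytes) -> dict:
    """Offsets at which each hex string matches, like the string matches YARA reports."""
    return {name: [m.start() for m in hex_pattern_to_regex(p).finditer(data)]
            for name, p in PATTERNS.items()}


def rule_fires(data: bytes) -> bool:
    """The rule's condition is '1 of them': any string with at least one match."""
    return any(find_matches(data).values())


def decode_window(data: bytes, start: int, length: int) -> bytes:
    """Decode the base64 quartets covering a match to see which plaintext produced it."""
    lo = start - start % 4
    hi = start + length
    hi += -hi % 4
    return base64.b64decode(data[lo:hi])


def encoded_script(prefix: bytes = b"") -> bytes:
    """Constructed sample (not the MuddyWater script): a variable holding a list of
    \\xHH escapes, base64-encoded. `prefix` shifts the escapes' base64 alignment."""
    lower_layer = prefix + b'$b = "\\x41\\x42\\x43\\x44\\x45"'
    return base64.b64encode(lower_layer)


if __name__ == "__main__":
    # Each "\xHH" escape is 4 bytes, so consecutive escapes hit all three 3-byte
    # base64 alignments; that is why fixed bytes plus placeholders suffice here.
    for prefix in (b"", b"#", b"##"):
        blob = encoded_script(prefix)
        hits = find_matches(blob)
        print(prefix, blob.decode(), hits, rule_fires(blob))
        for off in hits["$x1"]:
            print("  $x1 region decodes to", decode_window(blob, off, 13))
```

The plain, un-encoded fragment does not trigger the rule; only its base64 form does, which is the layering the rule is built on.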

To us it is not surprising that a test with the rule returned a lot of samples with low or no AV detection at all. We tested the hash list of the samples retrieved from a Virustotal Retrohunt with Munin and got the following results: 

As you can see, it’s not possible to verify the results based on the AV detection ratio. However, it’s a good sign that other threat hunting rules or even rules for known webshells from our ruleset match on these samples as well. We typically evaluate the false positive rate of this type of rule with the help of the file names (e.g. c99.php, virus.txt, *_codexgigas, Virusshare_*) and some spot checks.

You’ll also note that the rule matches many different content types – emails (.eml), executables, web shells, scripts. That’s one of the reasons why we love these rules so much.

The second screenshot contains some reassuring matches of the customized older version of the LaZagne credential dumper used by MuddyWater and apparently also encoded in the described form. (b8e97c96aa18916c15eea5c78d5a20b966aa45f332a5ea4d9ac2c87ebe5adff6)

You can find a full munin result file of the retrohunt matches here.

The YARA rule will be pushed to the signature-base that we provide for the community and will also be available in a streamlined form in the VALHALLA demo feed very soon. 

I hope you liked it.

For more information like this, please subscribe to the newsletter or follow us on Twitter: @thor_scanner
