Signature Based Detection.

-

 What is signature-based detection?

Signature-based detection matches known patterns (signatures) against observed artefacts (files, network traffic, logs). It’s the classic approach used by AV, IDS/IPS (Snort/Suricata), email gateways, and many EDR rules. Signatures can be exact matches (file hash), pattern matches (byte sequence), structural rules (YARA), or behavioral/log patterns (SIEM rules).

Common signature types

  • File hashes (exact-match signatures)

    • MD5, SHA-1, SHA-256 (and SHA-512). Used to uniquely identify a file binary or sample. Fast to compute, cheap to compare.

    • Recommendations: use SHA-256 for new work (collision resistance + wide adoption). MD5/SHA-1 are weak for cryptographic guarantees but still used as legacy identifiers.

  • Fuzzy / similarity hashes

    • ssdeep (context triggered piecewise hashing) — measures similarity between files; useful for variants (packing, minor edits).

    • TLSH (Trend-micro Locality Sensitive Hash) — another similarity hash.

    • Use when exact hashes differ due to minor changes but you still want to detect family variants.

  • YARA rules (file content / structure rules)

    • Very flexible: match strings, hex patterns, file offsets, metadata, boolean logic, and modules for PE/ELF parsing. Great for malware family detection and hunting.

    • Example (very small):

      rule Suspicious_Packer {
  strings:
    $s1 = "UPX" nocase
    $s2 = { 4D 5A }          // MZ header
  condition:
    $s1 or $s2
}

  • IDS/IPS rules (Snort/Suricata)

    • Signatures for network traffic: HTTP patterns, protocol anomalies, specific payload bytes, flows, port-based detections. Example: alert tcp any any -> any 80 (msg:"SQLi"; content:"UNION SELECT"; sid:1000001;)

  • Log/behavior signatures (Sigma, SIEM rules)

    • Detect sequences in logs (process spawn chains, suspicious command-lines, Lateral movement patterns). Sigma is a vendor-agnostic rule format that translates into Splunk/Elastic/QRadar rules.

  • IOC lists

    • Simple indicators: filenames, mutex names, registry keys, IPs, domains, URLs. Often used in blocklists or quick detection.

  • Non-cryptographic hashes for indexing

    • CRC32, MurmurHash — used internally for fast lookups (not for security).

Properties of different hash families (short)

  • MD5 — fast, 128-bit; collisions are trivial to produce now. Good as an identifier but not secure against attackers.

  • SHA-1 — 160-bit; collision attacks exist. Avoid for security-sensitive use.

  • SHA-2 (SHA-256/512) — secure for current practical needs. Use SHA-256 for file identification and signing workflows.

  • ssdeep / TLSH — not cryptographically secure but similarity metrics are useful for clustering variants.

How signatures are used in practice

  • AV engine: exact-hash for known malicious binaries + YARA for families + heuristics for packed/obfuscated code.

  • IDS: network pattern matching + protocol decoding + rule thresholds (to avoid floods).

  • EDR & Hunting: YARA + fuzzy hashes + behavioral detection (abnormal process creation, suspicious command lines).

  • Threat intel sharing: publish hashes, YARA rules, domains, IPs as IOCs.

Strengths and weaknesses

Strengths:

  • Very precise for known threats (low false negatives for exact signatures).

  • Fast and deterministic.

  • Easy to share (hash lists, YARA rules).

Weaknesses:

  • Only detects what’s known — fails against novel malware, zero-days, or significant polymorphism.

  • Evasion: trivial binaries changes break exact hashes; packers, encryption, polymorphism, and runtime code generation avoid static signatures.

  • False positives/negatives: poorly written rules can match benign content or miss variants.

  • Volume / performance: large rule sets or regex-heavy signatures can tax endpoints or sensors.

Common evasion techniques

  • Changing a single byte or timestamp to alter exact hash.

  • Packing/packing with custom packers (changing file envelope).

  • Polymorphic/encrypted payloads; unpacking only at runtime.

  • Domain generation algorithms (DGAs) for network indicators.

  • Living-off-the-land (LoL) — using signed/legit binaries (bypass file-based detection).

Mitigations & best practices

  • Layered detection: don’t rely only on hashes. Combine static signatures (hashes, YARA) with behavioral detection, heuristics, telemetry, and sandboxing.

  • Prefer strong hashes (SHA-256) for IOC publication. Include ssdeep or TLSH for family clustering.

  • YARA + modules: use metadata, file format checks, PE/ELF parsing to reduce false positives.

  • Triage & threat intel: validate IOCs (avoid blind blocking), add context (first seen, source reputation).

  • Update cadence: keep signature/rule feeds current; roll out safely to avoid mass false positives.

  • Testing: test signatures in a staging environment and tune thresholds.

  • Canonicalization and normalization: normalize URLs/paths before rule matching to avoid trivial evasion.

Practical examples

Compute common hashes on Linux:

  • md5sum sample.exe

  • sha1sum sample.exe

  • sha256sum sample.exe

Small YARA example (file detection + metadata):

rule EvilBackdoor
{
  meta:
    author = "analyst"
    description = "detects sample family X"
  strings:
    $c1 = "steal_credentials" ascii
    $s2 = { 8B FF 55 8B EC }   // some byte pattern
  condition:
    (any of ($c*) and $s2) or filesize < 1MB
}

Small ssdeep example (compare similarity):

  • Generate fuzzy hash: ssdeep -b sample.exe

  • Compare: ssdeep -k sample1.ssdeep sample2.ssdeep

Rule writing tips

  • Use anchored strings or hex patterns with offsets when possible (reduces false positives).

  • Avoid overly broad regexes across large inputs.

  • Add metadata (malware family, confidence, source) to rules.

  • Rate-limit noisy rules in network sensors (threshold options) to avoid alert storms.

When to use which signature

  • Use exact hashes for blocking confirmed, immutable malicious files (but with caution).

  • Use fuzzy hashes for hunting and clustering variants.

  • Use YARA for family detection, structural checks, and hunting in repositories.

  • Use IDS rules for network IOCs and protocol anomalies.

  • Use Sigma / SIEM rules for log-based behavioral detection.

Signature Based Detection Lab - Simple Example.



This is a custom made msfvenom payload that is a PE executable, compressed in a zip and locked with a a password, this is one of the common ways of hackers throwing around malicious softwares to meet their objectives, whatever their motive is. Signature based detection cannot pick this up until the file is unzipped and checked/or executed.



Comments

Post a Comment

Popular posts from this blog

Common Network Commands: IP R

-
IP R Command Overview The `ip r` command is part of the `iproute2` package in Linux systems. It is used for displaying and manipulating the routing table, which determines how network packets are directed to their destinations. This command is vital for network configuration, management, and troubleshooting. Origin and Development The `iproute2` package was created to replace the older `net-tools` package, which included commands like `ifconfig` and `route`. The `ip` command provides a more unified interface for network management, supporting advanced features and modern networking protocols. It offers better capabilities for managing complex networking scenarios, making it a crucial tool for system and network administrators. Basic Functionality The `ip r` command serves several functions: - Displays current routing table entries. - Shows destination networks, gateways, and associated interfaces. - Allows for the addition, deletion, and modification of routes. Key Command Syntax 1. Di...
Read more

Junior Security Analyst Intro

-
Why SOC Analyst L1 is Considered a Triage Specialist. A Level 1 Security Operations Center (SOC) Analyst is often regarded as a triage specialist because they are the first responders to cybersecurity alerts. Much like how a triage nurse assesses patients' conditions in a hospital, a Level 1 SOC Analyst evaluates and categorizes alerts generated by security tools to determine their severity and prioritize response efforts. Their primary focus is to: Filter Noise: Modern networks generate massive amounts of data, with many false positives. SOC L1 analysts must sift through this data to identify real threats. Categorize Alerts: Assign severity levels to incidents, such as low, medium, or high priority. Initial Response: Perform basic investigations (e.g., checking IP addresses, scanning logs) and decide whether to escalate incidents to Level 2 or 3 analysts. This role is vital because it ensures that high-priority threats are addressed quickly and resources are allocated ...
Read more

Example of A Day in the Life of a Junior (Associate) Security Analyst

-
The day begins early for the Junior Security Analyst, stepping into the office or logging into their remote workstation. The quiet hum of servers and the glow of multiple screens set the stage for another day at the heart of the cybersecurity battlefield. Their first task is to review the handover notes from the previous shift or the daily briefing. This update includes summaries of unresolved incidents, ongoing investigations, and any notable changes in the organization’s threat landscape. Equipped with this crucial information, the analyst prepares to navigate a world where even the smallest anomaly could signify a major threat. Logging into the array of tools—a Security Information and Event Management (SIEM) platform, endpoint detection systems, firewalls, and intrusion detection/prevention systems (IDS/IPS)—the analyst is immediately immersed in the flow of alerts. Every beep, flash, and log entry represents a potential threat. The first challenge is triage. Like a digital detecti...
Read more