
Reverse Engineering Malware to Create Targeted Datadog Workload Protection Rules

Practical applications of dynamic malware analysis for adapting Datadog SIEM for production environments
7 min read | September 3, 2025

Overview

In our modern threat landscape, it is common for threat actors to design malware from scratch to evade standard security tools. Default rulesets like those provided in Datadog's Workload Protection are no exception.

Modern endpoint protection products and default SIEM rulesets typically detect only known threats, and you may already have identified visibility gaps in your security posture. Truly bespoke threats often bypass out-of-the-box rule sets. To close this gap, security teams follow a recurring lifecycle:

  1. Telemetry & Sample Collection: Gather suspicious binaries, scripts, or executables from alerts, sandbox detonations, or threat-intelligence feeds.
  2. Reverse Engineering: Unpack and analyze samples to uncover unique strings, API call patterns, file I/O behaviors, and other distinctive elements.
  3. Identify IoCs: Extract custom artifacts (command-and-control domains, registry keys, etc.) serving as precise Indicators of Compromise.
  4. Rule Creation: Convert artifacts into detection logic for real-time SIEM evaluation.
  5. Deployment & Tuning: Deploy new rules into Datadog Workload Protection or another SIEM solution, monitor for hits and false positives, and refine rules as adversaries adapt.

In the following sections, we’ll walk through a simplified variant of this process, enabling even less-experienced engineers to use a malware sample to create targeted Datadog rules for hardening your environment.

Sample Collection

We will examine an active malware named "Myth Stealer," an info-stealer designed to covertly gather information and exfiltrate it to a command-and-control (C2) server. Typically delivered through social engineering, info-stealers are straightforward to detect due to their predictable data-exfiltration methods.

For this article, assume this malware was identified during incident response for unauthorized access using stolen browser credentials. The sample was retrieved from the user's Downloads folder and secured for analysis.

Reverse Engineering

The simplest approach to reverse engineering malware is to observe its behavior. A secure, isolated environment is essential for this step. A recommended tool for basic malware analysis is Triage, a free service that allows secure uploading, execution, and analysis of malware samples.

Triage automates enough of the dynamic analysis to identify Indicators of Compromise (IoCs) and derive relevant detection rules from them.

After analysis, Triage produces a report that breaks down the significant indicators, such as file modifications and network connections, so you can clearly understand and address the threat.

Identifying IoCs

Identifying IoCs requires analytical consideration. Key actions performed by this specific sample include:

  • Reading Virtualization DLLs
  • Initiating Browser Remote Debugging
  • Creating Startup Files
  • Reading Browser Profile Data
  • Modifying Registry Entries

A low-hanging fruit approach to creating effective detection rules is focusing initially on the data-exfiltration process itself, which tends to follow predictable patterns across various malware families. Since these exfiltration methods are common and consistently applied, detection rules developed around these techniques likely provide broad protection against similar threats as well.

Observing the malware’s process tree reveals it spawning a subprocess of Chrome immediately after execution. We will craft a detection rule targeting processes run from specific directories that initiate Chrome with remote debugging flags.

Rule Creation

Following Datadog's guidelines for Creating Agent Rule Expressions, we create the following rule to capture the described behavior:


exec.cmdline =~ "*--remote-debugging-port=*"
  && process.ancestors.file.path in [
        "C:\\Users\\*\\Downloads\\**",
        "C:\\Users\\*\\Desktop\\**",
        "C:\\Users\\*\\Documents\\**",
        "C:\\Users\\*\\AppData\\Roaming\\**",
        "C:\\Users\\*\\AppData\\Local\\Temp\\**",
        "C:\\Temp\\**",
        "C:\\Windows\\Temp\\**"
      ]

This rule detects any process (Chrome, Edge, Brave, etc.) started with the "remote-debugging-port" flag from directories commonly used by the malware family, indicating potential user-initiated malware.
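To make the rule's matching semantics concrete, the following Go example (added here; not code from the article or from Datadog) approximates how the expression is evaluated against a single process event: the cmdline glob becomes a substring check, and each ancestor path is tested against the directory list with a small glob matcher where a single `*` stays within one path segment and `**` spans segments. ProcessEvent, SampleHit and the matcher itself are assumptions made for illustration, not the Agent's own SECL evaluator.

```go
package main

import "strings"

// ProcessEvent is a constructed view of the two fields the rule consults.
type ProcessEvent struct {
	Cmdline       string   // exec.cmdline
	AncestorPaths []string // process.ancestors.file.path, nearest first
}
// SuspiciousDirs mirrors the path list in the rule above.
var SuspiciousDirs = []string{
	`C:\Users\*\Downloads\**`, `C:\Users\*\Desktop\**`, `C:\Users\*\Documents\**`,
	`C:\Users\*\AppData\Roaming\**`, `C:\Users\*\AppData\Local\Temp\**`, `C:\Temp\**`, `C:\Windows\Temp\**`,
}
// SampleHit is a constructed event: Chrome started with remote debugging by a binary run from Downloads.
var SampleHit = ProcessEvent{
	Cmdline:       `"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222`,
	AncestorPaths: []string{`C:\Users\alice\Downloads\invoice.exe`, `C:\Windows\explorer.exe`},
}
// MatchGlob approximates SECL globbing: '*' stays within one path segment, '**' spans segments; case-insensitive.
func MatchGlob(pattern, path string) bool {
	p, s := strings.ToLower(pattern), strings.ToLower(path)
	if p == "" {
		return s == ""
	}
	if p[0] != '*' {
		return s != "" && p[0] == s[0] && MatchGlob(p[1:], s[1:])
	}
	// a single '*' may not consume a backslash; '**' may
	for i := 0; i <= len(s) && (i == 0 || s[i-1] != '\\' || strings.HasPrefix(p, "**")); i++ {
		if MatchGlob(strings.TrimLeft(p, "*"), s[i:]) {
			return true
		}
	}
	return false
}
// MatchesRule: remote-debugging flag on the command line AND an ancestor in a listed directory.
func MatchesRule(ev ProcessEvent) bool {
	if !strings.Contains(ev.Cmdline, "--remote-debugging-port=") {
		return false
	}
	for _, anc := range ev.AncestorPaths {
		for _, pat := range SuspiciousDirs {
			if MatchGlob(pat, anc) {
				return true
			}
		}
	}
	return false
}
```

Running the same event with an ancestor under Program Files, or without the flag, returns false, which is the behaviour a developer's legitimate headless-Chrome launch should produce.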

To deploy this rule:

  • Navigate to Datadog Dashboard > Security > Workload Protection > Policies.
  • Choose an existing policy or create a new one.
  • Select "Add Agent Rule," provide a name and description, and insert the rule into the "Expression" field.
  • Activate the rule under "Set rule status."

Triggered events will appear in the Agent Events Explorer.

Deployment and Tuning

Ideally, testing should involve deploying the Datadog agent within a secure sandbox environment where the detection rules are already configured. In this environment, safely detonate the malware sample and verify that Workload Protection correctly identifies and logs its behaviors. However, to minimize risk in this demonstration, we'll instead use a simplified Go-based simulation that replicates the behavior of launching Chrome with the debugging flag, avoiding the need to execute actual malware samples directly.

Upon running this test, the Workload Protection "Agent Events Explorer" immediately detects the event. Details confirm detection from the downloads folder and the debugging flag.

Continuous Monitoring & Security Posture

Implementing a detection rule is just the start—it's crucial to continuously monitor your environment and iteratively improve your security measures. Organizations embracing continuous monitoring drastically reduce detection and response times, making it harder for attackers to establish a foothold.

To maximize the value of your Datadog Workload Security policies, leverage Datadog’s built-in threat intelligence to keep up with the latest intel:

  • Continuous Monitoring & Rule Refinement: Regularly review alerts and logs generated by your detection rules. Use insights from actual incidents or false positives to refine rules, improving accuracy and coverage.
  • Expand Indicators of Compromise (IoCs): Strengthen detection by incorporating additional IoCs. For example, if malware creates persistence through startup files or registry keys, add these indicators to new or existing detection rules for broader threat visibility.
  • Real-Time Alerts & Automated Response: Configure Datadog Security Signals to trigger real-time alerts based on your detection rules. Link these alerts to automated response workflows with Datadog Workflow Automations, enabling immediate and consistent incident handling. This automation significantly reduces response time and limits attacker dwell time.

By following these proactive steps, your organization shifts from reactive security measures to a robust, proactive stance, significantly enhancing your overall security posture.

How RapDev Can Help

Managing and continuously refining detection capabilities requires resources and expertise—that’s where RapDev can help. Our team provides specialized support for all Datadog security modules, assisting organizations through every stage of the detection lifecycle. RapDev focuses on collaboration to streamline your processes and optimize your effectiveness. Ready to strengthen your security posture? Contact us today and unlock the true potential of your security teams.
