Thomas Patzke

213 Followers
143 Following
173 Posts
Incident Response, Threat Hunting. Opensource security tool developer. The guy formerly known as @blubbfiction of Twitter.
GitHub: https://thomaspatzke.github.io
Web: https://patzke.org
Twitter: https://twitter.com/blubbfiction
Searchable: https://www.tootfinder.ch/

Just released Sigma Engine on GitHub, a Rust-based library with a focus on performant and scalable matching of Sigma rules against logs. It implements Sigma rule parsing, processing pipelines as known from pySigma, and a multi-threaded matching engine. Currently it's in a very early stage and not yet released on crates.io; APIs might change.

On top of this, I plan to build a CLI for applying Sigma rules to EVTX or JSON files as well as a web API server for integration into log pipelines.

Just released pySigma 1.0.0 🥳🎉🚀

Lots of changes that improve quality under the hood, like full type hinting, which led to some previously undiscovered bugs being fixed.

https://github.com/SigmaHQ/pySigma/releases/tag/v1.0.0

There are breaking changes but most of them appear only under certain conditions and special use cases:

https://github.com/SigmaHQ/pySigma/blob/v1.0.0/docs/Breaking_Changes.rst


Python developers, be careful! Someone is trying to phish PyPI accounts using the domain pypj[.]org.

https://discuss.python.org/t/pypi-org-phishing-attack/100267/7

In August 2024, Proofpoint published research highlighting an unusual, suspected espionage campaign targeting dozens of organizations worldwide to deliver a custom malware family named “Voldemort”.

Proofpoint analysts now attribute this campaign to the China-aligned threat group #TA415 (also known as #APT41 and #BrassTyphoon).

This attribution is based on multiple newly identified high confidence links between the campaign distributing Voldemort and known TA415-attributed infrastructure, including overlaps with activity publicly reported by Mandiant in July 2024: https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust.

Furthermore, in late August 2024, Proofpoint identified a targeted campaign featuring an almost identical attack chain to deliver the Voldemort backdoor. This activity spoofed a Taiwanese aerospace industry association and repeatedly targeted fewer than five aerospace companies in the US and Taiwan, aligning with more typical targeting associated with TA415 and other China-aligned actors.

The screenshot below shows a machine translated version of a phishing email associated with this campaign (originally written in Traditional Chinese).

In this campaign, TA415 began using Google AMP Cache URLs that redirected to password protected 7-Zip files hosted on OpenDrive. These archives contained malicious Microsoft Shortcut (LNK) files that attempted to download a Python script hosted on paste[.]ee. This activity continued into late September 2024 and also targeted a small number of organizations in the chemicals, insurance, and manufacturing industries.

The initial widespread #TA415 campaign distributing Voldemort remains unusual due to its widespread targeting and techniques more commonly observed in cybercrime activity.

While this volume of targeting from an APT actor is uncommon, it is not unheard of, as Proofpoint observed similar high volume targeting by the Russia state-aligned threat actor #TA422 in 2023: https://ow.ly/BJuW50TQSt0.

⬇️⬇️⬇️

Read our recent blog to learn more about the TA415 Voldemort campaign: https://ow.ly/8Cka50TQSv1.


Here's the recording of my hack.lu talk from yesterday, "Lessons Learned From (Almost) 8 Years Of Sigma Development":

https://www.youtube.com/watch?v=tnYTTPX11WM&ab_channel=Cooper


Here are the slides and pipelines from my workshop "Operationalization of Sigma Rules with Processing Pipelines" from yesterday:

https://github.com/thomaspatzke/sigma-workshop-operationalization


Yesterday's pySigma release 0.11.11 and today's 0.11.12 contain lots of new features, fixes and improvements:

* Nested processing pipeline transformations, allowing a block of transformations to be executed under given conditions. Together with processing pipeline condition expressions, this enables complex transformation scenarios.
* New transformation to set custom attributes on rules.
* Updated MITRE ATT&CK and added D3FEND content.

Thanks to all contributors for making this happen!

https://github.com/SigmaHQ/pySigma/releases/tag/v0.11.12

https://github.com/SigmaHQ/pySigma/releases/tag/v0.11.11

https://sigmahq-pysigma.readthedocs.io/en/latest/Processing_Pipelines.html#sigma.processing.transformations.NestedProcessingTransformation

Introducing Sigma Specification v2.0 - Sigma_HQ

The SigmaHQ team is pleased to announce the latest update to the Sigma specification, the long awaited version 2.0 is now available for all Sigma users and creators. This release marks an important…

Sigma_HQ

New @misp playbook! Tackle the week with JARM fingerprint investigations to track threat actor infrastructure using @censys, @shodan and MISP. Boost your #cti game with #automation and #infrastructure insights. https://github.com/MISP/misp-playbooks/blob/main/misp-playbooks/pb_jarm_verification-with_output.ipynb

Palo Alto Networks' Unit 42 researchers review a DarkGate malware campaign from March-April 2024 that uses Microsoft Excel files to download a malicious software package from public-facing SMB file shares. https://unit42.paloaltonetworks.com/darkgate-malware-uses-excel-files/