How to Collect Threat Intelligence Using Search Parameters in TI Lookup
ANY.RUN’s Threat Intelligence Lookup is a valuable resource for security professionals searching for information on the latest cyber threats.
One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters allow you to filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other relevant information.
Let’s explore each search parameter and provide examples of how they can be used in your investigations.
About Threat Intelligence Lookup
Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.
At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis.
The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.
Thanks to its integration with ANY.RUN’s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.
Search Parameters in TI Lookup
Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.
Task
Task parameters refer to the characteristics of tasks (sandbox sessions).
threatName
The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.
Examples: “Phishing”, “xworm”, “ransomware”, “tycoon”.
submissionCountry
The country from which the threat sample was submitted.
Examples: “es”, “us”, “de”.
Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.
Try it:
threatLevel
A verdict on the threat level of the sample.
Examples: “malicious”, “suspicious”.
taskType
The type of the sample submitted to the sandbox.
Examples: “URL”, “file”.
In this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.
Try it:
Registry
Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.
registryKey
The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\\) to escape each single backslash.
Examples: “Windows\CurrentVersion\RunOnce”, “Windows NT\CurrentVersion\Windows”.
registryName
The name of the Windows Registry key field.
Examples: “browseinplace”, “docobject”, “isshortcut”.
registryValue
The value of the Windows Registry key.
Examples: “internet explorer\iexplore.exe”.
Using the query above, we can identify threats that aim to execute malicious code through scheduled tasks.
Try it:
Environment
These parameters are used to provide context about the environment where a threat was detected or executed.
os
The specific version of Windows used in the environment.
Examples: “11”, “10”, “7”.
osSoftwareSet
The software package of applications installed on the OS.
Examples: “clean”, “office”, “complete”.
osBitVersion
The bitness of the operating system, 32-bit or 64-bit.
Examples: “32”, “64”.
We can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the Lumma stealer launched in the service over the past 14 days.
Try it:
Detection
These parameters are utilized to describe the detection signatures and MITRE TTPs relating to the execution of threats in the sandbox.
ruleName
The name of the detection rule.
Examples: “Executable content was dropped or overwritten”, “Phishing has been detected”.
ruleThreatLevel
The threat level assigned to a particular event.
Examples: “malicious”, “suspicious”, “info”.
MITRE
Techniques used by the malware according to the MITRE ATT&CK classification.
Examples: “T1071”, “T1114.001”.
Let’s consider a query combining the MITRE ATT&CK technique T1053.005, which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials.
Try it:
Module
Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.
moduleImagePath
The full path to the module’s image file, the location on the disk where the module’s executable is stored.
Examples: “SysWOW64\cryptbase.dll”, “SysWOW64\msasn1.dll”.
Above you can see an example of a query that looks for all sandbox sessions in which KernelBase.dll was loaded.
Try it:
Connection
The Connection parameters describe network-related aspects of a threat.
domainName
The domain name that was recorded during the threat execution in a sandbox.
Examples: “tventyvd20sb[.]top”, “5.tcp.ngrok[.]io”.
destinationIP
The IP address of the network connection that was established or attempted.
Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.
destinationPort
The network port through which the connection was established.
Examples: “49760”, “49780”.
destinationIpAsn
Detected ASN.
Examples: “akamai-as”, “akamai international b.v.”.
destinationIPgeo
Two-letter country or region code of the detected IP geolocation.
Examples: “ae”, “de”.
ja3, ja3s, jarm
Types of TLS fingerprints that can indicate certain threats.
Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).
In the picture above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ), belonging to Cogent Communications.
Try it:
Process
The following parameters relate to processes registered during active sandbox sessions.
imagePath
Full path to process image.
Examples: “System32\conhost.exe”, “Framework\v4.0.30319\RegAsm.exe”.
commandLine
The full command line that initiated the process.
Examples: “PDQConnectAgent\pdq-connect-agent.exe --service”, “system32\cmd.exe /c”.
Using these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a ‘davwwwroot’ folder.
Try it:
Network Threats
These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).
suricataMessage
The description of the threat according to Suricata.
Examples: “ET INFO 404/Snake/Matiex Keylogger Style External IP Check”, “STEALER [ANY.RUN] Stealc HTTP POST Request”.
We can use a Suricata message to discover more samples, as well as IOCs, including those extracted directly from malware’s configs, relating to a particular threat.
Try it:
suricataClass
The category assigned to the threat by Suricata based on its characteristics.
Examples: “misc activity”, “a network trojan was detected”.
suricataID
The unique identifier of the Suricata rule.
Examples: “2044767”, “8001997”.
suricataThreatLevel
The verdict on the threat according to Suricata based on its potential impact.
Examples: “malicious”, “suspicious”, “info”.
By combining this parameter with threatName, we can collect Suricata rules relating to a specific malware family.
Try it:
File
These parameters describe file-related aspects of a threat.
filePath
The full path to the file on the system.
Examples: “invoice”, “order”.
We can use this parameter along with threatLevel to find specific files in sandbox sessions with malicious content.
Try it: filePath:”Users\admin\Desktop\README.TXT” AND threatLevel:”malicious”
fileExtension
The extension that indicates the file type.
Examples: “exe”, “dll”.
sha256, sha1, md5
Hash values relating to a file.
Examples: “1412faf1bfd96e91340cedcea80ee09d”, “ce554fe53b2620c56f6abb264a588616”.
We can use the hash of a malicious file to discover the specific malware family it relates to.
Try it:
Synchronization
These parameters describe synchronization-related activities within a threat, such as mutexes.
syncObjectName
The name or identifier of the synchronization object used.
Examples: “rmc”, “m0yv”.
syncObjectType
The type of synchronization object used.
Examples: “event”, “mutex”.
syncObjectOperation
The operation performed on the synchronization object.
Examples: “create”, “open”.
By combining the operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware family.
Try it:
URL
These parameters describe network traffic related to HTTP requests and responses.
url
The URL called by the process.
Examples: “http://192[.]168[.]37[.]128:8880[/]zv8u”, “http://tventyvd20sb[.]top/v1/upload[.]php”.
httpRequestContentType
The content type of the HTTP request sent to the server.
Examples: “application/octet-stream”.
httpResponseContentType
The content type of the HTTP response received from the server.
Examples: “text/html”.
httpRequestFileType
The file type of the file being uploaded in the HTTP request.
Examples: “binary”.
httpResponseFileType
The file type of the file being downloaded in the HTTP response.
Examples: “binary”.
This parameter can again be combined with threatName to find binary files that were requested during analysis in the sandbox.
Try it:
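The queries throughout this article share one shape: field:"value" clauses joined with AND, plus the registry-key rule that every backslash is written as a double backslash. The following helper, an added example rather than ANY.RUN’s own code, composes and validates queries in that shape using the parameter names listed above. The sample terms (Remcos from Brazil, the README.TXT query) are constructed from this article; refanging of the [.] and [/] notation used for the printed IOCs is this example’s own assumption, not a documented rule of the service.

```python
import re

# Parameter names exactly as the article lists them.
TI_LOOKUP_PARAMS = {
    "threatName", "submissionCountry", "threatLevel", "taskType", "registryKey",
    "registryName", "registryValue", "os", "osSoftwareSet", "osBitVersion",
    "ruleName", "ruleThreatLevel", "MITRE", "moduleImagePath", "domainName",
    "destinationIP", "destinationPort", "destinationIpAsn", "destinationIPgeo",
    "ja3", "ja3s", "jarm", "imagePath", "commandLine", "suricataMessage",
    "suricataClass", "suricataID", "suricataThreatLevel", "filePath",
    "fileExtension", "sha256", "sha1", "md5", "syncObjectName", "syncObjectType",
    "syncObjectOperation", "url", "httpRequestContentType",
    "httpResponseContentType", "httpRequestFileType", "httpResponseFileType",
}
# Fields whose example values the article prints defanged with [.] and [/].
DEFANGED_FIELDS = {"domainName", "destinationIP", "url"}

def refang(value):
    return value.replace("[.]", ".").replace("[/]", "/")

def encode_value(field, value):
    # Article's rule: in registry keys each backslash is written as "\\".
    if field == "registryKey":
        value = value.replace("\\", "\\\\")
    # Assumption of this example: indicators are submitted in live (refanged) form.
    if field in DEFANGED_FIELDS:
        value = refang(value)
    return value

def build_query(terms):
    """Compose field:"value" clauses joined with AND, rejecting unknown field names."""
    clauses = []
    for field, value in terms:
        if field not in TI_LOOKUP_PARAMS:
            raise ValueError(f"unknown TI Lookup parameter: {field}")
        clauses.append(f'{field}:"{encode_value(field, value)}"')
    return " AND ".join(clauses)

# One clause: field, colon, quoted value in which a backslash escapes the next char.
_CLAUSE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')

def parse_query(query):
    """Split an AND-only query into (field, value) pairs; " AND " inside a value is unsupported."""
    terms = []
    for part in query.split(" AND "):
        match = _CLAUSE.fullmatch(part.strip())
        if match is None or match.group(1) not in TI_LOOKUP_PARAMS:
            raise ValueError(f"malformed clause: {part!r}")
        terms.append((match.group(1), match.group(2)))
    return terms
```

Run parse_query over a query before pasting it into TI Lookup to catch a misspelled parameter such as threaName, which would otherwise return nothing rather than an error.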
Conclusion
ANY.RUN’s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.
Try Threat Intelligence Lookup for free →
About ANY.RUN
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
The post How to Collect Threat Intelligence Using Search Parameters in TI Lookup appeared first on ANY.RUN’s Cybersecurity Blog.