How to Get Threat Intelligence Using TI Lookup Search Parameters
ANY.RUN's Threat Intelligence Lookup is a valuable resource for security professionals looking for information on the latest cyber threats.
One of the key features of Threat Intelligence Lookup is its extensive search capability. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters let you filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other related information.
Let's explore each search parameter and provide examples of how they can be used in your investigations.
About Threat Intelligence Lookup
Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.
At the core of Threat Intelligence Lookup lies a global community of over 400,000 security specialists. These users actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis every day.
The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.
Thanks to its integration with ANY.RUN's Interactive Sandbox, users can access real-time search results, each linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.
Search Parameters in TI Lookup
Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.
Tasks
Task parameters refer to the characteristics of tasks (sandbox sessions).
threatName
The name of a specific threat: malware family, threat type, etc., as identified by the sandbox.
Examples: "Phishing", "xworm", "ransomware", "tycoon".
submissionCountry
The country from which the threat sample was submitted.
Examples: "es", "us", "de".
Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.
threatLevel
A verdict on the threat level of the sample.
Examples: “malicious”, “suspicious”.
taskType
The type of the sample submitted to the sandbox.
Examples: “URL”, “file”.
In this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest 100 sessions.
Registry
Registry parameters refer to specific attributes of registry modifications detected in sandbox sessions. These parameters provide insight into how a threat interacts with the Windows registry.
registryKey
The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\\) to escape the single backslash.
Examples: "Windows\\CurrentVersion\\RunOnce", "Windows NT\\CurrentVersion\\Windows".
registryName
The name of the Windows Registry key field.
Examples: "browseinplace", "docobject", "isshortcut".
registryValue
The value of the Windows Registry key.
Examples: "internet explorer\iexplore.exe".
Using the query above, we can identify threats that aim to execute malicious code via scheduled tasks.
Environment
These parameters provide context about the environment in which a threat was detected or executed.
os
The specific version of Windows used in the environment.
Examples: “11”, “10”, “7”.
osSoftwareSet
The software set of applications installed on the OS.
Examples: “clear”, “office”, “full”.
osBitVersion
The bitness of the operating system, 32-bit or 64-bit.
Examples: “32”, “64”.
We can use these parameters to, for example, find Windows 11 x64 sandbox sessions containing analyses of the Lumma stealer launched in the service over the past 14 days.
Detection
These parameters describe the detection signatures and MITRE TTPs related to the execution of threats in the sandbox.
ruleName
The name of the detection rule.
Examples: "Executable content was dropped or overwritten", "Phishing has been detected".
ruleThreatLevel
The threat level assigned to a specific event.
Examples: “malicious”, “suspicious”, “info”.
MITRE
Techniques used by the malware according to the MITRE ATT&CK classification.
Examples: “T1071”, “T1114.001”.
Let's consider a query combining the MITRE ATT&CK technique T1053.005, which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials.
Module
Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.
moduleImagePath
The full path to the module's image file, the location on disk where the module's executable is stored.
Examples: "SysWOW64\cryptbase.dll", "SysWOW64\msasn1.dll".
Above you can see an example of a query that looks for all sandbox sessions in which KernelBase.dll was called.
Connection
The Connection parameters describe the network-related features of a threat.
domainName
The domain name that was recorded during the threat's execution in a sandbox.
Examples: "twentyvd20sb[.]top", "5.tcp.ngrok[.]io".
destinationIP
The IP address of the network connection that was established or attempted.
Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.
destinationPort
The network port through which the connection was established.
Examples: “49760”, “49780”.
destinationIpAsn
Detected ASN.
Examples: "akamai-as", "akamai international b.v.".
destinationIPgeo
Two-letter country or region code of the detected IP geolocation.
Examples: “ae”, “de”.
ja3, ja3s, jarm
Types of TLS fingerprints that may indicate certain threats.
Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).
In the image above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ) and belonging to Cogent Communications.
Process
The following parameters relate to processes registered during active sandbox sessions.
imagePath
Full path to the process image.
Examples: "System32\conhost.exe", "Framework\v4.0.30319\RegAsm.exe".
commandLine
The full command line that started the process.
Examples: "PDQConnectAgent\pdq-connect-agent.exe –service", "system32\cmd.exe /c".
Using these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a 'davwwwroot' folder.
Network Threats
These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).
suricataMessage
The description of the threat according to Suricata.
Examples: "ET INFO 404/Snake/Matiex Keylogger Style External IP Check", "STEALER [ANY.RUN] Stealc HTTP POST Request".
We can use a Suricata message to find additional samples, as well as IOCs, including those extracted directly from malware configs, related to a specific threat.
suricataClass
The class assigned to the threat by Suricata based on its characteristics.
Examples: "misc activity", "a network trojan was detected".
suricataID
The unique identifier of the Suricata rule.
Examples: “2044767”, “8001997”.
suricataThreatLevel
The verdict on the threat according to Suricata, based on its potential impact.
Examples: "malicious", "suspicious", "info".
By combining this parameter with threatName, we can collect the Suricata rules related to a specific malware family.
File
These parameters describe the file-related features of a threat.
filePath
The full path to the file on the system.
Examples: "invoice", "order".
We can use this parameter together with threatLevel to find specific files in sandbox sessions with malicious content.
fileExtension
The extension that indicates the file type.
Examples: “exe”, “dll”.
sha256, sha1, md5
Hash values related to a file.
Examples: "1412faf1bfd96e91340cedcea80ee09d", "ce554fe53b2620c56f6abb264a588616".
We can use the hash of a malicious file to find the specific malware family it belongs to.
Synchronization
These parameters describe synchronization-related actions within a threat, such as mutexes.
syncObjectName
The name or identifier of the synchronization object used.
Examples: “rmc”, “m0yv”.
syncObjectType
The type of synchronization object used.
Examples: “event”, “mutex”.
syncObjectOperation
The operation performed on the synchronization object.
Examples: “create”, “open”.
By combining the operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware.
URL
These parameters describe network traffic related to HTTP requests and responses.
url
The URL called by the process.
Examples: "http://192[.]168[.]37[.]128:8880[/]zv8u", "http://tventyvd20sb[.]top/v1/add[.]php".
httpRequestContentType
The content type of the HTTP request sent to the server.
Examples: "application/octet-stream".
httpResponseContentType
The content type of the HTTP response received from the server.
Examples: "text/html".
httpRequestFileType
The file type of the file being uploaded in the HTTP request.
Examples: “binary”.
httpResponseFileType
The file type of the file being downloaded in the HTTP response.
Examples: “binary”.
This parameter can again be combined with threatName to find binary files that were requested during analysis in the sandbox.
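The queries described throughout this page combine several parameters, and the registry section warns that backslashes must be doubled. The following added helper (not ANY.RUN's own code) builds such combined queries from the parameter names listed above, normalizes defanged IOCs, checks hash lengths and doubles lone backslashes in registry keys; it assumes a field:"value" syntax joined with AND, which the page illustrates but does not spell out.

```python
"""Build combined TI Lookup queries from the parameters documented on this page.

Added example, not ANY.RUN's code. The field:"value" ... AND ... syntax is an
assumption; the parameter names and the double-backslash rule come from the page.
"""
import re

# Parameter names as listed on the page, all groups merged into one set.
TI_LOOKUP_PARAMS = {
    "threatName", "submissionCountry", "threatLevel", "taskType",
    "registryKey", "registryName", "registryValue",
    "os", "osSoftwareSet", "osBitVersion",
    "ruleName", "ruleThreatLevel", "MITRE", "moduleImagePath",
    "domainName", "destinationIP", "destinationPort", "destinationIpAsn",
    "destinationIPgeo", "ja3", "ja3s", "jarm", "imagePath", "commandLine",
    "suricataMessage", "suricataClass", "suricataID", "suricataThreatLevel",
    "filePath", "fileExtension", "sha256", "sha1", "md5",
    "syncObjectName", "syncObjectType", "syncObjectOperation",
    "url", "httpRequestContentType", "httpResponseContentType",
    "httpRequestFileType", "httpResponseFileType",
}
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}  # hex digits per hash type


def refang(value: str) -> str:
    """Undo the [.] and [/] defanging used in the page's IOC examples."""
    return value.replace("[.]", ".").replace("[/]", "/")


def normalize(name: str, value: str) -> str:
    """Validate a parameter name and normalize its value before quoting."""
    if name not in TI_LOOKUP_PARAMS:
        raise ValueError(f"unknown TI Lookup parameter: {name}")
    if name in HASH_LENGTHS:  # reject truncated or non-hex hashes early
        value = value.lower()
        if not re.fullmatch(rf"[0-9a-f]{{{HASH_LENGTHS[name]}}}", value):
            raise ValueError(f"{name} must be {HASH_LENGTHS[name]} hex digits")
    if name in {"domainName", "destinationIP", "url"}:
        value = refang(value)
    if name == "registryKey":
        # Page rule: a single backslash must be entered as a double backslash.
        # Only lone backslashes are doubled, so already-escaped keys stay intact.
        value = re.sub(r"(?<!\\)\\(?!\\)", r"\\\\", value)
    return value


def build_query(**params: str) -> str:
    """Combine parameters into one AND-joined query, in the order given."""
    parts = []
    for name, value in params.items():
        value = normalize(name, value).replace('"', '\\"')
        parts.append(f'{name}:"{value}"')
    return " AND ".join(parts)
```

For instance, build_query(threatName="remcos", submissionCountry="br") reproduces the Remcos-from-Brazil query described in the Tasks section.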
Conclusion
ANY.RUN's Threat Intelligence Lookup offers a comprehensive set of search parameters that allow security professionals to analyze and study threats efficiently. Using these search options, you can identify emerging threats and enrich your knowledge of them.
Try Threat Intelligence Lookup for free →
About ANY.RUN
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about threats and respond to incidents faster.