How To perform Compromise Assessment with DRONE

Updated: 14th June 2024

Immediately identify and focus on the most critical areas for further investigation

DRONE is AIR’s built-in automated compromise assessment technology which slashes the time required to identify and investigate IoCs during a threat investigation and begin containment and remediation. DRONE flies above your live systems and data acquisitions to deliver an unparalleled decision support system.

DRONE provides rapid, automated analysis that will guide investigators, helping them pinpoint anomalies quickly by labeling findings by their severity, High, Medium, Low, or Matched.

Automated Compromise Assessment With DRONE - screenshot_1

Streamlining Investigation Workflows

Binalyze AIR streamlines the investigative workflow by combining evidence acquisition and analysis into a single, efficient process. An acquisition task can be initiated automatically via a webhook, scheduled for specific times, or created manually. Regardless of how it is initiated, DRONE automates the analysis and consolidates all findings in the Investigation Hub. This integration simplifies the investigator's job, making it faster and easier to gather and assess critical evidence.

Investigators can easily enable or disable DRONE, or any of the individual analyzers in AIR, by toggling the associated switches on or off, either when setting up automated acquisition profiles or before manually launching an AIR task.

With DRONE disabled, AIR still displays your evidence in the Investigation Hub as an acquisition task report, but without automated analysis and without any findings for that evidence:

Automated Compromise Assessment With DRONE - screenshot_2

When the same acquisition profile is run again just minutes later, this time with DRONE activated, it quickly becomes apparent that there are issues with this asset. The DRONE findings are highlighted, offering extremely useful insights. This enables the investigators to immediately identify and focus on the most critical areas for further investigation:

Automated Compromise Assessment With DRONE - screenshot_3

DRONE, your rapid and fully automated decision support system

Each evidence item is processed by DRONE’s 20 proprietary analyzers (see table below) which check for specific characteristics of the evidence data.

Each analyzer has multiple stages through which the evidence item must pass to determine whether the item is ‘correct’ or not, and then to assign it a severity level that helps prioritise the next steps in the investigation.

Automated Compromise Assessment With DRONE - screenshot_4

High: Flags threats that pose immediate and significant risks, demanding urgent action to prevent or mitigate severe impacts. Example: An IIS process executing cmd.exe or powershell.exe, which could indicate a web shell.

Medium: Targets activities that deviate from expected norms and could indicate potential threats, suggesting a need for deeper scrutiny. Example: A running unsigned process located in a temporary folder, or use of known hacking tools like "mimikatz."

Low: Identifies less critical but still unusual activities that could benefit from further investigation to clarify their nature and intent. Example: System-level processes initiated by non-privileged users, or processes operating from non-existent directories.

Matched: Involves confirmed matches to predefined security rules, keywords, hashes, or patterns within the analyzed data, signaling recognized threat indicators. Example: A detected scheduled task named "MalwareTask*" that aligns with a user-defined keyword "MalwareTask*".

Additionally, it is important to note that any High, Medium, or Low finding can also be marked as 'Matched,' and that this can occur multiple times. For instance, a file classified as a High finding could also contain a keyword or triage hit, making it appear as a Matched item as well as a High finding.

A good example would be a password-protected archive or a macro-enabled document. While these file types are commonly used for legitimate purposes, they have for some time been popular among malicious actors. As a result, such files might receive a Medium severity finding. If the file name also contains a keyword you are searching for, it would additionally be marked as 'Matched'.

DRONE will then report, within the Investigation Hub, on any item that displays attributes the analyzer believes may be worthy of further investigation, along with detailing the reasons for highlighting issues with that particular item.

Automated Compromise Assessment With DRONE - screenshot_5

DRONE is not simply a malware detector. In fact, malware detection is only a small part of the process and a by-product of MITRE ATT&CK scanning. The DRONE analyzers deliver much more and guide the investigator as to where to prioritize their efforts, speeding up the entire investigation.

Without DRONE, investigators will, as they have done for many years, work their own, individual manual ‘pipelines’ and processes using a variety of often very slow legacy forensic techniques and tools. 

For instance, investigators need to select and investigate individual processes, assess entropy levels, and organize process lists. They must also search for potential encryption, review command histories, and filter processes for those that are 'unsigned'. Sorting by username and creation date is also essential. These steps must then be repeated for each subsequent item under investigation.

It’s an extremely manual, laborious, and time-consuming process.

DRONE automates all of these tasks for the investigator, and more. By utilizing webhooks (integrations) and the AIR API, the entire process can be completely automated, complementing existing security investments and the wider ecosystem. Consequently, the first thing an investigator and their team might encounter following a breach is a set of DRONE findings in the Investigation Hub that directly highlight the critical areas of concern. In the section below, we explore a scenario in which DRONE is put to use.

Within AIR, an EDR alert has automatically initiated an acquisition profile, tasking the Responder to execute on a specified asset or on any number of assets. Concurrently, DRONE runs its MITRE ATT&CK analyzers on the asset and applies additional analyzers to the gathered evidence. The findings, alongside the evidence, are then displayed in the Investigation Hub. They can be presented either as an individual report for the specific tasking assignment or consolidated with other related activities for a case. All findings are categorized as High, Medium, Low, or Matched, highlighting actionable items that offer valuable insights into the incident and facilitate further investigation and remediation.

When the Process Analyzer discovers an unsigned process running, DRONE reports a finding scored as Medium to bring it to the attention of investigators.

The pipeline is ordered by severity level, descending: higher-scoring finding rules are checked first, and as soon as one of them hits, the remaining rules in the pipeline do not need to be checked for that item.

DRONE scoring mechanism

Let's delve into how DRONE allocates points and assigns findings to items, categorizing them as High, Medium, or Low.

Here's an overview of the scoring system and classification process used by DRONE to ensure accurate threat assessment.

Score     Value
High      Greater than or equal to 80 points
Medium    65 - 79 points
Low       10 - 64 points

Some rules, on their own, may not be worth reporting, but when brought together with others, they could assist in solving a case. 

Example 1: Scheduled Task Analyzer

In the Scheduled Task Analyzer, DRONE checks the command lines of scheduled tasks. If one line is "cmd.exe /c start C:\temp\m.bat", it would be captured by two scoring rules:

  1. The item has a scripting extension - the ‘.bat’
  2. The item's location is unusual. 

The result of this is that this particular item will be allocated a score of 65, which means that it is categorized as "Medium" by DRONE.

Automated Compromise Assessment With DRONE - screenshot_6

In the example above, DRONE has identified four critical factors that justify categorizing a file found in the Windows Prefetch as 'High' severity. These factors collectively elevate its score above the 80 points required for a ‘High’ severity classification:

  • The file was only executed once.
  • It happened at a super-relevant time.
  • The entropy is suspiciously high.
  • The location from where it ran is ‘rare’.
  • The file name is unusually short.

Another example of how the score of an item can result in a finding can be seen with date relevance:

This function checks whether the item's date and time stamps show activity at a time relevant to the incident under investigation:

  • SuperRelevant: between now and 1 week ago
  • HighlyRelevant: between now and 3 weeks ago
  • Relevant: between now and 3 months ago

For any date outside these ranges, the function returns Irrelevant and no points are allocated.
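The following is an added worked example, not Binalyze's code: it combines the page's scoring bands (High ≥ 80, Medium 65-79, Low 10-64), the Scheduled Task example (scripting extension plus unusual location totalling 65, so Medium), the date-relevance windows, and the 'Matched' keyword overlay into one small additive scorer. DRONE's real point weights and rule lists are proprietary, so the weights, the extension and directory lists, the field names and the three sample tasks are all assumptions chosen so that the page's own example still totals exactly 65.

```python
import fnmatch
from datetime import datetime, timedelta

# Severity thresholds from the page's scoring table.
HIGH_MIN, MEDIUM_MIN, LOW_MIN = 80, 65, 10

# ASSUMED point weights: DRONE's real weights are proprietary. The split is
# chosen so the page's ".bat in C:\temp" example totals exactly 65 (Medium).
POINTS_SCRIPT_EXTENSION = 35
POINTS_UNUSUAL_LOCATION = 30
RELEVANCE_POINTS = {"SuperRelevant": 30, "HighlyRelevant": 20, "Relevant": 10, "Irrelevant": 0}

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js")                  # assumed list
UNUSUAL_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "c:\\users\\public\\")  # assumed list


def severity_for_score(score):
    """Map a summed score to the page's High / Medium / Low bands ('None' below 10)."""
    if score >= HIGH_MIN:
        return "High"
    if score >= MEDIUM_MIN:
        return "Medium"
    if score >= LOW_MIN:
        return "Low"
    return "None"


def date_relevance(stamp, now):
    """The page's relevance windows measured back from 'now'; anything outside them is Irrelevant."""
    age = now - stamp
    if age < timedelta(0):              # future-dated stamp: cannot be relevant
        return "Irrelevant"
    if age <= timedelta(weeks=1):
        return "SuperRelevant"
    if age <= timedelta(weeks=3):
        return "HighlyRelevant"
    if age <= timedelta(days=90):       # "3 months" approximated as 90 days (assumption)
        return "Relevant"
    return "Irrelevant"


def score_scheduled_task(task, now, keywords=()):
    """Additive scoring of one scheduled-task record: rules hit, total, band and keyword matches."""
    cmd = task["command_line"].lower()
    hits = []
    if any(ext in cmd for ext in SCRIPT_EXTENSIONS):
        hits.append(("scripting extension", POINTS_SCRIPT_EXTENSION))
    if any(d in cmd for d in UNUSUAL_DIRS):
        hits.append(("unusual location", POINTS_UNUSUAL_LOCATION))
    relevance = date_relevance(task["last_run"], now)
    if RELEVANCE_POINTS[relevance]:
        hits.append(("date " + relevance, RELEVANCE_POINTS[relevance]))
    total = sum(points for _, points in hits)
    # 'Matched' is an overlay, not a band: a user keyword (wildcards allowed) hits the name or command line.
    name = task["name"].lower()
    matched = [k for k in keywords
               if fnmatch.fnmatchcase(name, "*" + k.lower() + "*")
               or fnmatch.fnmatchcase(cmd, "*" + k.lower() + "*")]
    return {"name": task["name"], "score": total, "severity": severity_for_score(total),
            "rules": [rule for rule, _ in hits], "matched": matched}


# Constructed sample data: a fixed 'now' and three scheduled tasks.
NOW = datetime(2024, 6, 14, 12, 0)
SAMPLE_TASKS = [
    {"name": "Updater", "command_line": "cmd.exe /c start C:\\temp\\m.bat", "last_run": datetime(2024, 1, 10)},
    {"name": "MalwareTask_7", "command_line": "cmd.exe /c start C:\\temp\\m.bat", "last_run": datetime(2024, 6, 12)},
    {"name": "Backup", "command_line": "C:\\temp\\run.vbs", "last_run": datetime(2024, 6, 1)},
]


def demo(keywords=("MalwareTask*",)):
    """Score the sample tasks against the constructed 'now' and the page's example keyword."""
    return [score_scheduled_task(t, NOW, keywords) for t in SAMPLE_TASKS]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The first task reproduces the page's example (65, Medium, last run long ago so the date adds nothing). The second is the same command line but run two days ago under a name matching the keyword, so the SuperRelevant points push it to High and it is also marked Matched; the third shows a HighlyRelevant stamp lifting a task to High on its own.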

This analyzer pipeline process is implemented by proprietary algorithms, so they’re not publicly available.

Example 2: Process Analyzer

Let’s look at another example. Imagine AIR’s collection engine has collected all of the artifacts requested in an acquisition profile and passed them to DRONE for post-acquisition analysis.

As we now know, DRONE has a number of analyzers, and each of them executes rules for the specific type of artifact collected. For example, the Process Analyzer executes the rules related to processes only. 

Let's say AIR has collected 5 processes and the Process Analyzer has 3 rules (in reality, DRONE has many more rules in its pipeline for the analysis of processes). The 3 rules are executed against each of the 5 collected processes, so this pipeline has 3 stages through which each process artifact must pass.

This means a process artifact visits only 1 pipeline. Most of the analyzers work this way today, but this is not fixed behaviour and can be changed according to need.
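As an added illustration (not Binalyze's code), here is a first-hit pipeline of the shape just described: three rules, sorted by severity descending as the page says, run against five collected processes, stopping at the first rule that hits. The rule logic mirrors the High, Medium and Low examples the page gives (an IIS worker spawning a shell; an unsigned process in a temp folder or a known hacking tool; a system process under a non-privileged user or from a missing directory). The record fields, the system-process list and the five sample processes are constructed assumptions.

```python
# Added example, not Binalyze's code: a first-hit analyzer pipeline of the kind
# the page describes (three rules, five collected processes). The record fields
# and the sample processes are constructed for this demonstration.

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
PRIVILEGED_ACCOUNT_PREFIX = "nt authority\\"   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE


def rule_iis_spawns_shell(proc):
    """High: an IIS worker process (w3wp.exe) executing cmd.exe or powershell.exe (possible web shell)."""
    return (proc["parent_name"].lower() == "w3wp.exe"
            and proc["name"].lower() in {"cmd.exe", "powershell.exe"})


def rule_unsigned_temp_or_hacktool(proc):
    """Medium: unsigned binary running from a temp folder, or a known hacking tool name."""
    path = proc["path"].lower()
    in_temp = "\\temp\\" in path or "\\tmp\\" in path
    return (not proc["signed"] and in_temp) or "mimikatz" in proc["name"].lower()


def rule_system_proc_unprivileged_or_missing_dir(proc):
    """Low: a system-level process owned by a non-privileged user, or running from a directory that no longer exists."""
    system_by_wrong_user = (proc["name"].lower() in SYSTEM_PROCESS_NAMES
                            and not proc["user"].lower().startswith(PRIVILEGED_ACCOUNT_PREFIX))
    return system_by_wrong_user or not proc["dir_exists"]


# Stages are (severity, reason, rule). Declared out of order on purpose and
# sorted by severity descending, which is how the page says the pipeline runs.
PROCESS_PIPELINE = sorted([
    ("Low", "system process started by a non-privileged user, or from a missing directory",
     rule_system_proc_unprivileged_or_missing_dir),
    ("High", "IIS worker process spawned a command shell", rule_iis_spawns_shell),
    ("Medium", "unsigned process in a temp folder, or known hacking tool", rule_unsigned_temp_or_hacktool),
], key=lambda stage: SEVERITY_RANK[stage[0]], reverse=True)


def run_pipeline(proc, pipeline=PROCESS_PIPELINE):
    """Pass one process artifact through the stages and stop at the first rule that hits."""
    for evaluated, (severity, reason, rule) in enumerate(pipeline, start=1):
        if rule(proc):
            return {"pid": proc["pid"], "name": proc["name"], "severity": severity,
                    "reason": reason, "rules_evaluated": evaluated}
    return {"pid": proc["pid"], "name": proc["name"], "severity": None,
            "reason": None, "rules_evaluated": len(pipeline)}


def analyze_processes(procs):
    """Every collected process visits the one pipeline; the result is one record per process."""
    return [run_pipeline(p) for p in procs]


# Constructed sample: the five collected processes.
SAMPLE_PROCESSES = [
    {"pid": 4040, "name": "cmd.exe", "parent_name": "w3wp.exe", "path": "C:\\Windows\\System32\\cmd.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "signed": True, "dir_exists": True},
    {"pid": 5120, "name": "updater.exe", "parent_name": "explorer.exe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "user": "CORP\\jdoe",
     "signed": False, "dir_exists": True},
    {"pid": 6001, "name": "svchost.exe", "parent_name": "services.exe", "path": "C:\\Windows\\System32\\svchost.exe",
     "user": "CORP\\jdoe", "signed": True, "dir_exists": True},
    {"pid": 7200, "name": "notepad.exe", "parent_name": "explorer.exe", "path": "C:\\Windows\\System32\\notepad.exe",
     "user": "CORP\\jdoe", "signed": True, "dir_exists": True},
    {"pid": 8011, "name": "mimikatz.exe", "parent_name": "cmd.exe", "path": "C:\\Users\\jdoe\\Downloads\\mimikatz.exe",
     "user": "CORP\\jdoe", "signed": False, "dir_exists": True},
]

if __name__ == "__main__":
    for finding in analyze_processes(SAMPLE_PROCESSES):
        print(finding)
```

The `rules_evaluated` field makes the early exit visible: the web-shell candidate is resolved after one rule, the clean notepad.exe only after all three. Contrast this with the additive scorer above for scheduled tasks, where every rule contributes points; the page describes both behaviours.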

DRONE Analyzers

Let's take a look at some more information about the DRONE analyzers:

Taking the Browsing History Analyzer as an example, here we check the URLs for Cross-Site Scripting (XSS) strings, macro-enabled extensions, and blacklisted domains.

  • So, any document files downloaded with macros will result in a finding
  • Any strange domain extensions identified will also equal a finding
  • Application categories such as Bitcoin wallets will also be shown as a finding.
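An added example of URL checks of this kind, written for this page rather than taken from Binalyze: each history row is tested for a macro-enabled extension, a percent-encoded XSS marker, a blacklisted domain, an unusual domain extension, and a domain-to-application-category mapping (the Bitcoin-wallet case). The watch lists, the row fields and the sample history are constructed assumptions; the DFIR Lab's actual lists are not public.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed watch lists (constructed for this example; the real lists are not public).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                (r"<script\b", r"javascript:", r"\bon(error|load)\s*=")]
BLACKLISTED_DOMAINS = {"evil.example"}
UNUSUAL_TLDS = (".zip", ".top", ".xyz")
DOMAIN_CATEGORIES = {"wallet.example.net": "cryptocurrency wallet"}


def check_url(url):
    """Return the reasons a single browser-history URL would produce a finding (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    decoded = unquote(url)            # XSS payloads are usually percent-encoded in the history
    reasons = []
    if path.endswith(MACRO_EXTENSIONS):
        reasons.append("macro-enabled document download")
    if any(p.search(decoded) for p in XSS_PATTERNS):
        reasons.append("XSS string in URL")
    if host in BLACKLISTED_DOMAINS or any(host.endswith("." + d) for d in BLACKLISTED_DOMAINS):
        reasons.append("blacklisted domain")
    if host.endswith(UNUSUAL_TLDS):
        reasons.append("unusual domain extension")
    if host in DOMAIN_CATEGORIES:
        reasons.append("application category: " + DOMAIN_CATEGORIES[host])
    return reasons


def analyze_history(rows):
    """Run check_url over history rows (dicts with 'url' and 'visited'); keep only rows with reasons."""
    findings = []
    for row in rows:
        reasons = check_url(row["url"])
        if reasons:
            findings.append({"url": row["url"], "visited": row["visited"], "reasons": reasons})
    return findings


# Constructed sample rows.
SAMPLE_HISTORY = [
    {"url": "https://intranet.example.com/docs/report.pdf", "visited": "2024-06-12T09:15:00"},
    {"url": "https://files.example.zip/invoice.docm", "visited": "2024-06-12T09:41:00"},
    {"url": "http://shop.example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "visited": "2024-06-12T10:02:00"},
    {"url": "https://cdn.evil.example/update.exe", "visited": "2024-06-12T10:05:00"},
    {"url": "https://wallet.example.net/login", "visited": "2024-06-12T11:30:00"},
]

if __name__ == "__main__":
    for finding in analyze_history(SAMPLE_HISTORY):
        print(finding)
```

Note that one URL can collect several reasons (the macro document served from an unusual domain extension), which is the same "one item, multiple rule hits" behaviour the scoring section describes.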

The Ransomware Identifier Analyzer is based on YARA rules and runs on the endpoint, not on the collected data. We only search with these YARA rules in specific paths, such as:

  • Running process paths and sub-directories
  • Prefetch paths and subdirectories
  • User folders and subdirectories
  • Recycle bin folders

The Events of Interest Analyzer looks at certain Windows events of note. A good example is a large number of RDP connection requests during the night, which results in a finding.
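The night-time RDP case, as an added detection example that is not Binalyze's code: the page does not say which events or thresholds DRONE uses, so this assumes Security events 4624/4625 with LogonType 10 as the RDP signal, 22:00-06:00 as "night", and five or more such events on one host in one night as the finding. The log line format and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED detection parameters (the page gives none): RDP logons are Security
# events 4624/4625 with LogonType 10, "night" is 22:00-06:00 host-local time,
# and five or more such events in one night on one host is a finding.
RDP_EVENT_IDS = {"4624", "4625"}
RDP_LOGON_TYPE = "10"
NIGHT_START_HOUR, NIGHT_END_HOUR = 22, 6
NIGHT_THRESHOLD = 5


def parse_event(line):
    """Parse a constructed 'timestamp key=value ...' line into a dict (timestamp under 'ts')."""
    stamp, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(stamp)}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_night(ts):
    return ts.hour >= NIGHT_START_HOUR or ts.hour < NIGHT_END_HOUR


def night_key(ts):
    """Label a night by the date it started on, so 23:00 and 02:00 the next day group together."""
    return (ts - timedelta(hours=NIGHT_END_HOUR)).date()


def detect_night_rdp(lines, threshold=NIGHT_THRESHOLD):
    """Return one finding per (host, night) with at least `threshold` RDP logon events."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in RDP_EVENT_IDS or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if not is_night(ev["ts"]):
            continue
        buckets[(ev["host"], night_key(ev["ts"]))].append(ev)
    findings = []
    for (host, night), events in sorted(buckets.items()):
        if len(events) >= threshold:
            findings.append({
                "host": host,
                "night": night.isoformat(),
                "count": len(events),
                "failed": sum(1 for e in events if e["EventID"] == "4625"),
                "source_ips": sorted({e["SourceIP"] for e in events}),
            })
    return findings


# Constructed sample log lines.
SAMPLE_EVENTS = [
    "2024-06-13T01:14:05 host=FS01 EventID=4625 LogonType=10 SourceIP=203.0.113.8 User=administrator",
    "2024-06-13T01:14:09 host=FS01 EventID=4625 LogonType=10 SourceIP=203.0.113.8 User=admin",
    "2024-06-13T01:14:14 host=FS01 EventID=4625 LogonType=10 SourceIP=203.0.113.8 User=backup",
    "2024-06-13T01:15:02 host=FS01 EventID=4625 LogonType=10 SourceIP=203.0.113.8 User=svc_sql",
    "2024-06-13T01:15:40 host=FS01 EventID=4625 LogonType=10 SourceIP=203.0.113.8 User=helpdesk",
    "2024-06-13T02:03:11 host=FS01 EventID=4624 LogonType=10 SourceIP=203.0.113.8 User=helpdesk",
    "2024-06-13T02:30:00 host=FS01 EventID=4624 LogonType=2 SourceIP=- User=SYSTEM",   # console logon, not RDP
    "2024-06-13T09:02:17 host=WS07 EventID=4624 LogonType=10 SourceIP=10.0.5.21 User=jdoe",
    "2024-06-13T14:48:51 host=WS07 EventID=4624 LogonType=10 SourceIP=10.0.5.21 User=jdoe",
]

if __name__ == "__main__":
    for finding in detect_night_rdp(SAMPLE_EVENTS):
        print(finding)
```

The finding carries the failed-versus-successful split and the distinct source addresses, which is what an investigator needs next: five failures followed by a success from the same address in the small hours reads very differently from five successes by an on-call administrator.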

The DRONE Generic Webshell Analyzer will also detect 95%+ of Webshell compromises. 

Let’s take a look at a more detailed list of the DRONE analyzers for Windows:

Windows Analyzers (what each one does, and how)

MITRE ATT&CK Scanner
  Does what? Scans to detect and map MITRE ATT&CK tactics and techniques.
  How? MITRE ATT&CK mapping, a vital part of AIR, employs YARA rules to scan folders and processes for threats, ensuring up-to-date IoC identification. Automated updates keep you current with evolving threats.

Generic WebShell Analyzer
  Does what? Analyzes assets for web shells using specific YARA rules.
  How? DRONE utilizes YARA rules to identify the most well-known 'bad' web shells. These rules are maintained in our DFIR Lab and are included in the Mitre.zip package automatically delivered to customers.

Vulnerability Analyzer
  Does what? Executes rules to identify assets compromised through known vulnerabilities.
  How? This hard-coded analyzer searches for specific OS vulnerabilities on the asset, including MS-Exchange CVE-2021-42321, Npcap, and executable files in the User/Public folder. This scanner runs directly on the asset and does not analyze evidence in the Case file.

Ransomware Identifier Analyzer
  Does what? Scans assets for ransomware-specific IoCs.
  How? DRONE utilizes YARA rules, researched and maintained in our DFIR Lab, to identify the most well-known ransomware; they are automatically included in the Mitre.zip package.

Amcache Analyzer
  Does what? Executes rules on AmCache entries to identify generic hacker tools.
  How? AIR's acquisition process can collect the AmCache, and the results are stored in the Case file amcache_file database table. Our DFIR Lab maintains a list of generic hacker tool names, and this analyzer executes Dynamo rules to search for those names within the amcache_file table.

Browser History Analyzer
  Does what? Executes URL-based checks on the browser histories.
  How? Browser History evidence is stored in the Case file browser_history database table. The DFIR Lab researches and maintains a list of suspicious URLs, which Dynamo rule searches then apply across the URLs in the browser_history table.

Downloads Analyzer
  Does what? Executes rules on Download records to identify generic hacker tools and commands.
  How? Downloaded Files Information acquired by AIR is stored in the downloads database table. The Binalyze DFIR Lab maintains a list of Generic Hacker Tools and Generic Hacker Commands, and this analyzer executes Dynamo rule searches for those tool names and commands within the downloads table.

$MFT Analyzer
  Does what? Executes rules for MFT records.
  How? AIR collects the full $MFT or File Record entries, formatting the output as a CSV with the -mftcsv parameter. Suspicious MFT records are identified using logic from Dynamo rules maintained by the DFIR Lab which, for example, check for hacker tool names, hidden attributes, dates, sizes, and specific file paths or names ending in .exe.dmp or .dll.dmp.

Powershell History Analyzer
  Does what? Executes rules on PowerShell ConsoleHost History records to identify generic hacker tools.
  How? AIR collects PowerShell ConsoleHost History, storing the results in the powershell_consolehost_history database table. We maintain and update a list of Generic Hacker Tools that AIR's Dynamo analyzer uses to execute rules identifying hits within the powershell_consolehost_history table.

Process Analyzer
  Does what? Executes rules for running processes, process modules, and process handles.
  How? AIR collects process entries and stores the results in the processes database table. We identify suspicious processes using our proprietary detection logic, the Process Dynamo Rules. These rules, provided and maintained by the DFIR Lab, analyze the many and various attributes of processes to determine potential threats.

Scheduled Task Analyzer
  Does what? Executes rules on scheduled task entries.
  How? AIR collects Autoruns Scheduled Task entries with the -aui parameter and stores them in the autoruns_scheduled_tasks database table. Using Dynamo rules maintained by the DFIR Lab, we detect suspicious tasks by checking digital signatures, file sizes, command lines, task names, entropy, executable locations, file names, last run times, and known hacker tools/commands.

ShellBags Analyzer
  Does what? Checks ShellBags entries for admin shares and generic hacker tools.
  How? AIR collects ShellBags entries using the -sbgs parameter, storing results in the shell_bags database table. We detect suspicious entries by checking for Generic Hacker Tools and Admin Share Names using the ShellBags Dynamo rule set developed by our DFIR Lab.

User Folders Analyzer
  Does what? Executes rules for user folders.
  How? AIR collects User Folder entries and stores them in the user_folders database table. Using the User Folders Dynamo Rules, maintained by the DFIR Lab, we detect suspicious user folders by checking usernames, creation dates, first logon dates, and username similarities.

Event Records Analyzer
  Does what? Analyzes event records with Sigma rules.
  How? Event Log files in Windows store crucial system events categorized by unique Event IDs. Binalyze AIR collects and parses these logs, focusing on 171 event types essential for investigations and presenting up to 2695 events per type in the Investigation Hub.

Dynamo Analyzer
  Does what? Executes detection rules developed by the Binalyze DFIR Lab to identify evidence and enhance the capability of the other analyzers.
  How? The Dynamo Analyzer enhances AIR's capabilities by parsing .ppc files and flagging suspicious entries, covering areas such as the Windows registry, scheduled tasks, the DNS cache, and more. It detects outdated software versions, crypto miner domains in the DNS cache, and fileless malware techniques, offering a comprehensive cybersecurity solution.

Application Analyzer
  Does what? Executes rules for identifying malicious installed applications.
  How? AIR collects Installed Applications using the -apps parameter and stores the results in the installed_applications database table. Our detection logic uses the Applications Dynamo Rules to identify suspicious applications.

DNS Cache Analyzer
  Does what? Executes rules on DNS Cache records to identify abused TLDs.
  How? AIR collects DNS Cache entries using the -dnss and -dnsc parameters, storing results in the dns_cache database table. Our detection logic, embedded in the DNS Cache Dynamo Rules, identifies suspicious DNS records.

Hosts File Analyzer
  Does what? Analyzes hosts file entries for malicious entries.
  How? AIR collects hosts entries using the -hosts parameter, storing results in the hosts database table. Our detection logic, in the Hosts Dynamo Rule provided by the DFIR Lab, identifies suspicious hosts records.

Network Share Analyzer
  Does what? Executes rules for network shares.
  How? AIR collects Network Shares entries using the -netshr parameter, storing results in the net_shares database table. The Network Share Dynamo Rules are used to identify suspicious network share information.

Prefetch Analyzer
  Does what? Executes rules for files in the parsed Prefetch data.
  How? DRONE detects suspicious Windows Prefetch file entries, revealing crucial insights into application execution and potential malware activity, including valuable data on execution history, timestamps, frequency, associated files, and evasion techniques.

Registry Analyzer
  Does what? Executes rules for checking Autoruns registry records.
  How? AIR collects Autoruns Registry entries using the -aui parameter, storing results in the autoruns_registry and autoruns_registry_arguments database tables. DRONE uses Dynamo Rules to identify suspicious registry records.

Windows Services Analyzer
  Does what? Executes rules for Windows services.
  How? Autoruns Services entries are collected using the -aui parameter, storing outcomes in the autoruns_services and autoruns_services_arguments database tables. DRONE uses the Dynamo Rules to identify suspicious services.

AppCompatCache Analyzer
  Does what? Executes rules on AppCompatCache entries, revealing shimmed executable files.
  How? AIR retrieves ShimEntry entries using the -appcc parameter, storing results in the app_compat_cache database table. Our detection logic, contained in the AppCompatCache Dynamo Rules, identifies suspicious entries related to Generic Hacker Tools and Commands.

The MITRE ATT&CK Framework is globally recognized as a leading knowledge base with a standardized language of adversary tactics and techniques based on real-world observations.

The MITRE ATT&CK scanner in DRONE is powerful and uses over a thousand YARA rules to detect Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs). These findings are invaluable for threat investigations. Developed by our world-class DFIR Lab team, the scanner offers high detection rates with minimal false positives.

Looking at the investigation process as a whole, with the MITRE ATT&CK scanner in place we now deliver a platform that supplies investigators with the most comprehensive solution for threat investigations. This information gives key pointers and direct signposting as to where and how breaches may have occurred, simplifying an often complex portion of the investigation, especially for less-seasoned analysts and responders, by providing a quick overview of publicly known attack vectors.

As with all parts of AIR, we’ll continue to enhance this capability – adding further rules to shorten overall investigation times and reduce the potential for data loss and reputational damage. 

Automated Compromise Assessment With DRONE - screenshot_7

AIR now automatically checks for any new MITRE ATT&CK rules that the Binalyze Threat Hunting Team has written. If you don’t have the latest version, the new rules will be pushed to your AIR platform automatically, potentially saving yet more valuable time, and avoiding any delay to you having access to the latest rule sets.

With our comprehensive analyzers, customers will see the attack stages, the footprints of any attackers, and which of the Tactics in MITRE ATT&CK were used.

By using this option, users have a greater understanding of what the attacker's intentions were and what they’ve done in their systems. We then have three verdict levels representing how serious any discovered threat is.

Deploy DRONE in your Investigation Workflows

Binalyze AIR is the disruptive force in the cybersecurity space right now. This is because we combine lightning-fast forensics with automation, supporting a wide range of integrations with which SOC investigators can today, easily and quickly remediate incidents.

All of this is further enhanced with DRONE’s powerful capabilities, enabled with just one click. Along with new enhancements like our Investigation Hub, consolidating insights in a single, collaborative workspace.

So, if you’re ready to see how AIR and DRONE’s automated compromise assessment can make a difference in your organization, help maintain a more resilient cyber security posture, and save you time - why not sign up for a free 14-day trial?