Tim Thorne
Enhanced Security Through Advanced Threat Detection
In a landscape where rapid and precise threat detection across assets in your IT estates is crucial. The Binalyze Dynamo Analyzer bridges the gap between traditional Security Information and Event Management (SIEM) systems and advanced asset analysis technologies. Dynamo Analyzer is Binalyze AIR’s innovative rule engine that’s transforming how threats are detected, analyzed, and managed directly from your specified evidence collections.
Introducing Dynamo: Advanced Threat Detection
Dynamo is not just another tool in your DFIR arsenal. It revolutionizes threat detection, analysis, and management directly on evidence collected from your assets, whether on Windows, Linux, or macOS. Dynamo's unique approach involves the active collection, parsing, and sophisticated rule-based analysis of asset data, ensuring rapid and accurate threat detection.
Dynamo's Core Functionalities
Software Vulnerability Detection: Dynamo can scan for outdated software installations using a comprehensive database of known vulnerabilities. It employs heuristic analysis to detect potential vulnerabilities that may not yet be cataloged.
DNS Cache and Scheduled Task Analysis: Dynamo analyzes DNS cache records to identify domains linked to known malicious activities. It evaluates scheduled tasks, focusing on anomalies in task configurations and execution paths that are commonly exploited by malware.
Fileless Malware Detection: Dynamo's advanced algorithms detect fileless malware by parsing collected evidence and matching relevant items with a large, ever-growing set of detection rules.
Analyzing Parsed Forensic Evidence: Binalyze AIR’s evidence collection capability is widely respected, and the forensic collections from assets are stored in an SQLite database. This allows Dynamo to deliver complex SQL script-based queries against the collected data, which can be further enhanced with uGO scripting language for more advanced logics, enabling sophisticated pattern detection analysis.
We could say that the uGO Scripting Language serves as an advanced integration and orchestration framework designed to seamlessly connect and leverage the capabilities of various engines such as YARA, Sigma, osquery, and more. It empowers users with the flexibility to define custom workflows and logic, enabling the correlation of diverse inputs from these engines. This holistic approach significantly enhances the decision-making process, providing more accurate and comprehensive verdicts. uGO's versatile scripting capabilities facilitate efficient threat detection, system analysis, and security automation, making it an invaluable tool in complex IT environments.
Integration with osquery: Dynamo leverages osquery for advanced system queries. This integration allows Dynamo to perform an in-depth analysis of system states and configurations, enhancing its detection capabilities.
Correlation Rule Capabilities: Dynamo's advanced correlation engine then aggregates individual findings to identify complex threat patterns. This enables Dynamo to transform low-level signals into actionable high-fidelity alerts.
Technical Specifications:
- Data Parsing: Dynamo uses advanced parsing algorithms capable of interpreting complex data structures from various sources, including system logs and network traffic.
- Alert Mechanism: Implements a sophisticated alerting mechanism that categorizes threats based on severity, impact, and confidence levels.
- Integration: Offers seamless integration with existing security infrastructure investments, including SIEM systems, threat intelligence platforms, and incident response workflows.
- File Formats: Supports a wide range of file formats for analysis, including but not limited to 'EVT', 'EVTX', SQL, and various other binary and text-based log formats.
Advantages of Dynamo:
On Asset Analysis: By performing analysis on the asset, Dynamo minimizes latency and bandwidth issues associated with data transfer, ensuring timely detection even in bandwidth-constrained environments.
Privacy & Compliance: Dynamo addresses privacy and compliance concerns by processing data locally on the asset (for example, endpoints and servers), reducing the need to export sensitive data.
Customization: Dynamo supports Binalyze to customize our own detection rules and analysis parameters to best respond at speed to new security postures and evolving threat landscapes.
Our Dynamo implementation is seamlessly integrated within DRONE, alongside our suite of proprietary analyzers, poised to meticulously analyze any evidence gathered during your evidence acquisition processes.
The data you collect with AIR is saved to an SQL database (case.db) which is part of the overall .ppc file that is generated for each Tasking Assignment run by the AIR agent on an asset.
Binalyze’s DFIR Lab, our team of in-house researchers and threat hunters, is constantly adding many new SQL queries to the Dynamo Analyzer, which in turn interrogates the evidence collected in the case.db file.
A very simple example of one such rule may look something like this where Dynamo will be searching the collected evidence for an attempt at achieving ‘persistence’ on the asset by scheduling the automatic running of an application from the Windows Temp folder:
SELECT * FROM autoruns_scheduled_tasks
WHERE command_line LIKE '%\Windows\Temp\%'
The SQL queries written by our DFIR Lab using Dynamo are typically much more advanced and are crafted to swiftly identify and grade Findings, thereby guiding the user's investigation more efficiently.
Let’s look at an example where our implementation of Dynamo has delivered findings into AIR’s Investigation Hub.
Here we see 4 findings marked as ‘Dangerous’, and when you hover over the ‘Dangerous badge,’ the tool-tip explains that these items are; ‘WMI suspicious commands’.
A closer inspection of the Investigation Hub details window reveals that:
- The PowerShell command was hidden.
- Conversion from Base64 was used.
- The domain URL has been obfuscated by concatenation.
For these reasons, this WMI command is marked as Dangerous by DRONE.
From here, the investigator could inspect the DNS cache in the Investigation Hub, and in our case, we can see a Relevant Finding which reveals the URL in its unobfuscated state.
Selecting the embedded Virus Total Details link immediately identifies that this WMI command and the subsequent DNS cache entry are both associated with the well-known malware, LemonDuck.
In conclusion:
Dynamo Analyzer is a comprehensive security solution that fills the gaps left by traditional tools like YARA. By offering advanced functionalities, such as fileless malware detection and DNS cache analysis, Dynamo provides a more robust and nuanced approach to threat detection and system security.
In future AIR releases, we plan to open up Dynamo to our users so they can apply their own rules to the engine.
For a secure and resilient cybersecurity infrastructure, Dynamo Analyzer is another valuable automated analyzer provided by AIR. Dynamo has been designed to effortlessly identify any vulnerable machines within your network of hundreds or even thousands of assets.
With Dynamo Analyzer, you can finally say goodbye to the tedious search for the proverbial needle in a haystack and reallocate that valuable time to other vital aspects of the DFIR investigation process.
To learn more about how the Dynamo Analyzer can supercharge your investigation and threat-hunting efforts, contact us today or try it for yourself.
