Analyzers

DRONE includes two core analyzer components:

1. DRONE analyzers

2. MITRE ATT&CK analyzer

Updates for the MITRE ATT&CK analyzer are delivered independently of standard AIR or DRONE releases via the AIR platform's MITRE ATT&CK analyzer framework. The version in use can be verified under AIR Settings, and a detailed changelog is maintained in the Knowledge Base.

DRONE Analyzers

Each analyzer queries specific artifact tables (such as processes, registry, MFT, SRUM, etc.) and runs the data through a series of check functions that score or flag suspicious indicators. These indicators include unsigned executables, masquerading, hacker tool names, suspicious paths, suspicious commands, anomalous timestamps, entropy checks and more. Items that exceed suspicion thresholds are reported with MITRE ATT&CK tags and verdicts ranging from "relevant" to "dangerous."

Windows Analyzers

AmCache Analyzer

Parses: amcache_file table Purpose: Analyze Windows Amcache registry entries for executed files, checking for hacker tools and RMM software

AmCache Program Analyzer

Parses: amcache_program table Purpose: Analyze Windows Amcache program entries for application names that may be relevant to the investigation

AppCompatCache Analyzer

Parses: app_compat_cache table Purpose: Analyze Windows Application Compatibility Cache for hacker tools and RMM software

Application Analyzer

Parses: installed_applications table Purpose: Analyze installed Windows applications for suspicious categories, hacker tools and RMM software

Browser Downloads Analyzer

Parses: browser_downloads table Purpose: Analyze browser download history for suspicious file paths, URLs, and referrers

Browser History Analyzer

Parses: browser_history table Purpose: Analyze browser history for suspicious URLs and hacker tool references

DNS Cache Analyzer

Parses: dns_cache table Purpose: Analyze Windows DNS cache for suspicious domains, crypto domains, and abused TLDs

Downloads Analyzer

Parses: downloads table Purpose: Analyze Windows download history for hacker tools and RMM software

Dynamo Analyzer

Dynamo is a rule-based analysis engine for digital forensics and incident response (DFIR) investigations.

Rule Types

Dynamo supports three rule execution modes:

• SQL Rules: Execute SQL queries directly against forensic databases

• osquery: Execute osquery prompts on the live asset

• UGO Script Rules: Execute custom scripts using the UGO scripting language for complex analysis logic

Data Sources

The analyzer can query data from multiple forensic sources:

• The AIR case database: Primary forensic case data repository

• The live system/asset: Using osquery

Analysis Functions

Dynamo provides a comprehensive library of built-in analysis functions, including:

• Threat Detection: Suspicious commands, hacking tools, RMM tools, obfuscated strings

• File Analysis: File size, entropy, masquerading, alternate data streams, executable locations

• System Artifacts: Registry keys, scheduled tasks, digital signatures, host processes

• Network Analysis: URL patterns, domain validation, domain categorization

• Command Line: Command patterns, unusual length detection, script execution artifacts

• Trust & Reputation: Publisher validation, application categorization, malicious service detection

• User Analysis: Username patterns, first logon detection, temporal analysis

Use Cases

Dynamo is used for suspicious process detection, file system anomaly detection, network activity analysis, registry anomaly detection, command line analysis, timeline correlation, and threat hunting.

Event Records Analyzer

Parses: Windows Event Logs (.evtx files) Purpose: Analyze Windows Event Logs using Sigma rules to detect suspicious activity and security incidents

The analyzer processes Windows Event Logs from \Windows\System32\Winevt\Logs and applies Sigma detection rules

Events that match detection rules are reported with MITRE ATT&CK tags and severity scores to help prioritize investigation efforts.

Hosts File Analyzer

Parses: hosts table Purpose: Analyze the Windows hosts file for suspicious URL mappings

$MFT Analyzer

Parses: MFT (Master File Table) CSV files Purpose: Analyze Windows file system entries for suspicious files, hidden executables, and hacker tools

Network Share Analyzer

Parses: net_shares table Purpose: Analyze Windows network shares for rare/uncommon shares and active connections

PowerShell History Analyzer

Parses: powershell_consolehost_history table Purpose: Analyze PowerShell command history for hacker tools, RMM software and suspicious commands

Prefetch Analyzer

Parses: prefetch_parsed and prefetch_files tables Purpose: Analyze Windows Prefetch entries for suspicious executables and hacker tools

Process Analyzer

Parses: processes table Purpose: Analyze Windows processes for suspicious behavior, suspicious commmands and processes names of interest.

Registry Analyzer

Parses: autoruns_registry table Purpose: Analyze Windows registry autorun entries for suspicious executables and hacker tools

Scheduled Task Analyzer

Parses: autoruns_scheduled_tasks table Purpose: Analyze Windows scheduled tasks for suspicious behavior and suspicious commmands

ShellBags Analyzer

Parses: shell_bags table Purpose: Analyze Windows ShellBags for suspicious admin share access behavior

SRUM Analyzers

Parses: srum_network_data_usage, srum_application_timeline and srum_application_resource_usage tables Purpose: Analyze Windows System Resource Utilization Monitor data for suspicious application usage including hacker tools and RMM software

User Folders Analyzer

Parses: user_folders table Purpose: Analyze Windows user profile folders for suspicious usernames and creation patterns

Windows Services Analyzer

Parses: autoruns_services table Purpose: Analyze Windows services for suspicious behavior, known malicious services, hacker tools and suspicious command-line.

Linux Analyzers

CronJob Analyzer

Parses: cron_jobs table Purpose: Analyze Linux/macOS cron jobs for suspicious commands and hacker tools

Package Manager Analyzer

Parses: apt_history table Purpose: Analyze the Linux APT package manager history for suspicious installation timestamps

Process Analyzer (Linux)

Parses: processes table Purpose: Analyze Linux processes for suspicious behavior, systemd anomalies, and hacker tools

Shell History Analyzer

Parses: shell_history table Purpose: Analyze Linux/macOS shell command history for suspicious commands and hacker tools

Cross-Platform Analyzers

Browser History Analyzer

Parses: browser_history table Purpose: Analyze browser history for suspicious URLs and hacker tool references (Windows, Linux, macOS)

Browser Downloads Analyzer

Parses: browser_downloads table Purpose: Analyze browser download history for suspicious file paths, URLs, and referrers (Windows, macOS)

macOS Analyzers

Dylib Hijack Analyzer

Parses: installed_apps and apps_dylibs tables Purpose: Analyze macOS applications for dynamic library hijacking vulnerabilities

MITRE ATT&CK Analyzer

The MITRE ATT&CK Analyzer leverages YARA-based scanning with modular, cross-platform capabilities that inspect both the filesystem and live process memory. The analyzer relies on rule sets maintained by the Binalyze threat hunting team and augmented by curated open-source YARA rules.

Performance Optimizations

There are some limitations implemented for performance optimization:

• On Windows, MITRE ATT&CK Analyzer does not scan the entire drive. It scans a preconfigured list of directories on the system, where 99% of malware has historically been found. To scan the entire drive, users can use the Triage/Hunt module.

• The file size limit is 250MB.

Detection Results

YARA scan results can be seen under MITRE ATT&CK Fs and MITRE ATT&CK Memory evidence categories. The user can see various details about detection:

• YARA matched strings

• YARA meta information, such as Description, Author name, and References for further reading

• Various date information related to the Filesystem and Process Creation date when the result is found in process memory