Analyzers

DRONE Analyzers

DRONE includes two core components:

  1. DRONE analyzers.

  2. The MITRE ATT&CK analyzer.

Updates for the MITRE ATT&CK analyzer are delivered independently of standard AIR or DRONE releases via the AIR platform's MITRE ATT&CK analyzer framework. The version in use can be verified under AIR Settings, and a detailed changelog is maintained in the Knowledge Base.

1. DRONE Analyzers

Each analyzer queries specific artifact tables (processes, registry, MFT, SRUM, and so on) and runs the rows through a series of check functions that score or flag suspicious indicators (for example unsigned executables, masquerading, hacker tool names, suspicious paths, anomalous timestamps, and entropy checks). Items whose accumulated score exceeds the suspicion threshold are reported with MITRE ATT&CK tags and a verdict ranging from "relevant" to "dangerous."

Windows Analyzers

AmCache Analyzer

  • Parses: amcache_file table

  • Purpose: Analyze Windows Amcache registry entries for executed files, checking for hacker tools and RMM tools

AmCache Program Analyzer

  • Parses: amcache_program table

  • Purpose: Analyze Windows Amcache program entries for suspicious application names

Application Analyzer

  • Parses: installed_applications table

  • Purpose: Analyze installed Windows applications for suspicious categories, hacker tools, and RMM tools

Browser Downloads Analyzer

  • Parses: browser_downloads table

  • Purpose: Analyze browser download history for suspicious file paths, URLs, and referrers

Browser History Analyzer

  • Parses: browser_history table

  • Purpose: Analyze browser history for suspicious URLs and hacker tool references

Downloads Analyzer

  • Parses: downloads table

  • Purpose: Analyze Windows download history for suspicious file paths and zone identifiers

Dynamo Analyzer

Dynamo is a rule-based analysis engine for digital forensics and incident response (DFIR) investigations.

Rule Types

Dynamo supports three rule execution modes:

  • SQL Rules: Execute SQL queries directly against forensic databases

  • osquery Rules: Execute osquery queries against the live asset

  • UGO Script Rules: Execute custom scripts using the UGO scripting language for complex analysis logic

Data Sources

The analyzer can query data from multiple forensic sources:

  • The AIR case database: Primary forensic case data repository

  • The live system/asset: Using osquery.

Analysis Functions

Dynamo provides a comprehensive library of built-in analysis functions, including:

  • Threat Detection: Suspicious commands, hacking tools, RMM tools, obfuscated strings

  • File Analysis: File size, entropy, masquerading, alternate data streams, executable locations

  • System Artifacts: Registry keys, scheduled tasks, digital signatures, host processes

  • Network Analysis: URL patterns, domain validation, domain categorization

  • Command Line: Command patterns, unusual length detection, script execution artifacts

  • Trust & Reputation: Publisher validation, application categorization, malicious service detection

  • User Analysis: Username patterns, first logon detection, temporal analysis

Use Cases

Dynamo is used for suspicious process detection, file system anomaly detection, network activity analysis, registry anomaly detection, command line analysis, timeline correlation, and threat hunting.
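The following toy analyzer is an example added to this page to make the two mechanisms described above concrete: the per-table check-function pipeline (query an artifact table, run each row through scoring checks, report rows above a threshold with ATT&CK tags and a verdict) and Dynamo's SQL-rule mode (rules that run directly against the case database). It is not DRONE's or Dynamo's own code. The `processes` table layout, the sample rows, the check weights, the verdict thresholds, the path and tool lists and the ATT&CK tags are all assumptions; an in-memory SQLite database stands in for the case database.

```python
"""Toy artifact analyzer illustrating the check-function pipeline and SQL rules.

Example code added to this page; not DRONE's or Dynamo's implementation.
Table layout, weights, thresholds, path/tool lists and ATT&CK tags are assumed.
"""
import base64
import math
import re
import sqlite3
from collections import Counter

# Constructed base64 blob standing in for an encoded command argument.
ENC_BLOB = base64.b64encode(bytes(range(32, 96))).decode()

# Constructed sample rows for a minimal "processes" artifact table.
SAMPLE_PROCESSES = [
    # (pid, name, path, parent, cmdline, signed, start_time)
    (1, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
     "svchost.exe -k netsvcs", 1, "2024-03-01 08:00:00"),
    (2, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe",
     "svchost.exe", 0, "2024-03-02 03:12:00"),
    (3, "mimikatz.exe", r"C:\Temp\mimikatz.exe", "cmd.exe",
     "mimikatz.exe", 0, "2024-03-02 03:15:00"),
    (4, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "explorer.exe", "chrome.exe", 1, "2024-03-01 09:30:00"),
    (5, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "winword.exe", f"powershell.exe -nop -w hidden -enc {ENC_BLOB}", 1, "2024-03-02 11:05:00"),
    (6, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "explorer.exe", "updater.exe --check", 0, "2024-03-01 14:20:00"),
]


def build_case_db():
    """Create an in-memory stand-in for the case database with one artifact table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent TEXT, "
                 "cmdline TEXT, signed INTEGER, start_time TEXT)")
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_PROCESSES)
    return conn


# --- check functions: each returns (score, tags, reason) or None (all assumed) ---
EXPECTED_DIR = {"svchost.exe": "c:\\windows\\system32\\", "lsass.exe": "c:\\windows\\system32\\"}
HACKER_TOOLS = {"mimikatz.exe": "T1003.001", "psexec.exe": "T1569.002"}
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\programdata\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_ARG = re.compile(r"\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def check_unsigned(r):
    return (10, [], "unsigned executable") if not r["signed"] else None


def check_path(r):
    p = r["path"].lower()
    return (15, [], "runs from user-writable path") if any(d in p for d in USER_WRITABLE) else None


def check_masquerade(r):
    # A well-known system binary name running outside its expected directory.
    exp = EXPECTED_DIR.get(r["name"].lower())
    if exp and not r["path"].lower().startswith(exp):
        return (30, ["T1036.005"], "system binary name outside expected directory")
    return None


def check_tool(r):
    tag = HACKER_TOOLS.get(r["name"].lower())
    return (40, [tag], "known hacker tool name") if tag else None


def check_encoded(r):
    # Encoded command-line argument; the entropy check is applied to the blob itself.
    m = ENC_ARG.search(r["cmdline"])
    if not m:
        return None
    score, why = 25, "encoded command argument"
    if shannon_entropy(m.group(1)) > 4.0:
        score, why = score + 10, why + " with high entropy"
    return (score, ["T1059.001", "T1027"], why)


def check_parent(r):
    return (25, ["T1204.002"], "spawned by an Office application") if r["parent"].lower() in OFFICE_APPS else None


def check_hours(r):
    return (5, [], "started between 00:00 and 06:00") if int(r["start_time"][11:13]) < 6 else None


CHECKS = [check_unsigned, check_path, check_masquerade, check_tool, check_encoded, check_parent, check_hours]
THRESHOLDS = [(50, "dangerous"), (30, "suspicious"), (15, "relevant")]  # assumed verdict floors


def verdict_for(score):
    return next((label for floor, label in THRESHOLDS if score >= floor), None)


def run_process_analyzer(conn):
    """Query the artifact table, run every check, report rows above the lowest threshold."""
    findings = []
    for row in conn.execute("SELECT * FROM processes ORDER BY pid"):
        hits = [h for h in (chk(row) for chk in CHECKS) if h]
        score = sum(h[0] for h in hits)
        verdict = verdict_for(score)
        if verdict:
            findings.append({"pid": row["pid"], "name": row["name"], "score": score, "verdict": verdict,
                             "tags": sorted({t for h in hits for t in h[1]}), "reasons": [h[2] for h in hits]})
    return findings


# --- Dynamo-style SQL rules run directly against the case database (assumed rules) ---
DYNAMO_RULES = [
    {"name": "Office application spawned a child process", "tags": ["T1204.002"],
     "sql": "SELECT pid FROM processes WHERE lower(parent) IN "
            "('winword.exe','excel.exe','powerpnt.exe','outlook.exe') ORDER BY pid"},
    {"name": "Unsigned executable started outside business hours", "tags": [],
     "sql": "SELECT pid FROM processes WHERE signed = 0 AND "
            "CAST(substr(start_time, 12, 2) AS INTEGER) < 6 ORDER BY pid"},
]


def run_sql_rules(conn):
    """Return {rule name: [matching pids]} for every SQL rule."""
    return {rule["name"]: [r["pid"] for r in conn.execute(rule["sql"])] for rule in DYNAMO_RULES}


def analyze_case():
    db = build_case_db()
    return run_process_analyzer(db), run_sql_rules(db)


if __name__ == "__main__":
    findings, rule_hits = analyze_case()
    for f in findings:
        print(f"{f['verdict']:<10} pid={f['pid']} {f['name']} score={f['score']} tags={f['tags']} {f['reasons']}")
    for name, pids in rule_hits.items():
        print(f"rule hit: {name}: pids {pids}")
```

Running it reports pids 2, 3 and 5 as dangerous (masquerading svchost, a known tool name, and an encoded command spawned by an Office parent) and pid 6 as merely relevant (unsigned binary in a temp path, nothing else), while the two clean rows never reach the lowest threshold. The SQL rules reach the same database directly and return matching pids without the scoring layer, which is the trade-off between the two modes: checks accumulate evidence across indicators, rules express one precise condition.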

DNS Cache Analyzer

  • Parses: dns_cache table

  • Purpose: Analyze Windows DNS cache for suspicious domains, crypto domains, and abused TLDs

Hosts File Analyzer

  • Parses: hosts table

  • Purpose: Analyze the Windows hosts file for suspicious URL mappings

$MFT Analyzer

  • Parses: MFT (Master File Table) CSV files

  • Purpose: Analyze Windows file system entries for suspicious files, hidden executables, and hacker tools

Network Share Analyzer

  • Parses: net_shares table

  • Purpose: Analyze Windows network shares for rare/uncommon shares and active connections

PowerShell History Analyzer

  • Parses: powershell_consolehost_history table

  • Purpose: Analyze PowerShell command history for hacker tools and suspicious commands

Prefetch Analyzer

  • Parses: prefetch_parsed and prefetch_files tables

  • Purpose: Analyze Windows Prefetch files for suspicious executables and hacker tools

Process Analyzer (Windows)

  • Parses: processes table

  • Purpose: Analyze Windows processes for suspicious behavior, privilege escalation, and hacker tools

Registry Analyzer

  • Parses: autoruns_registry table

  • Purpose: Analyze Windows registry autorun entries for suspicious executables and hacker tools

Scheduled Task Analyzer

  • Parses: autoruns_scheduled_tasks table

  • Purpose: Analyze Windows scheduled tasks for suspicious executables and hacker tools

Windows Services Analyzer

  • Parses: autoruns_services table

  • Purpose: Analyze Windows services for suspicious executables, known malicious services, and hacker tools

ShellBags Analyzer

  • Parses: shell_bags table

  • Purpose: Analyze Windows ShellBags for suspicious folder access and admin share names

AppCompatCache Analyzer

  • Parses: app_compat_cache table

  • Purpose: Analyze Windows Application Compatibility Cache for suspicious file paths and hacker tools

SRUM Analyzer

  • Parses: srum_network_data_usage and srum_application_resource_usage tables

  • Purpose: Analyze Windows System Resource Usage Monitor data for suspicious application usage

User Folders Analyzer

  • Parses: user_folders table

  • Purpose: Analyze Windows user profile folders for suspicious usernames and creation patterns

Linux Analyzers

CronJob Analyzer

  • Parses: cron_jobs table

  • Purpose: Analyze Linux/macOS cron jobs for suspicious commands and hacker tools

Package Manager Analyzer

  • Parses: apt_history table

  • Purpose: Analyze the Linux APT package manager history for suspicious installation timestamps

Process Analyzer (Linux)

  • Parses: processes table

  • Purpose: Analyze Linux processes for suspicious behavior, systemd anomalies, and hacker tools

Shell History Analyzer

  • Parses: shell_history table

  • Purpose: Analyze Linux/macOS shell command history for suspicious commands and hacker tools

Cross-Platform Analyzers

Browser History Analyzer

  • Parses: browser_history table

  • Purpose: Analyze browser history for suspicious URLs and hacker tool references (Windows, Linux, macOS)

Browser Downloads Analyzer

  • Parses: browser_downloads table

  • Purpose: Analyze browser download history for suspicious file paths, URLs, and referrers (Windows, macOS)

macOS Analyzers

Dylib Hijack Analyzer

  • Parses: installed_apps and apps_dylibs tables

  • Purpose: Analyze macOS applications for dynamic library hijacking vulnerabilities

2. MITRE ATT&CK Analyzer

The MITRE ATT&CK Analyzer leverages YARA-based scanning with modular, cross-platform capabilities that inspect both the filesystem and live process memory. The analyzer relies on rule sets maintained by the Binalyze DFIR Lab and augmented by curated open-source YARA rules.

Some limitations are in place for performance reasons:

  • MITRE ATT&CK Analyzer does not scan the entire drive. It scans a preconfigured list of directories on the system, where 99% of malware has historically been found. To scan the entire drive, users can use our Triage/Hunt module.

  • The file size limit is 250MB.

YARA scan results appear under the MITRE ATT&CK Fs and MITRE ATT&CK Memory evidence categories. Each detection shows:

  • YARA matched strings

  • YARA meta information, such as Description, Author name, and References for further reading

  • Date information for the file on the filesystem, and the process creation date when the match was found in process memory
