Dynamo Analyzer

Dynamo Analyzer parses the database inside the .ppc file generated by a Windows, Linux, or macOS collection task and highlights suspicious entries.

AIR's existing YARA integration can scan the filesystem and memory of assets, but on its own it cannot parse the Windows registry, scheduled tasks, DNS cache, WMI, firewall rules and other persistence mechanisms or configuration databases, all areas of a system that malicious actors routinely abuse.

For example, if an outdated and vulnerable version of a popular application is installed, Dynamo can warn you about it. Likewise it can flag a known crypto-miner domain in the DNS cache records, a scheduled task that executes a file with a suspicious extension from the TEMP folder, and similar indicators.

Fileless Malware Techniques

Consider a scenario in which malware stores its payload base64-encoded in a registry value and uses a scheduled task to decode it and inject it directly into memory, so that the payload never exists as a file on disk. Dynamo is designed to detect such fileless techniques, a considerable uplift to the scanning capabilities within AIR.
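The pattern above as working detection logic, added here as an example that is not part of Dynamo Analyzer or AIR. It runs over constructed registry values and Task Scheduler XML (the CLSID key, task names, user path and payloads are invented; only the Task Scheduler XML namespace is real), flags base64 values that decode to a PE image or a script, flags task actions that use script hosts, decoding arguments or executables in a TEMP folder, and correlates the two when a task's arguments reference a registry key that holds a payload. It also covers the TEMP-folder scheduled task case mentioned earlier on this page.

```python
"""Added example (not Dynamo Analyzer's own code): detect a base64 payload in
the registry plus the scheduled task that decodes it, over constructed data."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# ---- Constructed sample artifacts (invented for this example) -------------
# PowerShell loader a fileless implant might stash in the registry (invented).
STAGER_SCRIPT = (
    "$b=(Get-ItemProperty 'HKCU:\\Software\\Classes\\CLSID\\{0B6C0E4D}').Stage2;"
    "[Reflection.Assembly]::Load([Convert]::FromBase64String($b)).EntryPoint.Invoke($null,$null)"
)
# Registry values as (key, value name, data): one benign, two malicious.
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName", "Windows 10 Pro"),
    (r"HKCU\Software\Classes\CLSID\{0B6C0E4D}", "Stage1",
     base64.b64encode(STAGER_SCRIPT.encode("utf-16-le")).decode()),
    (r"HKCU\Software\Classes\CLSID\{0B6C0E4D}", "Stage2",
     base64.b64encode(b"MZ\x90\x00" + b"\x00" * 200).decode()),  # fake PE header
]
# Task definitions in Task Scheduler XML; the namespace URI is the real one.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Time Synchronization\SynchronizeTime": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalService"><Exec><Command>%windir%\\system32\\sc.exe</Command>
  <Arguments>start w32time task_started</Arguments></Exec></Actions></Task>""",
    r"\OneDriveUpdateCheck": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
  <Arguments>-NoP -W Hidden -c "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty 'HKCU:\\Software\\Classes\\CLSID\\{0B6C0E4D}').Stage1)))"</Arguments>
  </Exec></Actions></Task>""",
    r"\AdobeFlashSync": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>mshta.exe</Command>
  <Arguments>C:\\Users\\j.doe\\AppData\\Local\\Temp\\flash.hta</Arguments></Exec></Actions></Task>""",
}

# ---- Registry side: base64 blobs that decode to executable content --------
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
SCRIPT_MARKERS = re.compile(r"(?i)(FromBase64String|Reflection\.Assembly|Invoke-Expression|"
                            r"\bIEX\b|VirtualAlloc|Get-ItemProperty|DownloadString)")

def decode_if_base64(data):
    """Return decoded bytes if data is a long, strictly valid base64 string, else None."""
    if not isinstance(data, str) or not BASE64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_payload(blob):
    """Label decoded bytes as a PE image, script-like text (UTF-8 or UTF-16LE), or unknown."""
    if blob.startswith(b"MZ"):
        return "pe"
    for encoding in ("utf-8", "utf-16-le"):
        try:
            if SCRIPT_MARKERS.search(blob.decode(encoding)):
                return "script"
        except UnicodeDecodeError:
            continue
    return "unknown"

def find_registry_payloads(entries):
    """Report every registry value whose data is a decodable base64 blob, with its kind."""
    findings = []
    for key, name, data in entries:
        blob = decode_if_base64(data)
        if blob is not None:
            findings.append({"key": key, "value": name, "kind": classify_payload(blob), "size": len(blob)})
    return findings

# ---- Task side: script hosts, decoder arguments, TEMP execution, key links --
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
DECODER_ARGS = re.compile(r"(?i)(-e(?:nc|ncodedcommand)?\b|FromBase64String|Invoke-Expression|"
                          r"\bIEX\b|Get-ItemProperty|DownloadString|-w(?:indowstyle)?\s+hidden)")
TEMP_EXEC = re.compile(r"(?i)[A-Z]:\\[^\s\"']*\\(?:temp|tmp)\\[^\s\"']+\.(?:ps1|vbs|js|hta|bat|cmd|scr|dll|exe)\b")
REG_PATH = re.compile(r"(?i)\bHK(?:LM|CU|CR|U|CC):?\\[^\s'\")]+")

def normalize_key(path):
    """Map PowerShell drive syntax (HKCU:\\X) onto the raw key form (HKCU\\X), lower-cased."""
    return path.replace(":", "", 1).lower()

def find_suspicious_tasks(tasks, payload_keys=frozenset()):
    """Flag Exec actions; severity is high when a known payload key is referenced or two signs stack."""
    findings = []
    for name, xml in tasks.items():
        root = ET.fromstring(xml.strip())
        for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
            cmd = action.findtext("t:Command", default="", namespaces=TASK_NS).strip()
            args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
            reasons = []
            if cmd.lower().split("\\")[-1] in SCRIPT_HOSTS:
                reasons.append("script host")
            if DECODER_ARGS.search(args):
                reasons.append("encoded/decoding arguments")
            if TEMP_EXEC.search(cmd + " " + args):
                reasons.append("executable in TEMP")
            linked = [k for k in REG_PATH.findall(args) if normalize_key(k) in payload_keys]
            if linked:
                reasons.append("loads payload from " + linked[0])
            if reasons:
                severity = "high" if linked or len(reasons) >= 2 else "medium"
                findings.append({"task": name, "command": cmd, "severity": severity, "reasons": reasons})
    return findings

def analyze(registry_entries, tasks):
    """Correlate both sides: a task decoding a registry value that holds a PE/script is the fileless pattern."""
    reg = find_registry_payloads(registry_entries)
    payload_keys = {f["key"].lower() for f in reg if f["kind"] in ("pe", "script")}
    return {"registry": reg, "tasks": find_suspicious_tasks(tasks, payload_keys)}

if __name__ == "__main__":
    report = analyze(SAMPLE_REGISTRY, SAMPLE_TASKS)
    for f in report["registry"]:
        print(f"[registry] {f['key']}\\{f['value']}: base64 {f['kind']} ({f['size']} bytes)")
    for f in report["tasks"]:
        print(f"[task:{f['severity']}] {f['task']} -> {f['command']}: {', '.join(f['reasons'])}")
```

Run against real collected data, the registry check produces noise from legitimate base64 values (certificates, serialized settings), which is why only blobs classified as a PE or script feed the correlation step; the task check is what turns a lone blob into a confident finding, because it ties the storage location to the component that decodes and executes it.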

Conclusion

Dynamo Analyzer is designed to identify and alert you to a range of suspicious activity in the configuration and persistence data collected from an asset. By extending detection beyond what YARA scanning of files and memory offers, it provides a more complete approach to analysis within AIR.