Keyword & Hash Search
DRONE already has a keyword search mechanism. Hash search has been added alongside it, and both keyword lists and hash lists can be imported from files.
  • In CLI mode, users can provide keywords directly or a file path to import. In the example below, the user provides two keywords and a keyword file. The keyword file is newline-separated; each line is treated as one keyword. Wildcards and regular expressions are supported as well.
DRONE.exe --keyword mimikatz --keyword nmap --keyword-file suspicious-words.txt
  • In Tower mode, keyword files are listed under the “Keyword List” section. Selected keywords are imported and searched in all evidence. The listed files are bound to the UI from the ./DRONE.Keywords folder, so the user has to create this folder and put the .txt files in it.
Hash search is very similar to keyword search, with one important difference: all provided hashes are also searched in the file system using the Hash YARA Scanner. This scanner is added to the execution list automatically whenever the user provides a hash.
  • In CLI mode, users can provide hashes directly or a file path to import. In the example below, the user provides two hashes and a hash file. The hash file is newline-separated; each line is treated as one hash.
DRONE.exe --hash 05F001F1B2653DB6288AAA7EF105E520 --hash 69B5071ED217275F20D58DD79F576767 --hash-file suspicious-hashes.txt
  • In Tower mode, hash files are listed under the “Hash List” section. Selected hashes are imported and searched in all evidence and in the file system. The listed files are bound to the UI from the ./DRONE.Hashes folder, so the user has to create this folder and put the .txt files in it.
  • In the Case file, only SHA256 hashes are supported, but the file system search (Hash YARA Scanner) can match using the MD5, SHA1 and SHA256 algorithms.
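The keyword-file and hash-file bullets above both rely on the same one-entry-per-line list format, and the hash list is matched against the file system by MD5, SHA1 or SHA256. The script below is an added example, not DRONE's own code: it cleans such lists before import (drops blank and duplicate lines, classifies hashes by algorithm, lower-cases them and flags malformed lines), shows how the file-system side of the comparison works by hashing sample bytes with all three algorithms, and renders the list as a rule for YARA's real hash module. The rule layout is only an illustration of what a hash-based YARA scan looks like; how DRONE's Hash YARA Scanner builds its rules is not documented on this page, and the sample lists are constructed, not real indicators.

```python
"""Prepare DRONE keyword/hash list files and illustrate hash matching.

Added example, not DRONE's code. Assumes only what the page states: one
entry per line in each list file, and MD5/SHA1/SHA256 matching in the
file-system hash scan. The YARA rule is an illustration (assumption), not
DRONE's internal rule format.
"""
import hashlib
import re

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def read_list(text):
    """Split a list file into entries: one per line, blank lines dropped,
    surrounding whitespace trimmed, duplicates removed in first-seen order."""
    seen = set()
    entries = []
    for line in text.splitlines():
        item = line.strip()
        if not item or item in seen:
            continue
        seen.add(item)
        entries.append(item)
    return entries


def classify_hashes(entries):
    """Group hash strings by algorithm (by hex length) and lower-case them
    so a mixed-case list still matches. Malformed lines go under 'invalid'."""
    groups = {"md5": [], "sha1": [], "sha256": [], "invalid": []}
    for h in entries:
        low = h.lower()
        algo = HEX_LENGTHS.get(len(low))
        if algo and HEX_RE.match(low):
            groups[algo].append(low)
        else:
            groups["invalid"].append(h)
    return groups


def digest_matches(data, groups):
    """Mimic the file-system side of the search: hash the bytes with each
    algorithm and report which listed digests they equal."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        d = hashlib.new(algo, data).hexdigest()
        if d in groups[algo]:
            hits.append((algo, d))
    return hits


def yara_hash_rule(groups, name="hash_list"):
    """Render one YARA rule that fires when a file's digest is on the list.
    hash.md5/sha1/sha256(0, filesize) are YARA hash-module functions."""
    conds = []
    for algo in ("md5", "sha1", "sha256"):
        for h in groups[algo]:
            conds.append(f'hash.{algo}(0, filesize) == "{h}"')
    if not conds:
        raise ValueError("no valid hashes in list")
    body = " or\n        ".join(conds)
    return f'import "hash"\n\nrule {name} {{\n    condition:\n        {body}\n}}\n'


# Constructed sample lists: a keyword file with a duplicate and a blank line,
# and a hash file mixing algorithms, case and one malformed line. The SHA1 and
# SHA256 entries are the digests of an empty input, so digest_matches(b"")
# hits them.
SAMPLE_KEYWORDS = "mimikatz\nnmap\n\nmimikatz\npsexec*\n"
SAMPLE_HASHES = (
    "05F001F1B2653DB6288AAA7EF105E520\n"
    "69b5071ed217275f20d58dd79f576767\n"
    "da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    "not-a-hash\n"
)


def sample_run():
    """Clean both sample lists; returns (keywords, hash groups)."""
    keywords = read_list(SAMPLE_KEYWORDS)
    groups = classify_hashes(read_list(SAMPLE_HASHES))
    return keywords, groups


if __name__ == "__main__":
    keywords, groups = sample_run()
    print("keywords:", keywords)
    print("rejected hash lines:", groups["invalid"])
    print("empty-file matches:", digest_matches(b"", groups))
    print(yara_hash_rule(groups))
```

Running the cleaned lists through `classify_hashes` before importing them catches the two failure modes the page's format invites: a stray non-hex line that would silently never match, and upper-case digests that an exact string comparison would miss. Remember that the Case file side only accepts SHA256, so MD5 and SHA1 entries will only ever match in the file-system scan.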

Special Cases

The Event records and MFT analyzers have their own matching logic: once a keyword or a hash is given to DRONE, the user has to enable these two analyzers explicitly for them to match. This is not necessary for the other analyzers.