Skip to the main content.

3 min read

Threat Hunting with DRONE and MITRE ATT&CK Analyzer

Featured Image

We recently updated Binalyze AIR MITRE ATT&CK Analyzer to version 5.7.0. This update brings significant enhancements to our threat detection capabilities, reinforcing our commitment to providing the best cybersecurity solutions. In this blog post, we'll dive into the key updates in this release and introduce you to the powerful combination of Binalyze DRONE and MITRE ATT&CK within Binalyze AIR.

Understanding DRONE & MITRE ATT&CK

What is DRONE?

DRONE is Binalyze's advanced live and post-acquisition analyzer, designed to assist all security teams in quickly identifying and prioritizing potential threats. By leveraging a robust pipeline of analyzers, DRONE can efficiently sift through evidence, highlighting anomalies and providing actionable insights. This decision-support system streamlines the investigation and decision-making process, allowing team leaders and analysts to focus on the most critical aspects of an incident.

See here how our trusted partners at TransAm succeed when using AIR to accelerate their investigations and threat-hunting activities with DRONE.

What is MITRE ATT&CK?

MITRE ATT&CK is a globally recognized framework for understanding adversary tactics, techniques, and procedures (TTPs). It provides a detailed matrix of attack vectors that adversaries use to infiltrate and maneuver within networks. Integrating MITRE ATT&CK into Binalyze AIR allows us to map detected threats directly to known attack techniques, providing valuable context and enabling more effective defense strategies.

Key Updates in MITRE ATT&CK Analyzer 5.7.0

Yara Updates:

  • Pirpi Backdoor Detection: Now identifies threats attributed to the Chinese APT3 group (G0022). Pirpi is a sophisticated backdoor used in cyber-espionage campaigns, and detecting it helps protect sensitive data from nation-state actors.

  • APT41 IOCs Detection: Enhanced detection for indicators of compromise used in recent APT41 attacks (G0096). APT41 is known for its dual mission of cyber espionage and financially motivated cybercrime. Detecting these IOCs ensures comprehensive protection against this versatile threat actor.

  • URL Shortcuts Vulnerability Detection: Improved detection for URL shortcuts exploiting CVE-2024-38112. This vulnerability allows attackers to craft malicious URL shortcuts that can execute arbitrary code, posing a significant risk to systems. Enhanced detection helps prevent these exploitations.

  • Malicious VSCode Extensions: New detections for known malicious VSCode extensions. These extensions can serve as vectors for malware distribution and data exfiltration. Detecting them ensures the integrity of development environments.

  • ProxyShell Exploitation Detection: Enhanced detection of successful ProxyShell exploitations in server logs. ProxyShell is a critical vulnerability in Microsoft Exchange servers, and improved detection helps prevent unauthorized access and data breaches.

  • DISGOMOJI Malware Detection: Added detection for malware using emojis for C2 communication. This innovative malware uses emojis to evade traditional detection methods. Enhanced detection capabilities ensure even the most elusive threats are identified and neutralized.

  • Durian Backdoor Detection: New detection for the Durian backdoor attributed to the Kimsyky ATP group (G0094). Detecting this backdoor helps protect against targeted attacks from this advanced threat group.

  • BadSpace Backdoor: Detection for the newly identified BadSpace backdoor. Identifying this backdoor prevents unauthorized access and potential data theft.

  • ASPX Compiled DLL Webshells: Improved detection of these webshells. Webshells are used by attackers to maintain persistent access to compromised servers, and improved detection helps maintain server integrity.

Dynamo Improvements:

  • CobaltStrike Detection: Enhanced detection for CobaltStrike service installations. CobaltStrike is a popular tool among cybercriminals for post-exploitation activities, and improved detection helps prevent lateral movement within networks.

  • Encoded PowerShell Keywords: Improved detection for Registry Run entries and Scheduled Tasks with base64 encoded PowerShell commands. PowerShell obfuscation is commonly used to bypass security measures, and improved detection ensures these malicious activities are identified.

Sigma Enhancements:

  • PowerShell Obfuscation: Improved detection for PowerShell processes using base64 obfuscation. This enhancement ensures that obfuscated PowerShell commands used in attacks are detected, preventing malicious scripts from executing undetected.

How DRONE and MITRE ATT&CK Enhance Binalyze AIR

The integration of DRONE and MITRE ATT&CK within Binalyze AIR provides a comprehensive solution for incident response and threat detection. DRONE's advanced analysis capabilities combined with the MITRE ATT&CK framework enable:

  1. Rapid Identification: Quickly pinpoint threats and map them to known attack techniques, providing clear context for each incident.
  2. Prioritization: DRONE scores and prioritizes threats, allowing analysts to focus on the most critical issues first.
  3. Efficiency: Streamlined workflows and automated analysis reduce the time and effort required for thorough investigations.
  4. Comprehensive Coverage: Enhanced detection capabilities ensure that even the most sophisticated threats are identified and mitigated.

At Binalyze, we are committed to staying ahead in the cybersecurity landscape by continuously improving our tools and services. The latest updates to the MITRE ATT&CK Analyzer, combined with the power of DRONE, demonstrate our dedication to providing the best possible protection for your organization.

To learn more about using DRONE see it in action here; Investigating A Malware Attack Using Binalyze AIR’s Investigation Hub

Stay secure with Binalyze AIR!