Threat Hunting Guide Designed for SOC Analysts and MSSPs

Proactive threat hunting has become an essential discipline for Security Operations Center (SOC) analysts and Managed Security Service Providers (MSSPs). Traditional detection methods often miss novel or sophisticated adversarial techniques, making it critical for security teams to leverage advanced tools and methodologies.

ANY.RUN’s Threat Intelligence Lookup (TI Lookup) empowers analysts with granular insights into Indicators of Compromise (IOCs), Indicators of Behavior (IOBs), and Indicators of Attack (IOAs), directly sourced from a vast interactive sandbox environment.

Unlocking TI Lookup’s Core Capabilities

TI Lookup provides immediate access to a malware database enriched by contributions from over 500,000 sandbox users, including 15,000 corporate SOC teams.

With 50 trial requests available, a single query can return hundreds of relevant sessions, samples, and artifacts for targeted research. Key functions include:

  • IOC Lookups: Search file hashes, IP addresses, domain names, and URLs to validate suspicious artifacts.
  • Behavioral Lookups: Identify registry modifications, process activities, network communications, and mutex creations—critical for detecting emerging threats lacking established IOCs.
  • MITRE ATT&CK Integration: Query specific tactics, techniques, and procedures (TTPs) to align hunts with known adversary frameworks.
  • File/Event Correlation: Uncover relationships between disparate artifacts to reveal broader attack campaigns.
  • YARA-Based Queries: Execute pattern-based searches for precise file characteristic matches.
  • Advanced Query Syntax: Leverage over 40 parameters, wildcards, and logical operators (AND, OR, NOT, parentheses, *, ?, ^, $) for complex, contextual hunting scenarios.

Image: Search results for malware changing Windows registry

Practical Threat Hunting Use Cases

  1. Country-Based Detection:
    Geographic filtering (e.g., submissionCountry:"br" AND threatName:"phishing") reveals regional phishing trends, while combining submissionCountry:"in" with commandLine:"powershell" and threatLevel:"malicious" pinpoints PowerShell-based attacks in India.
  2. MITRE Technique-Focused Queries:
    • Command & Script Execution (T1059): (MITRE:"T1059" AND (commandLine:"powershell" OR imagePath:"mshta.exe")) surfaces sandbox events using PowerShell or mshta.exe.
    • Registry Persistence (T1547): MITRE:"T1547" AND registryKey:"CurrentVersion\Run" identifies malware auto-start behaviors via the Windows registry.
  3. Obfuscated File Behavior:
    Detect executables hiding in non-standard directories: fileExtension:"exe" AND NOT filePath:"Windows*" AND NOT filePath:"Program Files*". Spot script-based obfuscation with commandLine:"powershell" AND fileExtension:"js".
  4. Persistence & Mutex Hunting:
    Find malware mutexes using syncObjectName:"rmc" to detect Remcos trojan instances, illustrating how mutex names can fingerprint sophisticated threats.
  5. Domain Generation Algorithm (DGA) Detection:
    Target cheap-TLD DGAs: (domainName:".top" OR domainName:".xyz") AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious"; the parentheses around the two TLD terms keep the port and threat-level conditions applied to both TLDs rather than only to the second. Identify Cloudflare-hosted phishing via domainName:".workers.dev" AND threatLevel:"malicious".
  6. Malware Family Behavior:
    • Formbook: threatName:"formbook" OR (MITRE:"T1055" AND registryKey:"CurrentVersion\Run" AND fileExtension:"exe").
    • AsyncRAT: threatName:"asyncrat" AND (commandLine:"mshta.exe" OR commandLine:"powershell").
  7. Thematic Search Subscriptions:
    Receive automated alerts for credential stealer campaigns by subscribing to custom queries combining known stealer names with registry access patterns.
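The operator set listed under Advanced Query Syntax, and the grouping question raised by the DGA query in use case 5, can be checked offline with a small evaluator before a hunt is run or subscribed to. This is an added example, not ANY.RUN's code or its real query engine: it assumes AND binds tighter than OR, case-insensitive substring matching for field:"value" terms, and *, ?, ^ and $ as wildcard and anchor characters, and it runs over constructed sample events.

```python
import re
# Constructed sandbox events for illustration (not real ANY.RUN data).
EVENTS = [
    {"domainName": "update-check.top", "destinationPort": "443", "threatLevel": "malicious"},
    {"domainName": "news.example.top", "destinationPort": "53", "threatLevel": "suspicious"},
    {"domainName": "cdn.example.xyz", "destinationPort": "80", "threatLevel": "malicious"},
    {"domainName": "shop.example.com", "destinationPort": "443", "threatLevel": "malicious"},
]
# The DGA hunt without and with parentheses around the two TLD terms.
LOOSE = 'domainName:".top" OR domainName:".xyz" AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious"'
STRICT = '(domainName:".top" OR domainName:".xyz") AND (destinationPort:"80" OR destinationPort:"443") AND threatLevel:"malicious"'
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|\bNOT\b|\w+:"[^"]*"')

def match(pattern, value):
    # Assumed term semantics: case-insensitive substring; * = any run, ? = one char, ^ and $ anchor.
    core = pattern.strip("^$")
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in core)
    regex = ("^" if pattern.startswith("^") else "") + regex + ("$" if pattern.endswith("$") else "")
    return re.search(regex, value, re.IGNORECASE) is not None

def parse_or(tokens):  # OR has the lowest precedence (assumed, as in most query languages)
    left = parse_and(tokens)
    while tokens and tokens[0] == "OR":
        tokens.pop(0)
        left = (lambda a, b: lambda e: a(e) or b(e))(left, parse_and(tokens))
    return left

def parse_and(tokens):  # AND binds tighter than OR, so "x OR y AND z" means "x OR (y AND z)"
    left = parse_not(tokens)
    while tokens and tokens[0] == "AND":
        tokens.pop(0)
        left = (lambda a, b: lambda e: a(e) and b(e))(left, parse_not(tokens))
    return left

def parse_not(tokens):  # NOT, parenthesised groups, and field:"value" terms
    if not tokens: raise ValueError("unexpected end of query")
    tok = tokens.pop(0)
    if tok == "NOT":
        inner = parse_not(tokens)
        return lambda e: not inner(e)
    if tok == "(":
        inner = parse_or(tokens)
        if not tokens or tokens.pop(0) != ")": raise ValueError("expected ')'")
        return inner
    field, value = tok.split(':"', 1)  # value keeps its closing quote; dropped below
    return lambda e: match(value[:-1], str(e.get(field, "")))

def hunt(query, events=EVENTS):  # compile once, return matching domainName values in input order
    tokens = TOKEN_RE.findall(query)
    predicate = parse_or(tokens)
    if tokens: raise ValueError("unbalanced parentheses")  # leftover ')' or stray tokens
    return [e["domainName"] for e in events if predicate(e)]
```

Running hunt(LOOSE) also returns news.example.top, which has neither a web port nor a malicious verdict, because only the .xyz term is constrained; hunt(STRICT) drops it.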

By integrating TI Lookup into SOC playbooks, analysts can slash Mean Time to Respond (MTTR) through sub-two-second query responses, contextualize alerts with rich threat intelligence, and proactively hunt unseen threats before they escalate.

Whether isolating regional attack waves, zeroing in on specific MITRE techniques, or mapping complex multi-vector campaigns, ANY.RUN’s TI Lookup equips SOC teams and MSSPs with the actionable data required for swift, informed decision-making.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.