This post results from the project “DFIR & Threat Intelligence” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and Com|Code (Germany). This project focuses on new developments in the Digital Forensics and Incident Response fields as well as performing research for clients of Com|Code.
Binalyze Tool Evaluation Triage & Malware
This week we got to test Binalyze’s triage and DRONE tools against malware. Starting off with triage, this tool allows the user to create Yara or Sigma rules to scan the connected systems for IOCs. We tested this a few different times also adding our own rules. There are three default rulesets that comes with it: webshell detection, FireEye Sunburst Countermeasures, and FireEye Red Team Countermeasures. In our testing, these rulesets were a good starting point; however they are definitely not the only ones to use. In order to use its full potential you will need to add your own rules, which are easily editable and can be imported inside the tool. Once we added some other rules, we were able to see how well the tool worked. Here is some very useful information on Yara rules and a great resource to import new rulesets. After the scan finishes you can easily view what detections were made along with file paths.
Next we have the malware tests, which consisted of WannaCry ransomware and a piece of spyware. Starting of with WannaCry, the tool was still able to function fully after the system had been attacked. Drone was able to detect the ransomware and allow us to see everything that was going on with it. However, one thing we noticed was that even though it tagged it as ransomware, it was not considered high on the dangerous scale and was only at medium. This is a bit confusing since ransomware is extremely dangerous to have on a computer. We understood that WannaCry isn’t the best ransomware to test against it, because of how old it is, but we wanted to see how Binalyze reacted to a new and old piece of ransomware. The acquisitions ran as normal and the tool worked great.
The spyware was a bit of a different story. DRONE was able to detect the windows defender logs that caught it, but was unable to detect the malware itself. The acquisition took approx. 9 hours to complete due to the fact that the spyware used up most of the CPU leaving very little for Binalyze to run. This can definitely change depending on the spyware used, although it was able to finish and have a complete report as usual. Rather than detecting any running processes linked to the spyware, DRONE identified the .bin file used to execute it as suspicious because it was run but was not an .exe.
Overall, the tool worked as it is advertised to. It is not meant to be used as a main way to detect and protect systems. It is an incident response tool made for figuring out what is happening/has happened. In my eyes it did its job and a forensic analyst can go over the findings in an organized way. I think this would be a good tool to put in a kit with other incident response tools that cover the rest of the necessary software.
Follow us for more updates on this project! For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de
–Written by Michael Pinelli ‘23 //Computer Science & Cybersecurity
Follow Us!