I want to add heuristic detections to ScanCore. We should flag files based on things like:
File modified.
File type.
File permissions.
File owner.
File contents.
File location.
File is executable.
File header matches extension.
File contains code / macros.
File is hosted.
File is currently open / in-use.
Add up all of these & assign a "Suspicion Score".
Having the core know some of this information gives us the ability to flag files as suspicious when we see several flags together, or when a certain threshold of flags has been reached. So if a database was recently moved to a hosted location by the sudo user (and the rest of the files in that folder are owned by www-data) we can flag that file as suspicious. The core should not need any definitions to tell it that this file needs attention.
But if we also add one additional column to the Definition File for "Heuristic Flags", containing a comma-separated list of two- or three-character strings that each represent some suspicious behaviour, we can use this information to look for specific behaviour in scanned files. So if an IOC is a batch file that gets copied to a temporary location, is obfuscated, was recently created, and has specific network connections open, we can flag that combination as a specific IOC.
There are two components we need to develop in the Core:
Implicit Heuristics - Detecting files based on observed behaviour. Contained in new .hdef Definition Files.
Explicit Heuristics - Detecting files based on defined behaviour. Contained in existing .def Definition Files.
Implicit Heuristics
Stored in .hdef "Heuristic Definition Files". These files will contain combinations of "Suspicious Traits" which the core stacks up into a "Suspicion Score". If the score gets too high, a file is flagged even if it does not have an associated definition in a .def Definition File.
Explicit Heuristics
Stored in .def "Definition Files" alongside the existing Definition Data. These files already contain infection-specific data regarding specific IOCs, so naturally this is the place where we should store IOC-specific heuristic data. By adding another column to our existing Definition Files we can store a CSV string of flags which identify the specific behaviour we want to flag.
Examples
General Flags:
php - Is PHP script file.
db1 - Is a Database file (MySQL).
hos - Is in a hosted location.
m24 - Modified in the past 24 hours.
ows - Owned by sudo or Administrator user.
pm1 - Permissions are oddly permissive.
ap1 - Application binaries or executable code in non-code location.
mc1 - Contains macros or scripts (XML).
fd1 - File is a minified or obfuscated script file.
fd2 - File is currently open by PID ###.
nt1 - File has ### open network connections.
Implicit Only Flags:
ow1 - Strange Owner (doesn't match siblings).
Explicit Only Flags:
nt2 - File has a network connection to ###.###.###.###.
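The two components described above, as an added example that is not ScanCore's own code: implicit flags are derived from a file record and summed into a Suspicion Score against a threshold, while explicit matching checks whether the CSV "Heuristic Flags" column of a .def row is fully present. The flag weights, the threshold, the record layout, the `heuristic_flags` column name and the sample files are all constructed assumptions; only the flag codes come from the page.

```python
import stat

# Constructed weights per flag code; the page names the codes but sets no weights.
WEIGHTS = {"php": 1, "db1": 1, "hos": 1, "m24": 2, "ows": 2, "pm1": 2,
           "ap1": 3, "mc1": 2, "fd1": 2, "fd2": 1, "nt1": 2, "ow1": 3}
THRESHOLD = 6  # constructed: at or above this the file is flagged with no .def match

def implicit_flags(rec, sibling_owners, now):
    # rec is a constructed dict: path, mode (st_mode int), owner, mtime (epoch s), hosted (bool)
    flags = set()
    if rec["path"].endswith(".php"):
        flags.add("php")
    if rec["path"].endswith((".sql", ".db", ".ibd")):
        flags.add("db1")
    if rec["hosted"]:
        flags.add("hos")
    if now - rec["mtime"] < 24 * 3600:
        flags.add("m24")
    if rec["owner"] in ("root", "Administrator"):
        flags.add("ows")
    if rec["mode"] & stat.S_IWOTH:  # world-writable treated as oddly permissive
        flags.add("pm1")
    if sibling_owners and rec["owner"] not in sibling_owners:
        flags.add("ow1")  # owner differs from every sibling in the folder
    return flags

def suspicion_score(flags):
    return sum(WEIGHTS.get(f, 0) for f in flags)

def match_explicit(flags, definitions):
    # Names of .def rows whose CSV 'heuristic_flags' column is fully present in flags.
    hits = []
    for d in definitions:
        wanted = {f.strip() for f in d["heuristic_flags"].split(",") if f.strip()}
        if wanted and wanted <= flags:
            hits.append(d["name"])
    return hits

def assess(rec, sibling_owners, definitions, now):
    flags = implicit_flags(rec, sibling_owners, now)
    score = suspicion_score(flags)
    return {"flags": flags, "score": score, "implicit_hit": score >= THRESHOLD,
            "explicit_hits": match_explicit(flags, definitions)}

# Constructed sample: a database dump that root dropped into a web root owned by www-data.
NOW = 1_700_000_000.0
DEFS = [{"name": "db-dump-in-webroot", "heuristic_flags": "db1,hos,ows"},
        {"name": "obfuscated-php", "heuristic_flags": "php,hos,fd1"}]
DUMP = {"path": "/var/www/html/site.sql", "mode": 0o100644, "owner": "root",
        "mtime": NOW - 3600, "hosted": True}
SIBLINGS = ["www-data", "www-data", "www-data"]
```

Calling `assess(DUMP, SIBLINGS, DEFS, NOW)` flags the dump both implicitly (db1, hos, m24, ows, ow1 score 9) and explicitly via the first .def row, which is the scenario the post describes.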