To protect your organization from cyber threats, you need a clear picture of the current threat landscape. This means constantly expanding your knowledge of new and current threats.
There are many methods that analysts can use to gather critical information about cyber threats. Let’s take a look at five that can significantly improve your threat investigation.
Use C2 IP addresses for accurate malware detection
The IP addresses that malware uses to communicate with its command and control (C2) servers are valuable indicators. They help not only to update your defenses but also to identify related infrastructure and tools owned by threat actors.
This is done by pivoting: using an existing indicator to find additional threat context.
To accomplish the pivot, analysts use a variety of sources, including threat intelligence databases that store large volumes of fresh threat data and offer search capabilities.
One useful tool is Threat Intelligence Lookup (TI Lookup) from ANY.RUN. This service allows you to search the database using more than 40 different query parameters, such as:
- Network indicators (IP addresses, domain names)
- Registry and file system paths
- Specific threat names, filenames, and hashes
ANY.RUN provides the data associated with the indicators or artifacts in your query, as well as the sandbox sessions in which the data was found. This helps analysts identify a specific indicator or combination of indicators for a particular attack, discover its context, and gather important threat intelligence.
To demonstrate how this works, let’s use the following IP address as our query: 162(.)254(.)34(.)31. In your case, the initial indicator may come from an alert generated by a SIEM system, a threat intelligence feed, or research.
The Overview tab shows the main results of our search
Submitting the IP address to TI Lookup instantly shows us that this IP has been associated with malicious activity. It also tells us that the specific threat using this IP is AgentTesla.
The service displays the domains associated with the indicator, as well as the ports used by malicious programs when connecting to this address.
The Suricata IDS rule associated with the requested IP indicates data theft via SMTP
Other information available to us includes files, synchronization objects (mutexes), ASNs, and triggered Suricata rules that were detected in sandbox sessions involving the IP address in question.
The sandbox session is listed as one of the results in TI Lookup
We can also open one of the sandbox sessions where the IP address was spotted to see the full attack, gather even more relevant information, and re-run the sample analysis for real-time study.
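The pivot described above, as an added example that is not part of the original article or of ANY.RUN’s own tooling: an in-memory set of sandbox-style records (constructed, with the IP from the text and invented domains, ports and mutexes) is queried by one indicator, and the artifacts shared by the matching sessions become the next hop. The defanged notation used in the text is refanged first.

```python
import ipaddress
import re

# Constructed sample of sandbox-derived records (not real ANY.RUN data): one record
# per sandbox session with the artifact types the article lists for a TI Lookup hit.
SESSIONS = [
    {"id": "session-1", "threat": "AgentTesla", "ips": {"162.254.34.31"},
     "domains": {"mail.example.invalid"}, "ports": {587}, "mutexes": {"Global\\mx-a"}},
    {"id": "session-2", "threat": "AgentTesla", "ips": {"162.254.34.31", "203.0.113.9"},
     "domains": {"mail.example.invalid"}, "ports": {587, 25}, "mutexes": {"Global\\mx-a"}},
    {"id": "session-3", "threat": "Lumma", "ips": {"198.51.100.7"},
     "domains": {"cdn-update.shop"}, "ports": {443}, "mutexes": set()},
]

ARTIFACT_FIELDS = ("ips", "domains", "ports", "mutexes")

def refang(indicator: str) -> str:
    """Turn defanged notation (162(.)254(.)34(.)31, hxxp://, [.]) back into a usable value."""
    value = indicator.replace("(.)", ".").replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value)

def is_ip(value: str) -> bool:
    """True when the refanged value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def pivot(indicator, field: str) -> dict:
    """One pivot hop: every session containing `indicator` in `field`, plus the other
    artifacts those sessions share. The queried artifact itself is left out of the result."""
    if isinstance(indicator, str):
        indicator = refang(indicator)
    hits = [s for s in SESSIONS if indicator in s[field]]
    related = {f: set() for f in ARTIFACT_FIELDS}
    for s in hits:
        for f in ARTIFACT_FIELDS:
            related[f] |= s[f]
    related[field].discard(indicator)
    related["threats"] = {s["threat"] for s in hits}
    related["sessions"] = [s["id"] for s in hits]
    return related

if __name__ == "__main__":
    first = pivot("162(.)254(.)34(.)31", "ips")   # hop 1: the IP from the article
    print(first)
    for domain in first["domains"]:               # hop 2: domains seen alongside it
        print(domain, "->", pivot(domain, "domains")["ips"])
```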
Check out TI Lookup to learn how it can improve threat investigation. Request a 14-day free trial.
Using URLs to expose the infrastructure of threat actors
Examining domains and subdomains can provide valuable information about the URLs used to host malware. Another common use case is to identify websites used in phishing attacks. Phishing websites often mimic legitimate sites to trick users into entering sensitive information. By analyzing these domains, analysts can uncover patterns and the broader infrastructure that attackers use.
URLs matching our search query for Lumma payload hosting infrastructure
For example, the Lumma malware is known to use URLs ending in “.shop” to host malicious files. By sending this pattern to TI Lookup along with the threat name, we can zoom in on recent domains and URLs that have been used in malware attacks.
Identify threats using specific MITRE TTPs
The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). Using specific TTPs as part of your investigations can help you identify new threats. Proactively increasing your knowledge of current threats helps prepare you for future attacks.
Top TTPs over 60 days, shown on the ANY.RUN Threat Intelligence Portal
ANY.RUN provides a live ranking of the most popular TTPs identified in the thousands of malware and phishing samples analyzed in the ANY.RUN sandbox.
Sandbox sessions that match a query specifying a MITRE TTP along with a detection rule
We can select any of the TTPs and send it to TI Lookup to find the sandbox sessions where instances of it were found. As shown above, combining T1552.001 (Credentials In Files) with the rule “Steal credentials from web browsers” allows us to identify threat analyses related to these actions.
Sample collection with YARA rules
YARA is a tool for writing descriptions of malware families based on text or binary patterns. A YARA rule can look for strings or byte sequences that are characteristic of a particular malware family. This method is very effective for automating the detection of known malware and for quickly identifying new variants that share similar characteristics.
Services such as TI Lookup provide a built-in YARA search that allows you to load, edit, save, and use custom rules to find matching samples.
A search using the XenoRAT YARA rule found over 170 matching files
We can use the YARA rule for XenoRAT, a popular malware family used for remote control and data theft, to detect the latest samples of this threat. In addition to the files that match the rule, the service also provides the sandbox sessions in which to explore those files in a wider context.
Malware detection with command line artifacts and process names
Identifying malware through command-line artifacts and process names is an effective but uncommon method, as most threat intelligence sources do not provide such capabilities.
ANY.RUN’s threat intelligence database stands out because it derives data from live sandbox sessions, offering access to real data from the command line, processes, registry modifications, and other components and events recorded during sandbox malware execution.
TI Lookup results for a command line and process search related to the Strela stealer
As an example, you can use a command line string used by the Strela stealer together with the net.exe process to access a folder on a remote server called “davwwwroot”.
TI Lookup provides many samples, files, and events found in sandbox sessions that match our query. We may use the information to gain a better understanding of the threat we face.
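The same artifact pair (the net.exe process plus “davwwwroot” in its command line) applied on the defender’s side, as an added example that is not part of the original article or of ANY.RUN’s tooling: it runs over constructed Sysmon-style process-creation events in JSON Lines form (invented hosts and paths, not real telemetry) and reports each match with the remote host and port parsed from the WebDAV UNC path.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (EventID 1); not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use \\\\203.0.113.5@8080\\davwwwroot\\ /persistent:no", "ParentImage": "C:\\Windows\\System32\\rundll32.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\NET.EXE", "CommandLine": "NET USE Z: \\\\files.example.invalid@443\\DavWWWRoot", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": ""}
"""

# \\host[@port]\davwwwroot, matched case-insensitively (net.exe accepts any casing).
DAVWWWROOT_RE = re.compile(r"\\\\([^\\\s@]+)(?:@(\d+))?\\davwwwroot", re.IGNORECASE)

def parse_events(text: str) -> list:
    """Parse JSON Lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_net_davwwwroot(event: dict) -> bool:
    """True for a process-creation event where net.exe references a davwwwroot share."""
    if event.get("EventID") != 1:
        return False
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    return image == "net.exe" and "davwwwroot" in event.get("CommandLine", "").lower()

def find_webdav_mounts(text: str) -> list:
    """Return one finding per matching event, with the remote host/port and parent process."""
    findings = []
    for ev in parse_events(text):
        if not is_net_davwwwroot(ev):
            continue
        m = DAVWWWROOT_RE.search(ev["CommandLine"])
        findings.append({
            "host": m.group(1) if m else None,
            "port": int(m.group(2)) if m and m.group(2) else None,
            "parent": PureWindowsPath(ev.get("ParentImage", "")).name,
            "command_line": ev["CommandLine"],
        })
    return findings

if __name__ == "__main__":
    for finding in find_webdav_mounts(SAMPLE_EVENTS):
        print(finding)
```

The parent process is kept in each finding because net.exe launched from rundll32.exe or another unusual parent is what separates the Strela-style use from an administrator mapping a drive.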
Threat Intelligence Lookup from ANY.RUN
To speed up your threat research and improve its quality, you can use TI Lookup.
Try TI Lookup and see how it can help your threat investigations with a 14-day trial →
ANY.RUN’s threat intelligence is derived from samples uploaded to the sandbox for analysis by more than 500,000 researchers worldwide. You can search this massive database using more than 40 search parameters.
To learn more about how to improve threat investigation with TI Lookup, join ANY.RUN’s live webinar October 23, 14:00 GMT (UTC +0).