How to Collect Threat Intelligence Using Search Parameters in TI Lookup

ANY.RUN‘s Threat Intelligence Lookup is a valuable resource for security professionals searching for information on the latest cyber threats.

One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters allow you to filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other relevant information.

Let’s explore each search parameter and provide examples of how they can be used in your investigations.

About Threat Intelligence Lookup

Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.

At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis.

The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.

Thanks to its integration with ANY.RUN’s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.

Search Parameters in TI Lookup

Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.

Task

Task parameters refer to the characteristics of tasks (sandbox sessions).

threatName

The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.

Examples: “Phishing”, “xworm”, “ransomware”, “tycoon”.

submissionCountry

The country from which the threat sample was submitted.

Examples: “es”, “us”, “de”.

*Results for a query that includes a threat name (Remcos) and country (Brazil)*

Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.

Try it:

threatLevel

A verdict on the threat level of the sample.

Examples: “malicious”, “suspicious”.

taskType

The type of the sample submitted to the sandbox.

Examples: “URL”, “file”.

*You can adjust the timeframe of your search to 180, 90, 60, 30, 7, 3, or 1 days*

In this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.

Try it:

Registry

Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.

registryKey

The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\) to escape the single backslash.

Examples: “Windows\\CurrentVersion\\RunOnce”, “Windows NT\\CurrentVersion\Windows”.

registryName

The name of the Windows Registry key field.

Examples: “browseinplace”, “docobject”, “isshortcut”.

registryValue

The value of the Windows Registry key.

Examples: “internet explorer\iexplore.exe”.

*The service provides events, synchronization, and network threats associated with the query*

Using the query above, we can identify threats that aim to execute malicious code through scheduled tasks.

Try it:

Environment

These parameters are used to provide context about the environment where a threat was detected or executed.

The specific version of Windows used in the environment.

Examples: “11”, “10”, “7”.

osSoftwareSet

The software package of applications installed on the OS.

Examples: “clean”, “office”, “complete”.

osBitVersion

The bitness of the operating system, 32-bit or 64-bit.

Examples: “32”, “64”.

*The service provides Lumma analysis sessions that you can explore*

We can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the Lumma stealer launched in the service over the past 14 days.

Try it:

Detection

These parameters are utilized to describe the detection signatures and MITRE TTPs relating to the execution of threats in the sandbox.

ruleName

The name of the detection rule.

Examples: “Executable content was dropped or overwritten”, “Phishing has been detected”.

ruleThreatLevel

The threat level assigned to a particular event.

Examples: “malicious”, “suspicious”, “info”.

MITRE

Techniques used by the malware according to the MITRE ATT&CK classification.

Examples: “T1071”, “T1114.001”.

*The service provides events, mutexes, files, network threats, and sessions*

Let’s consider a query combining the MITRE ATT&CK technique T1053.005, which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials.

Try it:

Module

Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.

moduleImagePath

The full path to the module’s image file, the location on the disk where the module’s executable is stored.

Examples: “SysWOW64\\cryptbase.dll”, “SysWOW64\\msasn1.dll”.

*The service yields events, files, and other results in response to the query*

Above you can see an example of a query that looks for all instances of sandbox sessions where KernelBase.dll was called.

Try it:

Connection

The Connection parameters describe network-related aspects of a threat.

domainName

The domain name that was recorded during the threat execution in a sandbox.

Examples: “tventyvd20sb[.]top”, “5.tcp.ngrok[.]io”.

destinationIP

The IP address of the network connection that was established or attempted.

Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.

destinationPort

The network port through which the connection was established.

Examples: “49760”, “49780”.

destinationIpAsn

Detected ASN.

Examples: “akamai-as”, “akamai international b.v.”.

destinationIPgeo

Two-letter country or region code of the detected IP geolocation.

Examples: “ae”, “de”.

ja3, ja3s, jarm

Types of TLS fingerprints that can indicate certain threats.

Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).

*You can explore network threats tab to see triggered Suricata IDS rules*

In the picture above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ), belonging to Cogent Communications.

Try it:

Process

The following parameters relate to processes registered during active sandbox sessions.

imagePath

Full path to process image.

Examples: “System32\\conhost.exe”, “Framework\\v4.0.30319\\RegAsm.exe”.

commandLine

The full command line that initiated the process.

Examples: “PDQConnectAgent\\pdq-connect-agent.exe –service”, “system32\\cmd.exe /c”.

*The events tab shows the exact processes corresponding to the query*

Using these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a ‘davwwwroot’ folder.

Try it:

Network Threats

These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).

suricataMessage

The description of the threat according to Suricata.

Examples: “ET INFO 404/Snake/Matiex Keylogger Style External IP Check”, “STEALER [ANY.RUN] Stealc HTTP POST Request”.

*Search using Suricata message reveals malconf IPs of Redline*

We can use a Suricata message to discover more samples, as well as IOCs, including those extracted directly from malware’s configs, relating to a particular threat.

Try it:

suricataClass

The category assigned to the threat by Suricata based on its characteristics.

Examples: “misc activity”, “a network trojan was detected”.

suricataID

The unique identifier of the Suricata rule.

Examples: “2044767”, “8001997”.

suricataThreatLevel

The verdict on the threat according to Suricata based on its potential impact.

Examples: “malicious”, “suspicious”, “info”

*The service returns Suricata IDS rules detecting njRAT*

By combining this parameter with threaName, we can collect Surica rules relating to a specific malware.

Try it:

File

These parameters describe file-related aspects of a threat.

filePath

The full path to the file on the system.

Examples: “invoice”, “order”

*A query searching for sessions where a readme.txt file was dropped on the desktop, a common ransomware sign*

We can use this parameter along with threatLevel to find specific files in sandbox sessions with malicious content.

Try it: filePath:”Users\\admin\\Desktop\\README.TXT” AND threatLevel:”malicious”

fileExtension

The extension that indicates the file type.

Examples: “exe”, “dll”.

sha256, sha1, md5

Hash values relating to a file.

Examples: “1412faf1bfd96e91340cedcea80ee09d”, “ce554fe53b2620c56f6abb264a588616”

*In response to a hash query, the service returns events, network threats, files, and other data*

We can use the hash of a malicious file to discover the specific malware family it relates to.

Try it:

Synchronization

These parameters describe synchronization-related activities within a threat, such as mutexes.

syncObjectName

The name or identifier of the synchronization object used.

Examples: “rmc”, “m0yv”.

syncObjectType

The type of synchronization object used.

Examples: “event”, “mutex”.

syncObjectOperation

The operation performed on the synchronization object.

Examples: “create”, “open”.

*The service provides a long list of objects found in sessions containing analysis of the Xworm malware*

By combining operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware

Try it:

URL

These parameters describe network traffic related to HTTP requests and responses.

url

The URL called by the process.

Examples: “http://192[.]168[.]37[.]128:8880[/]zv8u”, “http://tventyvd20sb[.]top/v1/upload[.]php”.

httpRequestContentType

The content type of the HTTP request sent to the server.

Examples: “application/octet-stream”.

httpResponseContentType

The content type of the HTTP response received from the server.

Examples: “text/html”.

httpRequestFileType

The file type of the file being uploaded in the HTTP request.

Examples: “binary”.

httpResponseFileType

The file type of the file being downloaded in the HTTP response.

Examples: “binary”.

*Results for binary file requests in HijackLoader sandbox sessions*

It is possible to use the parameter with threatName again to find binary files that were requested during the analysis in the sandbox.

Try it:

Conclusion

ANY.RUN’s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.

Try Threat Intelligence Lookup for free →

About ANY.RUN

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.