ANY.RUN‘s Threat Intelligence Lookup is a valuable resource for security professionals searching for information on the latest cyber threats.
One of the key features of Threat Intelligence Lookup is its extensive search capabilities. The service offers over 40 different search parameters that can be combined to form specific queries. These parameters allow you to filter and refine your search results based on various criteria, such as IOCs, behavioral indicators, and other relevant information.
Let’s explore each search parameter and provide examples of how they can be used in your investigations.
About Threat Intelligence Lookup
Threat Intelligence Lookup is a centralized platform for threat data exploration, collection, and analysis.
At the core of Threat Intelligence Lookup lies a global network of over 400,000 security experts. These individuals actively contribute by submitting suspicious samples to the ANY.RUN sandbox for advanced analysis on a daily basis.
The submission process generates a wealth of valuable threat data, including indicators of compromise (IOCs), which are then extracted and integrated into Threat Intelligence Lookup.
Thanks to its integration with ANY.RUN’s Interactive Sandbox, users can access real-time search results, each one linked to a corresponding sandbox session, enabling in-depth analysis of the identified threats.
Search Parameters in TI Lookup
Search parameters in TI Lookup are divided into separate groups: tasks, registry, environment, detection, module, connection, process, network threats, file, synchronization, and URL.
Task
Task parameters refer to the characteristics of tasks (sandbox sessions).
threatName
The name of a particular threat: malware family, threat type, etc., as identified by the sandbox.
Examples: “Phishing”, “xworm”, “ransomware”, “tycoon”.
submissionCountry
The country from which the threat sample was submitted.
Examples: “es”, “us”, “de”.
Results for a query that includes a threat name (Remcos) and country (Brazil) Here is an example of a query for samples of the Remcos malware submitted by users in Brazil. The service provides a list of sandbox sessions that correspond to the request.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522remcos%255C%2522%2520AND%2520submissionCountry:%255C%2522es%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">threatName:"remcos" AND submissionCountry:"es"</a> </td>
</tr>
</tbody></table>
threatLevel
A verdict on the threat level of the sample.
Examples: “malicious”, “suspicious”.
taskType
The type of the sample submitted to the sandbox.
Examples: “URL”, “file”.
You can adjust the timeframe of your search to 180, 90, 60, 30, 7, 3, or 1 daysIn this screenshot, you can see a query for malicious URLs uploaded to the sandbox over the past 24 hours. TI Lookup displays a list of the latest one hundred sessions.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522threatLevel:%255C%2522malicious%255C%2522%2520AND%2520taskType:%255C%2522URL%255C%2522%2522,%2522dateRange%2522:1%7D" rel="noreferrer" target="_blank">threatLevel:"malicious" AND taskType:"URL"</a> </td>
</tr>
</tbody></table>
Registry
Registry parameters refer to specific attributes related to registry modifications detected within sandbox sessions. These parameters provide insights into how a threat interacts with the Windows registry.
registryKey
The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\) to escape the single backslash.
Examples: “Windows\\CurrentVersion\\RunOnce”, “Windows NT\\CurrentVersion\Windows”.
registryName
The name of the Windows Registry key field.
Examples: “browseinplace”, “docobject”, “isshortcut”.
registryValue
The value of the Windows Registry key.
Examples: “internet explorer\iexplore.exe”.
The service provides events, synchronization, and network threats associated with the queryUsing the query above, we can identify threats that aim to execute malicious code through scheduled tasks.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522registryKey:%255C%2522CurrentVersion%255C%255C%255C%255CSchedule%255C%2522%2520AND%2520registryValue:%255C%2522.exe%255C%2522%2522,%2522dateRange%2522:14%7D" rel="noreferrer" target="_blank">registryKey:"CurrentVersion\\Schedule" AND registryValue:".exe"</a> </td>
</tr>
</tbody></table>
Environment
These parameters are used to provide context about the environment where a threat was detected or executed.
os
The specific version of Windows used in the environment.
Examples: “11”, “10”, “7”.
osSoftwareSet
The software package of applications installed on the OS.
Examples: “clean”, “office”, “complete”.
osBitVersion
The bitness of the operating system, 32-bit or 64-bit.
Examples: “32”, “64”.
The service provides Lumma analysis sessions that you can exploreWe can use these parameters to, for instance, discover Windows 11 x64 sandbox sessions containing analysis of the Lumma stealer launched in the service over the past 14 days.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522lumma%255C%2522%25C2%25A0AND%25C2%25A0os:%255C%252210%255C%2522%25C2%25A0AND%25C2%25A0osSoftwareSet:%255C%2522complete%255C%2522%25C2%25A0AND%25C2%25A0osBitVersion:%255C%252264%255C%2522%2522,%2522dateRange%2522:14%7D" rel="noreferrer" target="_blank">threatName:"lumma" AND os:"10" AND osSoftwareSet:"complete" AND osBitVersion:"64"</a> </td>
</tr>
</tbody></table>
Detection
These parameters are utilized to describe the detection signatures and MITRE TTPs relating to the execution of threats in the sandbox.
ruleName
The name of the detection rule.
Examples: “Executable content was dropped or overwritten”, “Phishing has been detected”.
ruleThreatLevel
The threat level assigned to a particular event.
Examples: “malicious”, “suspicious”, “info”.
MITRE
Techniques used by the malware according to the MITRE ATT&CK classification.
Examples: “T1071”, “T1114.001”.
The service provides events, mutexes, files, network threats, and sessionsLet’s consider a query combining the MITRE ATT&CK technique T1053.005, which describes a common persistence mechanism, with a detection rule for threats that steal browser credentials.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1053.005%255C%2522%2520AND%2520ruleName:%255C%2522Steals%2520credentials%2520from%2520Web%2520Browsers%255C%2522%2522,%2522dateRange%2522:14%7D" rel="noreferrer" target="_blank">MITRE:"T1053.005" AND ruleName:"Steals credentials from Web Browsers"</a> </td>
</tr>
</tbody></table>
Module
Module parameters refer to specific modules or components within a threat. This can be a DLL, library, or other executable that is loaded by the main executable.
moduleImagePath
The full path to the module’s image file, the location on the disk where the module’s executable is stored.
Examples: “SysWOW64\\cryptbase.dll”, “SysWOW64\\msasn1.dll”.
The service yields events, files, and other results in response to the queryAbove you can see an example of a query that looks for all instances of sandbox sessions where KernelBase.dll was called.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522moduleImagePath:%255C%2522SysWOW64%255C%255C%255C%255CKernelBase.dll%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">moduleImagePath:"SysWOW64\\KernelBase.dll"</a> </td>
</tr>
</tbody></table>
Connection
The Connection parameters describe network-related aspects of a threat.
domainName
The domain name that was recorded during the threat execution in a sandbox.
Examples: “tventyvd20sb[.]top”, “5.tcp.ngrok[.]io”.
destinationIP
The IP address of the network connection that was established or attempted.
Examples: “147[.]185[.]221[.]22”, “162[.]125[.]66[.]15”.
destinationPort
The network port through which the connection was established.
Examples: “49760”, “49780”.
destinationIpAsn
Detected ASN.
Examples: “akamai-as”, “akamai international b.v.”.
destinationIPgeo
Two-letter country or region code of the detected IP geolocation.
Examples: “ae”, “de”.
ja3, ja3s, jarm
Types of TLS fingerprints that can indicate certain threats.
Examples: “1af33e1657631357c73119488045302c” (JA3S), “a0e9f5d64349fb13191bc781f81f42e1” (JA3).
You can explore network threats tab to see triggered Suricata IDS rulesIn the picture above, we can see a query that searches for threats that made connections to IP addresses located in the Czech Republic (CZ), belonging to Cogent Communications.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522destinationIpAsn:%255C%2522cogent-174%255C%2522%2520AND%2520destinationIPgeo:%255C%2522cz%255C%2522%2520AND%2520threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">destinationIpAsn:"cogent-174" AND destinationIPgeo:"cz" AND threatLevel:"malicious"</a> </td>
</tr>
</tbody></table>
Process
The following parameters relate to processes registered during active sandbox sessions.
imagePath
Full path to process image.
Examples: “System32\\conhost.exe”, “Framework\\v4.0.30319\\RegAsm.exe”.
commandLine
The full command line that initiated the process.
Examples: “PDQConnectAgent\\pdq-connect-agent.exe –service”, “system32\\cmd.exe /c”.
The events tab shows the exact processes corresponding to the queryUsing these parameters, we can find Strela stealer samples that use net.exe to mount a C2 server containing a ‘davwwwroot’ folder.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup #%7B%2522query%2522:%2522commandLine:%255C%2522davwwwroot*dll%255C%2522%2520AND%2520imagePath:%255C%2522net.exe%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">commandLine:"davwwwroot*dll" AND imagePath:"net.exe"</a> </td>
</tr>
</tbody></table>
Network Threats
These parameters describe network-based threats detected by the Suricata intrusion detection system (IDS).
suricataMessage
The description of the threat according to Suricata.
Examples: “ET INFO 404/Snake/Matiex Keylogger Style External IP Check”, “STEALER [ANY.RUN] Stealc HTTP POST Request”.
Search using Suricata message reveals malconf IPs of RedlineWe can use a Suricata message to discover more samples, as well as IOCs, including those extracted directly from malware’s configs, relating to a particular threat.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522ET%2520MALWARE%2520Redline%2520Stealer%2520TCP%2520CnC%2520Activity%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">suricataMessage:"ET MALWARE Redline Stealer TCP CnC Activity"</a> </td>
</tr>
</tbody></table>
suricataClass
The category assigned to the threat by Suricata based on its characteristics.
Examples: “misc activity”, “a network trojan was detected”.
suricataID
The unique identifier of the Suricata rule.
Examples: “2044767”, “8001997”.
suricataThreatLevel
The verdict on the threat according to Suricata based on its potential impact.
Examples: “malicious”, “suspicious”, “info”
The service returns Suricata IDS rules detecting njRATBy combining this parameter with threaName, we can collect Surica rules relating to a specific malware.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522suricataThreatLevel:%255C%2522malicious%255C%2522%2520AND%2520threatName:%255C%2522njrat%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">suricataThreatLevel:"malicious" AND threatName:"njrat"</a> </td>
</tr>
</tbody></table>
File
These parameters describe file-related aspects of a threat.
filePath
The full path to the file on the system.
Examples: “invoice”, “order”
A query searching for sessions where a readme.txt file was dropped on the desktop, a common ransomware signWe can use this parameter along with threatLevel to find specific files in sandbox sessions with malicious content.
Try it: filePath:”Users\\admin\\Desktop\\README.TXT” AND threatLevel:”malicious”
fileExtension
The extension that indicates the file type.
Examples: “exe”, “dll”.
sha256, sha1, md5
Hash values relating to a file.
Examples: “1412faf1bfd96e91340cedcea80ee09d”, “ce554fe53b2620c56f6abb264a588616”
In response to a hash query, the service returns events, network threats, files, and other dataWe can use the hash of a malicious file to discover the specific malware family it relates to.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522md5:%255C%25224d77626d9f9d029f9f5059d72264231d%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">md5:"4d77626d9f9d029f9f5059d72264231d"</a> </td>
</tr>
</tbody></table>
Synchronization
These parameters describe synchronization-related activities within a threat, such as mutexes.
syncObjectName
The name or identifier of the synchronization object used.
Examples: “rmc”, “m0yv”.
syncObjectType
The type of synchronization object used.
Examples: “event”, “mutex”.
syncObjectOperation
The operation performed on the synchronization object.
Examples: “create”, “open”.
The service provides a long list of objects found in sessions containing analysis of the Xworm malwareBy combining operation and type parameters with threatName, we can search for specific mutexes or events created during the execution of a particular malware
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522syncObjectOperation:%255C%2522create%255C%2522%2520AND%2520syncObjectType:%255C%2522mutex%255C%2522%2520AND%2520threatName:%255C%2522xworm%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">syncObjectOperation:"create" AND syncObjectType:"mutex" AND threatName:"xworm"</a> </td>
</tr>
</tbody></table>
URL
These parameters describe network traffic related to HTTP requests and responses.
url
The URL called by the process.
Examples: “http://192[.]168[.]37[.]128:8880[/]zv8u”, “http://tventyvd20sb[.]top/v1/upload[.]php”.
httpRequestContentType
The content type of the HTTP request sent to the server.
Examples: “application/octet-stream”.
httpResponseContentType
The content type of the HTTP response received from the server.
Examples: “text/html”.
httpRequestFileType
The file type of the file being uploaded in the HTTP request.
Examples: “binary”.
httpResponseFileType
The file type of the file being downloaded in the HTTP response.
Examples: “binary”.
Results for binary file requests in HijackLoader sandbox sessionsIt is possible to use the parameter with threatName again to find binary files that were requested during the analysis in the sandbox.
Try it:
<tbody> <tr>
<td>
<a href="https://intelligence.any.run/analysis/lookup/?utm_source=anyrunblog&utm_medium=article&utm_campaign=search_params_ti&utm_term=180924&utm_content=linktolookup#%7B%2522query%2522:%2522httpRequestFileType:%255C%2522binary%255C%2522%2520AND%2520threatName:%255C%2522hijackloader%255C%2522%2522,%2522dateRange%2522:180%7D" rel="noreferrer" target="_blank">httpRequestFileType:"binary" AND threatName:"hijackloader"</a> </td>
</tr>
</tbody></table>
Conclusion
ANY.RUN’s Threat Intelligence Lookup offers a comprehensive set of search parameters that enable security professionals to effectively analyze and investigate threats. Using these search options, you can identify and enrich your information on emerging threats.
Try Threat Intelligence Lookup for free →
About ANY.RUN
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
The post How to Collect Threat Intelligence Using Search Parameters in TI Lookup appeared first on ANY.RUN's Cybersecurity Blog.
Article Link: How to Get Threat Intelligence Using TI Lookup Search Parameters