The Recorded Future Browser Extension can be used to gain additional context into observables pulled out of sandbox detonations, and to investigate the behavior and maliciousness of samples.
Prerequisites
- Download the Recorded Future Browser Extension (Chrome, Firefox, Edge)
- Access to the SecOps and Threat Intelligence Modules (required only for Part 3)
Part 1: Set-Up
Step 1
In the settings, ensure the toggle for “show in-page risk scores” is on.
Step 2
Then, under Advanced Options, set in-page scores to display for “Low and Above”.
Part 2: Identifying IOCs in Sandbox Detonations
Step 3
In the Recorded Future Sandbox, navigate from the overview page of a detonated sample to the specific VM report that was detected as malicious.
Step 4
From here, the Browser Extension may detect previous sightings of the file's hash value, and you can pivot into the portal to investigate.
Note: the detonation may well be the only reference to this hash that Recorded Future holds, in which case the malicious score shown in-line by the extension is derived from the very submission you are looking at.
In this example, the Sandbox detected PowerShell making a network request. Outbound network activity is not typical behavior for this process and is a likely sign of malicious activity.
Step 5
Scroll down to the Network section of the report to narrow the investigation. Here you'll note that PowerShell made a request to a Russia-based IP, and that the IP has some interesting risk rules triggered, notably Recent Suspected C&C Server.
Part 3: Investigating the IP
Note: If you do not have access to the Recorded Future portal, investigate the IP in your own security tool.
Step 6
Now pivot from the Browser Extension to the Intelligence Card in the portal.
In this example, this IP has been detected as a Qakbot C&C server in the past, according to both the Recorded Future risk rules and the technical links. You can also see that one of the other IPs observed in the Network Traffic of the detonation (91.193.43.101) was previously identified as a Qakbot IP as well.
Step 7
When you pivot into the references for this IP, you will see that it was picked up by Network Intelligence as a Qakbot C2 as recently as June 8th.
Step 8
PowerShell is cited as an attack vector on the Qakbot Intelligence Card, but you can also query for other instances of Qakbot together with PowerShell and System Information Discovery, the latter also being cited as a technique in the Sandbox detonation.
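The triage logic behind Parts 2 and 3 (an unexpected process making a network request, then enriching the destination IPs with risk scores and rules before pivoting) can be expressed as a small script. The following is an added example written for this page, not Recorded Future code: the sandbox events and the enrichment table are constructed, the Russia-based IP is a placeholder, the 25-point cutoff is an assumed stand-in for the extension's "Low and Above" setting, and the watch list generalizes the page's PowerShell case to a few other processes that rarely initiate connections.

```python
"""Flag unexpected network activity in a sandbox report and enrich the
destination IPs the way the Browser Extension shows scores in-page.
All data below is constructed for illustration; the INTEL table stands in
for Recorded Future scores and is not the product's API."""

# Processes that rarely initiate outbound connections in normal use. The page
# discusses PowerShell; the other entries generalize the same idea.
NETWORK_WATCHLIST = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sandbox network events: (process, destination IP, country).
SANDBOX_NETWORK_EVENTS = [
    {"process": "chrome.exe", "dst_ip": "192.0.2.10", "country": "US"},
    {"process": "powershell.exe", "dst_ip": "198.51.100.23", "country": "RU"},  # placeholder for the Russia-based IP
    {"process": "powershell.exe", "dst_ip": "91.193.43.101", "country": "NL"},  # IP cited on the page
]

# Constructed stand-in for the in-page enrichment: score plus triggered rules.
# "Recent Suspected C&C Server" is the rule named on the page; the other rule
# string is made up for the example.
INTEL = {
    "198.51.100.23": {"score": 72, "rules": ["Recent Suspected C&C Server"]},
    "91.193.43.101": {"score": 65, "rules": ["Previously Reported Qakbot C2 (constructed)"]},
    "192.0.2.10": {"score": 0, "rules": []},
}

def triage(events, intel, min_score=25):
    """Return pivot candidates ranked by score. An IP is flagged when a
    watch-listed process contacted it or its score meets min_score (assumed
    cutoff); each finding records every reason it was flagged."""
    findings = {}
    for ev in events:
        ip = ev["dst_ip"]
        info = intel.get(ip, {"score": 0, "rules": []})
        reasons = []
        if ev["process"].lower() in NETWORK_WATCHLIST:
            reasons.append(f"unexpected network request from {ev['process']}")
        if info["score"] >= min_score:
            rules = ", ".join(info["rules"]) or "no rules listed"
            reasons.append(f"risk score {info['score']} ({rules})")
        if reasons:
            entry = findings.setdefault(ip, {"ip": ip, "score": info["score"],
                                             "country": ev["country"], "reasons": []})
            entry["reasons"].extend(r for r in reasons if r not in entry["reasons"])
    return sorted(findings.values(), key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in triage(SANDBOX_NETWORK_EVENTS, INTEL):
        print(f"{f['ip']:15} {f['country']}  score={f['score']:3}  " + "; ".join(f["reasons"]))
```

The ranked output is the pivot list: each flagged IP is what you would open as an Intelligence Card in Step 6, with the reasons telling you whether the lead came from process behavior, from intelligence, or from both.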