Recorded Future Sandbox - Scoring

Triage uses a score from 1 to 10 to reflect whether a sample is malicious. The following explains what each score means and what can cause it.

Score 10: Known bad

Example:

  • A malware family was detected.

Score 8-9: Likely malicious

One or more known damaging malware attack patterns were detected.

Example:

  • The deleting of shadow copies on Windows.

Score 6-7: Shows suspicious behavior

One or more suspicious actions were detected. The detected actions can be malicious, but also have (common) benign uses.

Examples:

  • Changing file permissions.
  • Anti-VM behavior/trying to detect a VM.

Score 2-5: Likely benign

One or more interesting behaviors were detected. The detected actions are interesting enough to be notified about, but are not directly malicious.

Score 1

No (potentially) malicious behavior was detected.

Note: always review the actual signatures that triggered, since they determine the score.

Why do I sometimes see different severities and scores?

When you detonate a hash in the Recorded Future Sandbox, the resulting score may trigger a corresponding Recorded Future Risk Rule. For example, if the sample is malicious with a score of 8-9 or 10, it will trigger our Positive Malware Verdict risk rule. If the sample scores a 6-7 for suspicious behavior, it will trigger the Suspicious Behavior Detected risk rule. 

However, when Recorded Future risk scores a hash, that score can include multiple pieces of evidence, including sandbox results as well as evidence from other sources. As a result, you may see a risk score that is higher than the score in the sandbox due to evidence of malicious activity from other sources. Note that you will not see a lower risk score, as additional evidence can only raise - not lower - a risk score.
