Sandbox_Scryer – Tool For Producing Threat Hunting And Intelligence Data From Public Sandbox Detonation Output



[root]
  version.txt – Current tool version
  LICENSE – Defines the license for the source and other contents
  README.md – This file

[root/bin]
  Linux – Pre-built binaries for running the tool on Linux. Currently supports: Ubuntu x64
  MacOS – Pre-built binaries for running the tool on macOS. Currently supports: OSX 10.15 x64
  Windows – Pre-built binaries for running the tool on Windows. Currently supports: Win10 x64

[root/presentation_video]
  Sandbox_Scryer__BlackHat_Presentation_and_demo.mp4 – Video walking through the slide deck and showing a demo of the tool

[root/screenshots_and_videos]
  Various backing screenshots

[root/scripts]
  Parse_report_set.* – Windows PowerShell and DOS Command Window batch file scripts that invoke the tool to parse each HA Sandbox report summary in the test set
  Collate_Results.* – Windows PowerShell and DOS Command Window batch file scripts that invoke the tool to collate the data from the parsed report summaries and generate a MITRE Navigator layer file

[root/slides]
  BlackHat_Arsenal_2022__Sandbox_Scryer__BH_template.pdf – PDF export of the slides used to present the Sandbox Scryer at Black Hat 2022

[root/src]
  Sandbox_Scryer – Folder with the source for the Sandbox Scryer tool (in C#) and a Visual Studio 2019 solution file

[root/test_data]
  (SHA256 filenames).json – Report summaries from submissions to Hybrid Analysis
  enterprise-attack__062322.json – MITRE CTI data
  TopAttackTechniques__High__060922.json – Top MITRE ATT&CK techniques generated with the MITRE calculator. Used to rank techniques for generating the heat map in MITRE Navigator

[root/test_output]
  (SHA256)_report__summary_Error_Log.txt – Errors (if any) encountered while parsing the report summary for the SHA256 included in the name
  (SHA256)_report__summary_Hits__Complete_List.png – Graphic showing the techniques noted while parsing the report summary for the SHA256 included in the name
  (SHA256)_report__summary_MITRE_Attck_Hits.csv – For the collation step: techniques and tactics, with select metadata, from parsing the report summary for the SHA256 included in the name
  (SHA256)_report__summary_MITRE_Attck_Hits.txt – More human-readable form of the .csv file. Includes ranking data for the noted techniques

[root/test_output/collated_data]
  collated_080122_MITRE_Attck_Heatmap.json – Layer file for import into MITRE Navigator

The Sandbox Scryer is intended to be invoked as a command-line tool, to facilitate scripting.

Operation consists of two steps:

1. Parsing – the tool is run once per Hybrid Analysis report summary (.json). It extracts the MITRE ATT&CK techniques and tactics noted in the summary and writes, for that report, the _MITRE_Attck_Hits.csv and .txt files, the _Hits__Complete_List.png graphic, and an _Error_Log.txt if any problems were encountered (see test_output above).
2. Collation – the tool is run once over the set of per-report .csv files together with the MITRE CTI data and the Top ATT&CK Techniques ranking (see test_data above). It combines the hit counts with the ranking and writes a MITRE ATT&CK Navigator layer file (see test_output/collated_data above).

Invocation examples for both steps are provided in the scripts folder: Parse_report_set.* (parsing) and Collate_Results.* (collation).

If the parameter "-h" is specified, the built-in help is displayed:

    Sandbox_Scryer.exe -h

Within the Navigator, techniques noted in the sandbox report summaries are highlighted and shown with increased heat based on a combined score of the technique's ranking and the count of hits on the technique across the sandbox report summaries. Hovering over a technique shows select metadata.
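As an added illustration of the two steps described above, the following Python sketch is offered; it is not the tool's C# source and is not taken from the project. It parses two constructed Hybrid Analysis-style report summaries, records malformed entries the way the per-report Error_Log.txt does, collates the hits against a constructed technique ranking, and emits a MITRE ATT&CK Navigator layer. The summary field names (mitre_attcks, attck_id, tactic, technique), the scoring weights and all sample data are assumptions, not the project's specification.

```python
# Added example for this page: a Python sketch of the Sandbox Scryer's two-step
# flow (parse report summaries, then collate hits into a Navigator layer).
# Not the tool's C# source. Field names, weights and sample data are assumptions.
import json
from collections import Counter, defaultdict

# Constructed sample input: two Hybrid Analysis-style summaries keyed by SHA256.
# Field names are an assumption modelled on the HA summary format; one entry is
# deliberately malformed to exercise the error log.
SUMMARIES = {
    "a" * 64: {"mitre_attcks": [
        {"attck_id": "T1055", "tactic": "Defense Evasion", "technique": "Process Injection"},
        {"attck_id": "T1082", "tactic": "Discovery", "technique": "System Information Discovery"},
        {"tactic": "Execution"},  # missing attck_id -> logged, not counted
    ]},
    "b" * 64: {"mitre_attcks": [
        {"attck_id": "T1055", "tactic": "Defense Evasion", "technique": "Process Injection"},
        {"attck_id": "T1547.001", "tactic": "Persistence", "technique": "Registry Run Keys / Startup Folder"},
    ]},
}

# Constructed ranking in the spirit of the MITRE Top ATT&CK Techniques
# calculator output: technique ID -> normalised rank in [0, 1].
RANKING = {"T1055": 0.9, "T1547.001": 0.8, "T1082": 0.3}


def parse_summary(summary):
    """Step 1: extract technique hits from one report summary.

    Returns (hits, errors): hits are dicts with technique/tactic/name,
    errors are strings destined for the per-report Error_Log.txt."""
    hits, errors = [], []
    for i, entry in enumerate(summary.get("mitre_attcks", [])):
        tid = entry.get("attck_id")
        if not tid:
            errors.append(f"mitre_attcks[{i}]: missing attck_id, entry skipped")
            continue
        hits.append({"technique": tid,
                     "tactic": entry.get("tactic", ""),
                     "name": entry.get("technique", "")})
    return hits, errors


def collate(per_report_hits, ranking, rank_weight=0.5):
    """Step 2: count the reports hitting each technique and combine with the ranking.

    A technique counts once per report even if listed several times.
    score = 100 * (rank_weight * rank + (1 - rank_weight) * count / max_count);
    this weighting is an assumption, the tool's exact formula is not on the page."""
    counts, tactics = Counter(), defaultdict(set)
    for hits in per_report_hits.values():
        for tid in {h["technique"] for h in hits}:
            counts[tid] += 1
        for h in hits:
            if h["tactic"]:
                tactics[h["technique"]].add(h["tactic"])
    max_count = max(counts.values(), default=1)
    scored = {}
    for tid, n in counts.items():
        rank = ranking.get(tid, 0.0)  # unranked techniques still get heat from hit count
        score = round(100 * (rank_weight * rank + (1 - rank_weight) * n / max_count))
        scored[tid] = {"count": n, "rank": rank, "score": score,
                       "tactics": sorted(tactics[tid])}
    return scored


def tactic_slug(tactic):
    """Navigator layers name tactics as lowercase hyphenated IDs."""
    return tactic.strip().lower().replace(" ", "-")


def navigator_layer(scored, name="Sandbox hits"):
    """Emit a MITRE ATT&CK Navigator layer (v4 layer schema) from collated scores.

    One entry per (technique, tactic) so a technique seen under two tactics is
    highlighted in both columns; the comment carries the hover metadata."""
    techniques = []
    for tid in sorted(scored):
        info = scored[tid]
        for tactic in info["tactics"] or [None]:
            entry = {"techniqueID": tid, "score": info["score"],
                     "comment": f"hits={info['count']} rank={info['rank']}"}
            if tactic:
                entry["tactic"] = tactic_slug(tactic)
            techniques.append(entry)
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.4", "navigator": "4.8.0"},
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100}}


def run(summaries, ranking):
    """Both steps end to end; returns (layer, error_logs keyed by SHA256)."""
    per_report, error_logs = {}, {}
    for sha, summary in summaries.items():
        per_report[sha], errs = parse_summary(summary)
        if errs:
            error_logs[sha] = errs
    return navigator_layer(collate(per_report, ranking)), error_logs


if __name__ == "__main__":
    layer, logs = run(SUMMARIES, RANKING)
    print(json.dumps(layer, indent=2))
    for sha, errs in logs.items():
        print(f"{sha}_report__summary_Error_Log.txt:", *errs, sep="\n  ")
```

Running the script prints the layer JSON, which imports into the Navigator as-is, followed by the error log for the summary with the malformed entry. Hits are counted per report rather than per occurrence so that a single noisy sample cannot dominate the heat map, and the rank weight is exposed as a parameter because the right balance between prevalence and the ranking depends on the hunt.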

CyberTelugu