The Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in the assembly of IOCs, in understanding attack movement and in threat hunting. By allowing researchers to send thousands of samples to a sandbox and build a profile that can be used with ATT&CK techniques, the Sandbox Scryer delivers an unprecedented ability to solve use cases at scale. The tool is intended for cybersecurity professionals who are interested in threat hunting and attack analysis leveraging sandbox output data. The Sandbox Scryer tool currently consumes output from the free and public Hybrid Analysis malware analysis service, helping analysts expedite and scale threat hunting.
`[root]`
- `version.txt` – Current tool version
- `LICENSE` – Defines the license for the source and other contents
- `README.md` – This file

`[root/bin]`
- `Linux` – Prebuilt binaries for running the tool on Linux. Currently supports: Ubuntu x64
- `MacOS` – Prebuilt binaries for running the tool on macOS. Currently supports: OSX 10.15 x64
- `Windows` – Prebuilt binaries for running the tool on Windows. Currently supports: Win10 x64

`[root/presentation_video]`
- `Sandbox_Scryer__BlackHat_Presentation_and_demo.mp4` – Video walking through the slide deck and showing a demo of the tool

`[root/screenshots_and_videos]`
- Various backing screenshots

`[root/scripts]`
- `Parse_report_set.*` – Windows PowerShell and DOS Command Window batch file scripts that invoke the tool to parse each HA Sandbox report summary in the test set
- `Collate_Results.*` – Windows PowerShell and DOS Command Window batch file scripts that invoke the tool to collate the data from parsing the report summaries and generate a MITRE Navigator layer file

`[root/slides]`
- `BlackHat_Arsenal_2022__Sandbox_Scryer__BH_template.pdf` – PDF export of the slides used to present the Sandbox Scryer at Black Hat 2022

`[root/src]`
- `Sandbox_Scryer` – Folder with the source for the Sandbox Scryer tool (in C#) and the Visual Studio 2019 solution file

`[root/test_data]`
- `(SHA256 filenames).json` – Report summaries from submissions to Hybrid Analysis
- `enterprise-attack__062322.json` – MITRE CTI data
- `TopAttackTechniques__High__060922.json` – Top MITRE ATT&CK techniques generated with the MITRE calculator. Used to rank techniques when producing the heat map in MITRE Navigator

`[root/test_output]`
- `(SHA256)_report__summary_Error_Log.txt` – Errors (if any) encountered while parsing the report summary for the SHA256 included in the name
- `(SHA256)_report__summary_Hits__Complete_List.png` – Graphic showing the techniques noted while parsing the report summary for the SHA256 included in the name
- `(SHA256)_report__summary_MITRE_Attck_Hits.csv` – Input for the collation step: techniques and tactics with select metadata from parsing the report summary for the SHA256 included in the name
- `(SHA256)_report__summary_MITRE_Attck_Hits.txt` – More human-readable form of the .csv file. Includes ranking data for the noted techniques

`[root/test_output/collated_data]`
- `collated_080122_MITRE_Attck_Heatmap.json` – Layer file for import into MITRE Navigator
The Sandbox Scryer is intended to be invoked as a command-line tool, to facilitate scripting.

Operation consists of two steps:

- Parsing, where a specified report summary is parsed to extract the output noted above
- Collation, where the data from the set of results produced by the parsing step is collated to produce a Navigator layer file

Invocation examples:
If the parameter `-h` is specified, the built-in help is displayed as shown here:

```text
Sandbox_Scryer.exe -h

Options:
  -h           Display command-line options
  -i           Input filepath
  -ita         Input filepath - MITRE report for top techniques
  -o           Output folder path
  -ft          Type of file to submit
  -name        Title to use with output
  -sb_name     Identifier of sandbox to use (default: ha)
  -api_key     API key to use with submission to sandbox
  -env_id      Environment ID to use with submission to sandbox
  -inc_sub     Include sub-techniques in graphical output (default is to not include)
  -mitre_data  Filepath for MITRE CTI data to parse (to populate ATT&CK techniques)
  -cmd         Command
               Options:
                 parse   Process report file from prior sandbox submission
                         Uses -i, -ita, -o, -name, -inc_sub, -sig_data parameters
                 col     Collates report data from prior sandbox submissions
                         Uses -i (treated as folder path), -ita, -o, -name, -inc_sub, -mitre_data parameters
```
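As an added example (not one of the repository's own scripts), the following POSIX shell driver runs both steps over a folder of Hybrid Analysis report summaries using the Linux binary. The argument names follow the help text above; the binary path `./bin/Linux/Sandbox_Scryer`, the use of the two reference files from `test_data` as the `-ita` and `-mitre_data` inputs, and the practice of using the SHA256 from the report filename as the `-name` are assumptions made for the example. Before collating, it counts non-empty per-sample error logs, because a report that failed to parse otherwise only shows up as missing heat in the final layer.

```shell
#!/bin/sh
# Example two-step Sandbox Scryer driver: parse every report summary, then collate.
# Added example, not part of the repository. The paths below are assumptions;
# override them through the environment.
SCRYER="${SCRYER:-./bin/Linux/Sandbox_Scryer}"
TOP_TECHNIQUES="${TOP_TECHNIQUES:-test_data/TopAttackTechniques__High__060922.json}"
MITRE_CTI="${MITRE_CTI:-test_data/enterprise-attack__062322.json}"

# Step 1: parse one report summary into <outdir>. The run name is the SHA256
# taken from the filename, so outputs line up with the (SHA256)_report__summary_*
# naming used in test_output.
parse_report() {
    report="$1"; outdir="$2"
    sha=$(basename "$report" .json)
    "$SCRYER" -cmd parse -i "$report" -ita "$TOP_TECHNIQUES" -o "$outdir" -name "$sha" -inc_sub
}

# Step 2: collate a folder of parse results into a Navigator layer file.
# For "col", -i is treated as a folder path per the help text.
collate_results() {
    indir="$1"; outdir="$2"; name="$3"
    "$SCRYER" -cmd col -i "$indir" -ita "$TOP_TECHNIQUES" -o "$outdir" -name "$name" -inc_sub -mitre_data "$MITRE_CTI"
}

# Count per-sample error logs that are non-empty. A parse that logged errors
# contributes incomplete data to the heat map, so surface it before collating.
count_parse_errors() {
    outdir="$1"; n=0
    for log in "$outdir"/*_report__summary_Error_Log.txt; do
        [ -s "$log" ] && n=$((n + 1))
    done
    echo "$n"
}

# Full pipeline: parse each *.json report in <reports>, then collate into <collated>.
run_pipeline() {
    reports="$1"; parsed="$2"; collated="$3"; name="${4:-collated}"
    mkdir -p "$parsed" "$collated"
    for r in "$reports"/*.json; do
        [ -e "$r" ] || continue
        parse_report "$r" "$parsed" || echo "parse failed: $r" >&2
    done
    echo "reports with parse errors: $(count_parse_errors "$parsed")" >&2
    collate_results "$parsed" "$collated" "$name"
}

# Usage: ./scryer_pipeline.sh run <reports_dir> <parsed_dir> <collated_dir> [name]
case "${1:-}" in
    run) shift; run_pipeline "$@" ;;
esac
```

The resulting layer file in the collated folder is what gets imported into the Navigator in the next step; `SCRYER=echo ./scryer_pipeline.sh run ...` prints the exact command lines without invoking the binary, which is a convenient way to check the arguments before a large run.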
Once the Navigator layer file is produced, it may be loaded into the Navigator for viewing via https://mitre-attack.github.io/attack-navigator/

Within the Navigator, techniques noted in the sandbox report summaries are highlighted and shown with increased heat based on a combined score of the technique's rank and the count of hits on the technique across the sandbox report summaries. Hovering over a technique shows select metadata.