Using our Detect & Hunt feature, you can extract rules to proactively hunt for infected machines within your organization. See how it works in this 1-minute example video, or scroll down for instructions:
To extract rules, follow these steps:
1. Mark the artifacts you would like to use for hunting. We recommend considering the pyramid of effectiveness (a simplified version of David Bianco's Pyramid of Pain). The effectiveness level is assigned per artifact type and is determined by the expected detection accuracy and the average lifespan of that artifact type.
2. Select the tool you are using and click it. This downloads a text file containing all relevant rules.
3. Use the generated rules to hunt directly with your security tool. In the following example, we used SentinelOne.
-- Intezer Generated Rules
-- =======================
-- Rule format: SentineleOne Deep Visibility
-- Time: July 24, 2022 | 09:48
-- Source file: 65a139a094689ba7f639f7067377bda80f46b901989ff95ff29346e065820975
-- Source analysis: https://analyze.intezer.com/analyses/73042b80-1bf2-4c9b-8a9d-28d03aa0da1a
-- Looks for suspicious process tree associated with malicious library
(SrcProcParentName In Contains ("wscript.exe") or SrcProcParentDisplayName In Contains ("wscript.exe")) and (SrcProcName In Contains Anycase ("powershell.exe") or SrcProcDisplayName In Contains Anycase ("powershell.exe")) and (TgtProcName In Contains Anycase ("powershell.exe") or TgtProcDisplayName In Contains Anycase ("powershell.exe"))
-- Looks for suspicious network ip associated with Generic Malware
DstIP in Contains ("88.99.90.21","212.192.246.226")
-- Looks for suspicious network dns associated with Generic Malware
DnsRequest in Contains ("mail.keefort.com.ec")
-- Looks for suspicious process tree associated with Generic Malware
(SrcProcParentName In Contains ("powershell.exe") or SrcProcParentDisplayName In Contains ("powershell.exe")) and (SrcProcName In Contains Anycase ("powershell.exe") or SrcProcDisplayName In Contains Anycase ("powershell.exe")) and (TgtProcName In Contains Anycase ("cvtres.exe") or TgtProcDisplayName In Contains Anycase ("cvtres.exe"))
(SrcProcName In Contains ("powershell.exe") or SrcProcDisplayName In Contains Anycase ("powershell.exe")) and (TgtProcDisplayName In Contains ("cvtres.exe") or TgtProcName In Contains ("cvtres.exe"))
(SrcProcParentName In Contains ("powershell.exe") or SrcProcParentDisplayName In Contains ("powershell.exe")) and (SrcProcName In Contains Anycase ("powershell.exe") or SrcProcDisplayName In Contains Anycase ("powershell.exe")) and (TgtProcName In Contains Anycase ("powershell.exe") or TgtProcDisplayName In Contains Anycase ("powershell.exe"))
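To sanity-check what a generated rules file would flag before loading it into the console, here is an added example (not Intezer's or SentinelOne's code) that parses the `--` comment / query layout and the Deep Visibility `In Contains [Anycase] (...)` syntax shown above and evaluates the rules against constructed events. It assumes `Contains` means substring match and `Anycase` means case-insensitive; the sample rules and event are constructed.

```python
import re
TOKEN = re.compile(r'\(|\)|"[^"]*"|[A-Za-z_]\w*')  # parens, quoted values, words; commas skipped
def parse_rules_file(text):  # pair each query line with the '-- Looks for ...' comment above it
    rules, desc = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("--"): desc = line.lstrip("- ")
        else: rules.append((desc, line))
    return rules

def parse_query(query):
    # Recursive descent.  expr := term ('or' term)* ; term := atom ('and' atom)*
    # atom := '(' expr ')' | Field In Contains [Anycase] ( "v", "v", ... )
    toks, pos = TOKEN.findall(query), [0]
    peek = lambda: toks[pos[0]].lower() if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def atom():
        if peek() == "(":
            take(); node = expr(); assert take() == ")"; return node
        field = take(); assert take().lower() == "in" and take().lower() == "contains"
        anycase = peek() == "anycase" and bool(take()); assert take() == "("
        values = []
        while peek() != ")": values.append(take().strip('"'))
        take(); return ("contains", field, values, anycase)
    def term():
        node = atom()
        while peek() == "and": take(); node = ("and", node, atom())
        return node
    def expr():
        node = term()
        while peek() == "or": take(); node = ("or", node, term())
        return node
    node = expr(); assert peek() is None, "trailing tokens"; return node

def evaluate(node, event):
    # Contains = substring match, Anycase = case-insensitive (assumed semantics, not S1's engine).
    if node[0] == "and": return evaluate(node[1], event) and evaluate(node[2], event)
    if node[0] == "or": return evaluate(node[1], event) or evaluate(node[2], event)
    _, field, values, anycase = node
    actual = event.get(field, "")
    if anycase: actual, values = actual.lower(), [v.lower() for v in values]
    return any(v in actual for v in values)

def matching_rules(rules_text, event):  # descriptions of the rules that fire on one event
    return [d for d, q in parse_rules_file(rules_text) if evaluate(parse_query(q), event)]
# Constructed sample in the generated-file layout, plus one constructed process event.
SAMPLE_RULES = """-- Looks for suspicious process tree associated with malicious library
(SrcProcParentName In Contains ("wscript.exe")) and (TgtProcName In Contains Anycase ("powershell.exe"))
-- Looks for suspicious network dns associated with Generic Malware
DnsRequest in Contains ("mail.keefort.com.ec")"""
SAMPLE_EVENT = {"SrcProcParentName": "wscript.exe", "TgtProcName": "PowerShell.exe"}
```

Note that the generated rules mix plain `Contains` with `Contains Anycase`, so under this model a parent-name check without `Anycase` is case-sensitive while the child-process checks are not.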
For reference, here's how it looks after loading the query in SentinelOne for hunting: