File Analysis
The File Analysis Detector identifies malicious files on endpoints with the Taegis™ XDR Endpoint Agent. This detector generates two types of alerts: YARA Rule and Malicious File Found in Telemetry.
YARA Rule ⫘
YARA Rule alerts are triggered when a new filehash is seen in Taegis Endpoint Agent telemetry. The Taegis Endpoint Agent fetches the file from the endpoint and analyzes the file against Secureworks Counter Threat Unit™ (CTU)-curated YARA rules. If a YARA rule matches, the detector creates an alert with the rule's confidence and severity.
Note
File upload capability requires a Taegis Endpoint Agent version ≥ 1.2.
YARA Alert
Malicious File Found in Telemetry ⫘
The file analysis platform will deem files malicious and future observations of that file's filehash will generate Malicious File Found in Telemetry alerts.
Malicious File Found in Telemetry Alert
Analysis
These alerts contain the telemetry which contained the filehash.
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
Inputs ⫘
Detections are from the following normalized sources:
- Taegis Endpoint Agents telemetry where sensor_type:
ENDPOINT_TAEGIS
and sensor_version is 1.2 and greater; or files fetched from Taegis Endpoint Agents
Outputs ⫘
Alerts pushed to the XDR Alert Database and XDR Alert Triage Dashboard. These alerts have the detector name File Analysis and detector_id: app:file-analysis
.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant. Tenants can choose to opt out of file fetching for agents. Follow the instructions in Group Policies to opt out of this feature.
MITRE ATT&CK Category ⫘
Each alert is assigned based upon the YARA rule and you can check the alert for the specific mapping. Generally, they will be mapped to the following but could vary based on the YARA rule:
- MITRE Enterprise ATT&CK - Resource Development - Develop Capabilities - Malware. For more information, see MITRE Technique T1587.001.
Detector Testing ⫘
This detector does have a supported testing method.
There are two testing options for the File Analysis detector:
Option One: Execute Mimikatz on an endpoint with the Taegis Endpoint Agent that supports file analysis. The file analysis engine will only analyze a file once based on unique filehash, and this file is commonly seen by the platform. Therefore, this test will generate "Malicious file found in telemetry" alerts, which indicate the filehash was seen in telemetry. To do so:
- Download a Mimikatz archive distribution and extract the archive.
- Execute either Win32 or x64 version of mimikatz.exe.
- Exit Mimikatz. There is no need to perform any actions in Mimikatz.
After execution, you will see an alert similar to the following:
Mimikatz Alert
Option Two: Execute file with EICAR String. To do so:
- Open Windows Powershell
powershell.exe
and run the following commands to create an executable EICAR file. copy c:\Windows\system32\notepad.exe notepad2.exe
$eicar='$EICAR-STANDARD-ANTIVIRUS-TEST-FILE! ' + [guid]::NewGuid().ToString()
Add-Content -Path .\notepad2.exe -Value $eicar
- Execute
notepad2.exe
- Execute
Get-Filehash notepad2.exe
and copy the SHA256. - Perform the following XDR Advanced Search query:
@hash='REPLACE_SHA256_HERE' and Earliest = -1d
This test will result in an info level alert with title "RESEARCH: Yara rule(s) matched".
Testing - Advanced Search ⫘
The Advanced Search query to use to find File Analysis alerts is:
FROM alert WHERE metadata.creator.detector.detector_id='app:file-analysis'
References ⫘
- Schemas
FAQ ⫘
What files are fetched by Taegis Endpoint Agents? ⫘
The file analysis pipeline only analyzes a file one time. The file analysis pipeline calculates hash values for the file and tracks the file based on these hash values.
Fetch requests are sent to Taegis Endpoint Agents based on the following criteria:
-
Filehash is seen in normalized telemetry where sensor_type is
ENDPOINT_TAEGIS
. The following are common schemas that contain filehashes:process
— executed filesprocessmodule
— filehash of libraries loaded by different processes
-
The filehash has not been analyzed before
- The filehash is not on a list of known good filehashes
Is file analysis performed only on certain drives, shared drives, or directory paths? ⫘
The file path is not considered.
Does file fetch place extra burden on the endpoint? ⫘
File fetch requests are rate limited to one file per minute to prevent burdening the endpoint.
How long are fetched files retained? ⫘
The Data Retention Policy applies to fetched files.
How are retained files used? ⫘
Files are retained for future use to analyze and develop new YARA rules as new Threat Intelligence is discovered.
Are fetched files private to my tenant only? ⫘
Yes, files are private within your tenant; however, filehashes are utilized across all tenant telemetry. For example, if a file is analyzed from one tenant and YARA rules deem it malicious, then Secureworks® Taegis™ XDR will alert when that filehash is seen in another tenant's telemetry.
What file types have metadata extracted and viewable within file details? ⫘
XDR file analysis pipeline will analyze all file formats, but metadata is only available for the following file formats: PE files, ELF files, LNK files.
What data about the file is available? ⫘
See File Details.
Can I search for files fetched from my endpoints? ⫘
Search is not available at this time; however, you can search alerts by filehash or filename.
Can I download the file for offline analysis? ⫘
Download is not available at this time.
I downloaded an EICAR test file, but do not see any alerts in Taegis? ⫘
File analysis today is limited to executed files, and EICAR files are generally data at rest. The Taegis Endpoint Agent file analysis is not a replacement for anti-virus on the endpoint, and anti-virus is still required to monitor for malicious files at rest.