
File Analysis

The File Analysis Detector identifies malicious files on endpoints with the Taegis™ XDR Endpoint Agent. This detector generates two types of alerts: YARA Rule and Malicious File Found in Telemetry.

YARA Rule

YARA Rule alerts are triggered when a new filehash is seen in Taegis Endpoint Agent telemetry. The Taegis Endpoint Agent fetches the file from the endpoint and analyzes the file against Secureworks Counter Threat Unit™ (CTU)-curated YARA rules. If a YARA rule matches, the detector creates an alert with the rule's confidence and severity.

Note

File upload capability requires a Taegis Endpoint Agent version ≥ 1.2.

Figure: YARA Alert

Malicious File Found in Telemetry

When the file analysis platform deems a file malicious, every future observation of that file's filehash generates a Malicious File Found in Telemetry alert.

Figure: Malicious File Found in Telemetry Alert

Analysis

These alerts include the telemetry event in which the filehash was observed.

Requirements

This detector requires the following data sources, integrations, or schemas:

Inputs

Detections are from the following normalized sources:

Outputs

Alerts are pushed to the XDR Alert Database and the XDR Alert Triage Dashboard. These alerts carry the detector name File Analysis and detector_id: app:file-analysis.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant. Tenants can choose to opt out of file fetching for agents. Follow the instructions in Group Policies to opt out of this feature.

MITRE ATT&CK Category

Each alert's ATT&CK mapping is assigned from the matching YARA rule, so check the alert itself for its specific mapping. Alerts are generally mapped to the following, but the mapping can vary by rule:

Detector Testing

This detector does have a supported testing method.

There are two testing options for the File Analysis detector:

Option One: Execute Mimikatz on an endpoint running a Taegis Endpoint Agent that supports file analysis. The file analysis engine analyzes a file only once per unique filehash, and this file is commonly seen by the platform, so this test generates "Malicious file found in telemetry" alerts, which indicate that the filehash was seen in telemetry. To do so:

  1. Download a Mimikatz archive distribution and extract the archive.
  2. Execute either Win32 or x64 version of mimikatz.exe.
  3. Exit Mimikatz. There is no need to perform any actions in Mimikatz.

After execution, you will see an alert similar to the following:

Figure: Mimikatz Alert

Option Two: Execute a file containing the EICAR string. To do so:

  1. Open Windows PowerShell (powershell.exe) and run the following commands to create an executable EICAR test file:

     copy c:\Windows\system32\notepad.exe notepad2.exe
     $eicar='$EICAR-STANDARD-ANTIVIRUS-TEST-FILE! ' + [guid]::NewGuid().ToString()
     Add-Content -Path .\notepad2.exe -Value $eicar

  2. Execute notepad2.exe.
  3. Run Get-FileHash notepad2.exe and copy the SHA256 value.
  4. Perform the following XDR Advanced Search query, substituting the copied value:

     @hash='REPLACE_SHA256_HERE' and Earliest = -1d

This test results in an info-level alert titled "RESEARCH: Yara rule(s) matched".

The Advanced Search query to use to find File Analysis alerts is:

FROM alert WHERE metadata.creator.detector.detector_id='app:file-analysis'

References

FAQ

What files are fetched by Taegis Endpoint Agents?

The file analysis pipeline only analyzes a file one time. The file analysis pipeline calculates hash values for the file and tracks the file based on these hash values.

Fetch requests are sent to Taegis Endpoint Agents based on the following criteria:

Is file analysis performed only on certain drives, shared drives, or directory paths?

The file path is not considered.

Does file fetch place extra burden on the endpoint?

File fetch requests are rate limited to one file per minute to prevent burdening the endpoint.

How long are fetched files retained?

The Data Retention Policy applies to fetched files.

How are retained files used?

Files are retained for future use to analyze and develop new YARA rules as new Threat Intelligence is discovered.

Are fetched files private to my tenant only?

Yes, files are private within your tenant; however, filehashes are utilized across all tenant telemetry. For example, if a file is analyzed from one tenant and YARA rules deem it malicious, then Secureworks® Taegis™ XDR will alert when that filehash is seen in another tenant's telemetry.
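The alert flow described on this page (YARA Rule alerts for a newly seen hash, Malicious File Found in Telemetry alerts for every later sighting of a hash already deemed malicious, one analysis per unique filehash, fetch requests rate limited to one file per minute, and filehashes shared across tenants) can be illustrated with a small simulation. The following is an added example and not Secureworks code; the rule format, the per-endpoint scope of the rate limit, the dropping of a deferred sighting rather than queueing it, and the constructed sample files and sightings are all assumptions made for the illustration.

```python
"""Toy model of the File Analysis detector's alert flow (added example, not Secureworks code).

Assumptions taken from the page's prose: a hash is analyzed once, fetch requests go out at
most once per minute per endpoint, a YARA match raises a "YARA Rule" alert carrying the
rule's confidence and severity, and a hash once deemed malicious raises
"Malicious File Found in Telemetry" on every later sighting, in any tenant.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

FETCH_INTERVAL_SECONDS = 60  # page: file fetch is rate limited to one file per minute


@dataclass
class YaraRule:
    name: str
    needle: bytes          # stand-in for a real rule body (constructed)
    confidence: str
    severity: str


@dataclass
class Sighting:
    tenant: str
    endpoint: str
    sha256: str
    ts: int                # seconds on a constructed clock


@dataclass
class Alert:
    tenant: str
    title: str
    sha256: str
    rule: Optional[str] = None
    confidence: Optional[str] = None
    severity: Optional[str] = None


class FileAnalysisModel:
    def __init__(self, rules: List[YaraRule]) -> None:
        self.rules = rules
        self.analyzed: set = set()                        # hashes analyzed, shared across tenants
        self.malicious: Dict[str, str] = {}               # sha256 -> matching rule name
        self.last_fetch: Dict[Tuple[str, str], int] = {}  # (tenant, endpoint) -> last fetch ts

    def observe(self, s: Sighting, fetch: Callable[[str, str], bytes]) -> Tuple[str, List[Alert]]:
        """Return (action, alerts) for one telemetry sighting of a file hash."""
        # Known-bad hash: no fetch, just the telemetry alert, whichever tenant saw it.
        if s.sha256 in self.malicious:
            a = Alert(s.tenant, "Malicious File Found in Telemetry", s.sha256, rule=self.malicious[s.sha256])
            return "alert", [a]
        # Already analyzed and clean: the hash is not fetched again.
        if s.sha256 in self.analyzed:
            return "skip", []
        # New hash: honour the per-endpoint fetch rate limit (assumed scope).
        key = (s.tenant, s.endpoint)
        last = self.last_fetch.get(key)
        if last is not None and s.ts - last < FETCH_INTERVAL_SECONDS:
            return "deferred", []
        self.last_fetch[key] = s.ts
        self.analyzed.add(s.sha256)
        content = fetch(s.endpoint, s.sha256)
        for r in self.rules:
            if r.needle in content:
                self.malicious[s.sha256] = r.name
                return "fetch", [Alert(s.tenant, "YARA Rule", s.sha256, r.name, r.confidence, r.severity)]
        return "fetch", []


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_demo() -> List[Tuple[str, List[str]]]:
    """Replay constructed sightings and return (action, alert titles) for each step."""
    benign = b"MZ\x90\x00 constructed benign program"
    tagged = b"MZ\x90\x00 constructed notepad copy $EICAR-STANDARD-ANTIVIRUS-TEST-FILE! 1234"
    store = {sha256_hex(benign): benign, sha256_hex(tagged): tagged}  # stand-in for endpoint fetches
    rules = [YaraRule("RESEARCH: EICAR marker (constructed rule)", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "low", "info")]
    model = FileAnalysisModel(rules)
    h_benign, h_tagged = sha256_hex(benign), sha256_hex(tagged)
    sightings = [
        Sighting("tenant-a", "host-1", h_benign, 0),    # new hash: fetched, clean, no alert
        Sighting("tenant-a", "host-1", h_tagged, 10),   # new hash, inside the 60 s window: deferred
        Sighting("tenant-a", "host-1", h_tagged, 70),   # window elapsed: fetched, YARA match
        Sighting("tenant-b", "host-9", h_tagged, 80),   # other tenant, known-bad hash: telemetry alert
        Sighting("tenant-a", "host-2", h_benign, 90),   # analyzed once already: skipped
    ]
    out = []
    for s in sightings:
        action, alerts = model.observe(s, lambda endpoint, h: store[h])
        out.append((action, [a.title for a in alerts]))
    return out


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

The fourth sighting is the cross-tenant case from the FAQ: tenant-b never uploads the file, yet its telemetry raises the Malicious File Found in Telemetry alert because the hash was already deemed malicious from tenant-a's analysis.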

What file types have metadata extracted and viewable within file details?

The XDR file analysis pipeline analyzes all file formats, but extracted metadata is available only for the following formats: PE files, ELF files, and LNK files.

What data about the file is available?

See File Details.

Can I search for files fetched from my endpoints?

Search is not available at this time; however, you can search alerts by filehash or filename.

Can I download the file for offline analysis?

Download is not available at this time.

I downloaded an EICAR test file but do not see any alerts in Taegis. Why?

File analysis today is limited to executed files, and EICAR files are generally data at rest. The Taegis Endpoint Agent file analysis is not a replacement for anti-virus on the endpoint, and anti-virus is still required to monitor for malicious files at rest.
