4. FileScan
Events reported by the FileScan module typically originate from the file system scan. Due to the "Message Enrichment" feature, however, other modules whose events include full "file path" strings may also produce events of this type (e.g. the SHIMCache and Eventlog modules).
Filescan events are rich in attributes and extra information.
4.1. Sample
Dec 2 19:29:43 PROMETHEUS/10.0.2.4
THOR: Notice: MODULE: Filescan
MESSAGE: Suspicious file found
FILE: C:\Program Files (x86)\HaoZip\HaoZipExt64.dll
SCORE: 54
MD5: 60873d6560b29bdb30235e05eda97539
SHA1: d312157d7c890a68eed85c5a2fd17fdfe6defa87
OWNER: BUILTIN\Administrators
SIZE: 513800
TYPE: EXE
FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
COMPANY: ACME
DESC: 2345-Windows
CREATED: Thu Jul 26 05:20:04 2012
MODIFIED: Thu Jul 26 05:20:04 2012
ACCESSED: Fri Sep 20 12:47:39 2013
REASON_1: Haozip_SFX / Haozip SFX Compressed Executable
Score: +50
Trigger: Specific Rule Value:
Str1: release\pdb\HaoZip
4.2. Typical False Positives
- Legitimate files matching a filename regular expression IOC
- YARA rules matching THOR reports or clear-text signatures from former scans that have been left on the system
- Dual use tools used by administration (e.g. nmap.exe, ncat.exe)
- Legitimate tools moved to the Recycle Bin and therefore detected with a wrong name (e.g. Psexec as $IR4HB6A.exe)
- Legitimate but very old files that trigger the file size anomaly
- Old and rare versions of legitimate programs that trigger the file signature anomalies (this often happens with javaw.exe / java.exe)
4.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
FILE | See chapter File Path Checks | | |
MD5/SHA1/SHA256 | See chapter Hash Checks for generic checks on hashes | | |
SIZE | Is the file size 0 bytes? (Probably reset by AV due to a detected infection) | Yes | Good | High
FIRSTBYTES | Do the first bytes contain words in native language - e.g. | Yes | Good | High
FIRSTBYTES | Do the first 20 bytes already contain executables or command line tools - e.g. | Yes | Bad | Medium
OWNER | Is the owner of the file a typical user account - e.g. | Yes | Good | Low
OWNER | Is the owner of the file | Yes | |
OWNER | Does the owner string of the file contain | Yes | Bad | Medium
TYPE | Does the type match the extension? | No | Bad | Low
TYPE | Is the type EXE and the extension a benign looking one - e.g. | Yes | Bad | Medium
COMPANY | Does the company string from the PE header match the expected values - e.g. | No | Bad | Medium
DESC | Does the description string from the PE header match the expected values - e.g. | No | Bad | Low
CREATED/MODIFIED | Has the file been created very far in the past - e.g. time stamp shows 2021 and older | Yes | Good | Low
CREATED/MODIFIED | Has the file been modified on a Sunday? (does not apply to regions where admins work on a Sunday, for example) | Yes | Bad | Medium
4.4. Typical REASONs
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
REASON_1 | Is the only REASON a file name pattern match (prone to false positives)? | Yes | Good | Low
REASON_2 | Is the file located in a personal user folder and does it look like the user changed the extension to avoid certain filter mechanisms - e.g. | Yes | Good | Medium
... | Does the REASON field report a file anomaly and is the file located in a backup folder from a very old version of Windows (or maybe an outdated version of the original program) - e.g. | Yes | Good | Medium
 | Does the REASON report a suspicious, unsigned javaw.exe and is that file located in a folder of a software product (Rule: Javaws_Not_Verisign) - e.g. | Yes | Good | Medium
 | Rule starts with | Yes | Good | Medium
 | Does the rule match on a hack tool which is installed in a typical location on disk or in a backup location - e.g. | Yes | Good | Medium
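The following script is an added example and not code from the THOR manual or from THOR itself. It parses a FileScan event of the form shown in section 4.1 into its attributes and then applies the attribute checks of section 4.3 and the REASON checks of section 4.4 as a first triage pass, returning each finding with the table's Indication and Weight. The extension sets, command-line-tool tokens, account names, path patterns and the assumed wording of a file name IOC reason are constructed assumptions, because the manual's own "e.g." examples are not reproduced on this page; the second event below is likewise constructed.

```python
import re
from datetime import datetime

# Added example, not code from the THOR manual or from THOR itself: parse a FileScan event
# into its attributes and apply the attribute checks of section 4.3 and the REASON checks of
# section 4.4 as a first triage pass. The keyword lists and path patterns are constructed
# assumptions (the manual's own "e.g." examples are not on this page); tune them per environment.

# "KEY: value" pairs; a value runs until the next all-caps key or the end of the event.
KEY_RE = re.compile(r"\b([A-Z][A-Z0-9_]*): (.*?)(?=\s[A-Z][A-Z0-9_]*: |\Z)")
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}            # expected for TYPE EXE (assumption)
BENIGN_EXTENSIONS = {"txt", "log", "jpg", "png", "gif", "pdf", "doc", "dat"}  # "benign looking" (assumption)
TOOL_TOKENS = (".exe", "cmd", "powershell", "wscript", "rundll32")            # command-line tools (assumption)
SYSTEM_ACCOUNTS = {"administrator", "administrators", "system", "trustedinstaller"}
WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

def parse_event(text):
    """Turn a single- or multi-line FileScan event into a dict of KEY -> value."""
    line = " ".join(part.strip() for part in text.strip().splitlines())
    return {key: value.strip() for key, value in KEY_RE.findall(line)}

def extension_of(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def firstbytes_text(value):
    """Decode the hex part of FIRSTBYTES; '' unless the first 20 bytes are printable ASCII."""
    try:
        raw = bytes.fromhex(value.split(" / ", 1)[0])[:20].decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""
    return raw if all(c.isprintable() or c in "\r\n\t" for c in raw) else ""

def triage(event, cutoff_year=2021):
    """Apply the 4.3/4.4 checks. Returns (findings, net): a finding is (attribute, note, indication,
    weight); Bad weights add to net and Good weights subtract from it, so net > 0 is more suspicious."""
    findings = []
    path = event.get("FILE", "")
    ext = extension_of(path)
    is_exe = event.get("TYPE", "").upper() == "EXE"
    if event.get("SIZE") == "0":
        findings.append(("SIZE", "0-byte file, probably reset by AV", "Good", "High"))
    text = firstbytes_text(event.get("FIRSTBYTES", "")).lower()
    if any(tok in text for tok in TOOL_TOKENS):
        findings.append(("FIRSTBYTES", "names executables or command-line tools", "Bad", "Medium"))
    elif text and sum(c.isalpha() or c == " " for c in text) / len(text) >= 0.7:
        findings.append(("FIRSTBYTES", "reads like natural-language text", "Good", "High"))
    domain, _, account = event.get("OWNER", "").rpartition("\\")
    if (account and domain.upper() not in ("BUILTIN", "NT AUTHORITY", "NT SERVICE")
            and account.lower() not in SYSTEM_ACCOUNTS):
        findings.append(("OWNER", "owned by a typical user account", "Good", "Low"))
    if is_exe and ext in BENIGN_EXTENSIONS:
        findings.append(("TYPE", f"EXE behind benign-looking extension .{ext}", "Bad", "Medium"))
    elif is_exe and ext and ext not in PE_EXTENSIONS:
        findings.append(("TYPE", f"EXE does not match extension .{ext}", "Bad", "Low"))
    stamps = {}
    for key in ("CREATED", "MODIFIED"):
        try:
            stamps[key] = datetime.strptime(event[key], "%a %b %d %H:%M:%S %Y")
        except (KeyError, ValueError):
            pass
    if "CREATED" in stamps and stamps["CREATED"].year <= cutoff_year:
        findings.append(("CREATED", "created far in the past", "Good", "Low"))
    if "MODIFIED" in stamps and stamps["MODIFIED"].weekday() == 6:
        findings.append(("MODIFIED", "modified on a Sunday", "Bad", "Medium"))
    reasons = [v for k, v in event.items() if k.startswith("REASON_")]
    if len(reasons) == 1 and re.search(r"file ?name", reasons[0], re.I):  # reason wording assumed
        findings.append(("REASON_1", "only reason is a file name pattern match", "Good", "Low"))
    in_user_folder = "\\users\\" in path.lower() or "\\documents and settings\\" in path.lower()
    if in_user_folder and is_exe and ext and ext not in PE_EXTENSIONS:
        findings.append(("REASON", "user folder, extension probably changed by the user", "Good", "Medium"))
    net = sum(WEIGHT[w] if ind == "Bad" else -WEIGHT[w] for _, _, ind, w in findings)
    return findings, net

# The manual's sample event from section 4.1, trimmed to the fields the checks use.
SAMPLE_EVENT = """Dec 2 19:29:43 PROMETHEUS/10.0.2.4
THOR: Notice: MODULE: Filescan
FILE: C:\\Program Files (x86)\\HaoZip\\HaoZipExt64.dll
SCORE: 54
OWNER: BUILTIN\\Administrators
SIZE: 513800
TYPE: EXE
FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED: Thu Jul 26 05:20:04 2012
MODIFIED: Thu Jul 26 05:20:04 2012
REASON_1: Haozip_SFX / Haozip SFX Compressed Executable Score: +50 Trigger: Specific Rule Value: Str1: release\\pdb\\HaoZip"""

# Constructed event (not from the manual): a PE image renamed to .txt in a user's download folder.
CONSTRUCTED_EVENT = """Mar 12 15:00:01 WORKSTATION7/10.0.2.9
THOR: Notice: MODULE: Filescan
FILE: C:\\Users\\bob\\Downloads\\invoice.txt
OWNER: CORP\\bob
SIZE: 4096
TYPE: EXE
FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
CREATED: Sun Mar 12 14:02:11 2023
MODIFIED: Sun Mar 12 14:02:11 2023
REASON_1: Filename IOC matched (constructed example)"""

if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, CONSTRUCTED_EVENT):
        findings, net = triage(parse_event(raw))
        print(f"net={net:+d} findings={findings}")
```

For the manual's sample the only finding is the 2012 creation time (Good/Low, net -1); for the constructed event the typical user owner, the file name IOC reason and the user-folder location pull the net down while the benign-looking extension and the Sunday modification push it up, ending at 0. The net value is only a starting point for the analyst; the two "e.g." rows whose examples are missing on this page (COMPANY and DESC) are not implemented, since any expected values would have to come from your own baseline.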