Closed: yassinrais closed this issue 5 months ago
When the user is browsing a file object in the UI and goes into one of the menus that involve dynamic analysis, a default behavior report ID is available in the file object at the field named:

```json
"default_behavior_id": "18c612a2-9805-48a4-b38e-40465d4f17ab",
```

`behavior_report_id` is now available in `summary/` for your convenience.

Use the file hash SHA256: b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801 when working on this issue.
`GET /v1/behaviors/<guid>/fields=proc_tree`.

This will return a list of all processes related to that dynamic analysis. Example:
```json
{
  "proc_tree": [
    {
      "detection": "",
      "file_type": "exe",
      "parent_link": "root",
      "parent_pid": "0x0",
      "path": "C:\\Users\\saferwall\\Downloads\\patronised.exe",
      "pid": "0xb90",
      "proc_name": "C:\\Users\\saferwall\\Downloads\\patronised.exe"
    }
  ]
}
```
`GET /v1/behaviors/<guid>/sys-events?pid=0xb90`

This returns a paginated list of sys-events objects. Each object looks like this:
```json
{
  "page": 1,
  "per_page": 100,
  "page_count": 10,
  "total_count": 997,
  "items": [
    {
      "op": "create",
      "path": "C:\\Windows\\system32\\msiexec.exe",
      "pid": "0xb90",
      "type": "file"
    },
    {
      "op": "create",
      "path": "C:\\ProgramData\\rdpclient.exe",
      "pid": "0xb90",
      "type": "file"
    },
    {
      "op": "create",
      "path": "C:\\Boot\\memtest.exe",
      "pid": "0xb90",
      "type": "file"
    },
    {
      "op": "create",
      "path": "C:\\Program Files\\7-Zip\\7z.exe",
      "pid": "0xb90",
      "type": "file"
    },
    {
      "op": "create",
      "path": "C:\\$Recycle.Bin\\S-1-5-21-2330711508-101187315-1671589219-1000\\RESTORE_FILES.txt",
      "pid": "0xb90",
      "type": "file"
    }
  ]
}
```
In our UI, we always display system events for a given process ID because of the tree structure, so use:

`GET /v1/behaviors/<guid>/sys-events?pid=0x465`

You can also filter by event type using:

`GET /v1/behaviors/<guid>/sys-events?type=file&pid=0xb90`
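As an added example (not saferwall's own code), the client-side handling the endpoints above imply: index the flat `proc_tree` by `parent_pid` so it can be walked as a tree, build the `sys-events` query string from the `pid` and `type` filters, and page through the `page`/`page_count` envelope. The response bodies below are constructed samples in the shapes shown in this issue, and the page fetcher is injected so the block runs offline without an HTTP client.

```python
from __future__ import annotations
from typing import Callable, Iterator

# Constructed sample data mirroring the issue's response shapes (not a real API response).
PROC_TREE_SAMPLE = {"proc_tree": [
    {"pid": "0xb90", "parent_pid": "0x0", "parent_link": "root",
     "path": "C:\\Users\\saferwall\\Downloads\\patronised.exe"},
    {"pid": "0x465", "parent_pid": "0xb90", "parent_link": "0xb90",
     "path": "C:\\Windows\\system32\\msiexec.exe"},
]}
SYS_EVENT_PAGES = {
    1: {"page": 1, "per_page": 2, "page_count": 2, "total_count": 3, "items": [
        {"op": "create", "path": "C:\\Windows\\system32\\msiexec.exe", "pid": "0xb90", "type": "file"},
        {"op": "create", "path": "C:\\ProgramData\\rdpclient.exe", "pid": "0xb90", "type": "file"}]},
    2: {"page": 2, "per_page": 2, "page_count": 2, "total_count": 3, "items": [
        {"op": "create", "path": "HKCU\\Software\\Example", "pid": "0xb90", "type": "registry"}]},
}


def children_by_parent(proc_tree: list[dict]) -> dict[str, list[str]]:
    """Index the flat proc_tree list by parent_pid so the UI can walk it top-down from 0x0."""
    tree: dict[str, list[str]] = {}
    for proc in proc_tree:
        tree.setdefault(proc["parent_pid"], []).append(proc["pid"])
    return tree


def sys_events_path(guid: str, pid: str | None = None, event_type: str | None = None) -> str:
    """Build /v1/behaviors/<guid>/sys-events with only the filters that were given."""
    params = {"pid": pid, "type": event_type}
    query = "&".join(f"{k}={v}" for k, v in params.items() if v)
    return f"/v1/behaviors/{guid}/sys-events" + (f"?{query}" if query else "")


def iter_sys_events(fetch_page: Callable[[int], dict]) -> Iterator[dict]:
    """Yield every item across all pages, stopping when page reaches page_count."""
    page = 1
    while True:
        body = fetch_page(page)
        yield from body["items"]
        if page >= body["page_count"]:
            return
        page += 1


def created_file_paths(events: list[dict], pid: str) -> list[str]:
    """Paths of files the given process created, i.e. what the UI's file tab would list."""
    return [e["path"] for e in events
            if e["pid"] == pid and e["type"] == "file" and e["op"] == "create"]
```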
This looks ready @yassinrais, shall we close this?
I'll fix a bug in the dynamic overview and close it afterwards :)
Example Hash: b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801