BinLib
- 10 Dec 2024
- 4 Minutes to read
- Contributors
- Print
- Dark
BinLib
- Updated on 10 Dec 2024
- 4 Minutes to read
- Contributors
- Print
- Dark
Article summary
Did you find this summary helpful?
Thank you for your feedback
Binary Library, or "BinLib", is a collection of executable binaries, such as EXE or ELF, files that have been observed within your environment. If enabled, this Extension helps you build your own private collection of observed executables for subsequent analysis and searching.
When LimaCharlie observes a binary and path for the first time, a CODE_IDENTITY event is generated. The metadata from this event is stored within binlib, and is available for searching, tagging, and downloading. Additionally, you can run YARA scans against observed binaries.
Enabling BinLib
BinLib requires subscribing to the ext-reliable-tasking Extension in order to function properly. This can be enabled in the Add-ons marketplace.
BinLib can be a powerful additional to your detection and response capabilities. Analysts can:
Look for historical evidence of malicious binaries
Tag previously-observed files for data enrichment (i.e. MITRE ATT&CK Techniques)
Compare observed hashes to known good or known bad lists
YARA scan and auto-tag for integration in detection & response rules
Usage
First, subscribe your tenant to the BinLib extension.
To perform one of the following operations against your own library, choose the command and select 'Run Request'.
The BinLib page in the web app offers an easy way to get started with some of the core requests exposed by the extension: Check Hash, Search, and Yara Scan.
check_hash
Accepted Values: MD5, SHA1, SHA256
The check_hash operation lets you search to see if a particular hash has been observed in your Organization. Output includes a Boolean if the hash was found and three hash values, if available.
Sample Output:
get_hash_data
Accepted Values: MD5, SHA1, SHA256
Careful Downloading Binaries
LimaCharlie does not filter the binaries observed by your organization. You must exercise caution if downloading a malicious file. We recommend downloading potential malicious binaries to an isolated analysis system.
The get_hash_data operation provides a link to the raw data for the hash of interest, allowing you to download the resulting binary file (if previously observed within your environment).
Sample Output:
get_hash_metadata
Accepted Values: MD5, SHA1, SHA256
The get_hash_metadata operation obtains the metadata for a hash of interest, including signing details, file type, and additional hashes.
search
The search operation searches the library for binary data points, including or other than a known hash. Searchable fields include:
imp_hash
res_company_name
res_file_description
res_product_name
sha256
sig_authentihash
sig_hash
sig_issuer
sig_subject
size
type
Note that search criteria are ANDed. Binaries must meet ALL criteria to be returned.
Search results can be downloaded as a CSV.
tag
The tag operation allows you to add tag(s) to a hash, allowing for additional classification within binlib.
The below example Tags the Google Installer with the google tag.
Successful tagging yields an updated event:
untag
The untag operation removes a tag from a binary.
YARA scan
The yara_scan operation lets you run YARA scans across observed files. Scans require:
Criteria or hash to filter files to be scanned
Rule name(s) or rule(s)
You also have the option to tag hits on match.
Note that search criteria are ANDed. Binaries must meet ALL criteria to be returned.
Automating
Here are some examples of useful D&R rules that could be used to automate interactions with Binlib.
Scan all acquired files with Yara
This rule will automatically scan all acquired files in binlib with a Yara rule:
and this rule will alert on matches:
Was this article helpful?
