Get better threat intelligence with Metadata Searching in PolySwarm

Metadata can provide useful intelligence about the attributes, content, and functionality of an artifact (file, URL, etc.), giving malware analysts a foundation for understanding potential threats. Tools to support efficient malware analysis can be the difference between 15 minutes vs. 15 hours to triage and analyze a suspect artifact.

PolySwarm users - at any level, including the free Community plan - can now perform keyword searches through all the metadata PolySwarm has collected about every artifact, making it easier for researchers and incident response teams to find relationships between artifacts and gain useful insights.

In the PolySwarm ecosystem, we are ingesting huge amounts of file sets, all analyzed by a network of crowdsourced malware scanning tools from around the world. Beyond volume, PolySwarm offers unique, specialized engines, helping to detect zero-days and other harder-to-detect malware. By combining protection from all participating anti-malware engines with diverse domains of expertise, and economically rewarding accuracy of threat detection, PolySwarm provides broader, more accurate, and up-to-date protection.

Try PolySwarm Metadata Searching now at polyswarm.network

How to use Metadata Searching in PolySwarm:

All artifacts submitted to the marketplace are processed by our metadata analyzers. (The results of those analyzers can be viewed on the File Details tab on the Scan Results page if you are using the PolySwarm UI. If you are using the PolySwarm CLI tools, you’ll see all of the metadata in the JSON scan result object.)

Because of that first step and what we are announcing with this blog post, we now support the ability to search all of that metadata using elsaticsearch queries. (The full list of supported search keywords is available in our PolySwarm API/CLI documentation. To perform metadata searches in PolySwarm, we support the same functionality via both the PolySwarm UI and the PolySwarm CLI and API tools.)

In the PolySwarm UI, a metadata search can be entered in the main search box on the Scan page.

Or, users can go directly to the Search page and use the Metadata Searching tab to perform queries. Regardless of which location a user enters a search query, the search results are displayed on the Metadata Searching tab.

In the PolySwarm CLI, a metadata search can be entered using the 'search metadata' arguments.

$ polyswarm -o /tmp/test.txt search metadata "strings.domains:en.wikipedia.org AND exiftool.ZipFileName:AndroidManifest.xml AND exiftool.ZipRequiredVersion:>19"
$ cat /tmp/test.txt | more
Found 18 matches to the search query.
Search results for {'query': {'query_string': {'query': 'strings.domains:en.wikipedia.org AND exiftool.ZipFileName:AndroidManifest.xml AND exiftool.ZipRequiredVersion:>19'}}}
File 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b
File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b
	SHA1: 76f5b2c6abbd6b30dc00fbe797001bf7247f423b
	MD5: 12a1028e90696d9f3926ac3ab150950c
	First seen: Sun, 24 Mar 2019 15:27:32 GMT
	Observed countries: 
	Observed filenames: 1d38780c2327086816d0a87d878d57b943d6ad5109b9389b5d5ffe3f9065698b


File d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9
	File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9
	SHA1: a5b267cd66d0da885d252b279d28cb887f8b901c
	MD5: bb0dd7f93ef2eaacfde18d07909fac0b
	First seen: Sun, 31 Mar 2019 08:58:17 GMT
	Observed countries: 
	Observed filenames: d8e6ac2884597021479796d252fcd61dbbfd71f7c07af54d71478af377e0bfb9


File 041044068eb8295a4d80786c3f55c77c641b6f3eb33187bbf504aa923ec5db78
	File type: mimetype: application/java-archive, extended_info: Java archive data (JAR)
	SHA256: 041044068eb8295a4d80786c3f55c77c641b6f3eb33187bbf504aa923ec5db78
	SHA1: 5ab68f339ddf9d8701d2c3947cc0596652b92cb0
	MD5: c93a8476c16cc7e044be305b71fe1b1f
	First seen: Wed, 27 Mar 2019 07:02:24 GMT
	Observed countries: 
--More--
  

Using the optional “-o /tmp/test.txt” argument, we are writing the output of the command to a text file for easy reading.

(Check out an example of PolySwarm Threat Hunting and Metadata Searching in action hunting a recent zero-day.)

***

Yes, there are other scanning aggregators out there that provide metadata searches, but PolySwarm is different in that it has a number of unique and specialized scanning engines, plus it provides more in-depth data that you won’t see aggregated in one place.

Many research tools are slow or are missing the multiple sources of data to be accurate and effective. This leads to false positives, incorrect analysis, and just bad data.

PolySwarm delivers a novel approach to threat analysis. Using PolySwarm is easy. Simply set up an account and get started!