Hawk Eye Analysis Tool (Formerly Orion Malware Cleaner)- by Trident [Deleted]

Status
Not open for further replies.
Botnet Detection in action (specially crafted files for testing purposes of the UI)

 
The following anti-bot heuristics have been implemented, in addition to the updatable database.


Orion:Botnet.NetSupport!AWS_C2_P1024,"A program is talking to Amazon's cloud servers in a way that is a known calling card for a specific malicious tool.","High"

Orion:Botnet.NetSupport!AWS_C2_P20548,"A program is talking to Amazon's cloud servers in a way that is a known calling card for a specific malicious tool.","High"

Orion:Botnet.Remcos!Primary_C2_P8780,"A connection is being made to a specific ""address number"" (port) commonly used by a known remote access trojan.","High"

Orion:Botnet.AsyncRAT!Primary_C2_P8848,"A program is connecting to a known hideout (port/provider) used by a specific piece of spyware.","High"

Orion:C2.Exfil!Telegram,"A program that isn't the official Telegram app is trying to talk to Telegram's servers, a sneaky way to steal data.","High"

Orion:Payload.ClearFake!Domain_Pattern_RU,"A connection is being made to a web address that follows a pattern used by a known malware delivery network.","High"

Orion:Botnet.XWorm!Primary_C2_P9990,"A program is connecting to a specific ""address number"" (port) that a particular type of malware uses to get its instructions.","High"

Orion:Botnet.QuasarRAT!Primary_C2_P5552,"A connection to a default ""address number"" (port) used by a well-known remote access tool.","High"

Orion:Botnet.NjRAT!Primary_C2_P6606,"A program is connecting to an ""address number"" (port) that a specific, nasty remote access trojan favors.","High"

Orion:Botnet.CobaltStrike!DigitalOcean_Beacon,"A system utility is talking to a specific cloud provider in a way that strongly suggests a sophisticated hacking tool is at play.","High"

Orion:Botnet.Sliver!AWS_Beacon,"A program is talking to Amazon's cloud servers in a way that is a known calling card for a specific malicious tool.","High"

Orion:Botnet.AsyncRAT!Secondary_C2_P*,"A program is connecting to a known hideout (port/provider) used by a specific piece of spyware.","High"

Orion:Botnet.XWorm!Secondary_C2_P7777,"A program is connecting to a specific ""address number"" (port) that a particular type of malware uses to get its instructions.","High"

Orion:Botnet.Remcos!Contabo_C2,"A connection is made to a known bad neighborhood (hosting provider and port) frequently used by a specific remote access trojan.","High"

Orion:Botnet.AsyncRAT!DigitalOcean_C2,"A program is connecting to a known hideout (port/provider) used by a specific piece of spyware.","High"

Orion:NetworkHeur!UnexpectedProcess_Calc,"A very simple program that should never use the internet (like Calculator) is suddenly making a network connection.","High"

Orion:NetworkHeur!UnexpectedProcess_Notepad,"A very simple program that should never use the internet (like Notepad) is suddenly making a network connection.","High"

Orion:NetworkHeur!UnexpectedProcess_LSASS,"A core security process is talking to a non-Microsoft server, which looks a lot like it's leaking passwords.","High"

Orion:NetworkHeur!AbusedService_Pastebin,"A system process is connecting to a file/text sharing site, a common technique for retrieving payloads.","High"

Orion:NetworkHeur!AbusedService_Discord,"A system process is connecting to Discord's file servers, a known malware hosting technique.","High"

Orion:NetworkHeur!AbusedService_Ngrok,"A connection is detected using a service (Ngrok) that's often used by attackers to sneakily tunnel back into a network.","High"

Orion:NetworkHeur!UnexpectedProcess_Spoolsv,"A core Windows component (like the Print Spooler) that should never connect to the internet is making an external connection.","High"

Orion:NetworkHeur!AnomalousProcess_DNSEdge,"Your own secure DNS client is observed trying to communicate with an unknown, non-approved server.","High"

Orion:NetworkHeur!UnexpectedProcess_*,"A core Windows component that should not make network connections is doing so, indicating process injection or abuse.","High"

Orion:NetworkHeur!UnexpectedProcess_Rundll32,"A core Windows utility is making a direct, non-Microsoft external connection, a common malware TTP.","High"

Orion:NetworkHeur!KnownRAT_Port_P31337,"A connection is being made to a very old and infamous ""hacker port number"".","High"

Orion:NetworkHeur!AnomalousProcess_*,"A specific system tool is being used to make a network connection, likely to download a payload.","High"

Orion:NetworkHeur!DirectToIP,"A program is trying to connect to a raw internet address number instead of a normal website name, which is often shady.","High"

Orion:NetworkHeur!HighEntropyDomain,"A device is trying to contact a website with a name that looks like complete gibberish, suggesting it was randomly generated by malware.","Medium"

Orion:NetworkHeur!AbusedTLD_Connection,"A connection is being made to a website ending in a less-common suffix (like `.xyz` or `.club`) that is known to be popular with criminals.","Medium"

Orion:NetworkHeur!SuspiciousHostingASN_Vultr,"A program is communicating with a hosting provider that, while legitimate, is known to be frequently abused by malware authors.","Medium"

Orion:NetworkHeur!KnownRAT_Port_P*,"A connection is made using a port number that is commonly, though not exclusively, associated with various remote access trojans.","Medium"

Orion:NetworkHeur!UnexpectedProcess_Explorer,"The main Windows user interface (File Explorer) is making a connection to a random, non-Microsoft server, which is out of character.","Medium"
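As an added illustration (not the tool's own code), here is how outbound connection records could be checked against NetworkHeur-style rules like the ones above. The process list, port sets, entropy threshold and record layout are all assumptions made for this example.

```python
import math
from collections import Counter
from ipaddress import ip_address

# Constructed illustration of evaluating NetworkHeur-style rules over outbound connection
# records. Lists, thresholds and the record layout are assumptions, not the tool's own.
NEVER_NETWORK = {"calc.exe": "Calc", "notepad.exe": "Notepad", "spoolsv.exe": "Spoolsv"}
OTHER_RAT_PORTS = {4444, 5555}  # assumed sample values for the KnownRAT_Port_P* rule
ABUSED_TLDS = {"xyz", "club"}   # the suffixes the ruleset names
ENTROPY_BITS = 3.7              # assumed per-character threshold for "gibberish" names
MIN_LABEL_LEN = 12              # assumed: shorter names have too few symbols to judge

def shannon_entropy(text):
    """Bits per character; a flat symbol distribution scores highest."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def evaluate(record):
    """Return [(detection name, severity), ...] for one connection record."""
    proc, host, port = record["process"].lower(), record["host"].lower(), record["port"]
    hits = []
    if proc in NEVER_NETWORK:  # UnexpectedProcess_*: programs that never need the network
        hits.append((f"Orion:NetworkHeur!UnexpectedProcess_{NEVER_NETWORK[proc]}", "High"))
    if port == 31337:          # the infamous port gets its own High-severity rule
        hits.append(("Orion:NetworkHeur!KnownRAT_Port_P31337", "High"))
    elif port in OTHER_RAT_PORTS:
        hits.append((f"Orion:NetworkHeur!KnownRAT_Port_P{port}", "Medium"))
    if is_raw_ip(host):        # DirectToIP: no hostname at all
        hits.append(("Orion:NetworkHeur!DirectToIP", "High"))
    else:
        labels = host.split(".")
        registrable = labels[-2] if len(labels) >= 2 else labels[0]
        if labels[-1] in ABUSED_TLDS:
            hits.append(("Orion:NetworkHeur!AbusedTLD_Connection", "Medium"))
        if len(registrable) >= MIN_LABEL_LEN and shannon_entropy(registrable) > ENTROPY_BITS:
            hits.append(("Orion:NetworkHeur!HighEntropyDomain", "Medium"))
    return hits

SAMPLE_RECORDS = [  # constructed records; 203.0.113.0/24 is a documentation range
    {"process": "calc.exe", "host": "203.0.113.10", "port": 31337},
    {"process": "chrome.exe", "host": "login.microsoftonline.com", "port": 443},
    {"process": "svchost.exe", "host": "xk7qz9vbn3lpw2.xyz", "port": 4444},
]
```

Running `evaluate` over `SAMPLE_RECORDS` flags the Calculator-to-raw-IP record three times and leaves the Microsoft sign-in record clean. Entropy alone is a noisy signal, so a production rule would pair it with allow-lists of known-good domains.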
 
The rules are clear, actionable, and cover a significant range of common to sophisticated attacker Tactics, Techniques, and Procedures (TTPs).

The strength of this ruleset lies in its blend of high-fidelity, threat-specific indicators and more general, resilient behavioral patterns.

This is an excellent foundation.
 
News on Orion and Analyse it!

The platforms and the tool will be renamed as follows:

Online analysis platform:
Old name - Analyse it!
New name - Hawk Eye Analysis Platform (HEAP)
Website: hea-p.com

Windows Malware Cleaner:
Old name - Orion Malware Cleaner (OMC)
New name - Hawk Eye Analysis Tool (HEAT)

Domains:
For the platform: hea-p.com (just purchased, don’t try yet)
For the tool - win.hea-p.com
Workers: logic.hea-p.com
Short for hawk eye analysis - platform .com (hea-p.com)

Engines:
Local engine: remains Orion
Online engine: OrionCloud

The domain is operated by Cloudflare (just like the workers).

These changes will not affect the quality of the tools; they will add branding and distinction. I will design the logos soon.
 
Trident updated Orion Malware Cleaner - by Trident with a new update entry:

Hawk Eye Analysis Tool (Formerly Orion Malware Cleaner)

This version brings the following changes:

+Rebranding: Orion Malware Cleaner has been fully rebranded to Hawk Eye Analysis Tool.
+New DynaTune heuristic system for botnet activity detection.
Detections by Dynatune look like Orion:Botnet_Dynatune!<something>
+VirusTotal links added for files and URLs for easy lookup.*
+Implemented user exclusions system
+Other updates and bug fixes

 
Following the rebranding of the tool to HEAT, the Orion engine will be renamed to Helios (god of the sun). This is better connected to HEAT. Still remains somewhat similar.

Orion seems to be a bit overused in the tech world.

All detection prefixes will be updated accordingly.
 
Helios makes sundials in Deutschland -- I have one, very accurate, within 15 to 30 seconds!
 
PS I tried the Orion script the other day and it balked with my PowerShell 5 -- ChatGPT said it needed PS7, which IIRC @Trident confirmed...
Yes. The multi-threading is not supported on PowerShell 5. I’ve already created a bootstrapper which is expected in Heat 2.0.

In version 2.0 no downloads will be required, the script will execute with a single line copy/pasted on PowerShell and the UI will be synced with the backend in real time (no remediation files).

The scan process will be tracked on the UI and not in PowerShell.
 
High commendations on a fine creation. It has definitely surpassed expectations to date and then some.

Very imaginative sequence for an analysis tool which covers the bases (or should one say vectors).
 