APT Tools

5 automated security scanners

Purpose: The Firmware Implant Detection Scanner is designed to identify modifications to UEFI/BIOS firmware and persistent code implants that could indicate advanced persistent threats (APTs) or unauthorized access attempts. This tool aims to provide insights into potential security breaches, aiding in the detection of malicious activities within a system’s firmware and underlying software components.

What It Detects:

  • UEFI/BIOS Modification Indicators: The scanner searches for patterns indicating that the UEFI or BIOS firmware has been compromised, such as indications of “UEFI compromised” or “BIOS tampering detected.” It also identifies signs of firmware corruption or unexpected changes in the boot process.
  • Persistent Code Implants: It looks for indicators of persistent malware, including detection of rootkits installed or malicious persistence mechanisms identified as “rootkit installed” or “malware persistence mechanism.” The scanner also detects patterns related to code injection into system firmware, such as indications of “code injected into BIOS.”
  • Threat Intelligence Feeds Analysis: The tool utilizes the Shodan API to search for exposed services and vulnerabilities, while leveraging the VirusTotal API to assess domain/IP reputation for known malicious activities. Additionally, it cross-references findings with CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • Dark Web and AbuseIPDB Monitoring: The scanner monitors dark web sources for any mentions of targeted domain or IP addresses and uses AbuseIPDB to check for malicious activities associated with the domain’s IP address.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)

Business Impact: This scanner is crucial for organizations aiming to maintain the integrity of their firmware and prevent unauthorized access or advanced persistent threats. By detecting modifications and implants, it helps in mitigating potential risks associated with compromised systems, safeguarding sensitive information, and maintaining regulatory compliance.

Risk Levels:

  • Critical: Conditions that directly indicate a severe vulnerability leading to immediate risk of data breach or system compromise.
  • High: Conditions indicating significant vulnerabilities that could be exploited by malicious actors but may require further investigation for full impact assessment.
  • Medium: Conditions suggesting potential risks that need careful monitoring and mitigation strategies.
  • Low: Informational findings that do not pose an immediate threat but should still be monitored for trends or future risk assessments.
  • Info: Non-critical information that provides context but does not directly indicate a security issue.

Example Findings:

  1. “We discovered that the UEFI firmware on our servers had been compromised.” - This finding indicates a critical severity as it directly points to unauthorized access and potential data breach.
  2. “Malware persistence mechanism detected in BIOS” - This is a high-severity finding, highlighting significant risk due to persistent malware presence within the system’s core components.

Purpose: The Supply Chain Implant Detection Scanner is designed to identify potential supply chain attacks by analyzing domain reputation, exposed services, known vulnerabilities, and other threat intelligence feeds. It aims to detect software tampering and backdoored updates that could compromise the integrity of a system.

What It Detects:

  • Malware Indicators in Domain Reputation: The scanner detects patterns such as “malware,” “ransomware,” or “trojan” in VirusTotal API results, indicating potential malware presence on domains.
  • Command and Control (C2) Server References: Identifies references to C2 servers using phrases like “command and control” or “c2,” which are indicative of malicious activity.
  • Known Exploited Vulnerabilities: Checks for known exploited vulnerabilities listed in the CISA KEV and NVD/CVE database, alerting on potential security breaches.
  • Exposed Services and Vulnerabilities: Identifies exposed services and vulnerabilities from Shodan API results that suggest unauthorized access or data leakage.
  • Phishing and Credential Harvesting Indicators: Detects attempts to harvest credentials or engage in phishing activities by identifying related patterns in threat intelligence feeds.

Inputs Required:

  • domain (string): The primary domain to be analyzed, such as “acme.com,” which is crucial for querying various APIs and databases.

Business Impact: This scanner is critical for organizations aiming to maintain the integrity of their software supply chains, preventing unauthorized modifications that could lead to data breaches or system compromise. Detecting potential tampering early can mitigate significant risks associated with cyber threats.

Risk Levels:

  • Critical: The risk level is critical when patterns indicating malware, ransomware, trojans, or unauthorized access are detected in the domain’s reputation and services.
  • High: High severity is triggered by known exploited vulnerabilities identified through CISA KEV and NVD/CVE databases.
  • Medium: Medium severity findings include exposed services that could lead to data leakage or other forms of unauthorized access.
  • Low: Low severity risks pertain to less critical indicators such as phishing attempts, which are still significant but may not pose immediate threats.
  • Info: Informational findings relate to the detection of potential vulnerabilities and malware indicators without severe consequences on systems.

Example Findings:

  • The scanner might flag a domain associated with “malware” or “ransomware” patterns in VirusTotal results, which is reported at critical severity.
  • A domain hosting references to “command and control” servers could be flagged as a high risk due to potential malicious activity.
  • Known vulnerabilities such as CVE-2021-44228 identified through the CISA KEV database would trigger a high risk level.

Purpose: The Custom Malware Identification Scanner is designed to detect zero-day malware and targeted payloads by analyzing domain reputation, exposed services, known vulnerabilities, and other threat intelligence sources. This tool aims to identify potential security threats by leveraging various APIs to gather information about the domain’s activities and vulnerabilities.

What It Detects:

  • Domain Reputation Analysis: Checks the VirusTotal API for a domain’s reputation score and identifies malicious activities or suspicious behavior associated with the domain.
  • Exposed Services Detection: Utilizes the Shodan API to find exposed services and vulnerabilities on the domain, scanning for open ports, outdated software versions, and other potential entry points.
  • Known Exploited Vulnerabilities: Cross-references the CISA KEV (Known Exploited Vulnerabilities) list to identify if any known vulnerabilities are present in relation to the domain.
  • IP Reputation Evaluation: Uses the AbuseIPDB API to assess the reputation of associated IPs, detecting malicious activities such as DDoS attacks or other suspicious behaviors linked to the domain’s IPs.
  • Vulnerability Lookup: Queries the NVD/CVE database for detailed vulnerability information related to the domain.

Inputs Required:

  • domain (string): The primary domain to analyze, e.g., acme.com. This is a mandatory input that specifies the target domain for analysis.

Business Impact: This scanner is crucial for organizations aiming to maintain robust cybersecurity measures against potential threats posed by zero-day malware and targeted payloads. By identifying vulnerabilities and malicious activities early, it helps in mitigating risks associated with data breaches and cyber attacks.

Risk Levels:

  • Critical: The scanner identifies a critical vulnerability that has been exploited recently or is known to be widely exploitable.
  • High: The scanner detects a high number of exposed services or vulnerabilities that could serve as entry points for attackers.
  • Medium: The scanner flags potential issues, such as moderate risk vulnerabilities or suspicious domain activities, which require further investigation.
  • Low: The scanner identifies minor risks, such as outdated software versions on exposed ports, which are less critical but still need monitoring and possible remediation.
  • Info: Provides informational findings about the general health of the domain based on its reputation score and IP reputation.

Example Findings:

  • A high risk level could be found if a domain is associated with multiple known exploited vulnerabilities affecting significant parts of its infrastructure.
  • A critical finding might include exposure to a recently patched but actively exploited vulnerability that could lead to immediate system compromise.

Purpose: The Rootkit Detection Scanner is designed to identify and alert users about potential kernel modifications, driver manipulations, hidden processes, file system anomalies, and network activities that may indicate the presence of rootkits on a system. This is essential for maintaining system integrity and preventing unauthorized access.

What It Detects:

  • Kernel Modifications: Identifies suspicious changes in kernel modules or drivers, as well as unusual kernel symbols or functions not part of standard distributions.
  • Driver Manipulation: Detects anomalies in driver files such as unexpected modifications or additions, scanning for known malicious driver signatures and behaviors.
  • Hidden Processes: Identifies processes that are hidden from the system’s process list and checks for elevated privilege processes without legitimate reasons.
  • File System Anomalies: Detects unusual file changes like modifications to critical system files and scans for hidden or encrypted files containing potential malicious code.
  • Network Activity Indicators: Monitors network traffic for suspicious activities that could indicate rootkit communication with external servers, including unusual outbound connections from the system.

Inputs Required:

  • domain (string): Primary domain to analyze for associated IP addresses and services.

Business Impact: Maintaining a secure system is crucial as unauthorized access can lead to data breaches, financial losses, and damage to organizational reputation. The scanner helps in proactively identifying potential threats that could compromise the integrity of critical systems.

Risk Levels:

  • Critical: Conditions that pose an immediate threat to system security, such as significant kernel modifications or presence of well-known rootkits.
  • High: Conditions that indicate high risk but do not necessarily represent a direct threat to all aspects of system security, such as unauthorized driver additions.
  • Medium: Conditions that may suggest potential issues requiring attention but are less severe than those at the critical and high levels.
  • Low: Informative findings that provide some insight into system behavior but generally pose minimal risk.
  • Info: Informational findings that do not indicate any significant security concerns, serving more as indicators of normal or expected system activity.

Example Findings:

  1. A sudden increase in the number of kernel modules without apparent changes to the operating system suggests potential unauthorized modifications.
  2. Unauthorized driver additions detected could be indicative of a rootkit being installed on the system.

Purpose: The Advanced RAT Analysis Scanner is designed to detect fileless persistence and memory-only execution by analyzing domain-related threat intelligence feeds. It aims to identify potential Remote Access Trojan (RAT) activities, unauthorized command and control communications, and other malicious behaviors.

What It Detects:

  • Fileless Persistence Indicators: Detection of patterns indicating in-memory code execution without writing files to disk, along with identification of suspicious processes or services that do not have corresponding files on the filesystem.
  • Memory-Only Execution Patterns: Recognition of indicators suggesting malware operates entirely in memory, avoiding detection by traditional file-based antivirus solutions. This includes analysis of process behavior for signs of obfuscation and evasion techniques commonly used by RATs.
  • Command and Control (C2) Communication: Identification of domain names or IP addresses associated with known C2 servers using threat intelligence feeds, as well as detection of patterns indicative of command and control traffic, such as unusual outbound connections to suspicious domains/IPs.
  • Malware Signatures and Indicators: Matching against known malware signatures and indicators of compromise (IOCs) from VirusTotal and other sources, along with analysis of domain reputation for malicious activities or associations with known threat actors.
  • Vulnerability Exploitation Patterns: Detection of patterns indicating exploitation of known vulnerabilities, especially those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and identification of CVE identifiers in breach disclosures that may indicate specific exploits used by RATs.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).

Business Impact: This scanner is crucial for organizations looking to proactively detect and mitigate threats associated with Remote Access Trojans, which can lead to unauthorized access to sensitive information, data breaches, and potential financial losses. The ability to identify fileless persistence and memory-only execution patterns helps in preventing the installation and execution of malicious software without leaving detectable traces on a system.

Risk Levels:

  • Critical: Conditions that directly indicate active exploitation of known vulnerabilities or critical security flaws that could lead to immediate data loss or unauthorized access.
  • High: Conditions suggesting high risk, such as widespread exposure of systems through compromised credentials or the use of well-known malware signatures indicative of significant threat potential.
  • Medium: Conditions indicating medium risk, including the presence of suspicious processes or services without corresponding files on disk and unusual outbound network connections to potentially malicious domains.
  • Low: Informational findings that do not pose immediate risks but may indicate ongoing exposure or trends that require monitoring for future developments.
  • Info: General information about domain reputation and historical data, which does not directly affect security posture but can be useful for trend analysis and strategic planning.

Example Findings:

  • A process was detected running without corresponding files on disk, indicating potential fileless persistence.
  • An unusual outbound network connection to a suspicious domain was identified, suggesting command and control communication with a malicious server.