Group-IB Threat Hunting Framework

Additional Info

Company: Group-IB
Website: https://www.group-ib.com/
Company size (employees): 500 to 999
Type of solution: Hybrid

Overview

Group-IB Threat Hunting Framework (THF) is a single solution for comprehensive protection of IT and OT segments in any organization. It is based on an adversary-centric approach to the detection and mitigation of targeted attacks and on our patented technologies.
The THF Sensor module sends a file extracted from mail or Internet traffic to the THF Polygon module, which is specifically designed for unknown threats and causes them to detonate in an isolated environment. Ordinary sandboxes also try to check such files, but if nothing is found during unpacking, the files are skipped.
Cybercriminals have learned how to determine whether their code is running on a real machine or is still being checked in a virtual environment. For instance, to work out whether this is a sandbox, they look for documents on the desktop and in the recently edited folder. Therefore, the system must behave like a real user in order to provoke the execution of malicious code. This includes imitating mouse movement and more: a robot will often not absentmindedly move the mouse across the screen, it will immediately and accurately hit the desired button.
Links also cause a lot of trouble: at the moment of checking, a link can lead to a normal site, and after a while to the Trojan's download page. Hackers also use the tactic of deferred tasks, in which their mine is triggered after a certain, sometimes very long, time. THF Polygon copes with these tricks perfectly and makes the malware manifest itself.

How we are different

• Full payload execution
Implements our set of technologies that force malicious payloads to fully execute in an isolated environment without risk.
• Advanced anti-evasion techniques
Deals with hundreds of different malware stealth TTPs: time-based attacks, fuzzy URLs, environmental checks and steps requiring user interaction.
• Full behavioral report
The verdict always comes with clear evidence and decision analytics. Deep IOCs are automatically extracted during analysis. All artifacts are available for download and further analysis.