Modeling File Behavior

Last Updated: Jul 29, 2019 11:49AM EDT
User and Higher


File Indicators can model a special Indicator-to-Indicator association, which is based on their behavior once opened. These associations can be used to model the fact that malware may contain and create additional files or communicate with network devices. This behavior can be modeled on a File Indicator’s Details screen.

Viewing a File Indicator's Behavior Model

  1. From the top navigation bar (Figure 1), hover the cursor over Browse and then over the Indicators option. Click on the File object to display a results table (Figure 2).
  2. Click on one of the entries, and the Details drawer for that entry will be displayed (Figure 3).
  3. Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. Click the Behavior tab, and the Behavior screen will be displayed (Figure 5).

Modeling Behavior

File behavior is represented as a tree, with each branch consisting of one of seven Indicator types:

  • File Archive: This File Indicator contains other File Indicators.
  • File Drop: This File Indicator creates another File Indicator.
  • File Traffic: This File Indicator communicates with a Host, Address, or URL Indicator.
  • File DNS Query: This File Indicator attempts to retrieve the DNS record for a Host Indicator.
  • File Mutex: This File Indicator creates a Mutex indicator.
  • File Registry Key: This File Indicator creates a Registry Key Indicator.
  • File User Agent: This File Indicator creates a User Agent Indicator.

Creating an Association

  1. Click the Plus icon next to one of the branches, and then click the New button that appears (Figure 6).
  2. The Select an Indicator window will be displayed (Figure 7).
  3. Select an Indicator, and then click the SAVE button. The new association will be displayed (Figure 8). Note that File behavior can be nested; that is, a dropped File Indicator can subsequently have its own behavior, which will be reflected in the model.

20028-07 EN Rev. A

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found