Custom sandflies can be cloned to enhance the system sandflies or create entirely new methods of security analysis that may be unique to your operational environment or use cases. Either way, they leverage the file, directory, log, process, user or other incident response analysis methods that the Sandfly system has to offer.


In general, "sandflies" are small JSON modules that are passed to the Sandfly agentless forensic engines to investigate remote systems. They also use regular expressions (regex) in the options section of the JSON, so regex knowledge is valuable, especially when creating or modifying complex rules.



Sidebar Options for the Sandflies Section


Viewing

To access a table view of sandflies, use the All Sandflies sub-menu option or simply click on Sandflies in the sidebar. Both methods will open a page that, by default, provides an unfiltered list of every sandfly that exists on the server. Use the Presets table button to quickly filter on commonly needed views. The table header also provides buttons to Activate, Deactivate, or Delete selected sandflies in bulk.



Adding

Depending on whether an existing sandfly or template is being reused or an entirely new one is being created from scratch, the web interface provides two ways to add custom sandflies.


  1. Use the Clone button in the Actions column of the Sandflies table view or on any Sandfly Details page.
    • This method copies the corresponding JSON and adds it into the Add Custom Sandfly form.
    • In order to save it, at minimum the value for "name" must be changed to something unique.
  2. Use the Add Custom Sandfly menu option in the sidebar or the button of the same name in the view page.
    • This method comes populated with example JSON which can be extended or replaced entirely.



Administrative

Downloading

Starting with Sandfly version 4.3, custom sandflies can be downloaded via the web interface from the Download Custom Sandflies button found on the Sandflies view. Using that button will download every custom sandfly as a single JSON file.


Uploading

Starting with Sandfly version 4.3, custom sandflies can also be uploaded via a web browser either individually or in bulk from the Upload Sandflies menu option in the sidebar. The form requires only a single JSON file that is structured in the same way as the downloaded custom sandfly JSON file, regardless of whether it includes one or multiple entries.


Malformed JSON and custom sandflies with the name of an existing system sandfly will be rejected. Uploading files that contain custom sandfly names that already exist will completely overwrite those sandflies. Names that do not exist at the time of the upload will create new custom sandflies.



Sandfly JSON Details

Example

Custom sandflies look similar to the JSON below. We will go over what each section means further below.

{
  "active": true,
  "custom": true,
  "date_added": "2021-03-14T22:33:52Z",
  "description": "Searches for generic shell commands that may be operating as a backdoor on the system (variant 1).",
  "format": "3.0",
  "max_cpu_load": 1,
  "max_disk_load": 1,
  "max_timeout": 360,
  "severity": 3,
  "name": "process_backdoor_bindshell_generic_1_test",
  "options": {
    "engines": [
      "sandfly_engine_process"
    ],
    "explanation": "The process name '{process.name}' with PID '{process.pid}' may be operating as a generic shell backdoor based on the command line contents. Check this process and any open network ports to be sure it is not malicious as it could allow remote access or exfiltration of data.",
    "process": {
      "cmdline": [
        ".*>& \\/dev\\/tcp\\/.*0>&1",
        ".*>& \\/dev\\/udp\\/.*0>&1",
        "nohup.*exec.*<>.*\\/dev\\/tcp\\/.*",
        "nohup.*exec.*<>.*\\/dev\\/udp\\/.*"
      ],
      "name": [
        ".*"
      ],
      "name_ignore": [],
      "network_ports": {
        "operating": true
      }
    },
    "response": {
      "process": {
        "kill": false,
        "suspend": false
      }
    }
  },
  "os_compat": {
    "linux": []
  },
  "tags": [
    "attack.tactic.execution",
    "attack.id.T1059",
    "attack.id.T1100",
    "process"
  ],
  "type": "process",
  "version": "2021-03-11T12:14:09"
}

Header

The header of the custom Sandfly describes what it is to the system. This is used to organize the Sandfly in the database and for display in the UI. Key elements include:

  • name - Name of the sandfly, using only lower case characters and underscores (_) in the value.
  • description - A short description of what the sandfly does which is shown in the UI listing.
  • format - Sandfly format version. Use the default and do not alter it, otherwise the Sandfly will be rejected.
  • max_timeout - Maximum number of seconds this Sandfly can run before it is stopped by the system. Maximum timeout value allowed is 1800 seconds (30 minutes). The minimum allowed is 1 second.
  • max_cpu_load - The relative CPU load this sandfly may cause on the remote host. A value of 1 is the lowest and 3 the highest.
  • max_disk_load - The relative disk load this sandfly may cause on the remote host. A value of 1 is the lowest and 3 the highest.
  • severity - A value from 0 to 3 used to personalize a sandfly for use within your environment.
  • type - This is either directory, file, incident, log, policy, process, recon or user. Any other value is rejected.
  • version - The manually provided date and time of that particular version of a sandfly.
  • options - The options to pass to the forensic engine. This will be discussed below.


Important points regarding the naming of sandflies:

  • A custom sandfly can never be saved with the name of an existing system sandfly.
    • If a system sandfly needs to be extended, you can use the same base name and simply add some extra identifier to help indicate that this is a modified version of a system sandfly.
    • Example: 'dirs_hidden_bin' could become 'dirs_hidden_bin_modified' or 'dirs_hidden_bin_internal'.


WARNING: Custom Sandflies With The Same Name Will Be Overwritten!

Ensure that custom sandfly names are unique. If a new or uploaded custom sandfly has the name of an existing custom sandfly, when saved it will completely overwrite the existing sandfly regardless of its content.
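The header constraints and naming rules above are easy to get wrong by hand before an upload, so here is a small pre-upload checker written for this page as an added example; it is not part of Sandfly's own tooling. It assumes "3.0" is the default format value (as in the page's example), that digits are allowed in names (the page's own example name contains one), and uses a constructed placeholder set of system sandfly names.

```python
import re

# Constraints transcribed from the Header section of this page. The set of
# system sandfly names is a constructed placeholder, not the server's list.
ALLOWED_TYPES = {"directory", "file", "incident", "log", "policy",
                 "process", "recon", "user"}
SYSTEM_SANDFLY_NAMES = {"dirs_hidden_bin"}
# Digits are allowed because the page's own example name ends in "_1_test".
NAME_RE = re.compile(r"^[a-z0-9_]+$")

def validate_sandfly(sf, system_names=SYSTEM_SANDFLY_NAMES, existing_custom=()):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    name = sf.get("name", "")
    if not NAME_RE.match(name):
        problems.append(f"name {name!r} must use lower case and underscores only")
    if name in system_names:
        problems.append(f"name {name!r} belongs to a system sandfly; rejected")
    if name in existing_custom:
        problems.append(f"name {name!r} already exists; saving would overwrite it")
    if sf.get("format") != "3.0":  # "3.0" is the value in the page's example
        problems.append("format must be left at the default value")
    t = sf.get("max_timeout")
    if not isinstance(t, int) or not 1 <= t <= 1800:
        problems.append("max_timeout must be an integer from 1 to 1800 seconds")
    for key in ("max_cpu_load", "max_disk_load"):
        if sf.get(key) not in (1, 2, 3):
            problems.append(f"{key} must be 1, 2 or 3")
    if sf.get("severity") not in (0, 1, 2, 3):
        problems.append("severity must be between 0 and 3")
    if sf.get("type") not in ALLOWED_TYPES:
        problems.append(f"type {sf.get('type')!r} is not an accepted sandfly type")
    # Every process-engine pattern is a regex; catch syntax errors before upload.
    proc = sf.get("options", {}).get("process", {})
    for key in ("cmdline", "name", "name_ignore"):
        for pat in proc.get(key, []):
            try:
                re.compile(pat)
            except re.error as err:
                problems.append(f"options.process.{key} pattern {pat!r}: {err}")
    return problems

# Constructed sample: a trimmed copy of the page's example sandfly.
SAMPLE = {
    "name": "process_backdoor_bindshell_generic_1_test", "format": "3.0",
    "max_timeout": 360, "max_cpu_load": 1, "max_disk_load": 1, "severity": 3,
    "type": "process", "options": {"process": {
        "cmdline": [".*>& \\/dev\\/tcp\\/.*0>&1"], "name": [".*"], "name_ignore": []}},
}
```

Run `validate_sandfly(json.load(open(path)))` on each entry you plan to upload; pass the names already on the server as `existing_custom` to be told about overwrites rather than discovering them afterwards.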


Options

The options area of a custom sandfly is where the parameters for scanning are passed to the associated agentless forensic engines. See the Interpreting Results section for how this works.



